Windows 应用程序的安全数据库后端,用户无法轻松入侵
我正在编写一个数据库驱动的 Windows 应用程序,可执行文件和数据库都需要安装在客户计算机上。
是否有一个数据库可以用作我的应用程序的后端,即使用户使用存储数据库的同一台计算机,用户也无法进入该数据库。
据我所知,Postgres 对此不起作用,而且我尝试过的访问版本很容易破解密码。
我的应用程序必须能够安装在笔记本电脑上,并且即使在没有互联网访问的情况下也可以使用,因此通常的客户端-服务器数据库模型不起作用。
我考虑过使用 VMWare 虚拟设备,并在某些版本的 Linux 上安装 Postgres,但这会带来相当重的系统负载。
我宁愿不必使用加密的文本文件或类似的东西。
I'm writing a database driven windows application and both the executable and database need to be installed on the customers machine.
Is there a database that I can use as a backend to my application that the user can't get into even though the user is using the same machine that the database is stored on.
As far as I can tell, Postgres won't work for this, and the versions of access that I have tried are easy to get the crack the passwords for.
My application has to be able be installed on a laptop and be useable even when there is no internet access, so the usual client-server database models just don't work.
I have considered using a VMWare virtual appliance with Postgres installed on some version of linux, but this would have a pretty heavy system load.
I would prefer to not have to use encripted text files or something like that.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
由于用户(或黑客)拥有该机器,因此您无法采取任何措施来确保其安全。您尝试的任何操作都将属于通过 Obsecurity 实现安全的类别。
最好的选择是加密数据库并尝试将密钥隐藏在二进制文件中某个不起眼的地方。由于这是一个已安装的应用程序,因此请勿使用数据库服务器。只需使用像 Postgres 这样的数据库库。
Since users (or hackers) own the machine, there is nothing you can do to make it secure. Anything you try will fall into a category called Security Through Obsecurity.
Your best bet is to encrypt your database and try to hide the key in some obscure place in your binary. Since this is an installed application, don't use Database servers. Just use a DB library like Postgres.
数据有多重要?使用标准 RSA 或 AES 以及应用程序中存储和加密的密钥来加密系统上的数据,将使您的妈妈和爸爸用户远离您。
但是,如果您无法向客户端应用程序保密,那么您就会遇到麻烦。
How critical is the data? Encrypting data on your system using standard RSA or AES with a key stored and encrypted in your application will keep your mum and dad user away.
But if you can't keep the secret out of the client application, then you're going to have trouble here.
根据您的预算,您有多种选择。
首先,我使用了 SQL Server Compact Edition 3.5,带有 .NET 程序,用于加密本地数据库。好消息是该文件已加密,只有知道密码才能访问。当然,坏消息是您的密码可能会在您的连接字符串中,除非您执行诸如种子 PRNG 之类的操作来为您生成密码。此外,SSCE 要求它独立于您的应用程序进行安装 - 如果用户出于某种原因通过控制面板卸载它,您的应用程序将无法运行。
其次,我还使用过一个名为 VistaDB 的商业产品,它也支持加密的本地数据库文件。 VistaDB 与其他数据库引擎的比较功能可在其网站上找到 --但他们提供的另一件事是,他们没有必须预安装的运行时——您只需将另一个程序集添加到您的发行版中(他们声称您可以静态链接它,但我个人还没有尝试过)。磁盘上的本地文件也使用 VistaDB 进行加密,没有密码就无法访问底层数据库。
祝你好运!
There's a couple of options available to you, depending on your budget.
First, I have used SQL Server Compact Edition 3.5 with a .NET program for doing a local database that was encrypted. The good news was that the file was encrypted and could only be accessed if you had the password. The bad news of course is that your password will probably be in your connect string, unless you do something like a seeded PRNG to generate up the password for you. Also, SSCE requires that it be installed independent of your application -- if for any reason the user uninstalls it through Control Panel, your application won't run.
Second, I have also used a commercial product called VistaDB, and it also supports local database files that are encrypted. There are comparison features of VistaDB versus other database engines available on their website -- but another thing they offer is that they don't have a runtime that has to be preinstalled -- you just add another assembly to your distribution (they claim you can statically link it, but I haven't tried that personally). The local file on disk is also encrypted with VistaDB, and without the password you can't access the underlying database.
Good luck!