在字符串中隐藏密码
我正在制作一个自定义 ftp 客户端,它登录到单个 ftp 站点并转到特定文件夹,以避免用户将文件放在错误的位置。
我不太关心它,但密码只是一个启动新 ftp 对象的字符串。
FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");
防止此密码被窥探的最佳方法是什么?
I am making a custom ftp client that logs onto a single ftp site and goes to a specific folder to avoid users' putting files in the wrong place.
I'm not super concerned about it, but the password is just a string to initiate the new ftp object.
FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");
What is the best way to keep this password from prying eyes?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
FTP 仅支持纯文本身份验证 - 如果您想向攻击者隐藏密码,则必须使用 FTPS(基于 SSL 的 FTP) )。
更新
第一步不要关心在源代码中隐藏和混淆密码 - 您的应用程序必须解密它并以纯文本形式通过网络发送。每个人都可以启动 WireShark 或任何其他数据包嗅探器并以纯文本形式获取密码。 首先确保您不会通过网络以纯文本形式发送密码,然后开始考虑在代码中对其进行混淆。
更新
在代码中混淆密码会产生以下结果:当您以纯文本形式发送时,根本没有安全性,但您可以这样做。仅加密字符串就增加了一层间接性。在不混淆的情况下,我必须在您的应用程序中找到密码,而使用 Reflector,通过混淆我必须找到密钥、加密密码和加密方法。这可能仍然只需要几分钟。
使用混淆器来阻止我反编译您的应用程序(转换为可读代码)可能会阻止我几个小时,直到我找到对系统库函数的相关调用(但我不会尝试,而只是从线路读取密码; )。
因此,我建议不要尝试对密码进行混淆——普通用户可能无法在可执行文件中找到纯文本密码,而愿意查找密码的人也无法通过混淆来阻止。在这种情况下,唯一的方法就是首先不在您的应用程序中包含密码。
FTP supports only plain text authentication - if you want to hide the password from attackers you have to use FTPS (FTP over SSL).
UPDATE
Don't care about hiding and obfuscating the password in your source code as a first step - your application will have to decrypt it and send it over the wire in plain text. Everyone can just start WireShark or any other packet sniffer and get the password back in plain text. First make sure that you don't send the password in plain text over a network, then start thinking about obfuscating it in your code.
UPDATE
Obfuscating the password in your code yields no security at all while you are sending it in plain text, but you can do so. Just encrypting the string adds one level of indirection. Without obfuscation I have to finde the password in your application and that's a matter of minutes with Reflector, with obfuscation I have to find the key, the encrypted password, and the encryption method. This will probably still take only minutes.
Using an obfuscator to prevent me from decompiling you application (into readable code) might stop me for a few hours until I find the relevant call into a system library function (but I wouldn't try, but only read the password from the wire ;).
So I suggest not to try to hard to obfuscate the password - the average user is probably unable to find a plain text password in a executable and people willing to find the password cannot be stopped by obfuscation. In this case the only way would be not to include the password in your application in the first place.
您可以使用此来保护您的纯文本字符串来自reflector之类的程序。
You can use this to protect your plain text string from reflector like programs.
请参阅这篇文章了解如何加密和解密字符串,在本例中是您的密码。
您还应该考虑混淆您的代码以使其对于拥有适当工具的人来说,很难通过调试代码来获取密码。
See this SO post about how to encrypt and decrypt a string, in this case your password.
You should also consider obfuscating your code to make it difficult for people with appropriate tools to get the password by debugging your code.
在受保护的文件中设置密码和连接 URL 配置参数。我使用 INI 文件,它们被放置在受 Web 服务器保护的目录中,这样浏览器就无法打开也无法查看该文件/目录。
Make your passwords and connection URLs configuration parameters, in a protected file. I uses INI files, and they are placed in a directory that is protected by the web server such that a browser can't open nor see the file/directory.