Storing passwords in application code

Posted on 2024-08-16 13:17:53

I have a doubt concerning how to store a password for usage in my application. I need to encrypt/decrypt data on the fly, so the password will need to be somewhere. Options would be to have it hard-coded in my app or load it from a file.

I want to encrypt a license file for an application and one of the security steps involves the app being able to decrypt the license (other steps follow after). The password is never known to the user, only to me, as he really doesn't need it!

What I am concerned about is hackers going through my code, retrieving the password that I have stored there, and using it to hack the license, breaking the first security barrier.

At this point I am not considering code obfuscation (eventually I will), so this is an issue.

I know that any solution that stores passwords is a security hazard but there's no way around it!

I considered assembling the password from multiple pieces before really needing it, but at some point the password is complete, so a debugger and a well-placed breakpoint is all that is needed.

What approaches do you guys (and gals) use when you need to store your passwords hard-coded in your app?

Cheers

Comments (5)

清秋悲枫 2024-08-23 13:17:54

An approach I have done in the past was to generate a unique ID during the install, it would get the HDD and MCU's SN and use it in a complex structure, then the user will send this number to our automated system and we reply back with another block of that, the app will now decrypt and compare this data on the fly during the use.

Yes, it works, but it still has the hardcoded password; we have some layers of protection (i.e. there are some techniques that prevent a mid-level hacker from understanding our security system).

I would just recommend that you build a very complex system and try to hack it on your own; see if disassembly can lead to an easy path. Add some random calls to random subroutines, make it very aleatory, try to fake the use of registry keys and global variables, and turn the hacker's life into hell so he will eventually give up.
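The install-ID and activation-block exchange described in the answer above, as an added sketch that is not part of the original post or the poster's product. It swaps the answer's unspecified "decrypt and compare" step for an HMAC tag check; the function names, key and serial numbers are constructed for illustration, and the key is still embedded in the client, which is the weakness the answer itself concedes.

```python
import hashlib
import hmac

# Assumption: one secret shared by the vendor's activation service and the app.
# It ships inside the client, so it is recoverable from the binary.
EMBEDDED_KEY = b"constructed-demo-key-not-a-real-secret"


def install_id(hdd_serial: str, mcu_serial: str) -> str:
    """Client, at install time: derive a machine-bound ID from hardware serials."""
    # Length-prefix each field so ("AB", "C") and ("A", "BC") cannot collide.
    material = b"".join(
        len(s.encode()).to_bytes(2, "big") + s.encode()
        for s in (hdd_serial, mcu_serial)
    )
    return hashlib.sha256(material).hexdigest()[:32]


def issue_activation(machine_id: str, license_serial: str) -> str:
    """Vendor's automated system: bind a license serial to one install ID."""
    msg = f"{license_serial}|{machine_id}".encode()
    tag = hmac.new(EMBEDDED_KEY, msg, hashlib.sha256).hexdigest()
    return f"{license_serial}:{tag}"


def check_activation(block: str, hdd_serial: str, mcu_serial: str) -> bool:
    """Client, at run time: recompute the ID from current hardware and compare."""
    license_serial, sep, tag = block.rpartition(":")
    if not sep or not license_serial:
        return False  # malformed activation block
    machine_id = install_id(hdd_serial, mcu_serial)
    msg = f"{license_serial}|{machine_id}".encode()
    expected = hmac.new(EMBEDDED_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison of the received tag against the expected one.
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    # Constructed sample serial numbers.
    mid = install_id("WD-WX41A1234567", "MCU-00F3A9")
    block = issue_activation(mid, "LIC-0001")
    print(check_activation(block, "WD-WX41A1234567", "MCU-00F3A9"))  # same machine
    print(check_activation(block, "WD-WX99Z7654321", "MCU-00F3A9"))  # other machine
```

The check ties an activation block to one machine, so copying the block elsewhere fails, but anyone who extracts `EMBEDDED_KEY` can issue valid blocks.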

少女情怀诗 2024-08-23 13:17:53

My personal opinion is the same as GregS above: it is a waste of time. The application will be pirated, no matter how much you try to prevent it. However...

Your best bet is to cut down on casual-piracy.

Consider that you have two classes of users. The normal user and the pirate. The pirate will go to great lengths to crack your application. The normal user just wants to use your application to get something done. You can't do anything about the pirate.

A normal user isn't going to know anything about cracking code ("uh...what's a hex editor?"). If it is easier for this type of person to buy the application than it is to pirate it, then they are more likely to buy it.

It looks like the solutions you have already considered will be effective against the normal user. And that's about all that you can do.

难忘№最初的完美 2024-08-23 13:17:53

Decide now how much time/effort you want to spend on preventing piracy. If someone is determined, they're probably going to get your application to work anyway.

黯淡〆 2024-08-23 13:17:53

I know you don't want to hear it, but it's a waste of time, and if your app needs a hardcoded password then that is a flaw.

虚拟世界 2024-08-23 13:17:53

I don't know that there is any approach to solving this problem that would deter a hacker in any meaningful way. Keeping the secret a secret is one of cryptography's great problems.
