如何保护 .NET 应用程序中的 API 密钥

发布于 2024-10-17 01:38:02 字数 498 浏览 9 评论 0原文

我的应用程序访问了许多 Web 服务,例如 Twitter 和 Flickr。它使用来自这些服务的 API 密钥,我想在我的二进制文件中混淆它们。 (我并不真正担心盗版或其他任何事情,我只需要对这些密钥保密。)

最好的方法是什么?

如果我将它们存储为 const SecureString ,那么让他们从记忆中消失? MSDN 描述说文本“当不再需要时从计算机内存中删除”,但是 const 不是总是在内存中吗?

Dotfuscator 会在我的程序集中模糊它吗? (假设我可以让它工作。)

My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)

What's the best way to go about it?

If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?

Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

梦幻的味道 2024-10-24 01:38:02

我最近不得不处理这种情况。问题不在于确保某人无法使用十六进制编辑器轻松找到它,而在于它通过线路发送到各种 API 时。无论如何,只需运行 fiddler 并观察请求就会显示密钥。一些 API 具有私钥/公钥的优势,这会有所帮助。

我能想到的唯一解决方案是创建一个我自己的外部托管的 Web 服务,充当客户端和目标 API 之间的代理。这使我能够为每个终端生成可以激活/停用的单独密钥,并且大部分敏感数据存储在我的远程代理应用程序中。

祝你好运!

~“别忘了喝你的阿华田”

I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor but rather when it's sent over the wire to the various APIs. Simply running fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key which helps a little.

The only solution I could come up with was to create a webservice of my own externally hosted that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys to each terminal that I could activate/deactivate and majority of the sensitive data was stored on my remote proxy application.

Good luck!

~ "Dont't forget to drink your Ovaltine"

终陌 2024-10-24 01:38:02

匿名是正确的,没有办法完全保护数据;总有人能得到它。

但你想让事情变得尽可能困难。这意味着不执行易于阅读的操作:

  • 不存储在注册表项(例如 TwitterAPIKey REG_SZ)中,
  • 不存储在文本文件(例如 twitterkey.txt)中,或在 ini 文件中,
  • 不存储在应用程序的 .config 文件
  • 中,不以纯文本形式存储在二进制文件中,
  • 不以未加密的形式存储在二进制文件中

。这将使人们必须了解调试器和(可能)汇编代码。

您已经大大减少了攻击面。

只需遵循前三个建议,您就会顺利上路。

Anon is correct, there is no way to completely protect data; someone can always get it at.

But you want to make it as difficult as possible. This means not doing the things that make it easy to read:

  • not storing in a registry key (e.g. TwitterAPIKey REG_SZ)
  • not storing in a text file (e.g. twitterkey.txt), or in an ini file
  • not storing in the application's .config file
  • not storing as plain text in the binary
  • not storing unencrypted in the binary

This will leave people who have to have knowledge of a debugger, and (possibly) assembly code.

You've reduced the attack surface a lot.

Follow just the first three suggestions and you'll well on your way.

夜还是长夜 2024-10-24 01:38:02

也许您可以要求您的用户使用他们自己的 api 密钥。
他们可以将自己注册到 api,然后在应用程序的设置中引用他们的密钥

maybe you can ask your user to use their own api keys.
They can register themselves to the apis, and then reference their key in your app's settings

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文