在源代码中存储加密密钥有多安全?
该加密级别是否足够安全?或者有人可以反汇编我的二进制文件来找到密钥和 IV?我用它来解密许可证文件,因此它不能轻易被破坏,这一点非常重要。
internal static class Encryptor
{
// Actual values are put here in my source
private static readonly byte[] Key = { 0, 0, 0, 0, 0, 0, 0, 0 };
private static readonly byte[] Iv = { 0, 0, 0, 0, 0, 0, 0, 0 };
internal static String Encrypt(string source)
{
var des = new DESCryptoServiceProvider();
var enc = des.CreateEncryptor(Key, Iv);
var b = Encoding.ASCII.GetBytes(source);
var encId = enc.TransformFinalBlock(b, 0, b.Length);
return Convert.ToBase64String(encId);
}
internal static string Decrypt(string encrypted)
{
var des = new DESCryptoServiceProvider();
var dec = des.CreateDecryptor(Key, Iv);
var b = Convert.FromBase64String(encrypted);
var decId = dec.TransformFinalBlock(b, 0, b.Length);
return Encoding.ASCII.GetString(decId);
}
}
这类似于这个问题和< a href="https://stackoverflow.com/questions/764012/how-do-you-hide-secret-keys-in-code">这个,但似乎都没有明确的答案(如据我所知- 我承认在这个主题上我是一个完全的初学者)。请指教。 :)
Is this encryption class sufficiently secure? Or can someone disassemble my binary to find the key and IV? I'm using it to decrpyt license files so it's quite important that it can't be easily broken.
internal static class Encryptor
{
// Actual values are put here in my source
private static readonly byte[] Key = { 0, 0, 0, 0, 0, 0, 0, 0 };
private static readonly byte[] Iv = { 0, 0, 0, 0, 0, 0, 0, 0 };
internal static String Encrypt(string source)
{
var des = new DESCryptoServiceProvider();
var enc = des.CreateEncryptor(Key, Iv);
var b = Encoding.ASCII.GetBytes(source);
var encId = enc.TransformFinalBlock(b, 0, b.Length);
return Convert.ToBase64String(encId);
}
internal static string Decrypt(string encrypted)
{
var des = new DESCryptoServiceProvider();
var dec = des.CreateDecryptor(Key, Iv);
var b = Convert.FromBase64String(encrypted);
var decId = dec.TransformFinalBlock(b, 0, b.Length);
return Encoding.ASCII.GetString(decId);
}
}
This is similar to this question and this one, but neither seem to have a clear answer (as far as I can understand - and I admit to being a complete beginner on this topic). Please advise. :)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
是的,这很容易被打破。任何熟悉 Reflector(或 ILSpy、dotPeek 等)等工具的开发人员都可以轻松识别加密函数并找到密钥。拥有该程序集的人甚至可以直接调用
Decrypt,而不必费心提取密钥。足够安全吗?这取决于,只有你可以回答。如果这是为了许可,就相当于在盒子上贴了一张贴纸,上面写着“不要复制我的软件”。另一方面,制定一个对于经验丰富且意志坚定的攻击者来说难以破解的强大许可方案是一项艰巨的任务,您可能需要考虑是否值得付出努力。就我个人而言,我会投入时间让软件变得如此出色,让人们愿意付费,而不是阻止少数坏人未经许可使用它。
Yes, this is easily broken. Any developer with knowledge of tools such as Reflector (or ILSpy, or dotPeek, or ...), will have no trouble identifying the encryption function and finding your key. Someone who has the assembly will even be able to call
Decryptdirectly, not bothering with extracting the key.Is it sufficiently secure ? It depends, only you can answer that. If this is for licensing, it is the equivalent of putting a sticker on a box saying "Don't copy my software". On the other hand, making a robust licensing scheme that is hard to break for an experienced and determined attacker, is a large undertaking, and you might want to consider if it is worth the effort. Personally, I would invest my time in making the software so awesome, that people will want to pay for it, rather than stopping a small number of bad guys from using it unlicensed.
不,这不安全。即使进行混淆,它也很容易被破解。有人可以很快地制作注册机。
您可以通过使用公钥加密解决秘密问题,因此只有公开部分会包含在程序集中(并且您自己保留私钥)。
OTOH,有人可以用自己的公钥替换这个公钥...(制作补丁和密钥生成器。)所以你需要更多的东西来保护你的代码,例如代码签名会有帮助。
创建安全的 DRM 并不是一件容易的事(实际上在我看来这是不可能的)。你可以投入比其他人破解它所需的更多的时间。因此,您可以:
a) 使用简单的方法来让诚实的人保持诚实;
b) 创建或购买(比您自己的便宜)一些复杂的解决方案,但不是 100% 安全 - 但这可以给您一些额外的安全时间来销售您的应用程序;
No, it's not secure. It would be easy to break, even with obfuscation. Someone can make a keygen pretty quickly.
You can solve the secret key issue by using public key encryption, so only the public part will be included in the assembly (and you keep the private key to yourself).
OTOH someone can just replace this public key with it's own... (make a patch and a keygen.) so you need a bit more to protect your code, e.g. code signing would help.
Creating a safe DRM is not an easy job (actually it's not possible IMO). You can invest much more time than it would take (for someone else to crack it). So you can either:
a) use a simple one to keep honest people honest;
b) create or buy (cheaper than your own) some complex solution, but not 100% safe - but that can give you some extra safe time to sell your app;
从已编译的程序集中窃取密钥非常很容易。
您需要使用非对称加密(RSA)。
接下来,您将询问如何防止人们修改程序集以放入自己的公钥,或删除整个许可证检查。
It is trivially easy to steal the key from the compiled assembly.
You need to use asymmetric encryption (RSA).
Next, you'll ask how to prevent people from modifying the assembly to put in their own public key, or to remove the entire license check.