如何写出一篇“真实”的文章? C# 中的私有方法?

发布于 2024-12-25 09:46:21 字数 576 浏览 2 评论 0原文

事实上,私有方法是在 C# 中实现的,仍然可以通过 Reflection 进行搜索。

我要做的是编写 public string Encrypt(string data)private string Decrypt(string cipher) 方法来执行加密和解密。

不幸的是,如果有人了解 .NET 框架,他可以使用 Reflection 来查找 Decrypt 方法,并解密所有加密的内容。

看来这不是那么安全。所以我想将 Decrypt 方法设置为 真正 私有方法。

但如何做到这一点呢?


更新于 2012 年 1 月 9 日 10:52PM 悉尼时间

bdares 提供了此问题的技术解释

Eric Lippert 提供了政治这个问题的解释

谢谢两位专家!

In fact, private methods are implemented in C# that can still be searched with Reflection.

What I am going to do is to write public string Encrypt(string data) and private string Decrypt(string cipher) methods to perform encryption and decryption.

Unfortunately, if someone knows .NET framework, he can use Reflection to find Decrypt methods and it decrypt everything that is encrypted.

It seems that is not that secure. So I want to make Decrypt method to truly private method.

But how to do that?


Updated 09 Jan 2012 10:52PM Sydney Time

bdares provides the technical explanation of this question

Eric Lippert provides the political explanation of this question

Thanks both experts!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

魔法唧唧 2025-01-01 09:46:21

你不能。如果攻击者可以访问您的代码(无论是已编译的还是源代码),他就可以跟踪您的程序并找到其加密或解密的位置。

您可以通过将密钥存储在单独的位置来添加一层安全性,但通常如果攻击者在您的服务器上执行代码,您就已经完蛋了。

(如果攻击者在您的服务器上执行代码,您只需担心这一点,因为否则该方法是否私有并不重要。此外,他不能使用反射来查找方法名称,除非他在服务器上执行代码简而言之:您担心的是错误的事情。

You can't. If the attacker has access to your code, compiled or source, he can trace your program and find where it's being encrypted or decrypted.

You can add a layer of security by storing the key in a separate location, but generally if the attacker is executing code on your server, you're already screwed.

(You're only worried about this if the attacker is executing code on your server, because otherwise it doesn't matter whether or not the method is private. Also, he can't use reflection to find method names unless he's executing code on your server. In short: you're worrying about the wrong thing here.)

反话 2025-01-01 09:46:21

你的根本问题是你的信任模型是错误的。如果有人可以使用反射,那么他们就是用户。您是软件提供商。 你为他们工作。信任来自他们,而不来自你。他们是必须信任的人,而不是你他们

如果您不信任用户,那么首先不要向他们出售您的软件。不要向您认为计划攻击您的人出售武器。

Your fundamental problem is that you've got the trust model wrong. If someone can use reflection then they are the user. You are the software provider. You work for them. Trust flows from them, not from you. They are the person who has to trust you, not you them.

If you don't trust the user then do not sell them your software in the first place. Don't sell weapons to people who you believe plan to attack you.

旧伤慢歌 2025-01-01 09:46:21

我相信您指的是混淆,这是一种试图隐藏/伪装代码以防止被读取的尝试在 Reflector 等程序中打开时的人类。
Visual Studio 中提供了 PreEmptive Solutions dotfuscator 的社区使用许可证,它将在小型项目以及 Windows Phone 项目(如果您下载了该附加组件)上提供此功能。还有来自同一供应商和其他供应商的可用的商业平台

这篇博文解释了更多内容

I believe you are referring to obfuscation, which is an attempt to hide/disguise code from being read by humans when opened in program such as Reflector.
Supplied within Visual Studio is a community use license for PreEmptive Solutions dotfuscator which will provide this functionality on small projects, and also for Windows Phone projects (if you download the add-on). There are also commercial platforms available too, from the same vendor and others .

This blog post explains a little more.

逆蝶 2025-01-01 09:46:21

如果您正在创建自己的加密方法,那么您就错了。比你我更了解加密的人已经想出了出色的加密方法,并且 MS 已经实现了其中的大部分。

对于良好的加密来说,保证加密安全的是密钥,而不是方法。确保密钥安全,算法可以(并且应该)发布给所有人查看。

如果您尝试分发这两种内容并对其进行加密(又名 DRM),那么您很可能注定会失败,除非您可以将密钥很好地隐藏在硬件中,即使这样也只能为您赢得一些时间 - 也许是几个月,也许几年。

If you're creating your own encryption method, you're doing it wrong. People who know way more about encryption than you or I have already come up with excellent methods for encryption, and MS has implemented most of them already.

For good encryption, it's the keys, not the method, that makes encryption secure. Keep the keys safe and the algorithm can (and should) be published for all to see.

If you're trying to distribute both content and keep it encrypted, aka DRM, you're most probably doomed to failure unless you can keep the keys very well hidden in hardware, and even that will only buy you some time -- maybe months, maybe years.

紙鸢 2025-01-01 09:46:21

我不确定你的具体申请。但是,如果您将产品销售给将在自己的系统上进行加密和解密的客户,那么就无法对他们保密加密。但您可以允许他们生成新的私钥供自己使用。通过这种方式,每个客户的数据对于其他客户来说都是“安全的”;尽管在同一客户的站点内显然仍然不那么安全。在您控制加密内容的其他情况下,您还可以考虑创建要在您这边生成的私有主密钥,并且只允许客户拥有公钥。

I am not sure about your exact application. But if you are selling a product to a customer who will be doing both the Encryption and Decryption on their own system, then there is no way to keep the encryption secret from them. But you can instead allow them to generate a new Private Key for their own use. In this way each customer's data is 'secure' in regards to other customers; though obviously still not so secure within the same customer's site. In other situations where you control the encrypted content you can also look into creating a private master key to be generated on your side and only allow the customer to have a public key.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文