How do I hide an encryption key in a .NET application?

Posted: 2021-08-13 18:28:23

I'm developing an intranet application (C#) that uses some data (local to the web server) that we'd like to keep private. This data is encrypted (AES) using a legacy data repository. We can't totally prevent physical access to the machine.


Clearly, we're never going to have perfect security here. However, we want to make it as hard as possible for anyone to gain unauthorized access to the data.


The question is how best to store the key. Encrypting it based on some machine specific ID is an option, but that information would be readily available to anyone running a diagnostic tool on the machine.


Encoding it in the application is an option (it's a one-off application). However, .NET assemblies are pretty easy to decompile. So, would it be best to obfuscate it, use an encryption launcher, compile it?


Or is there an option I'm missing?


Just so we're clear, I know it's pretty much a lost cause if someone is determined, but we're looking to make it as hard as possible within the constraints.


3 answers

#1


5  

Encryption is built into the .NET configuration system. You can encrypt chunks of your app/web.config file, including where you store your private key.


http://www.dotnetprofessional.com/blog/post/2008/03/03/Encrypt-sections-of-WebConfig-or-AppConfig.aspx
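
The section encryption this answer describes, as an added example (not code from the answer or the linked post): it protects `appSettings` in an app.config with the built-in DPAPI provider and then reads a value back. The setting name `LegacyRepoKey` is an assumption; a web application would open its configuration with `WebConfigurationManager.OpenWebConfiguration` instead of `OpenExeConfiguration`.

```csharp
using System;
using System.Configuration; // System.Configuration.dll / System.Configuration.ConfigurationManager

static class ConfigProtector
{
    // Built-in provider backed by Windows DPAPI; the ciphertext is bound to this machine.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the named section in place. Returns false if it was already encrypted.
    public static bool ProtectSection(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false; // nothing to do, avoid rewriting the file

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true; // write even if values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main()
    {
        bool changed = ProtectSection("appSettings");
        Console.WriteLine(changed
            ? "appSettings encrypted on disk"
            : "appSettings was already encrypted");

        // Reads stay transparent: the runtime decrypts the section on access.
        ConfigurationManager.RefreshSection("appSettings");
        string key = ConfigurationManager.AppSettings["LegacyRepoKey"]; // hypothetical name
        Console.WriteLine(key != null ? "key loaded" : "key missing");
    }
}
```

Decryption is transparent to any code running as the application on that machine, so this protects the file at rest (backups, a copied config file) but not a process that is being debugged, which is the scenario answer #3 raises.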


#2


4  

Speaking in obfuscation terminology, what you are after is called constant hiding, i.e. a means by which you transform a constant into, say, a number of functions and calculations that are executed at runtime to re-materialize said constant.


This still falls within the domain of obfuscation, however, and is susceptible to either code extraction, where the attacker simply maps out the code relevant to this constant, and runs it in a separate application to retrieve the value; or dumping the application's memory at the right point in order to scan it for the desired value.


There is another, slightly more advanced method of hiding crypto keys in particular, called White-box cryptography, which employs key-less ciphers through essentially generating a cipher function from a given key, baking them together. As the name suggests, this method has been devised to be resilient even in a white-box attack scenario (the attacker has access to the bytecode and is able to inspect and manipulate the executable at runtime).


These are both quite advanced methods of achieving security through obscurity, and it might be worth considering alternative models which do not force you to do this in the first place.


#3


2  

If somebody can just attach a debugger to your program, there is absolutely nothing you can do. They won't have to figure out your config, disassemble your app, etc. All they have to do is run the app - watch it use the key - bingo.


Obfuscation is of no help under those conditions.


The best defense is to use hardware to protect the key - which will do the crypto but not give out the key itself (and is sometimes hardened against attacks such as probing the wires, exposing the memory to low temperatures/radiation/other novel stuff). IBM do some appropriate stuff (google IBM-4764) but it's not cheap.

