blocks|key|1005495|text|如果您想保护您的数据不受其他用户的影响。看一下ProtectedData类。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1005496|(免责声明:保护您的数据以创建版权保护方案不在此答案中)。|1005497|此类使用Windows中的DPAPI在用户或计算机级别对数据进行加密和解密。|1005498|使用ProtectedData/DPAPI可以将您从处理密钥和保护数据中解放出来。您可以选择保护当前用户的数据。相同的域用户可以从不同的计算机读取数据。|1005499|如果你想创建你自己的密钥。您可以为每个用户/机器创建一个密钥，并将该密钥存储在注册表中。因为注册表是安全的，所以只有当前用户才能读回键。我知道注册表有不好的报应，但实际上非常擅长存储这样的数据。|1005500|附言:不要把IV放在你的代码里。每次创建一个新的IV，并将其放在数据前面。|1005501|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx^0|N|D|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|V|8|@]|9|@$A|W|B|X|1|Y]]|C|$]]|$1|D|3|E|5|6|7|Z|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|10|8|@]|9|@]|C|$]]|$1|H|3|I|5|6|7|11|8|@]|9|@]|C|$]]|$1|J|3|K|5|6|7|12|8|@]|9|@]|C|$]]|$1|L|3|M|5|6|7|13|8|@]|9|@]|C|$]]|$1|N|3|-4|5|6|7|14|8|@]|9|@]|C|$]]]|O|$P|$5|Q|R|S|C|$T|U]]]]

If you want to protect your data from other users. Take a look at the <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx" rel="noreferrer">ProtectedData</a> class.

(Disclaimer: Protecting your data to create a copy protection scheme is not covered in this answer).

This classes uses the DPAPI from Windows, to encrypt and decrypt data on user or machine level.

Using ProtectedData/DPAPI frees you from handling keys and securing the data yourself. And you can choose to protect the data for the current user. The data can be read from different computers, by the same domain users.

If you want create your own key. You can create a key per user/machine, and store this key in the registry. Because the registry can be secured, only the current user can read the key back. I know the registry has bad karma, but is actually very good at storing data like this.

PS: Do not put the IV in your code. Create a new IV every time, and put it in front of the data.

blocks|key|1005541|text|通常，应该为每个会话创建新的密钥和IV，并且不应该存储密钥和IV以供以后的会话使用。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1005542|要将对称密钥和IV传递给远程方，通常会使用非对称加密对对称密钥和IV进行加密。在不加密的情况下通过不安全的网络发送这些值是非常不安全的，因为任何截获这些值的人都可以解密您的数据。有关此加密和传输密钥和IV的过程的详细信息，请参阅Creating+a+Cryptographic+Scheme。|offset|length|1005543|entityMap|0|LINK|mutability|MUTABLE|url|http://msdn.microsoft.com/en-us/library/0cwc0x23.aspx^0|0|36|V|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|O|8|@]|9|@$D|P|E|Q|1|R]]|A|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|M]]]]

Generally, a new key and IV should be created for every session, and neither the key nor IV should be stored for use in a later session.

To communicate a symmetric key and IV to a remote party, you would usually encrypt the symmetric key and IV using asymmetric encryption. Sending these values across an insecure network without encrypting them is extremely unsafe, as anyone that intercepts these values can then decrypt your data. For more information on this process of encrypting and transferring the key and IV, see <a href="http://msdn.microsoft.com/en-us/library/0cwc0x23.aspx" rel="nofollow">Creating a Cryptographic Scheme</a>.

blocks|key|791554|text|你应该使用机器密钥库，它是一个安全的存储，特别是为了这个目的。例如：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|791555|CspParameters+cspParams+=+new+CspParameters(PROV_RSA_FULL,+null,+KEYNAME);

cspParams.Flags+=+CspProviderFlags.UseMachineKeyStore;

RSACryptoServiceProvider+rsa+=+new+RSACryptoServiceProvider(cspParams);|code-block|syntax|javascript|791556|其中KEYNAME是一个自定义字符串，可用于以后检索密钥。|791557|有关更多示例，请参阅此问题：How+to+store+a+public+key+in+a+machine-level+RSA+key+container|offset|length|791558|entityMap|0|LINK|mutability|MUTABLE|url|https://stackoverflow.com/questions/2274596/how-to-store-a-public-key-in-a-machine-level-rsa-key-container^0|0|0|0|E|1Q|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|V|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|W|8|@]|9|@]|A|$]]|$1|I|3|J|5|6|7|X|8|@]|9|@$K|Y|L|Z|1|10]]|A|$]]|$1|M|3|-4|5|6|7|11|8|@]|9|@]|A|$]]]|N|$O|$5|P|Q|R|A|$S|T]]]]

You should use the Machine Keystore, it's a secure storage especially for this purpose. For example:

<pre><code>CspParameters cspParams = new CspParameters(PROV_RSA_FULL, null, KEYNAME);

cspParams.Flags = CspProviderFlags.UseMachineKeyStore;

RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cspParams);
</code></pre>

Where KEYNAME is a custom string that can be used to retrieve the key later on. 

For more examples, see this question: <a href="https://stackoverflow.com/questions/2274596/how-to-store-a-public-key-in-a-machine-level-rsa-key-container">How to store a public key in a machine-level RSA key container</a>

blocks|key|1005661|text|将文件加密/解密密钥存储在远程服务器上，通过web服务将其通过https传输到应用程序，会怎么样？这样，密钥就保留在计算机的内存中，而不是放入源代码文件中。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1005662|这要求运行应用程序的任何人都要连接到密钥服务器。|1005663|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

What about storing the file encryption/decryption key on a remote server, getting it though a web service that would transfer it though https to the application? that way the key stay in the memory of the computer but is not into a source code file.

This requires to have connection to the key server by whoever runs the application though.

In our application we have a lot of sensitive configuration settings, which we are storing in a xml file which is again encrypted.

This secure file has to be decrypted in runtime and the configuration values read. but an issue arises that the key and initialization vector is hardcoded in the code and hence anyone can read it using Reflector. 

What is the best way to store encryption keys in .NET so no one can read them using Reflector?

Best way to store encryption keys in .NET C#

在我们的应用程序中，我们有很多敏感的配置设置，我们将这些设置存储在一个xml文件中，该文件也是加密的。此安全文件必须在运行时解密，并读取配置值。但是出现了一个问题，键和初始化向量被硬编码在代码中，因此任何人都可以使用Reflector读取它。在.NET中存储加密密钥的最好方法是什么，这样就没有人可以使用Reflecto...

问在.NET C#中存储加密密钥的最佳方法
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在.NET C#中存储加密密钥的最佳方法EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问在.NET C#中存储加密密钥的最佳方法
EN