我开发,其中,用户生成的图像,然后使用FTP连接该应用上传到一个网站主办一个C#WPF应用程序。 对于FTP连接的证书都是一样的,目前只是存储在源代码。 我知道,使用.NET反射器,黑客可以很容易获得的FTP连接的用户名和密码。 我如何以及在哪里可以存储这些凭证是从反编译的安全? 还是有更好的办法,而不是使用FTP上传文件?
Answer 1:
You cannot allow a user access to a program that itself knows credentials which you don't want the user to know. The user will always be able to eventually extract the credentials from the program. You may be able to slow them down, but the usual copy-protection calculus applies:
- If the information is valuable enough for you to think you need to protect it, it is valuable enough for someone else to bypass your protection.
- If you invest enough effort into protection to ensure it is not worthwhile to someone else to bypass your protection, then your investment itself exceeded the value of the information (i.e. you spent too much).
Depending on your relationship to the user and the computer they are using, you have some alternatives:
- Give them the credentials, to be entered in the program configuration after it's installed. Do this only if you trust them of course.
- Implement the FTP connection code as a Windows service. Give the credentials to someone else who will install the program, which will in turn install the service, configured with the credentials. The user will have access only to a client program that will communicate with the service, which in turn will handle the FTP communications on behalf of the user. Again, do this only if you trust the person installing the program, and the untrusted user does not have admin rights on the machine.
- Issue per-user credentials. Frankly, this is IMHO the best approach. Advantages include:
- The user doesn't know anything that would affect the security of anyone else's resources,
- You don't have to try to hide anything from the user,
- You can monitor access to the FTP resource on a per-user basis, and
- You can revoke the credentials for a specific user without affecting your other users.
文章来源: How to store FTP credentials securely in C# application?