从桌面应用程序使用时的PasswordVault安全性
我想使用 Windows.Security。我的桌面应用程序(基于WPF)中的Credentials.PasswordVault 可以安全地存储用户的密码。我设法使用此 MSDN文章。
I'd like to use Windows.Security.Credentials.PasswordVault in my desktop app (WPF-based) to securely store a user's password. I managed to access this Windows 10 API using this MSDN article.
我做了一些实验,似乎可以从任何其他桌面应用程序读取从一个桌面应用程序(不是本机UWP应用程序)写入PasswordVault的任何数据。甚至使用台式机打包我的桌面应用程序Bridge 技术并因此具有程序包标识不能解决此漏洞。
I did some experiments and it appears that any data written to PasswordVault from one desktop app (not a native UWP app) can be read from any other desktop app. Even packaging my desktop app with Desktop Bridge technology and thus having a Package Identity does not fix this vulnerability.
任何想法如何解决并能够安全存储其他应用程序的数据?
Any ideas how to fix that and be able storing the app's data secure from other apps?
更新::PasswordVault似乎没有在 DPAPI 。该案以否定结果告终。
UPDATE: It appeared that PasswordVault adds no extra security over DPAPI. The case is closed with a negative result.
(这是我对您的帖子的了解)
(this is from what I can understand of your post)
当使用此类API的 http://www.hanselman.com/blog/SavingAndRetrievingBrowserAndOtherPasswords.aspx 进一步介绍了此内容。您可能只想解密您的信息。
There is no real way of preventing data access between desktop apps when using these kind of API's http://www.hanselman.com/blog/SavingAndRetrievingBrowserAndOtherPasswords.aspx tells more about it. You'd probably just want to decrypt your information.
内存访问限制很困难,用户执行的代码始终可由用户检索,因此很难限制
memory access restriction is difficult, code executed by the user is always retrievable by the user so it would be difficult to restrict this.
您是否考虑过使用Windows数据保护API:
https://msdn.microsoft.com/en-us/library/ms995355.aspx
have you considered using the Windows Data Protection API : https://msdn.microsoft.com/en-us/library/ms995355.aspx
直接从源中获取
DPAPI是一种易于使用的服务,它将使必须保护敏感应用程序数据(例如密码和私钥)的开发人员受益
WDPAPI使用操作系统和Triple DES生成的密钥来加密/解密数据。
WDPAPI uses keys generated by the operating system and Triple DES to encrypt/decrypt your data. Which means your application doesn't have to generate these keys, which is always nice.
您也可以使用Rfc2898DeriveBytes类,它使用伪随机数生成器来生成密钥。解密您的密码。与大多数解密程序相比,它更安全,因为没有实际的方法可以将结果从密码返回到密码。这仅对验证输入密码而不是再次取回密码非常有用。我从来没有实际使用过它,所以我将无法为您提供帮助。
You could also use the Rfc2898DeriveBytes class, this uses a pseudo-random number generator to decrypt your password. It's safer than most decrypters since there is no practical way to go back from the result back to the password. This is only really useful for verifying the input password and not retrieving it back again. I have never actually used this myself so I would not be able to help you.
另请参阅这篇文章,它给出了比我更好的解释方式。
如何安全保存用户名/密码(本地)?
see also this post which gives a way better explanation than I can. How to securely save username/password (local)?
如果我以某种方式误解了这个问题,请告诉我,我将尝试更新答案。
If I misunderstood the question in some way, tell me, I will try to update the answer.
请注意,尽管现代/地铁应用程序仍可以通过其他方式访问,但不存在此问题。
NOTE that modern/metro apps do not have this problem, although they still are accessible in other ways.