How to protect an API key in a .NET application

吃可爱长大的小学妹 提交于 2019-12-08 16:03:39

问题


My application hits a number of web services, such as Twitter and Flickr. It uses API keys from those services, and I'd like to obfuscate them in my binaries. (I'm not really worried about piracy or anything, I just need to keep these keys secret.)

What's the best way to go about it?

If I store them as const SecureString, does that keep them out of memory? The MSDN description says the text is "deleted from computer memory when no longer needed", but isn't a const always in memory?

Will Dotfuscator obscure it in my assembly? (Assuming I can get it to work.)


回答1:


I've recently had to deal with exactly this situation. The problem isn't so much making sure someone can't easily find it using a hex editor but rather when it's sent over the wire to the various APIs. Simply running fiddler and watching requests will show the key regardless. Some APIs will have the benefit of a private/public key which helps a little.

The only solution I could come up with was to create a webservice of my own externally hosted that acted as a proxy between the client and the targeted API. This allowed me to generate individual keys to each terminal that I could activate/deactivate and majority of the sensitive data was stored on my remote proxy application.

Good luck!

~ "Dont't forget to drink your Ovaltine"




回答2:


Anon is correct, there is no way to completely protect data; someone can always get it at.

But you want to make it as difficult as possible. This means not doing the things that make it easy to read:

  • not storing in a registry key (e.g. TwitterAPIKey REG_SZ)
  • not storing in a text file (e.g. twitterkey.txt), or in an ini file
  • not storing in the application's .config file
  • not storing as plain text in the binary
  • not storing unencrypted in the binary

This will leave people who have to have knowledge of a debugger, and (possibly) assembly code.

You've reduced the attack surface a lot.

Follow just the first three suggestions and you'll well on your way.




回答3:


maybe you can ask your user to use their own api keys. They can register themselves to the apis, and then reference their key in your app's settings



来源:https://stackoverflow.com/questions/4938522/how-to-protect-an-api-key-in-a-net-application

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!