How can I securely embed a static string (key) in C#? Tags: string, static, security

2023-09-02 01:53:08 Author: 路人甲


I'm looking for a way to securely store an API key in a WP7 application. The key is a string and is currently hard coded into the code (see below). I know that someone with a reflector program could easily view this. Is there a better way to package this key as part of my app? Would a resource be more secure?

string key = "DSVvjankjnersnkaecjnDFSD44VDS23423423rcsedzcadERVSDRFWESDVTsdt";


(This isn't the actual key ;) )

Thanks in advance.

Recommended answer


Have a look at http://msdn.microsoft.com/en-us/magazine/cc164054.aspx, it is a good read. Your question is under the "Hiding Keys in the Application Source Code" section.

Excerpt:


If you define the key in the application, in addition to obfuscating the assembly, try not to store the actual key bytes in the source code. Instead, implement key-generation logic using persistent characteristics, such as the encryption algorithm, key size, pass phrase, initialization vector, and salt (see an example at Encrypt and Decrypt Data Using a Symmetric (Rijndael) Key). This will introduce an extra layer of indirection, so the key will not be accessible by simply dumping the symbols from the application binary. As long as you do not change key-generation logic and key characteristics, the resulting key is guaranteed to be the same. It may also be a good idea not to use static strings as key-generation characteristics, but rather build them on the fly. Another suggestion would be to treat the assembly the same way as the data store should be treated, that is, by applying the appropriate ACLs. And only use this option as a last resort, when none of the other data protection techniques work and your only alternative is leaving sensitive data unencrypted.
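The indirection the excerpt describes, written out as an added C# example (not code from the answer or from the MSDN article): the key bytes never appear in the source; they are re-derived at run time with PBKDF2 from a pass phrase assembled on the fly, a salt and an iteration count, and only the encrypted API key is embedded. The pass phrase fragments, salt, iteration count and secret are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not code from the answer or the MSDN article: the AES key is re-derived
// at run time from key-generation characteristics; only the secret's ciphertext ships.
static class KeyIndirection
{
    // Key-generation characteristics (all values constructed for this example).
    const int KeyBytes = 32, Iterations = 10000;
    static readonly byte[] Salt = { 0x4a, 0x9f, 0x11, 0xe3, 0x7c, 0x02, 0xb8, 0x5d };
    // Pass phrase built from fragments at run time; "a" + "b" on literals would be folded back into one literal.
    static string BuildPassPhrase()
    {
        var sb = new StringBuilder();
        foreach (var part in new[] { "wp7", "-", "sample", "-", "phrase" }) sb.Append(part);
        return sb.ToString();
    }
    // PBKDF2 (Rfc2898DeriveBytes) turns the characteristics into the AES-256 key.
    static byte[] DeriveKey()
    {
        using (var kdf = new Rfc2898DeriveBytes(BuildPassPhrase(), Salt, Iterations)) return kdf.GetBytes(KeyBytes);
    }
    // Build-time step: encrypt the real secret once and embed only IV + ciphertext in the app.
    public static byte[] Protect(string secret)
    {
        using (var aes = new AesManaged { Key = DeriveKey() })
        using (var enc = aes.CreateEncryptor())
        {
            byte[] plain = Encoding.UTF8.GetBytes(secret);
            byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] blob = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
            Buffer.BlockCopy(cipher, 0, blob, aes.IV.Length, cipher.Length);
            return blob;
        }
    }
    // Run-time step: re-derive the same key and recover the API key in memory only.
    public static string Unprotect(byte[] blob)
    {
        using (var aes = new AesManaged { Key = DeriveKey() })
        {
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length));
        }
    }
}
```

Every input to DeriveKey still lives in the assembly, so this only stops someone who reads the decompiled source for a literal; it does not stop someone who runs the app under a debugger or re-executes the derivation, which is why the excerpt treats it as a last resort.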