Windows DPAPI - What is the entropy for? (Tags: what for, Windows, DPAPI)

2023-09-03 12:04:16 Author: 无伴终老

I'm using the Windows DPAPI to encrypt some sensitive data for me. The cipher is stored in the registry. This all works well, but I was wondering if someone could clarify my understanding of the 'entropy' bytes that are (optionally) supplied to ProtectedData.Protect() in .NET.

The 'entropy' byte array appears to be analogous to an initialization vector or salt used with other cryptography schemes, but I could not see a good description of the entropy bytes in MSDN. The code samples I've seen just hard-code the entropy bytes!

Are the entropy bytes supplied to ProtectedData.Protect() & ProtectedData.Unprotect analogous to an IV or salt? Can the entropy bytes therefore be stored safely alongside the cipher, or would that compromise security?

Recommended answer

Entropy is a secondary key that is specific to the application that is protecting data. The general idea, if I remember correctly, was to allow multiple applications to encrypt data under a single user account, but still maintain security between each other. For example, your application may encrypt data under UserA. If my application wished to decrypt that data under UserA, there really isn't anything to stop me from doing so, as the DPAPI uses the user's key. However, if you factor in an application-specific "entropy", then I would need to know your entropy to decrypt any data protected for UserA.

Entropy could be considered analogous to salt, in that it is an additional key or secret used to further abstract the encrypted content. Unlike salt, your application's entropy would need to remain the same for every encryption operation under a given credential. With salt, it's generally best to change it as often as you can.

Entropy is essentially an additional key, and it should be treated like any other cryptographic key. Keep it private and secure.

BTW, I think 'entropy' was an atrocious word to use for this purpose. Something like 'differentiator', or perhaps even coining a word like 'distinctifier', would have been better. :P A very confusing term to use.
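The behaviour the answer describes (same user, different entropy, decryption refused) can be checked directly with the .NET API. The following is an added C# example, not code from the question or the answer; it assumes Windows, the System.Security.Cryptography.ProtectedData package on .NET 6 or later (the type is built into .NET Framework), and uses constructed placeholder values for the application secret and the two entropy strings.

```csharp
// Added example: exercises the optional entropy parameter of
// ProtectedData.Protect / ProtectedData.Unprotect. Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

static class DpapiEntropyDemo
{
    // Constructed placeholder values. In a real application the entropy is an
    // application secret: unlike a salt or IV it is NOT stored beside the ciphertext.
    static readonly byte[] AppEntropy   = Encoding.UTF8.GetBytes("example-app-secret-v1");
    static readonly byte[] OtherEntropy = Encoding.UTF8.GetBytes("some-other-app-secret");

    // Protect under the current user's DPAPI master key, mixing in the entropy.
    static byte[] Protect(byte[] plaintext, byte[] entropy) =>
        ProtectedData.Protect(plaintext, entropy, DataProtectionScope.CurrentUser);

    // Returns null when DPAPI rejects the blob (wrong entropy, wrong user, or tampering).
    static byte[] TryUnprotect(byte[] ciphertext, byte[] entropy)
    {
        try
        {
            return ProtectedData.Unprotect(ciphertext, entropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("db-password-example"); // constructed sample data
        byte[] blob = Protect(secret, AppEntropy);

        // 1. Same user, same entropy: round-trips.
        byte[] ok = TryUnprotect(blob, AppEntropy);
        Console.WriteLine(ok != null && Encoding.UTF8.GetString(ok) == "db-password-example"
            ? "correct entropy: decrypted"
            : "correct entropy: FAILED (unexpected)");

        // 2. Same user, different entropy: refused. This is the point of the parameter;
        //    another process running as this user still needs the application's secret.
        Console.WriteLine(TryUnprotect(blob, OtherEntropy) == null
            ? "wrong entropy: rejected"
            : "wrong entropy: decrypted (unexpected)");

        // 3. Same user, no entropy supplied at all: also refused.
        Console.WriteLine(TryUnprotect(blob, null) == null
            ? "no entropy: rejected"
            : "no entropy: decrypted (unexpected)");
    }
}
```

The example only demonstrates the separation between applications; it does not make the entropy any harder to obtain. If the entropy is a literal compiled into the binary, anyone who can read that binary and run code as the same user can reproduce the call, so from a defender's point of view the entropy should be treated and stored with the same care as any other application key rather than placed in the registry next to the blob it protects.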