在我的Objective C代碼中,我的代碼中有一個使用者密鑰和密碼,用於SHA-1加密。我想知道的是我是否可以避免硬編碼來提高安全性。我發現有以下幾種到目前爲止,如何避免硬編碼加密密鑰(目標C)?
損害了在源代碼中聲明的靜態密鑰。磁盤上的這些密鑰應該被破壞,以防止對手分析和攔截原始密鑰;
接下來,應用程序應在需要密鑰的代碼使用之前修復密鑰;
緊接在使用密鑰之前,應用程序應執行密鑰值的校驗和以驗證未損壞的密鑰與代碼在構建時聲明的值相匹配;和
最後,應用程序應該立即重新損壞內存中的密鑰後,應用程序已完成使用它的特定呼叫。
找到2 https://github.com/UrbanApps/UAObfuscatedString
有人可以幫我嗎?
示例代碼:
+ (NSString *) getOauthHeaderForRequestString:(NSString *)requestString {
NSString *oauthConsumerKey = @"<consumer key which I want avoid hardcoding>";
NSString *oauthConsumerSecret = @"<consumer secret which I want to avoid hardcoding>";
NSString *oauthSignatureMethod = @"HMAC-SHA1";
NSString *oauthVersion = @"1.0";
NSString *oauthNonce = [self generateNonce];
NSString *oauthtimestamp = [NSString stringWithFormat:@"%d", (int)[[NSDate date] timeIntervalSince1970]];
NSArray * params = [NSArray arrayWithObjects:
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_consumer_key", oauthConsumerKey],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_nonce", oauthNonce],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_signature_method", oauthSignatureMethod],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_timestamp", oauthtimestamp],
[NSString stringWithFormat:@"%@%%3D%@", @"oauth_version", oauthVersion],
[NSString stringWithFormat:@"%@%%3D%@", @"request", [requestString stringByAddingPercentEscapesUsingEncoding:NSUTF8StringEncoding]],
nil];
params = [params sortedArrayUsingSelector:@selector(compare:)];
NSString *parameters = [params componentsJoinedByString:@"%26"];
NSString *postURL = @"<my post url>";
NSArray * baseComponents = [NSArray arrayWithObjects:
@"POST",
[self encodeString:postURL],
parameters,
nil];
NSString * baseString = [baseComponents componentsJoinedByString:@"&"];
NSArray *signingKeyComponents = [NSArray arrayWithObjects:oauthConsumerSecret, @"", nil];
NSString *signingKey = [signingKeyComponents componentsJoinedByString:@"&"];
NSData *signingKeyData = [signingKey dataUsingEncoding:NSUTF8StringEncoding];
NSData *baseData = [baseString dataUsingEncoding:NSUTF8StringEncoding];
uint8_t digest[20] = {0};
CCHmac(kCCHmacAlgSHA1, signingKeyData.bytes, signingKeyData.length, baseData.bytes, baseData.length, digest);
NSData *signatureData = [NSData dataWithBytes:digest length:20];
NSString *oauthSignature = [self base64forData:signatureData];
// final request build
NSString *oauthHeader = @"OAuth ";
oauthHeader = [oauthHeader stringByAppendingFormat:@"oauth_consumer_key=\"%@\"",oauthConsumerKey];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_nonce=\"%@\"",oauthNonce];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_signature=\"%@\"",[self encodeString:oauthSignature]];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_signature_method=\"%@\"",oauthSignatureMethod];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_timestamp=\"%@\"",oauthtimestamp];
oauthHeader = [oauthHeader stringByAppendingFormat:@",oauth_version=\"1.0\""];
return oauthHeader;
}
你是什麼意思「破壞」一個關鍵?假設密鑰是一個字符串:如何「損害」一個字符串? – Sajjon
如果您正在尋找一種在iOS應用程序中安全存儲密鑰(例如字符串)的方法,則應將其存儲在「KeyChain」中。請參閱https://www.raywenderlich.com/92667/securing-ios-data-keychain-touch-id-1password或者可能是開源框架:https://github.com/kishikawakatsumi/KeychainAccess – Sajjon
,你應該清楚你究竟在試圖抵禦自己的攻擊,你害怕什麼類型的攻擊。 – luk2302