iPhone SQLite Password Field Encryption

筅森魡賤 submitted on 2019-12-10 11:39:48

Question


Good Afternoon Guys and Girls,

Hopefully this will be a quick and easy question.

I am building an App that requires the user to input their login details for an online service that it links to. Multiple login details can be added and saved as the user may have several accounts that they would like to switch between.

These details will be stored in an SQLite database and will contain their passwords. Now the questions are:

1: Should these passwords be encrypted in the database? My instinct would say yes but then I do not know how secure the device and system is and if this is necessary.

2: If they should be encrypted, what should I use? I think encrypting the whole database file sounds a bit overkill, so should I just encrypt the password before saving it to the database? If this is the case, what could I use to achieve this? I have found reference to a "crypt(3)" but am having trouble finding much about it or how to implement it.

I eagerly await your replies!

EDIT: As you will see from the chosen answer and comments, KeyChain is what I went with. For anyone interested in using it, there is some useful source code here:

http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code


Answer 1:


Don't implement your own crypto; just use the keychain.




Answer 2:


1) Yes. The passwords should be encrypted.

2) You should encrypt the password to the database. Do you have to reuse the passwords elsewhere once they are stored, or are you only using them as a check against the login credentials the user supplies?

If you're only using them as a check, then you could use a one-way hashing function like MD5 or SHA-1 or something like that (with some random characters thrown in).

Otherwise, you need to use some reversible encryption method to retrieve your stored values. I'd consider using the keychain if at all possible. It's something that Apple is offering to devs so it's their responsibility for export compliance.

EDIT

Also, you might want to check out this link if you are going for the latter route. It includes a @category in the comments on NSMutableData that allows you to sidestep having to fill out a CCATS form:

http://iphonedevelopment.blogspot.com/2009/02/strong-encryption-for-cocoa-cocoa-touch.html



Source: https://stackoverflow.com/questions/3017581/iphone-sqlite-password-field-encryption
