问题
The scenario is this: There is a desktop Java application running on a random computer, out of the developer's control. That application connects to a MySQL server installed on the same computer.
Is there a way to keep the database login credentials secure from the local user?
I can imagine that, being the admin of the local pc with both the client and the database, it might be futile to demand total security, since the credentials need to be somewhere on the system. I'm wondering if having the password hard-coded in the desktop app might be the best bet. I know it's a big no-no but are there better alternatives in a case like this?
回答1:
You could keep them in a symmetrically encrypted file and hard code the key into the application. That is at least a compromise between being able to change the password and having some basic protection against lazy local tinkerers.
回答2:
Is there a way to keep the database login credentials secure from the local user?
The short answer is no.
No matter what you do1, the username and password (or any other form of credentials) are going to be accessible by the local user, assuming that he/she has the skill and the motivation.
1 - Even the trusted platform module approach is not entirely secure. IIRC, someone succeeded in breaking TPM security using an electron microscope. While this is not a practical attack under normal circumstances, the flip-side is that building a system on TPM that wrests control of the machine from the user is not going to be acceptable in most environments.
来源:https://stackoverflow.com/questions/13812609/how-to-store-database-credentials-in-a-desktop-application