Secure data in VB.NET?

问题

My VB.NET application has a very important boolean variable. I need to be able to save it "somewhere" and read it back in the future (even if the application is closed).

Currently, I store the variable as a .bin file somewhere. But I fear that the user can simply grab the file and do some magic to edit the value.

I need to make this value completely unavailable from the user's eyes. Or at least, make it impossible to edit. What is the best way to hide such value?

I managed to store the variable in my online MySQL database. But honestly, that doesn't work very well for my purposes. I need to store it locally...

Any ideas?

回答1:

Theoretically, you can never hide this variable at all. However, you can make it harder to find or read. To know how to hide the variable, you must first know some common ways of retrieving it.

Typical problems and solutions

How others could theoretically retrieve your variable value

1. Decompiling your program with a single click using .NET Reflector or any other .NET Decompilation program.
2. Analyze the memory of the PC while the program is running, and retrieve the value from there.
3. If your value was saved in a file, the user could easily find it by analyzing harddrive IO activity through a hook or a dump comparison.
4. If your value was saved in the registry, a simple registry hook or registry dump comparison tool could figure out where the value is stored.
5. If your value is encrypted, method #1 (decompiling the program) could be used to figuring out how a decryption could be done.

Solving the possible issues above

1. A general obfuscation program can be used to make it harder to decompile applications. For this, I suggest SmartAssembly. Other than that, there's a tool called Spoon Studio (previously called PostBuild) which will recompile your application into assembly code (and also make it run without the .NET Framework installed).
2. The SecureString class could be used to make it harder to find and decrypt the value while it's in the memory. This class also cleans itself up after usage, but is generally slightly slower to use than a normal string.
3. Storing things in a file is not nescessarily a bad idea (even if people can sniff file activity), since you can always store the variable in a non-pretty way. For instance, you could have a file called IsFullScreen.bin, that contained the value of your boolean variable (1 or 0, or true or false), even though it has nothing to do with full-screen rendering. This would make it a bit confusing, but also not very pretty programming-wise.
4. For the registry, everything in solution #3 still applies.
5. Encryption is not a bad idea either, and it is hard to decrypt some encryption types (for instance public/private key encryption if you have a server), or hashing (such as MD5 or SHA1).
6. In your scenario, could you store the value on a server instead?

So to summarize ...

You can't protect your application entirely. But you can use some of the solutions above (or combine them) for a better protection making it harder.

Of course, premature security is bad. If that boolean isn't VERY important, then some simple encryption would be fine too in my opinion.

There's more ...

Edit 1

I just noticed that you've commented on your own answer saying that the file should not be "valid" after copying it to another computer and reading it from there.

If that's the case, you could use some key-based encryption such as XOR encryption, and then use the MAC-address of the PC or the motherboard serial number as key for that encryption.

Being on the computer that the file was created on would then be needed to read the file as well. If you're interested in this, add a comment and I'll give you a code example.

回答2:

I would store it in the registry in a non-obvious way. For example, make the name of the registry entry appear to be important and store a random numeric value then ensure it ends in 0 or 1 or contains a 0 or 1 embedded at a fixed position in the number.

You can then read the value from the registry and extract the 0 or 1 from the appropriate location.

回答3:

Encrypt the value before storing it. Use .NET Cryptography Model. For more on how to implement something using that model see

来源：https://stackoverflow.com/questions/8682497/secure-data-in-vb-net