Security Frame: Sensitive Data | Mitigations

Product/Service (each has its mitigation articles in the sections below)
  • Machine Trust Boundary
  • Web Application
  • Database
  • Web API
  • Azure Document DB
  • Azure IaaS VM Trust Boundary
  • Service Fabric Trust Boundary
  • Dynamics CRM
  • Azure Storage
  • Mobile Client
  • WCF

Ensure that binaries are obfuscated if they contain sensitive information

Title                    Details
Component                Machine Trust Boundary
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Ensure that binaries are obfuscated if they contain sensitive information such as trade secrets or sensitive business logic that should not be reverse engineered. This is to stop reverse engineering of assemblies. Tools like CryptoObfuscator may be used for this purpose.

Consider using Encrypted File System (EFS) to protect confidential user-specific data

Title                    Details
Component                Machine Trust Boundary
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Consider using Encrypted File System (EFS) to protect confidential user-specific data from adversaries with physical access to the computer.

Ensure that sensitive data stored by the application on the file system is encrypted

Title                    Details
Component                Machine Trust Boundary
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    If EFS cannot be enforced, ensure that sensitive data stored by the application on the file system is encrypted (e.g., using DPAPI).

Ensure that sensitive content is not cached on the browser

Title                    Details
Component                Web Application
SDL Phase                Build
Applicable Technologies  Generic, Web Forms, MVC5, MVC6
Attributes               N/A
References               N/A
Steps                    Browsers can store information for purposes of caching and history. These cached files are stored in a folder, like the Temporary Internet Files folder in the case of Internet Explorer. When these pages are visited again, the browser displays them from its cache. If sensitive information is displayed to the user (such as their address, credit card details, Social Security Number, or username), then this information could be stored in the browser's cache and therefore be retrievable by examining the browser's cache or by simply pressing the browser's "Back" button. Set the Cache-Control response header value to "no-store" for all pages.

Example

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- no-store keeps the response out of the disk cache; no-cache forces revalidation -->
        <add name="Cache-Control" value="no-cache, no-store" />
        <add name="Pragma" value="no-cache" />
        <add name="Expires" value="-1" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Example

This may be implemented through a filter. The following example may be used:

using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Action filter that marks every response as non-cacheable unless the
// action explicitly opts in to caching with [OutputCache].
public class NoCacheFilterAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext == null || (filterContext.HttpContext != null && filterContext.HttpContext.Response != null && filterContext.HttpContext.Response.IsRequestBeingRedirected))
        {
            // Since this is the MVC pipeline, filterContext should never be null;
            // a redirect carries no sensitive body, so it is left alone.
            return;
        }

        var attributes = filterContext.ActionDescriptor.GetCustomAttributes(typeof(System.Web.Mvc.OutputCacheAttribute), false);
        if (attributes == null || attributes.Count() == 0)
        {
            // Emits Cache-Control: no-cache, no-store and an Expires value in the past.
            filterContext.HttpContext.Response.Cache.SetNoStore();
            filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
            if (!filterContext.IsChildAction)
            {
                // Child actions share the parent's response, so Pragma is appended only once.
                filterContext.HttpContext.Response.AppendHeader("Pragma", "no-cache");
            }
        }

        base.OnActionExecuting(filterContext);
    }
}
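As an added example (not from the original page), the following Python check audits a response's headers against the "no-store for all pages" rule described above; the sample responses are constructed for illustration.

```python
"""Audit response headers against the "no-store for all pages" rule.

Added example, not part of the original page; the responses in SAMPLE
are constructed for illustration.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}.

    Directive names are case-insensitive; bare directives map to "".
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means it complies."""
    # Header names are case-insensitive, so normalise them first.
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        if "no-cache" in cc:
            # no-cache only forces revalidation; the browser may still keep
            # a copy on disk, so it does not satisfy the rule on its own.
            findings.append("Cache-Control has no-cache but lacks no-store")
        else:
            findings.append("Cache-Control lacks no-store")
    if cc.get("max-age", "0") != "0":
        findings.append("Cache-Control allows caching for max-age=" + cc["max-age"])
    if "public" in cc:
        findings.append("Cache-Control marks the response as public")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


# Constructed sample: one compliant page and two weak ones.
SAMPLE = {
    "/account/summary": {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache", "Expires": "-1"},
    "/account/cards": {"Cache-Control": "no-cache"},
    "/account/profile": {"cache-control": "public, max-age=3600"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each non-compliant URL to its findings."""
    report: Dict[str, List[str]] = {}
    for url, headers in responses.items():
        findings = cache_findings(headers)
        if findings:
            report[url] = findings
    return report
```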

Encrypt sections of the Web App's configuration files that contain sensitive data

Title                    Details
Component                Web Application
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI; Specifying a Protected Configuration Provider; Using Azure Key Vault to protect application secrets
Steps                    Configuration files such as Web.config and appsettings.json are often used to hold sensitive information, including user names, passwords, database connection strings, and encryption keys. If you do not protect this information, your application is vulnerable to attackers or malicious users obtaining sensitive information such as account user names and passwords, database names and server names. Based on the deployment type (Azure/on-prem), encrypt the sensitive sections of the config files using DPAPI or services like Azure Key Vault.

Explicitly disable the autocomplete HTML attribute in sensitive forms and inputs

Title                    Details
Component                Web Application
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               MSDN: autocomplete attribute; Using AutoComplete in HTML; HTML Sanitization Vulnerability
Steps                    The autocomplete attribute specifies whether a form should have autocomplete on or off. When autocomplete is on, the browser automatically completes values based on values that the user has entered before. For example, when a new name and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the clear text password from the browser cache. By default autocomplete is enabled, and it must explicitly be disabled.

Example

<form action="Login.aspx" method="post" autocomplete="off">
      Social Security Number: <input type="text" name="ssn" />
      <input type="submit" value="Submit" />
</form>

Ensure that sensitive data displayed on the user screen is masked

Title                    Details
Component                Web Application
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Sensitive data such as passwords, credit card numbers, SSNs, etc. should be masked when displayed on the screen. This is to prevent unauthorized personnel from accessing the data (e.g., shoulder-surfing passwords, support personnel viewing users' SSNs). Ensure that these data elements are not visible in plain text and are appropriately masked. This has to be taken care of both while accepting them as input (e.g., input type="password") and when displaying them back on the screen (e.g., display only the last 4 digits of the credit card number).

Implement dynamic data masking to limit sensitive data exposure to non-privileged users

Title                    Details
Component                Database
SDL Phase                Build
Applicable Technologies  SQL Azure, OnPrem
Attributes               SQL Version - V12, SQL Version - MsSQL2016
References               Dynamic Data Masking
Steps                    The purpose of dynamic data masking is to limit exposure of sensitive data, preventing users who should not have access to the data from viewing it. Dynamic data masking does not aim to prevent database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data. Dynamic data masking is complementary to other SQL Server security features (auditing, encryption, row-level security, ...) and it is highly recommended to use it in conjunction with them in order to better protect the sensitive data in the database. Please note that this feature is supported only by SQL Server 2016 and later and by Azure SQL Database.
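The following Python helpers, added here and not part of the original page, implement the display-side masking that the two rules above (masking on screen, and dynamic data masking) call for; the partial() helper mirrors the prefix/padding/suffix shape of dynamic data masking's partial function as an assumption of this example rather than its exact semantics, and the record values are constructed.

```python
"""Display-side masking for passwords, card numbers, SSNs and e-mail.

Added example, not the page's own code. partial() follows the
prefix/padding/suffix shape of SQL dynamic data masking's partial()
(an assumption of this example); all sample values are constructed.
"""
import re
from typing import Dict

_DIGIT = re.compile(r"\d")


def partial(value: str, prefix: int, padding: str, suffix: int) -> str:
    """Expose the first `prefix` and last `suffix` characters, pad the rest."""
    if prefix < 0 or suffix < 0:
        raise ValueError("prefix and suffix must be non-negative")
    if len(value) <= prefix + suffix:
        # Too short to expose anything safely: mask the whole value.
        return padding
    head = value[:prefix]
    tail = value[len(value) - suffix:] if suffix else ""
    return head + padding + tail


def mask_card_number(pan: str) -> str:
    """Show only the last four digits; separators (space/dash) are kept."""
    digits = _DIGIT.findall(pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("not a plausible card number length")
    keep = set(range(len(digits) - 4, len(digits)))
    out, i = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if i in keep else "*")
            i += 1
        elif ch in " -":
            out.append(ch)
        else:
            raise ValueError("unexpected character in card number")
    return "".join(out)


def mask_ssn(ssn: str) -> str:
    """US SSN rendered as XXX-XX-1234 regardless of input formatting."""
    digits = "".join(_DIGIT.findall(ssn))
    if len(digits) != 9:
        raise ValueError("SSN must contain nine digits")
    return partial(digits, 0, "XXX-XX-", 4)


def mask_email(email: str) -> str:
    """a***@example.com: keep the domain so support can still route the case."""
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")
    return partial(local, 1, "***", 0) + "@" + domain


def mask_record(row: Dict[str, str]) -> Dict[str, str]:
    """Apply per-field masking to a row; passwords are never echoed at all."""
    masked = dict(row)
    if "password" in masked:
        masked["password"] = "********"
    if "card_number" in masked:
        masked["card_number"] = mask_card_number(masked["card_number"])
    if "ssn" in masked:
        masked["ssn"] = mask_ssn(masked["ssn"])
    if "email" in masked:
        masked["email"] = mask_email(masked["email"])
    return masked
```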

Ensure that passwords are stored in salted hash format

Title                    Details
Component                Database
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               Password Hashing using .NET Crypto APIs
Steps                    Passwords should not be stored in custom user store databases. Password hashes should be stored with salt values instead. Make sure the salt for each user is always unique and apply bcrypt, scrypt or PBKDF2 before storing the password, with a minimum work-factor iteration count of 150,000 loops to eliminate the possibility of brute forcing.
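An added Python example (not the page's own code) of the salted, iterated hashing described above, using PBKDF2-HMAC-SHA256 with the 150,000-iteration floor; the record format pbkdf2_sha256$iterations$salt$hash is an assumption of this example.

```python
"""Salted PBKDF2 password storage with a work-factor floor.

Added example, not the page's code. Records are stored as
"pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" (format assumed here).
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
MIN_ITERATIONS = 150_000   # work-factor floor stated in the rule above
SALT_BYTES = 16
KEY_BYTES = 32


def format_record(iterations: int, salt: bytes, digest: bytes) -> str:
    """Serialise the parameters so verification needs no external state."""
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Hash with a fresh random per-user salt; refuse weak work factors."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iterations must be >= %d" % MIN_ITERATIONS)
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return format_record(iterations, salt, digest)


def _parse(record: str):
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unsupported password record")
    return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record's work factor is below current policy,
    so the application can re-hash it at the user's next successful login."""
    iterations, _, _ = _parse(record)
    return iterations < MIN_ITERATIONS
```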

Ensure that sensitive data in database columns is encrypted

Title                    Details
Component                Database
SDL Phase                Build
Applicable Technologies  Generic
Attributes               SQL Version - All
References               Encrypting sensitive data in SQL Server; How to: Encrypt a Column of Data in SQL Server; Encrypt by Certificate
Steps                    Sensitive data such as credit card numbers has to be encrypted in the database. Data can be encrypted using column-level encryption or by an application function using the encryption functions.

Ensure that database-level encryption (TDE) is enabled

Title                    Details
Component                Database
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               Understanding SQL Server Transparent Data Encryption (TDE)
Steps                    The Transparent Data Encryption (TDE) feature in SQL Server helps in encrypting sensitive data in a database and protects the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data. TDE protects data "at rest", meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries.

Ensure that database backups are encrypted

Title                    Details
Component                Database
SDL Phase                Build
Applicable Technologies  SQL Azure, OnPrem
Attributes               SQL Version - V12, SQL Version - MsSQL2014
References               SQL database backup encryption
Steps                    SQL Server has the ability to encrypt the data while creating a backup. By specifying the encryption algorithm and the encryptor (a certificate or asymmetric key) when creating a backup, one can create an encrypted backup file.

Ensure that sensitive data relevant to the Web API is not stored in the browser's storage

Title                    Details
Component                Web API
SDL Phase                Build
Applicable Technologies  MVC 5, MVC 6
Attributes               Identity Provider - ADFS, Identity Provider - Azure AD
References               N/A
Steps

In certain implementations, sensitive artifacts relevant to the Web API's authentication are stored in the browser's local storage, e.g., Azure AD authentication artifacts like adal.idtoken, adal.nonce.idtoken, adal.access.token.key, adal.token.keys, adal.state.login, adal.session.state, adal.expiration.key, etc.

All these artifacts remain available even after sign-out or after the browser is closed. If an adversary gets access to these artifacts, they can reuse them to access the protected resources (APIs). Ensure that sensitive artifacts related to the Web API are not stored in the browser's storage. In cases where client-side storage is unavoidable (e.g., Single Page Applications (SPA) that leverage implicit OpenID Connect/OAuth flows need to store access tokens locally), use storage choices that do not have persistence, e.g., prefer sessionStorage to localStorage.

Example

The JavaScript snippet below is from a custom authentication library which stores authentication artifacts in local storage. Such implementations should be avoided.

ns.AuthHelper.Authenticate = function () {
    window.config = {
        instance: 'https://login.chinacloudapi.cn/',
        tenant: ns.Configurations.Tenant,
        clientId: ns.Configurations.AADApplicationClientID,
        postLogoutRedirectUri: window.location.origin,
        // 'localStorage' persists tokens across sign-out and browser restarts;
        // this is the setting the rule above warns against.
        cacheLocation: 'localStorage', // enable this for IE, as sessionStorage does not work for localhost.
    };
};

Encrypt sensitive data stored in Cosmos DB

Title                    Details
Component                Azure Document DB
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Encrypt sensitive data at the application level before storing it in Document DB, or store any sensitive data in other storage solutions like Azure Storage or Azure SQL.

Use Azure Disk Encryption to encrypt disks used by Virtual Machines

Title                    Details
Component                Azure IaaS VM Trust Boundary
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               Using Azure Disk Encryption to encrypt disks used by your virtual machines
Steps

Azure Disk Encryption is a new feature that is currently in preview. This feature allows you to encrypt the OS disks and data disks used by an IaaS Virtual Machine. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. This is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. The Azure Disk Encryption solution supports the following three customer encryption scenarios:

  • Enable encryption on new IaaS VMs created from customer-encrypted VHD files and customer-provided encryption keys, which are stored in Azure Key Vault.
  • Enable encryption on new IaaS VMs created from the Azure Marketplace.
  • Enable encryption on existing IaaS VMs already running in Azure.

Encrypt secrets in Service Fabric applications

Title                    Details
Component                Service Fabric Trust Boundary
SDL Phase                Build
Applicable Technologies  Generic
Attributes               Environment - Azure
References               Managing secrets in Service Fabric applications
Steps                    Secrets can be any sensitive information, such as storage connection strings, passwords, or other values that should not be handled in plain text. Use Azure Key Vault to manage keys and secrets in Service Fabric applications.

Perform security modeling and use Business Units/Teams where required

Title                    Details
Component                Dynamics CRM
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Perform security modeling and use Business Units/Teams where required.

Minimize access to the Share feature on critical entities

Title                    Details
Component                Dynamics CRM
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Minimize access to the Share feature on critical entities.

Train users on the risks associated with the Dynamics CRM Share feature and good security practices

Title                    Details
Component                Dynamics CRM
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Train users on the risks associated with the Dynamics CRM Share feature and good security practices.

Include a development standards rule proscribing showing config details in exception management

Title                    Details
Component                Dynamics CRM
SDL Phase                Deployment
Applicable Technologies  Generic
Attributes               N/A
References               N/A
Steps                    Include a development standards rule proscribing showing config details in exception management outside development. Test for this as part of code reviews or periodic inspection.

Use Azure Storage Service Encryption (SSE) for Data at Rest (Preview)

Title                    Details
Component                Azure Storage
SDL Phase                Build
Applicable Technologies  Generic
Attributes               StorageType - Blob
References               Azure Storage Service Encryption for Data at Rest (Preview)
Steps

Azure Storage Service Encryption (SSE) for Data at Rest helps you protect and safeguard your data to meet your organizational security and compliance commitments. With this feature, Azure Storage automatically encrypts your data prior to persisting it to storage and decrypts it prior to retrieval. The encryption, decryption and key management are totally transparent to users. SSE applies only to block blobs, page blobs, and append blobs. The other types of data, including tables, queues, and files, will not be encrypted.

Encryption and Decryption Workflow:

  • The customer enables encryption on the storage account.
  • When the customer writes new data (PUT Blob, PUT Block, PUT Page, etc.) to Blob storage, every write is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.
  • When the customer needs to access data (GET Blob, etc.), the data is automatically decrypted before being returned to the user.
  • If encryption is disabled, new writes are no longer encrypted and existing encrypted data remains encrypted until rewritten by the user. While encryption is enabled, writes to Blob storage will be encrypted. The state of the data does not change when the user toggles between enabling and disabling encryption for the storage account.
  • All encryption keys are stored, encrypted, and managed by Microsoft.

Please note that at this time, the keys used for the encryption are managed by Microsoft. Microsoft generates the keys originally, and manages the secure storage of the keys as well as their regular rotation as defined by internal Microsoft policy. In the future, customers will get the ability to manage their own encryption keys, with a migration path from Microsoft-managed keys to customer-managed keys.

Use Client-Side Encryption to store sensitive data in Azure Storage

Title                    Details
Component                Azure Storage
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               Client-Side Encryption and Azure Key Vault for Microsoft Azure Storage; Tutorial: Encrypt and decrypt blobs in Microsoft Azure Storage using Azure Key Vault; Storing Data Securely in Azure Blob Storage with Azure Encryption Extensions
Steps

The Azure Storage Client Library for .NET NuGet package supports encrypting data within client applications before uploading it to Azure Storage, and decrypting data while downloading it to the client. The library also supports integration with Azure Key Vault for storage account key management. Here is a brief description of how client-side encryption works:

  • The Azure Storage client SDK generates a content encryption key (CEK), which is a one-time-use symmetric key.
  • Customer data is encrypted using this CEK.
  • The CEK is then wrapped (encrypted) using the key encryption key (KEK). The KEK is identified by a key identifier and can be an asymmetric key pair or a symmetric key, and can be managed locally or stored in Azure Key Vault. The Storage client itself never has access to the KEK. It just invokes the key wrapping algorithm that is provided by Key Vault. Customers can choose to use custom providers for key wrapping/unwrapping if they want.
  • The encrypted data is then uploaded to the Azure Storage service. Check the links in the References section for low-level implementation details.

Encrypt sensitive or PII data written to the phone's local storage

Title                    Details
Component                Mobile Client
SDL Phase                Build
Applicable Technologies  Generic, Xamarin
Attributes               N/A
References               Manage settings and features on your devices with Microsoft Intune policies; Keychain Valet
Steps

If the application writes sensitive information like the user's PII (email, phone number, first name, last name, preferences, etc.) to the mobile device's file system, then it should be encrypted before being written to the local file system. If the application is an enterprise application, then explore the possibility of publishing the application using Windows Intune.

Example

Intune can be configured with the following security policies to safeguard sensitive data:

Require encryption on mobile device
Require encryption on storage cards
Allow screen capture

Example

If the application is not an enterprise application, then use the platform-provided keystore or keychain to store encryption keys, with which cryptographic operations may be performed on the file system. The following code snippet shows how to access a key from the keychain using Xamarin:

using System;
using Foundation;
using Security;

// Reads a per-app random key from the iOS keychain, creating it on first use.
// The key itself never touches the app's file system; only the keychain holds it.
public class KeychainKeys
{
    private static string _Key;

    protected static string EncryptionKey
    {
        get
        {
            if (String.IsNullOrEmpty(_Key))
            {
                var query = new SecRecord(SecKind.GenericPassword);
                query.Service = NSBundle.MainBundle.BundleIdentifier;
                query.Account = "UniqueID";

                NSData uniqueId = SecKeyChain.QueryAsData(query);
                if (uniqueId == null)
                {
                    // First run: generate a random key and persist it in the keychain.
                    string newKey = System.Guid.NewGuid().ToString();
                    query.ValueData = NSData.FromString(newKey);
                    var err = SecKeyChain.Add(query);
                    if (err != SecStatusCode.Success)
                    {
                        throw new InvalidOperationException("Keychain add failed: " + err);
                    }
                    _Key = newKey;
                }
                else
                {
                    // Decode the stored bytes as UTF-8 instead of relying on NSData.ToString().
                    _Key = NSString.FromData(uniqueId, NSStringEncoding.UTF8);
                }
            }

            return _Key;
        }
    }
}

Obfuscate generated binaries before distributing them to end users

Title                    Details
Component                Mobile Client
SDL Phase                Build
Applicable Technologies  Generic
Attributes               N/A
References               Crypto Obfuscation For .Net
Steps                    Generated binaries (assemblies within the apk) should be obfuscated to stop reverse engineering of assemblies. Tools like CryptoObfuscator may be used for this purpose.

Set clientCredentialType to Certificate or Windows

Title                    Details
Component                WCF
SDL Phase                Build
Applicable Technologies  .NET Framework 3
Attributes               N/A
References               Fortify
Steps                    Using a UsernameToken with a plaintext password over an unencrypted channel exposes the password to attackers who can sniff the SOAP messages. Service providers that use the UsernameToken might accept passwords sent in plaintext. Sending plaintext passwords over an unencrypted channel can expose the credential to attackers who can sniff the SOAP message.

Example

The following WCF service provider configuration uses the UsernameToken:

<security mode="Message">
  <message clientCredentialType="UserName" />
</security>

Set clientCredentialType to Certificate or Windows.

WCF - Security Mode is not enabled

Title                    Details
Component                WCF
SDL Phase                Build
Applicable Technologies  Generic, .NET Framework 3
Attributes               Security Mode - Transport, Security Mode - Message
References               MSDN; Fortify Kingdom; Fundamentals of WCF Security (CoDe Magazine)
Steps                    No transport or message security has been defined. Applications that transmit messages without transport or message security cannot guarantee the integrity or confidentiality of the messages. When a WCF security binding is set to None, both transport and message security are disabled.

Example

The following configuration sets the security mode to None.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MyBinding">
        <security mode="None"/>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>

Example

Security Mode. Across all service bindings there are five possible security modes:

  • None. Turns security off.
  • Transport. Uses transport security for mutual authentication and message protection.
  • Message. Uses message security for mutual authentication and message protection.
  • Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
  • TransportWithMessageCredential. Credentials are passed with the message; message protection and server authentication are provided by the transport layer.
  • TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.

Use transport and message security to protect the integrity and confidentiality of messages. The configuration below tells the service to use transport security with message credentials.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MyBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Windows"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>