Question

我想使用Windows Hello存储和检索密码。用户可以在登录时选择是否要手动输入密码，或者是否要使用Windows Hello解锁（然后检索上次使用的密码，并为用户填写）。

如果Windows Hello设置正确，则doc中有两个用例一个刚刚解锁：

UserConsentVerificationResult consentResult = await UserConsentVerifier.RequestVerificationAsync("userMessage");
if (consentResult.Equals(UserConsentVerificationResult.Verified))
{
   // continue
}

和一个来自服务器的消息：

var openKeyResult = await KeyCredentialManager.OpenAsync(AccountId);
if (openKeyResult.Status == KeyCredentialStatus.Success)
{
    var userKey = openKeyResult.Credential;
    var publicKey = userKey.RetrievePublicKey();
    //the message is the challenge from the server
    var signResult = await userKey.RequestSignAsync(message);

    if (signResult.Status == KeyCredentialStatus.Success)
    {
        //the with the private key of the user signed message        
        return signResult.Result;
    }
}

两者对我的用例都不是很有用：我想要一种对称的方式来存储和检索密码。

我的问题简短：
有没有办法用Windows Hello对称存储数据？

相关文件：
https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport

Answer 1

您可以按以下方式使用PasswordVault来设置密码：

    private void SetPassword(string password, string userName)
    {
        PasswordVault myVault = new PasswordVault();
        myVault.Add(new PasswordCredential("Your App ID", userName, password));
    }

删除密码：

    private void RemovePassword(string userName)
    {
        PasswordVault myVault = new PasswordVault();

        var password = myVault.Retrieve("Your App ID", userName);
        if (password != null)
            myVault.Remove(password);
    }

如果要在Windows Hello中使用它：

    public async Task<string> SignInAsync(string userName)
    {
        var result = await UserConsentVerifier.RequestVerificationAsync(requestMessage);
        if (result != UserConsentVerificationResult.Verified)
            return null;

        var vault = new PasswordVault();
        var credentials = vault.Retrieve("Your App ID", userName);

        return credentials?.Password;
    }

这将在访问密码值之前检查Windows Hello

Answer 2

我已经通过使用Windows Hello生成的密码对要存储的秘密进行加密/解密来解决了这个问题。密码是固定消息上的签名。

完整的代码示例（未经测试）以说明我的观点：

const accountId = "A ID for this key";
const challenge = "sign this challenge using Windows Hello to get a secure string";

public async Task<byte[]> GetSecureEncryptionKey() {
    // if first time; we first need to create a key
    if (firstTime) {
        if (!await this.CreateKeyAsync()) {
            return null;
        }
    }

    // get the key using Windows Hellp
    return await this.GetKeyAsync();
}

private async Task<bool> CreateKeyAsync() {
    if (!await KeyCredentialManager.IsSupportedAsync()) {
        return false;
    }

    // if app opened for the first time, we need to create an account first
    var keyCreationResult = await KeyCredentialManager.RequestCreateAsync(AccountId, KeyCredentialCreationOption.ReplaceExisting);
    return keyCreationResult.Status == KeyCredentialStatus.Success);
}

private async Task<byte[]> GetKeyAsync() {
    var openKeyResult = await KeyCredentialManager.OpenAsync(AccountId);

    if (openKeyResult.Status == KeyCredentialStatus.Success)
    {
        // convert our string challenge to be able to sign it 
        var buffer = CryptographicBuffer.ConvertStringToBinary(
            challenge, BinaryStringEncoding.Utf8
        );

        // request a sign from the user
        var signResult = await openKeyResult.Credential.RequestSignAsync(buffer);

        // if successful, we can use that signature as a key
        if (signResult.Status == KeyCredentialStatus.Success)
        {
            return signResult.Result.ToArray();
        }
    }

    return null;
}

full source在github上，显示了如何将这些概念集成到应用程序中。

使用Windows Hello存储密码

2 个答案: