我想使用Windows Hello存储和检索密码。用户可以在登录时选择是否要手动输入密码,或者是否要使用Windows Hello解锁(然后检索上次使用的密码,并为用户填写)。
如果Windows Hello设置正确,则doc中有两个用例
一个刚刚解锁:
UserConsentVerificationResult consentResult = await UserConsentVerifier.RequestVerificationAsync("userMessage");
if (consentResult.Equals(UserConsentVerificationResult.Verified))
{
// continue
}
和一个来自服务器的消息:
var openKeyResult = await KeyCredentialManager.OpenAsync(AccountId);
if (openKeyResult.Status == KeyCredentialStatus.Success)
{
var userKey = openKeyResult.Credential;
var publicKey = userKey.RetrievePublicKey();
//the message is the challenge from the server
var signResult = await userKey.RequestSignAsync(message);
if (signResult.Status == KeyCredentialStatus.Success)
{
//the with the private key of the user signed message
return signResult.Result;
}
}
两者对我的用例都不是很有用:我想要一种对称的方式来存储和检索密码。
我的问题简短:
有没有办法用Windows Hello对称存储数据?
相关文件:
https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport
答案 0 :(得分:1)
您可以按以下方式使用PasswordVault来设置密码:
private void SetPassword(string password, string userName)
{
PasswordVault myVault = new PasswordVault();
myVault.Add(new PasswordCredential("Your App ID", userName, password));
}
删除密码:
private void RemovePassword(string userName)
{
PasswordVault myVault = new PasswordVault();
var password = myVault.Retrieve("Your App ID", userName);
if (password != null)
myVault.Remove(password);
}
如果要在Windows Hello中使用它:
public async Task<string> SignInAsync(string userName)
{
var result = await UserConsentVerifier.RequestVerificationAsync(requestMessage);
if (result != UserConsentVerificationResult.Verified)
return null;
var vault = new PasswordVault();
var credentials = vault.Retrieve("Your App ID", userName);
return credentials?.Password;
}
这将在访问密码值之前检查Windows Hello
答案 1 :(得分:0)
我已经通过使用Windows Hello生成的密码对要存储的秘密进行加密/解密来解决了这个问题。密码是固定消息上的签名。
完整的代码示例(未经测试)以说明我的观点:
const accountId = "A ID for this key";
const challenge = "sign this challenge using Windows Hello to get a secure string";
public async Task<byte[]> GetSecureEncryptionKey() {
// if first time; we first need to create a key
if (firstTime) {
if (!await this.CreateKeyAsync()) {
return null;
}
}
// get the key using Windows Hellp
return await this.GetKeyAsync();
}
private async Task<bool> CreateKeyAsync() {
if (!await KeyCredentialManager.IsSupportedAsync()) {
return false;
}
// if app opened for the first time, we need to create an account first
var keyCreationResult = await KeyCredentialManager.RequestCreateAsync(AccountId, KeyCredentialCreationOption.ReplaceExisting);
return keyCreationResult.Status == KeyCredentialStatus.Success);
}
private async Task<byte[]> GetKeyAsync() {
var openKeyResult = await KeyCredentialManager.OpenAsync(AccountId);
if (openKeyResult.Status == KeyCredentialStatus.Success)
{
// convert our string challenge to be able to sign it
var buffer = CryptographicBuffer.ConvertStringToBinary(
challenge, BinaryStringEncoding.Utf8
);
// request a sign from the user
var signResult = await openKeyResult.Credential.RequestSignAsync(buffer);
// if successful, we can use that signature as a key
if (signResult.Status == KeyCredentialStatus.Success)
{
return signResult.Result.ToArray();
}
}
return null;
}
full source在github上,显示了如何将这些概念集成到应用程序中。