Security

This section contains articles on building secure Universal Windows Platform (UWP) apps for Windows 10.

Introduction

If you're new to Windows or UWP development, start with the Intro to secure Windows app development. This introductory-level article provides an overview of security considerations for apps and the various features available in Windows 10.

Authentication and user identity

The authentication and user identity section contains walkthroughs for scenarios related to user login and identity. Apps have several options for user authentication, ranging from simple single sign-on (SSO) using the Web authentication broker to highly secure two-factor authentication.

| Topic | Description |
|---|---|
| Credential locker | This article describes how apps can use the Credential Locker to securely store and retrieve user credentials, and roam them between devices with the user's Microsoft account. |
| Fingerprint biometrics | This article explains how to add fingerprint biometrics to your app. Including a request for fingerprint authentication when the user must consent to a particular action increases the security of your app. For example, you could require fingerprint authentication before authorizing an in-app purchase, or access to restricted resources. Fingerprint authentication is managed using the UserConsentVerifier class in the Windows.Security.Credentials.UI namespace. |
| Microsoft Passport and Windows Hello | This article describes the new Windows 10 Microsoft Passport technology, and discusses how developers can implement this technology to protect their apps and backend services. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about designing and deploying these technologies as part of your Windows 10 rollout. |
| Create a Microsoft Passport login app | Part 1 of a complete walkthrough on how to create a Windows 10 UWP (Universal Windows Platform) app that uses Microsoft Passport as an alternative to traditional username and password authentication systems. |
| Create a Microsoft Passport login service | Part 2 of a complete walkthrough on how to use Microsoft Passport as an alternative to traditional username and password authentication systems in Windows 10 UWP (Universal Windows Platform) apps. |
| Smart cards | This topic explains how apps can use smart cards to connect users to secure network services, including how to access physical smart card readers, create virtual smart cards, communicate with smart cards, authenticate users, reset user PINs, and remove or disconnect smart cards. |
| Share certificates between apps | UWP apps that require secure authentication beyond a user ID and password combination can use certificates for authentication. Certificate authentication provides a high level of trust when authenticating a user. In some cases, a group of services will want to authenticate a user for multiple apps. This article shows how you can authenticate multiple apps using the same certificate, and how you can provide convenient code for a user to import a certificate that was provided to access secured web services. |
| Windows Unlock with companion IoT devices | A companion device is a device that can act in conjunction with your Windows 10 desktop to enhance the user authentication experience. Using the Companion Device Framework, a companion device can provide a rich experience for Microsoft Passport even when Windows Hello is not available (for example, if the Windows 10 desktop lacks a camera for face authentication or a fingerprint reader device). |
| Web Account Manager | This article describes how to show the AccountsSettingsPane and connect your Universal Windows Platform (UWP) app to external identity providers, like Microsoft or Facebook, using the Windows 10 Web Account Manager APIs. You'll learn how to request a user's permission to use their Microsoft account, obtain an access token, and use it to perform basic operations (like getting profile data or uploading files to their OneDrive). |
| Web authentication broker | This article explains how to connect your app to an online identity provider that uses authentication protocols like OpenID or OAuth, such as Facebook, Twitter, Flickr, Instagram, and so on. The AuthenticateAsync method sends a request to the online identity provider and gets back an access token that describes the provider resources to which the app has access. |

Cryptography

The cryptography section contains information on more complex, cryptography-related topics.

| Topic | Description |
|---|---|
| Intro to certificates | This article discusses the use of certificates in apps. Digital certificates are used in public key cryptography to bind a public key to a person, computer, or organization. The bound identities are most often used to authenticate one entity to another. For example, certificates are often used to authenticate a web server to a user and a user to a web server. You can create certificate requests and install or import issued certificates. You can also enroll a certificate in a certificate hierarchy. |
| Cryptographic keys | This article shows how to use standard key derivation functions to derive keys and how to encrypt content using symmetric and asymmetric keys. |
| Data protection | This article explains how to use the DataProtectionProvider class in the Windows.Security.Cryptography.DataProtection namespace to encrypt and decrypt digital data in a UWP app. |
| MACs, hashes, and signatures | This article discusses how message authentication codes (MACs), hashes, and signatures can be used in apps to detect message tampering. |
| Export restrictions on cryptography | Use this info to determine if your app uses cryptography in a way that might prevent it from being listed in the Windows Store. |
| Common cryptography tasks | These articles provide example code for common cryptography tasks, such as creating random numbers, comparing buffers, converting between strings and binary data, copying to and from byte arrays, and encoding and decoding data. |