Menu
Can serialization be used as a secure means to store the state of program?
309
asked Nov 28 '25 19:11
No, Serialization is just a technology to allow you to convert in-memory representations of objects or object graphs into a stream of bytes that can later (with the type definitions), be reconstituted back into the in-memory representation of the same objects. If you want some kind of security you could encrypt the stream of bytes before you persist (store) it to disk or to a database, and then decrypt it again before you de-serialize it, but the Serialzation/Deserialization process itself provides no security.
166
Nice excerpt from wikipedia:
Serialization, however, breaks the opacity of an abstract data type by potentially exposing private implementation details. To discourage competitors from making compatible products, publishers of proprietary software often keep the details of their programs' serialization formats a trade secret. Some deliberately obfuscate or even encrypt the serialized data.
Another words, serialization in itself is not secure at all, since it can potentially expose data rather than obfuscate or hide data. Human-readable serialization probably makes this dilemma worse.
As a totally side note, may I suggest looking at protocol buffers rather than serialization?
http://code.google.com/apis/protocolbuffers/docs/faq.html
Protobuf-net
Also: Jon Skeet's C# port of the protocol buffers (from Java, I believe...)
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
