So the .NET framework provides the SecureString class for storing strings in a secure fashion. But to read the information and work with it you have to return it to a standard string. See this implementation example.
As you can see from the example using the pointer we return an unencrypted string. How do we now manage that "insecure" instance of the string? What is the most secure way to work with the value once it has been set?
Edit
The purpose of this question was to discuss methods to REDUCE the surface area of potential attack when using SecureStrings and then working with the values. Not the "why" as to the "duplicate" link.
The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner.
We don't recommend that you use the SecureString class for new development. For more information, see SecureString shouldn't be used on GitHub. SecureString is a string type that provides a measure of security. It tries to avoid storing potentially sensitive strings in process memory as plain text.
There is no alternative to the SecureString class. The 'alternative' Microsoft encourages is found here: The general approach of dealing with credentials is to avoid them and instead rely on other means to authenticate, such as certificates or Windows authentication.
In placing the contents of a SecureString back into a String, you reintroduce the problems of using strings that are listed out here: http://blogs.msdn.com/shawnfa/archive/2004/05/27/143254.aspx
With SecureString, there are options that are provided to marshal the contents into unmanaged memory so you can access the data and then dispose of the data when done with it.
These are options you just don't have with managed code. In working with unmanaged bytes, you can zero out the memory, make sure it's not paged to disk, etc, etc, which is exactly what you want to do to reduce the attack surface here.
The key here is to not make another instance of String and work with the data in a way where security is easier to manage when dealing with this data (which unfortunately, is unmanaged code right now).
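The marshal, use, then wipe pattern described in the answer above, as an added example (not code from the original answer). The helper name Sha256OfSecret and the sample value are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

static class SecureStringDemo
{
    // Hypothetical helper: hashes the secret without creating a managed String.
    public static byte[] Sha256OfSecret(SecureString secret)
    {
        IntPtr ptr = IntPtr.Zero;
        byte[] buffer = new byte[secret.Length * sizeof(char)];
        // Pin the working buffer so the GC cannot relocate it and leave
        // stale plaintext copies elsewhere on the managed heap.
        GCHandle pin = GCHandle.Alloc(buffer, GCHandleType.Pinned);
        try
        {
            // Decrypt into unmanaged memory (UTF-16), outside the GC heap.
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(ptr, buffer, 0, buffer.Length);
            using (SHA256 sha = SHA256.Create())
                return sha.ComputeHash(buffer);
        }
        finally
        {
            // Runs even if hashing throws: wipe the pinned copy, then
            // zero and free the unmanaged plaintext.
            Array.Clear(buffer, 0, buffer.Length);
            pin.Free();
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        using (var secret = new SecureString())
        {
            // Constructed sample value. A literal is itself a managed String;
            // real input should arrive one character at a time (e.g. key presses).
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();
            Console.WriteLine(BitConverter.ToString(Sha256OfSecret(secret)));
        }
    }
}
```

The plaintext exists only between the marshal call and the finally block, and it never becomes an immutable String that has to wait for garbage collection.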