How, when and why to use "SecureString" in C#?


I once heard about the class SecureString from C# and it seemed interesting to me, so I think it’s interesting content that can yield good answers from more experienced professionals.

Some questions might be asked:

  • Has anyone worked with this class? Is it used in large projects?
  • When would it really be necessary to use this class, and what does it protect?
  • For which type of project is its use most recommended: ASP.NET, WPF, Windows Forms?
  • Murilo, here is the original post on the English SO.

  • I’ll take a look, but it would be good to have an answer here in Portuguese. It is even on MSDN, but here the guys explain it in a very cool way.

  • @Rodrigo, translate it and post an answer.

  • In that case, I recommend this post on SO in Portuguese: http://answall.com/a/7425/59662

  • Good link, but I will keep my question, because I am asking specifically about SecureString; in the question cited, another question led to it. I don’t think it would be a duplicate.

1 answer



Has anyone worked with this class? Is it used in large projects?

No, I don’t know enough large projects to say. I don’t know if that’s relevant. Either the feature is useful or it is not; whether it is used in large or small projects is beside the point.

.NET itself uses it a lot. All these places consider that keeping text under secure conditions is important in their context.

When would it really be necessary to use this class, and what does it protect?

It basically ensures that the text will be used in a very restricted context and will be erased as soon as possible, and it will not allow it to go outside the scope of the application’s memory. Obviously it is encrypted.

But it is not completely safe; after all, it needs to be manipulated, and in those moments it is exposed. It hinders naive attempts at improper access. It helps a lot in keeping the programmer himself from disclosing the data somewhere through his own slip.

Many people do not know that when the application ends the data stays there in memory; it is not erased and can be viewed by third parties with the appropriate knowledge. Even while it is running, it is possible to access all the data, even from outside it. It is very easy to grab everything that is in memory. On a compromised machine, whether compromised by a hacker or by a malicious person with privileged access.

If the intention is total protection, forget it. In general it is only used for data that really needs to be protected in memory, such as passwords, credit card numbers and things like that. If all the rest of the chain is flawed, it doesn’t do much good.

For which type of project is its use most recommended: ASP.NET, WPF, Windows Forms?

It doesn’t matter; use it when you need this security. WPF has a PasswordBox control that uses SecureString internally, which eliminates a point of insecurity where the data could be captured.

It seems that in Mono it is not so well implemented, but this can change soon with the project taking parts of .NET Core.

There is a question that deals with it here.

Microsoft article on the subject. And the continuation.
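
As an added example (not part of the original answer), this sketch shows the lifecycle the answer describes: the secret is built character by character, decrypted only for the moment it is used, and every plaintext copy is wiped afterwards. The helper name `HashSecret` and the sample characters are hypothetical, chosen for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

static class SecureStringDemo
{
    // Hypothetical helper: the plaintext exists only inside this method.
    static byte[] HashSecret(SecureString secret)
    {
        IntPtr ptr = IntPtr.Zero;
        byte[] plain = new byte[secret.Length * 2];                // UTF-16 code units
        GCHandle pin = GCHandle.Alloc(plain, GCHandleType.Pinned); // stop the GC from relocating (copying) it
        try
        {
            // Decrypts into unmanaged memory: this is the window of exposure.
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(ptr, plain, 0, plain.Length);
            using (SHA256 sha = SHA256.Create())
                return sha.ComputeHash(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);          // wipe the managed copy
            pin.Free();
            if (ptr != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(ptr);  // zero, then free, the unmanaged copy
        }
    }

    static void Main()
    {
        using (SecureString secret = new SecureString())
        {
            // Constructed sample input. Real code appends characters as they are typed
            // (for example from Console.ReadKey(true)) so no System.String holds the value.
            foreach (char c in new[] { 's', '3', 'c', 'r', '3', 't' })
                secret.AppendChar(c);
            secret.MakeReadOnly();                        // no further modification allowed

            Console.WriteLine(BitConverter.ToString(HashSecret(secret)));
        } // Dispose() zeroes the protected buffer
    }
}
```

The plaintext is readable by anything that can inspect the process between the `SecureStringToGlobalAllocUnicode` call and the `finally` block, which is the exposure the answer refers to. On .NET running on non-Windows platforms the contents of a `SecureString` are not encrypted.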
