I know the .NET library offers a way of storing a string in a protected/secure manner = SecureString.

My question is, if I would like to store a byte array, what would be the best, most secure container to hold this?

+1  A: 

You could use SecureString to store the byte array.

  using System.Security;

  byte[] bytes = { 0x01, 0x02, 0x03 };   // sample input (constructed)
  SecureString testString = new SecureString();

  // Append each byte to the secure string as a single character.
  foreach (byte b in bytes)
     testString.AppendChar((char)b);

then you just reverse the process to get the bytes back out.

This isn't the only way, you can always use a MemoryBuffer and something out of System.Security.Cryptography. But this is the only thing specifically designed to be secure in this way. All others you would have to create with the System.Security.Cryptography, which is probably the best way for you to go.

Nick Berardi
So this is the only "Secure" structure in the .NET library?
Nick
This can lead to problems if the bytes have 0 values - since you're going to be putting them into a null terminated string.
Reed Copsey
Is SecureString null-terminated?
John Saunders
I don't believe so. No .NET string is null terminated.
Randolpho
Note that this is not magically secure as some people might think. You can easily attach to the process and read the value. It just raises the bar.
Mehrdad Afshari
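As an added example (not code from the answer or the comments above), here is the byte-to-SecureString round trip the answer sketches, carried through in both directions. The class name SecureBytesDemo and the sample bytes are constructed for the illustration; the sample deliberately contains a 0x00 byte so the read-back path, which copies exactly SecureString.Length code units rather than stopping at a null, can be checked against the concern raised in the comments.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not from the original answer: store a byte[] in a SecureString
// (one byte per UTF-16 code unit) and read it back out again.
static class SecureBytesDemo
{
    // Each byte becomes one char in the range 0x0000-0x00FF.
    public static SecureString FromBytes(byte[] bytes)
    {
        var secure = new SecureString();
        foreach (byte b in bytes)
            secure.AppendChar((char)b);
        secure.MakeReadOnly();
        return secure;
    }

    // Reverse the mapping. The unmanaged copy is read for exactly secure.Length
    // code units, so an embedded 0x0000 is preserved rather than treated as a
    // terminator (Marshal.PtrToStringUni would stop at the first null).
    public static byte[] ToBytes(SecureString secure)
    {
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secure);
            var bytes = new byte[secure.Length];
            for (int i = 0; i < bytes.Length; i++)
                bytes[i] = (byte)Marshal.ReadInt16(unmanaged, i * 2);
            return bytes;
        }
        finally
        {
            // Zero and free the unmanaged plaintext copy as soon as it is no longer needed.
            if (unmanaged != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    static void Main()
    {
        byte[] sampleBytes = { 0x01, 0x00, 0xFF, 0x7F };   // constructed; includes a zero byte
        using (SecureString secure = FromBytes(sampleBytes))
        {
            // Clear the managed original once the protected copy exists.
            Array.Clear(sampleBytes, 0, sampleBytes.Length);

            byte[] recovered = ToBytes(secure);
            Console.WriteLine(BitConverter.ToString(recovered));
            Array.Clear(recovered, 0, recovered.Length);
        }
    }
}
```

The decrypted bytes exist in managed memory for as long as the `recovered` array lives, which is why the caller clears it immediately; as the comment above notes, this narrows the window rather than closing it.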
A: 

One option:

You could store the bytes in a memory stream, encrypted using any of the providers in the System.Security.Cryptography namespace.

Reed Copsey
True, but before it's encrypted, it's vulnerable.
John Saunders
True - but that's the case using any technique. If it's static, you can encrypt it in advance and read in the encrypted bytes, but if it's dynamic, it's always going to exist at some point unprotected (including if you feed it into a SecureString). It's about reducing your vulnerable window more than eliminating it.
Reed Copsey
A: 

Encrypt your byte array with any of the cryptographic methods, for example RijndaelManaged, and then store it wherever you like :)

ArsenMkrt
+1  A: 

There is no "best" way to do this - you need to identify the threat you are trying to protect against in order to decide what to do or indeed if anything needs to be done.

One point to note is that, unlike a string which is immutable, you can zero out the bytes in a byte array after you've finished with them, so you won't have the same set of problems that SecureString is designed to solve.

Encrypting data could be appropriate for some set of problems, but then you will need to identify how to protect the key from unauthorized access.

I find it difficult to imagine a situation where encrypting a byte array in this way would be useful. More details of exactly what you're trying to do would help.

Joe
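As an added example (not code from any of the answers above), the following ties together Reed Copsey's suggestion of an encrypted memory stream, ArsenMkrt's point about encrypting with a System.Security.Cryptography provider, and Joe's two observations: a byte array can be zeroed after use, and encryption merely moves the problem to protecting the key. The class name EncryptedBuffer and the sample bytes are constructed for the illustration; Aes.Create() is used in place of the RijndaelManaged class named in one answer.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not from the original answers: keep a byte[] in memory only in
// encrypted form, clear the plaintext once encrypted, and decrypt on demand.
// The key and IV still live in process memory; protecting them is the separate
// problem Joe's answer points out.
sealed class EncryptedBuffer : IDisposable
{
    private readonly byte[] _key;
    private readonly byte[] _iv;
    private readonly byte[] _ciphertext;

    public EncryptedBuffer(byte[] plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.GenerateKey();
            aes.GenerateIV();
            _key = aes.Key;   // the key is now the secret that needs protecting
            _iv = aes.IV;
            using (var ms = new MemoryStream())
            {
                using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                    cs.Write(plaintext, 0, plaintext.Length);   // disposing cs flushes the final block
                _ciphertext = ms.ToArray();
            }
        }
        // Unlike a string, the caller's array can be zeroed once it is no longer needed.
        Array.Clear(plaintext, 0, plaintext.Length);
    }

    // Decrypt into a fresh array; the caller is responsible for clearing it.
    public byte[] Reveal()
    {
        var buffer = new byte[_ciphertext.Length];   // plaintext is never longer than the ciphertext
        int total = 0;
        using (var aes = Aes.Create())
        using (var ms = new MemoryStream(_ciphertext))
        using (var cs = new CryptoStream(ms, aes.CreateDecryptor(_key, _iv), CryptoStreamMode.Read))
        {
            int read;
            while ((read = cs.Read(buffer, total, buffer.Length - total)) > 0)
                total += read;
        }
        var result = new byte[total];
        Buffer.BlockCopy(buffer, 0, result, 0, total);
        Array.Clear(buffer, 0, buffer.Length);   // drop the padded working copy
        return result;
    }

    public void Dispose()
    {
        Array.Clear(_key, 0, _key.Length);
        Array.Clear(_iv, 0, _iv.Length);
        Array.Clear(_ciphertext, 0, _ciphertext.Length);
    }

    static void Main()
    {
        byte[] secret = { 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x42 };   // constructed sample
        using (var buffer = new EncryptedBuffer(secret))
        {
            // 'secret' has been zeroed; the value now exists only as ciphertext until Reveal().
            byte[] plain = buffer.Reveal();
            Console.WriteLine(BitConverter.ToString(plain));
            Array.Clear(plain, 0, plain.Length);
        }
    }
}
```

The plaintext is exposed twice: before the constructor runs and while the result of Reveal() is alive. That is the "vulnerable window" discussed in the comments on Reed Copsey's answer, and the threat model Joe asks for decides whether narrowing it this way is worth the added key-management burden.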