views: 82
answers: 4

Can serialization be used as a secure means to store the state of program?

+4  A: 

No, serialization is just a technology to allow you to convert in-memory representations of objects or object graphs into a stream of bytes that can later (with the type definitions) be reconstituted back into the in-memory representation of the same objects. If you want some kind of security you could encrypt the stream of bytes before you persist (store) it to disk or to a database, and then decrypt it again before you de-serialize it, but the serialization/deserialization process itself provides no security.

Charles Bretana
+1  A: 

Nice excerpt from wikipedia:

Serialization, however, breaks the opacity of an abstract data type by potentially exposing private implementation details. To discourage competitors from making compatible products, publishers of proprietary software often keep the details of their programs' serialization formats a trade secret. Some deliberately obfuscate or even encrypt the serialized data.

In other words, serialization in itself is not secure at all, since it can potentially expose data rather than obfuscate or hide data. Human-readable serialization probably makes this dilemma worse.

As a total side note, may I suggest looking at protocol buffers rather than serialization?

http://code.google.com/apis/protocolbuffers/docs/faq.html

Protobuf-net

Also: Jon Skeet's C# port of the protocol buffers (from Java, I believe...)

code4life
A: 

+1 for @Charles' explanation.

If you're saving application settings on a per-user basis you should use the ProtectedData class from the System.Security.Cryptography namespace to securely store the serialized data; use the DataProtectionScope.CurrentUser scope for per-user data.

The ProtectedData class encrypts the data using the user's login password; the underlying DPAPI code handles password changes so the data can still be accessed.

devstuff
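An added example, not code from any of the answers above, putting Charles' point (serialize, then encrypt before storing; decrypt, then deserialize on load) and devstuff's point (ProtectedData with DataProtectionScope.CurrentUser) into one round trip. The settings class, the file location under LocalApplicationData, the sample token and the entropy string are all assumptions made for the example. ProtectedData is Windows-only; on .NET 5 and later it lives in the System.Security.Cryptography.ProtectedData NuGet package and throws PlatformNotSupportedException elsewhere.

```csharp
// Added example (not from the original question or answers): persist a per-user
// settings object by serializing it to JSON, sealing the bytes with DPAPI
// (ProtectedData, DataProtectionScope.CurrentUser) before writing them to disk,
// and reversing both steps on load. Windows-only.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public sealed class UserSettings
{
    public string Theme { get; set; } = "dark";
    public int FontSize { get; set; } = 12;
    public string ApiToken { get; set; } = "";   // the value we actually want to keep private
}

public static class SettingsStore
{
    // Optional entropy ties the blob to this application: another process running as
    // the same Windows user cannot Unprotect it without supplying the same bytes.
    // The string is an assumed, example-only value.
    private static readonly byte[] AppEntropy = Encoding.UTF8.GetBytes("example-app-v1");

    public static void Save(UserSettings settings, string path)
    {
        // Step 1: serialization (no security by itself; the JSON is plain text).
        byte[] plain = JsonSerializer.SerializeToUtf8Bytes(settings);
        // Step 2: encryption under the current user's DPAPI master key.
        byte[] blob = ProtectedData.Protect(plain, AppEntropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(path, blob);
        CryptographicOperations.ZeroMemory(plain);
    }

    public static UserSettings Load(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        byte[] plain;
        try
        {
            // Unprotect throws CryptographicException if the blob was modified, or if
            // a different user or machine tries to open it. Nothing is deserialized
            // until that check has passed.
            plain = ProtectedData.Unprotect(blob, AppEntropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidDataException(
                "Settings blob is corrupt or was not protected by the current user.", ex);
        }

        try
        {
            return JsonSerializer.Deserialize<UserSettings>(plain)
                   ?? throw new InvalidDataException("Settings blob decoded to null.");
        }
        finally
        {
            CryptographicOperations.ZeroMemory(plain);
        }
    }

    public static void Main()
    {
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            "example-app");
        Directory.CreateDirectory(dir);
        string path = Path.Combine(dir, "settings.bin");

        // Constructed sample data for the demonstration.
        Save(new UserSettings { ApiToken = "constructed-sample-token" }, path);

        // The plaintext token should not be findable in the sealed file.
        byte[] onDisk = File.ReadAllBytes(path);
        bool leaked = Encoding.UTF8.GetString(onDisk).Contains("constructed-sample-token");
        Console.WriteLine("Token visible in file: " + leaked);

        UserSettings back = Load(path);
        Console.WriteLine("Round-trip token: " + back.ApiToken);
    }
}
```

Two caveats a practitioner should keep in mind. First, DPAPI protects the stored bytes from other users and from tampering on disk, but any process running as the same user (malware included) can call Unprotect just as easily as this program can; the entropy value raises the bar only slightly, since it ships with the application. Second, encryption says nothing about the safety of the deserializer itself: a data-only format such as System.Text.Json, shown here, is the right choice, whereas BinaryFormatter will happily instantiate arbitrary types from a payload and must never be pointed at data an attacker can influence, encrypted or not.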
+1  A: 

Thanks a lot guys!!

arhsim