tags:

views:

69

answers:

2
+3  Q: 

Use SecureString for credit card numbers

I've been looking into using the System.Security.SecureString class to hold credit card numbers in memory while they are being processed. Has anyone used the SecureString class for holding credit card numbers, or do most just use the normal System.String class?

A: 

I use SecureString for other stuff (not credit cards), if it's going to be cached in memory for an extended time.

The problem I keep encountering is that you still have to marshal it to a normal String in order to actually use it for anything, so it's really limited in its usefulness.

I've created a couple of extension methods to ease working with them a little bit:

    public static unsafe SecureString Secure(this string source)
    {
        if (source == null)
            return null;
        if (source.Length == 0)
            return new SecureString();

        fixed (char* pChars = source.ToCharArray())
        {
            SecureString secured = new SecureString(pChars, source.Length);
            return secured;
        }
    }


    public static string Unsecure(this SecureString source)
    {
        if (source == null)
            return null;

        IntPtr bstr = Marshal.SecureStringToBSTR(source);
        try
        {
            return Marshal.PtrToStringUni(bstr);
        }
        finally
        {
            Marshal.ZeroFreeBSTR(bstr);
        }
    }
Toby  2010-07-22 20:03:41
This defeats the purpose. As soon as you convert from/to System.String, it is no longer secure.
Hans Passant  2010-07-22 20:56:44
@Hans -- I believe I addressed that shortcoming in the second paragraph of my response.
Toby  2010-07-23 12:32:53
+3  A: 

From a PCI-DSS perspective, there is no requirement to protect card numbers stored only in memory.

PCI states only that card numbers persisted to disk, or transmitted across a network must be encrypted. This is a common sense approach to the issue. Using SecureString will ensure that the string is never cached to disk, but as you say - its troublesome to use. This post has some good suggestions though: http://stackoverflow.com/questions/122784/hidden-net-base-class-library-classes#123141

In theory, protecting memory sounds like it would add strength, but in truth if a bad guy has access to the RAM, then its pretty much game over anyway.

PaulG  2010-07-23 12:47:00
The PCI requirements are the right location to look for an answer here^^
cRichter  2010-07-23 12:51:48

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?