How To: Use SecureString in .NET 2.0

From Guidance Share
Jump to navigationJump to search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Summary of Steps

  • Step 1. Create a SecureString
  • Step 2. Retrieve Data from a Secure String

Step 1. Create a SecureString

You can create a SecureString by supplying a pointer to a character array and supplying the length of that array. When constructed this way, the SecureString type takes a copy of your array. You should replace your source array with zeros as soon as the SecureString is constructed. A SecureString can also be constructed without an existing character array, and data can be copied one character at a time. The following code sample shows how to use the AppendChar method to create a secure string one character at a time.

using System.Security;
SecureString securePassword = new SecureString(); 
Console.WriteLine("Enter Password...."); 
while (true) 
 ConsoleKeyInfo conKeyInfo = Console.ReadKey(true);
 if (conKeyInfo.Key == ConsoleKey.Enter)
 else if (conKeyInfo.Key == ConsoleKey.Escape)
 else if (conKeyInfo.Key == ConsoleKey.Backspace)
    if (securePassword.Length != 0)
       securePassword.RemoveAt(securePassword.Length - 1);

Step 2. Retrieve Data from a Secure String

You retrieve data from a SecureString by using the marshaller. The Marshal class has been extended to provide methods that convert a SecureString into a BSTR data type or a raw block of ANSI or Unicode memory. When you have finished using the unprotected string, you should erase that copy by calling Marshal.ZeroFreeBSTR, as shown in the following example.

using System.Security;
using System.Runtime.InteropServices;
void UseSecretData(SecureString secret)
 IntPtr bstr = Marshal.SecureStringToBSTR(secret);
   // Use the bstr here
   // Make sure that the clear text data is zeroed out

Why Not Use System.String?

Using System.String for storing sensitive information is not recommended for the following reasons:

  • It is not pinned, which means that the garbage collector can move it around and leave the data in memory for indeterminate amounts of time.
  • It is not encrypted; therefore, the data can be read from process memory or from the swap file.
  • It is immutable; therefore, there is no effective way of clearing the data after use. Modification leaves both the old copy and a new copy in memory.