Using SecureString now

Have you heard about SecureString in Whidbey/VS 2005? It was built to help solve some of the problems of storing sensitive and secret information in System.String:

  • It's not pinned, so the garbage collector can move it around at will, leaving several copies in memory.
  • It's not encrypted, so anyone who can read your process' memory will be able to see the value of the string easily. Also, if your process gets swapped out to disk, the unencrypted contents of the string will be sitting in your swap file.
  • It's not mutable, so whenever you need to modify it, both the old version and the new version will be in memory.
  • Since it's not mutable, there's no effective way to clear it out when you're done using it. [by way of Shawn Farkas]
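To make those four points concrete, here is an added example (not code from this post or from the sample class mentioned below) that builds a SecureString without ever creating a System.String, inspects it in unmanaged memory, and wipes every plaintext copy. The class name, the `MeetsPolicy` helper, its policy rule and the sample characters are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Build the secret one character at a time so no immutable System.String exists.
    static SecureString FromChars(char[] input)
    {
        SecureString secret = new SecureString();
        foreach (char c in input)
            secret.AppendChar(c);
        Array.Clear(input, 0, input.Length); // wipe the caller's temporary buffer
        secret.MakeReadOnly();               // later AppendChar/Clear calls now throw
        return secret;
    }

    // Hypothetical policy: at least 8 characters, one of them a digit.
    // The plaintext is decrypted into unmanaged memory, which the garbage
    // collector never moves or copies, then zeroed before it is freed.
    static bool MeetsPolicy(SecureString secret)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);
            bool hasDigit = false;
            for (int i = 0; i < secret.Length; i++)
            {
                char c = (char)Marshal.ReadInt16(bstr, i * 2); // UTF-16 code unit
                if (char.IsDigit(c)) hasDigit = true;
            }
            return secret.Length >= 8 && hasDigit;
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr); // overwrite the plaintext, then free
        }
    }

    static void Main()
    {
        char[] typed = { 'c', 'o', 'r', 'r', 'e', 'c', 't', '7' }; // constructed sample
        using (SecureString secret = FromChars(typed))
        {
            Console.WriteLine(MeetsPolicy(secret));
        } // Dispose() zeroes the protected buffer
    }
}
```

The plaintext exists only between `SecureStringToBSTR` and `ZeroFreeBSTR`, so keep that window as short as possible and never convert the value back to a System.String.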

Hernan de Lahitte has put together a sample class for .NET 1.1 that works in a similar way to SecureString.

Published Wednesday, July 07, 2004 5:41 PM by RHurlbut

Comments

Wednesday, July 07, 2004 6:50 PM by TrackBack

# SecureString in NET v1.1

Now this was an interesting find. I just read on Robert Hurlbut's .Net Blog an interesting post about how Hernan de Lahitte has put together a sample class that works in a similar way as SecureString for .Net 1.1. If you recall, I blogged about SecureString in Whidbey back in May. I'm really looking forward to Whidbey because of things like this. Looks like I don't have to wait... at least for this feature....