Geeks With Blogs
Blog Moved to http://podwysocki.codebetter.com/
A while back, I covered in detail some of the things you can do with SecureString in my post .NET Code Access Security - SecureString.  Dan Sellers of Microsoft had a post about his webcast entitled Least Privilege and New System.Security Features, in which SecureString was used.  The webcast in question can be found here.
 
The source code for the SecureString demo can be found here.
 
In this webcast, the SecureString is used to read in the password, character by character, from the Console.  Not many people use the Console, of course, for their enterprise-level applications.  Have no fear, as a SecurePasswordTextBox has also been created to capture a SecureString in a TextBox.  Paul Glavich has created this custom Windows control, which inherits from TextBox, to handle SecureString input.  Note that there is an update to the SecurePasswordTextBox, which is available here.
 
If you download the source code for the SecurePasswordTextBox, you will notice that it exposes the password in a character array.  This of course puts the contents of the SecureString back in managed memory, where they must be dealt with immediately.
 
I have seen a few code examples out there that translate a SecureString back and forth to a System.String, which doesn't make sense, as you have just defeated the purpose of having the SecureString in the first place.  Bart de Smet covers how SecureString should be used in much greater detail in his post Talking about System.Security.SecureString.  There, he lays out a pattern which should be followed:
 
IntPtr bstr = Marshal.SecureStringToBSTR(ss);
try
{
   // use the bstr
}
finally
{
   if (IntPtr.Zero != bstr)
      Marshal.ZeroFreeBSTR(bstr);
}
 
Or the unsafe C# way:
 
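unsafe
{
   // Declared and nulled outside the try so the finally block can test it
   Char* pDecryptedString = null;
   try
   {
      // Decrypt into unmanaged CoTaskMem memory (null-terminated Unicode)
      pDecryptedString = (Char*)Marshal.SecureStringToCoTaskMemUnicode(ss);
      // use the string
   }
   finally
   {
      // Zero the plaintext, then free the unmanaged buffer
      if (null != pDecryptedString)
         Marshal.ZeroFreeCoTaskMemUnicode((IntPtr)pDecryptedString);
   }
}
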
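
As an added example (not code from the original post or from the controls it mentions), here is the BSTR pattern above applied to a confirm-password check: two SecureStrings are compared through unmanaged copies that are zeroed in finally, and a char array like the one SecurePasswordTextBox exposes is wiped as soon as it has been consumed. The class name, method names and sample characters are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
static class SecureStringDemo   // hypothetical names throughout
{
    // Copy a char[] into a SecureString, then wipe the managed array immediately.
    static SecureString FromCharsAndWipe(char[] chars)
    {
        SecureString ss = new SecureString();
        try
        {
            foreach (char c in chars) ss.AppendChar(c);
            ss.MakeReadOnly();
            return ss;
        }
        finally { Array.Clear(chars, 0, chars.Length); }  // runs on success and on failure
    }

    // Compare two SecureStrings without ever creating a System.String.
    static bool SecureEquals(SecureString a, SecureString b)
    {
        if (a.Length != b.Length) return false;   // Length is exposed by SecureString anyway
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToBSTR(a);
            pb = Marshal.SecureStringToBSTR(b);
            int diff = 0;
            for (int i = 0; i < a.Length; i++)    // no early exit: every character is read
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            return diff == 0;
        }
        finally
        {
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);   // zero, then free
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }

    static void Main()
    {
        // Constructed sample input, not a real credential.
        using (SecureString entered = FromCharsAndWipe(new char[] { 'd', 'e', 'm', 'o', '1' }))
        using (SecureString confirm = FromCharsAndWipe(new char[] { 'd', 'e', 'm', 'o', '1' }))
        {
            Console.WriteLine(SecureEquals(entered, confirm));
        }
    }
}
```
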
Anyhow, I think the SecureString should be elaborated upon in the future just a little bit more.  I think it has potential, but it is still hard to get the data back in a fashion that is easy for the CLR.
Posted on Tuesday, June 20, 2006 1:47 PM | .NET, C#


Comments on this post: SecurePasswordTextBox and SecureString

No comments posted yet.


Copyright © Matthew Podwysocki | Powered by: GeeksWithBlogs.net