{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 旧时光的记忆 的问题《When would I need a SecureString in .NET?》','https://www.manongdao.com/q-17120.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to grok the purpose of .NET's SecureString. From MSDN:
An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.
A SecureString object is similar to a String object in that it has a text value. However, the value of a SecureString object is automatically encrypted, can be modified until your application marks it as read-only, and can be deleted from computer memory by either your application or the .NET Framework garbage collector.
The value of an instance of SecureString is automatically encrypted when the instance is initialized or when the value is modified. Your application can render the instance immutable and prevent further modification by invoking the MakeReadOnly method.
Is the automatic encryption the big payoff?
And why can't I just say:
SecureString password = new SecureString("password");
instead of
SecureString pass = new SecureString();
foreach (char c in "password".ToCharArray())
pass.AppendChar(c);
What aspect of SecureString am I missing?
There are very few scenarios where you can sensibly use SecureString in the current version of the Framework. It's really only useful for interacting with unmanaged APIs - you can marshal it using Marshal.SecureStringToGlobalAllocUnicode.
As soon as you convert it to/from a System.String, you've defeated its purpose.
The MSDN sample generates the SecureString a character at a time from console input and passes the secure string to an unmanaged API. It's rather convoluted and unrealistic.
You might expect future versions of .NET to have more support for SecureString that will make it more useful, e.g.:
SecureString Console.ReadLineSecure() or similar to read console input into a SecureString without all the convoluted code in the sample.
WinForms TextBox replacement that stores its TextBox.Text property as a secure string so that passwords can be entered securely.
Extensions to security-related APIs to allow passwords to be passed as SecureString.
Without the above, SecureString will be of limited value.
One of the big benefits of a SecureString is that it is supposed avoid the possibility of your data being stored to disk due to page caching. If you have a password in memory and then load a large program or data set, your password may get written to the swap file as your program is paged out of memory. With a SecureString, at least the data will not be sitting around indefinitely on your disk in clear text.
I guess it's because the string is meant to be secure, i.e. a hacker should not be able to read it. If you initialize it with a string, the hacker could read the original string.
I believe the reason why you have to do character appending instead of one flat instantiation is because in the background passing "password" to the constructor of SecureString puts that "password" string in memory defeating the purpose of secure string.
By appending you are only putting a character at a time into memory which is likley not to be adjacent to each other physically making it much harder to reconstruct the original string. I could be wrong here but that's how it was explained to me.
The purpose of the class is to prevent secure data from being exposed via a memory dump or similar tool.
Some parts of the framework that currently use
SecureString:System.Windows.Controls.PasswordBoxcontrol keeps the password as a SecureString internally (exposed as a copy throughPasswordBox::SecurePassword)System.Diagnostics.ProcessStartInfo::Passwordproperty is aSecureStringX509Certificate2takes aSecureStringfor the passwordThe main purpose is to reduce the attack surface, rather than eliminate it.
SecureStringsare "pinned" in RAM so the Garbage Collector won't move it around or make copies of it. It also makes sure the plaintext won't get written to the Swap file or in core dumps. The encryption is more like obfuscation and won't stop a determined hacker, though, who would be able to find the symmetric key used to encrypt and decrypt it.As others have said, the reason you have to create a
SecureStringcharacter-by-character is because of the first obvious flaw of doing otherwise: you presumably have the secret value as a plain string already, so what's the point?SecureStrings are the first step in solving a Chicken-and-Egg problem, so even though most current scenarios require converting them back into regular strings to make any use of them at all, their existence in the framework now means better support for them in the future - at least to a point where your program doesn't have to be the weak link.Well, as the description states, the value is stored encrypted, with means that a memory dump of your process won't reveal the string's value (without some fairly serious work).
The reason you can't just construct a SecureString from a constant string is because then you would have an unencrypted version of the string in memory. Limiting you to creating the string in pieces reduces the risk of having the whole string in memory at once.