What is SecureString ?

In this post, we are going to discuss a class SecureString. Although this class is available since .NET 2.0, but I am sure, many of us would not be knowing or using it. Even I was not aware of this fantastic class few weeks ago. This class can be very useful for you if you are more concerned about your application security.

This class belongs to the namespace System.Security . This class should be used to store the data which is confidential. The text assigned to this string is by default encrypted. This data is also removed as soon as it is not required which in-turn reduces the chances of misuse.

There are many drawbacks of storing confidential information in System.String class because as we know it is immutable, it means whenever we modify it a new instance string is created. And we cannot control the garbage collection to delete it from memory or even cannot predict it that when it’ll take place. So it shows that the data that is stored in String variable is vulnerable and prone to be accessed by unwanted persons.

While System.SecureString (Sealed Class) works in almost same way as string but provides more control over it. The data that is stored in it by default encrypted while initialization and on every modification. It also enables us to make it read-only as well. It is deleted from memory as soon as it is no longer required or can be deleted programmatically as well.

As this text stored by this class is encrypted it cannot be compared or converted etc operation cannot be done with it. In a way it helps in protecting the data. There are many methods available to modify the data using methods like AppendChar(), InsertAt(), RemoveAt(), and SetAt(). This string can be made read only using method MakeReadOnly().

The data accepted by SecureString is character by character only. So let’s see how to use it. Say if we are using it in from console application then it could be used as

<br />static void Main(string[] args)<br />{<br />    Process.Start("mspaint.exe", "Brij", GetUserPassword(), string.Empty);<br />    Console.ReadKey();<br />}<br /><br />private static SecureString GetUserPassword()<br />{<br />    SecureString securePassword = new SecureString();<br />    do<br />    {<br />        ConsoleKeyInfo consoleKeyInfo = Console.ReadKey(true);<br />        if (consoleKeyInfo.Key == ConsoleKey.Enter)<br />        {<br />            break;<br />        }<br />        else if (consoleKeyInfo.Key == ConsoleKey.Backspace)<br />        {<br />            securePassword.RemoveAt(securePassword.Length - 1);<br />            Console.Write("\b \b");<br />        }<br />        else<br />        {<br />            securePassword.AppendChar(consoleKeyInfo.KeyChar);<br />            Console.Write("*");<br />        }<br />    } while(true);<br /><br />    securePassword.MakeReadOnly();<br />    return securePassword;<br />}<br />

Similarly, you should convert the password in SecureString in web application before sending it next layers. As this can be done at server side only but if your application is hosted on SSL server then you do not need to worry about about traveling data from Client and Server. So to convert it in SecureString,

<br />    SecureString securePassword = new SecureString();<br />    txtPassword.Text.ToCharArray().ToList().ForEach(p =&gt; securePassword.AppendChar(p));<br />    securePassword.MakeReadOnly();<br />

One question, that I am sure that must have came in your mind that the string is required to be in plain text at the time of using it. But normally we put the data in string and send between different layers to use and modify it. SecureString actually reduces the chances to temper and misuse the secured data.

Hope you have enjoyed the post!!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s