28.4. Miscellaneous
So far, this chapter has covered the principles and algorithms that make up the primary support for cryptography within the .NET Framework. To round out this discussion, the following sections describe both how to use the SecureString class and how to use a key container to store a private key.
28.4.1. SecureString
It's often necessary to prompt users for a password, which is typically held in a String variable. Any information held in this variable will be contained within the String table. Because the information is stored in an unencrypted format, it can potentially be extracted from memory. To compound the problem, the immutable nature of the String class means that there is no way to programmatically remove the information from memory. Using the String class to work with private encryption keys can be considered a security weakness.
An alternative is to use the SecureString class. Unlike the String class, the SecureString class is not immutable, so the information can be modified and cleared after use. The information is also encrypted, so it cannot simply be retrieved from memory. Because you never want the unencrypted form of the information to be visible, there is no way to retrieve a String representation of the encrypted data. The following sample code inherits from the standard TextBox control to create the SecureTextbox class that will ensure that the password entered is never available as an unencrypted string in memory. This code should be placed into ...
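The properties described above can be seen in a small console program. This is an added example, not the book's SecureTextbox listing; the names SecureStringDemo, ReadPassword and CountDigits are hypothetical, and the digit count stands in for whatever native API would consume the secret.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
static class SecureStringDemo
{
    // Keystrokes go straight into the SecureString; no String is ever built.
    static SecureString ReadPassword()
    {
        SecureString password = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace && password.Length > 0)
                password.RemoveAt(password.Length - 1); // mutable, unlike String
            else if (!char.IsControl(key.KeyChar))
                password.AppendChar(key.KeyChar);
        }
        password.MakeReadOnly(); // no further modification allowed
        return password;
    }
    // Hypothetical consumer: reads a short-lived unmanaged copy, then zeroes it.
    static int CountDigits(SecureString secret)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            int digits = 0;
            for (int i = 0; i < secret.Length; i++)
                if (char.IsDigit((char)Marshal.ReadInt16(buffer, i * 2))) digits++;
            return digits;
        }
        finally
        {
            if (buffer != IntPtr.Zero)
                Marshal.ZeroFreeGlobalAllocUnicode(buffer); // overwrite, then free
        }
    }
    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString password = ReadPassword()) // Dispose clears the buffer
        {
            Console.WriteLine();
            Console.WriteLine("Length {0}, digits {1}", password.Length, CountDigits(password));
        }
    }
}
```

The plaintext exists only in the unmanaged buffer between the Marshal calls, so that window should be kept as short as possible and the secret should never be copied into a managed String.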