
.NET Forum / .NET Framework / Security / August 2007


How to convert a SecureString into an encrypted String in a secure manner?

spam@brandt-lassen.dk - 28 Aug 2007 11:28 GMT
I'm designing a system for Windows initiated Single Sign-On against RACF.

I keep my RACF passwords in fields of the new .NET 2.0 type System.Security.SecureString. I need to store these passwords in a SQL Server 2005 database between user sessions. Hence, I need to convert the SecureString into an encrypted string.

I could of course convert the SecureString into a string before encryption, but this would compromise the security of the system.

My suggestion is to read the bytes of the SecureString byte by byte, writing each byte directly into a CryptoStream like this:

    using System;
    using System.IO;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Cryptography;

    private static string SecurePassword2EncryptedPassword(SecureString password)
    {
        // GetCryptoAlg() is the poster's own helper; it is not shown in the post.
        SymmetricAlgorithm cryptoAlg = GetCryptoAlg();
        ICryptoTransform encryptor = cryptoAlg.CreateEncryptor();

        MemoryStream outStream = new MemoryStream();
        using (CryptoStream encryptStream = new CryptoStream(outStream, encryptor, CryptoStreamMode.Write))
        {
            // Unmanaged plaintext copy of the password (UTF-16); freed and zeroed in finally.
            IntPtr bstr = Marshal.SecureStringToBSTR(password);

            try
            {
                byte b;
                // Stepping by 2 reads only the low byte of each UTF-16 character.
                for (int offset = 0; offset < password.Length * 2; offset = offset + 2)
                {
                    b = Marshal.ReadByte(bstr, offset);
                    encryptStream.WriteByte(b);
                }
                b = 0;

                encryptStream.FlushFinalBlock();
            }
            finally
            {
                Marshal.ZeroFreeBSTR(bstr);
            }

            return Convert.ToBase64String(outStream.ToArray());
        }
    }

Is my way *the* secure way of converting a SecureString into an encrypted string? Or should I do something else?

Best regards

Michael Brandt Lassen
3F, Denmark

Michael Brandt Lassen - 28 Aug 2007 11:52 GMT
Sorry about the HTML, I've deleted the post, but it's still here!? I've
reposted without the HTML.

Best regards

Michael
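
An added example, not code from the thread: one way to encrypt every UTF-16 byte of a SecureString without creating a managed String, by copying the BSTR into a pinned buffer that is wiped before it is released. The class name, the caller-supplied key and the Base64(IV || ciphertext) layout are assumptions made for this sketch; AES-CBC as used here gives confidentiality only, with no integrity check on the stored value.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

static class SecureStringCrypto   // hypothetical helper name
{
    // Returns Base64(IV || AES-CBC ciphertext) of the password's UTF-16 bytes.
    public static string Encrypt(SecureString password, byte[] key)
    {
        byte[] plain = new byte[password.Length * 2];
        GCHandle pin = GCHandle.Alloc(plain, GCHandleType.Pinned); // GC cannot relocate (copy) it
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(password);
            Marshal.Copy(bstr, plain, 0, plain.Length);   // both bytes of every character
            using (Aes aes = Aes.Create())                // defaults: CBC mode, PKCS7 padding
            {
                aes.Key = key;                            // 16, 24 or 32 bytes
                aes.GenerateIV();                         // fresh IV for every stored value
                byte[] iv = aes.IV;
                using (ICryptoTransform enc = aes.CreateEncryptor())
                {
                    byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
                    byte[] blob = new byte[iv.Length + cipher.Length];
                    Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
                    Buffer.BlockCopy(cipher, 0, blob, iv.Length, cipher.Length);
                    return Convert.ToBase64String(blob);
                }
            }
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr); // zero and free the unmanaged copy
            Array.Clear(plain, 0, plain.Length);                 // wipe before unpinning
            pin.Free();
        }
    }
    static void Main()   // constructed demo input; a real key comes from a key store
    {
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        using (SecureString pw = new SecureString())
        {
            foreach (char c in "pa\u20ACs") pw.AppendChar(c);    // sample with a non-ASCII char
            Console.WriteLine(Encrypt(pw, key));
        }
    }
}
```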
