in

Redwerb

Tools, tips, and techniques for software developers.

Redwerb

Tools, tips, and techniques for software developers.

Securing Text Data

Perhaps it's just me, but trying to figure out how to secure text data is confusing. Based on all of the articles available, if you are creating an application that uses passwords or other sensitive information, you should use a SecureString, that much is clear. However, a SecureString isn't very useful since it is encrypted (you can't compare a SecureString against a database value, pass it to your credit card processing, etc).


After many hours of research, I was able to find a single example of how to secure text in an MSDN article (of course, it's only mentioned in passing). How to encrypt and decrypt a file by using Visual Basic .NET or Visual Basic 2005 contains a reference to the ZeroMemory API that allows you to clear a string from memory and GCHandle to make sure you don't end up with a bunch of copies of the string.


The following code will create a string, pin it in memory using GCHandle (to make sure it doesn't get moved or have multiple copies made), then destroy the contents of the string so that it can't be held in memory.


    Sub Main()
        Dim str As String = "HI"
        Dim gh As GCHandle = GCHandle.Alloc(str)
        Console.WriteLine(str)
        ZeroMemory(str, str.Length * 2)
        gh.Free()
        Console.WriteLine(str)
    End Sub

    Private Declare Sub ZeroMemory Lib "kernel32.dll" _
            Alias "RtlZeroMemory" _
            (ByVal Destination As String, _
             ByVal Length As Integer)



The idea behind this is to leave the text in memory for a very short period of time to make it very difficult for a hacker to get. The sensitive text can be stored in a SecureString until you are ready to use it.


Before I found the ZeroMemory solution, I had written another one that I'm going to post here just because it seems interesting. Basically, I use reflection to call a method on System.String that is intended to be used by StringBuilder that will replace a char without making a copy of the string (typically Strings are immutable, any changes to it result in a copy of the string). 



    Public Shared Sub DestroyString(ByVal str As String)
        Dim mi As MethodInfo
        mi = GetType(String).GetMethod( _
                "ReplaceCharInPlace", _
                BindingFlags.NonPublic _
                    Or BindingFlags.Instance)

        For i As Integer = 0 To str.Length - 1
            Dim ch As Char = str(i)
            Dim args() As Object
            args = New Object() {ch, ChrW(0), i, 1, 0}
            mi.Invoke(str, args)
        Next
    End Sub

I am currently working on another article for Code Project on securing text data, complete with a PasswordBox WinForm control, SecurePassword class, and more. Once it is available, I will post a link to it here.

Published Nov 18 2006, 01:14 AM by Brian Brewder
Filed under:

Comments

No Comments

Leave a Comment

(required)  
(optional)
(required)  
Add

About Brian Brewder

I'm a software engineer in Kirkland, WA. I have been developing with .Net since 2002. My main area of focus has been designing and implementing a UI framework for an ERP system. Before I got into .Net, I developed for several years in a variety of languages and platforms including mostly ASP, though I've also developed applications for both Palm and Pocket PC devices.

I received my degree in Computing and Software System from the University of Washington in 1999. I have also completed a certificate course in Object-Oriented Analysis and Design Using UML, also from the University of Washington, in 2005.

Copyright Brian Brewder, 2007. All rights reserved.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems