Jeff Griffin

SecureString: Soup to Nuts, Part I

Posted on April 4, 2011

Motivation:

Using the SecureString class in .NET is a great way to protect your users' sensitive data from malicious code intended to pull that data right out of memory. It is already supported by framework classes that Internet-enabled applications use often, like NetworkCredential, making its addition to your existing code fairly straightforward.

That's great, but since nothing is ever easy, I want to point out two scenarios where it wasn't so easy to deliver the requested functionality while maintaining proper use of SecureString:

  1. implementing secure local storage of a password, and
  2. preserving MVVM design without exposing the password in an insecure managed object.

There is quite a bit of widely accepted advice on community support forums that addresses each of these scenarios but defeats the point of using SecureString at all.

As I understand it, there are two commandments one should follow if one intends to use SecureString without sabotaging one's own efforts. The first is to dispose of the SecureString when processing is complete; the second is never to allow the unprotected contents of the SecureString to find their way into a CLR object, like a string or byte array. It just isn't clear how long those will be hanging around in memory, and heck, if you wanted to store your secret in a CLR string, you could have saved yourself a lot of time by doing so to begin with.

In Parts I and II of this article I will address my method of implementing solutions for these two scenarios, respectively.

Secure Local Storage:

Finally getting to the point. This guy is first because it's useful regardless of what design patterns or frameworks you're using to implement your interface, or whether you're implementing a GUI at all. If you've ever written a program that needs to use local storage for any data placed in a SecureString, you've run into this problem. The last thing you want to do is store it in clear text, so you know it needs to be encrypted. DPAPI to the rescue. Great, but there's good news and bad news.

First the bad. The ProtectedData class's Protect/Unprotect methods are staring us in the face, just begging us to use them, with their single-parameter overloads, and be done. Alas, the second commandment of SecureStrings prevents us from placing our secret in a CLR byte array, so we're going to have to make the unmanaged calls to CryptoAPI.

The good news is that we can use P/Invoke and marshaling to make the necessary unmanaged calls to CryptProtectData and CryptUnprotectData, and to zero out and free any sensitive data immediately, without actually writing any unmanaged code.

Now for some code. Moving from an existing SecureString instance into some processing code is always going to look pretty similar to this...

// 'self' is the SecureString being processed (the 'this' parameter of an extension method).
IntPtr unmanagedString = Marshal.SecureStringToBSTR(self);
try
{
    // Processing code here. Resist the urge to Marshal.PtrToStringBSTR.
}
finally
{
    Marshal.ZeroFreeBSTR(unmanagedString); // zero and free the buffer holding our secret
}

The rest of the solution is pretty plug-and-chug. I wrapped the CryptoAPI calls in SecureString extension methods GetProtectedData and AppendProtectedData, found in this file. In the interest of leaving the method of storage as an implementation detail, those extension methods export and import a byte array (encrypted, of course). It's simple to place the result in user.config, for example by using the *.settings file designer to make a user setting called “Password” and doing the following in code...

Properties.Settings.Default.Password = Convert.ToBase64String(securePassword.GetProtectedData());

...and to reverse it...

string encPassword = Properties.Settings.Default.Password;
if (!string.IsNullOrEmpty(encPassword))
{
    SecureString passwordString = new SecureString();
    passwordString.AppendProtectedData(Convert.FromBase64String(encPassword));
}
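To make the P/Invoke approach from the "good news" paragraph and the two extension methods named above concrete, here is an added example of how GetProtectedData and AppendProtectedData can be implemented. It is not the author's file (which is linked from the post but not reproduced here); the class name SecureStringDpapiExtensions, the blob description string and the single-char read loop are my own choices. The only things that ever reach managed memory are the ciphertext bytes; the plaintext lives in the BSTR from SecureStringToBSTR on the way in and in the LocalAlloc'd CryptoAPI output buffer on the way out, and both are zeroed before they are released.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Hypothetical implementation of the two extension methods named in the post.
// Plaintext characters only ever exist in unmanaged buffers, which are zeroed before release.
public static class SecureStringDpapiExtensions
{
    [StructLayout(LayoutKind.Sequential)]
    private struct DATA_BLOB
    {
        public int cbData;    // byte count
        public IntPtr pbData; // unmanaged buffer
    }

    private const int CRYPTPROTECT_UI_FORBIDDEN = 0x1; // never pop a UI prompt

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CryptProtectData(ref DATA_BLOB pDataIn, string szDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, out DATA_BLOB pDataOut);

    [DllImport("crypt32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CryptUnprotectData(ref DATA_BLOB pDataIn, IntPtr ppszDataDescr,
        IntPtr pOptionalEntropy, IntPtr pvReserved, IntPtr pPromptStruct, int dwFlags, out DATA_BLOB pDataOut);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr LocalFree(IntPtr hMem); // CryptoAPI output blobs are LocalAlloc'd

    // Encrypt the SecureString's UTF-16 contents under the current user's DPAPI key.
    // Only the ciphertext is copied into managed memory.
    public static byte[] GetProtectedData(this SecureString self)
    {
        if (self == null) throw new ArgumentNullException("self");
        IntPtr unmanagedString = Marshal.SecureStringToBSTR(self);
        try
        {
            DATA_BLOB input = new DATA_BLOB();
            input.cbData = self.Length * 2; // 2 bytes per UTF-16 code unit; BSTR terminator excluded
            input.pbData = unmanagedString;
            DATA_BLOB output;
            if (!CryptProtectData(ref input, "SecureString", IntPtr.Zero, IntPtr.Zero,
                                  IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, out output))
                throw new CryptographicException(Marshal.GetLastWin32Error());
            try
            {
                byte[] encrypted = new byte[output.cbData];
                Marshal.Copy(output.pbData, encrypted, 0, output.cbData); // ciphertext only
                return encrypted;
            }
            finally
            {
                LocalFree(output.pbData);
            }
        }
        finally
        {
            Marshal.ZeroFreeBSTR(unmanagedString); // wipe the plaintext BSTR
        }
    }

    // Decrypt a blob produced by GetProtectedData and append its characters to the SecureString,
    // reading the plaintext one char at a time straight out of the unmanaged buffer.
    public static void AppendProtectedData(this SecureString self, byte[] protectedData)
    {
        if (self == null) throw new ArgumentNullException("self");
        if (protectedData == null) throw new ArgumentNullException("protectedData");
        GCHandle handle = GCHandle.Alloc(protectedData, GCHandleType.Pinned); // ciphertext may stay managed
        try
        {
            DATA_BLOB input = new DATA_BLOB();
            input.cbData = protectedData.Length;
            input.pbData = handle.AddrOfPinnedObject();
            DATA_BLOB output;
            if (!CryptUnprotectData(ref input, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                                    IntPtr.Zero, CRYPTPROTECT_UI_FORBIDDEN, out output))
                throw new CryptographicException(Marshal.GetLastWin32Error());
            try
            {
                for (int offset = 0; offset + 1 < output.cbData; offset += 2)
                    self.AppendChar((char)Marshal.ReadInt16(output.pbData, offset)); // a stack char, never a heap string
            }
            finally
            {
                for (int i = 0; i < output.cbData; i++) Marshal.WriteByte(output.pbData, i, 0); // zero plaintext first
                LocalFree(output.pbData);
            }
        }
        finally
        {
            handle.Free();
        }
    }
}
```

Two design points follow from the commandments above. The decrypt side pins the ciphertext array and passes the decrypted output straight to AppendChar, so there is never a managed string or byte[] holding the secret; the only managed value in play is a single char on the stack, which is the same thing AppendChar itself requires. And because CryptUnprotectData hands back a buffer the CLR knows nothing about, it is zeroed byte by byte before LocalFree; ZeroFreeBSTR does the equivalent on the encrypt side. Callers still own the first commandment: dispose the SecureString when it is no longer needed, and consider MakeReadOnly after AppendProtectedData has populated it.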

Thanks to pinvoke.net for P/Invoke signatures.