I would like to use a SecureString variable within VB.NET and convert that to a SHA1 or SHA512 hash. How would I securely convert the SecureString to the Byte array that HashAlgorithm.ComputeHash will accept?
Viewed 4,160 times
1 Answers
-1
What about this: we avoid the only used String instance (output) and replace it with a character array. This would enable us to wipe this array after use:
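```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static String SecureStringToMD5( SecureString password )
{
    int passwordLength = password.Length;
    char[] passwordChars = new char[passwordLength];

    // Copy the password from SecureString to our char array
    IntPtr passwortPointer = Marshal.SecureStringToBSTR( password );
    try
    {
        Marshal.Copy( passwortPointer, passwordChars, 0, passwordLength );
    }
    finally
    {
        // Zero and free the unmanaged copy even if the copy throws
        Marshal.ZeroFreeBSTR( passwortPointer );
    }

    // Hash the char array; keep a reference to the encoded bytes so they can be wiped too
    byte[] passwordBytes = Encoding.Default.GetBytes( passwordChars );
    byte[] hashedPasswordBytes;
    using (MD5 md5Hasher = MD5.Create())
    {
        hashedPasswordBytes = md5Hasher.ComputeHash( passwordBytes );
    }

    // Wipe the character array and the encoded bytes from memory
    for (int i = 0; i < passwordChars.Length; i++)
    {
        passwordChars[i] = '\0';
    }
    Array.Clear( passwordBytes, 0, passwordBytes.Length );

    // Your implementation of representing the hash in a readable manner
    String hashString = ConvertToHexString( hashedPasswordBytes );

    // Return the result
    return hashString;
}
```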
Is there anything I missed?

Seven
Yes - see the answer to this question: http://stackoverflow.com/questions/14293344/hashing-a-securestring-in-net – RobSiklos Jan 21 '13 at 21:08
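For the SHA512 case the question asks about, here is an added example (not code from the answer or the linked question) that keeps every plaintext copy in a pinned buffer and zeroes it in a `finally` block. The class and method names are hypothetical, and UTF-8 is an assumed encoding.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class SecureStringHasher   // hypothetical name, not a framework type
{
    public static byte[] HashSha512(SecureString secret)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));

        char[] chars = new char[secret.Length];
        // Worst-case UTF-8 size, allocated up front so no second buffer is ever needed
        byte[] bytes = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];

        // Pin both buffers while they are still all zeros, so the GC cannot
        // relocate them later and leave an unwiped copy of the plaintext behind
        GCHandle charPin = GCHandle.Alloc(chars, GCHandleType.Pinned);
        GCHandle bytePin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            // Decrypt into unmanaged memory, then copy into the pinned char buffer
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);

            // Encode into the pre-allocated buffer instead of letting GetBytes
            // return a fresh array that nothing holds a reference to for wiping
            int byteCount = Encoding.UTF8.GetBytes(chars, 0, chars.Length, bytes, 0);
            using (SHA512 sha = SHA512.Create())
            {
                return sha.ComputeHash(bytes, 0, byteCount);
            }
        }
        finally
        {
            // Runs on success and on exception: wipe every plaintext copy
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(chars, 0, chars.Length);
            Array.Clear(bytes, 0, bytes.Length);
            charPin.Free();
            bytePin.Free();
        }
    }
}
```

The encoding must match whatever produced the hash being compared against, since the same password encoded differently yields a different digest.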