1

Is the contents of the .Net MemoryStream Object secure in Memory?

We have large files that are downloaded from a secure site directly into MemoryStream Objects that contain PCI information. The concern is that the data in the MemoryStream object itself maybe exposed in the system memory to RAM scraping attacks.

William Plander
  • 5
  • 3
  • 3
    content is not secured, you have to encrypt it by yourself – Iłya Bursov Apr 09 '15 at 04:35
  • It's not. It wasn't designed to be secure. – Mitch Wheat Apr 09 '15 at 04:35
  • some suggestion for .Net Secure Memory structures http://stackoverflow.com/q/1166952/1004522 – Ebad Masood Apr 09 '15 at 04:51
  • 2
    Is there anything at all in the description of `MemoryStream` that leads you to believe it has any security functionality at all? Anything at all? – John Saunders Apr 09 '15 at 05:36
  • @Lashane And then you have to protect two pieces of data that are in memory: the encrypted data and the key. You are only splitting the problem (unless you are using "pure" public key encryption and you only have the public key, without having the private key) – xanatos Apr 09 '15 at 07:36
  • The purpose of this application is to scrub the PCI information upon arrival from the SFTP site. But if the initial MemoryStream that the file is downloaded to is exposed, it will defeat the purpose. Even if the file is loaded directly into an encrypted MemoryStream it will still need to be unencrypted in the application to handle the scrubbing process. The whole process takes barely a second or two before the MemoryStream is created and destroyed, but that may not be good enough to fend off possible attackers. – William Plander Apr 09 '15 at 12:32
  • @WilliamPlander then initial pci information on ftp should be encrypted – Iłya Bursov Apr 09 '15 at 18:33

0 Answers0