I'm wondering, if there is some good implementation of some kind of counterpart of the C# SecureString class?
I already found some stuff, using XOR operations on bytes, but that seems too vulnerable to me.
Asked
Active
Viewed 2,648 times
1 Answers
3
At least the C++ crypto libraries crypto++ and botan both provide helpers for 'secure strings'. There are probably more libraries with that functionality out there.
In crypto++ you could for example use:
#include <string>
#include <cryptopp/secblock.h>
using secure_string = std::basic_string<char, std::char_traits<char>, CryptoPP::AllocatorWithCleanup<char>>;
Any secure_string you create afterwards, (which are declared basically just like any other regular std::string, i.e. secure_string str("secret");), will (in practise*) get their memory zeroed out on destruction.
Botan has a secure allocator, that you would use the same way the crypto++ allocator is used in the previous example, which also zeroes out the memory on free.
There is also a very similar question here on SO, that covers the topic on how you would implement your own secure allocator, if, for some reason, you don't want to include external libraries.
* std::string wasn't designed with security in mind. I recommend reading the linked answer and related material on how and why it may fail.
nada
- 2,109
- 2
- 16
- 23