0

Very closely related: How to protect strings without SecureString?

Also closely related: When would I need a SecureString in .NET?

Extremely closely related (OP there is trying to achieve something very similar): C# & WPF - Using SecureString for a client-side HTTP API password

The .NET Framework has class called SecureString. However, even Microsoft no longer recommends its use for new development. According to the first linked Q&A, at least one reason for that is that the string will be in memory in plaintext anyway for at least some amount of time (even if it's a very short amount of time). At least one answer also extended the argument that, if they have access to the server's memory anyway, in practice security's probably shot anyway, so it won't help you. (The second linked Q&A implies that there was even discussion of dropping this from .NET Core entirely).

That being said, Microsoft's documentation on SecureString does not recommend a replacement, and the consensus on the linked Q&A seems to be that that kind of a measure wouldn't be all that useful anyway.

My application, which is an ASP.NET Core application, makes extensive use of API Calls to an external vendor using the HttpClient class. The generally-recommended best practice for HttpClient is to use a single instance rather than creating a new instance for each call.

However, our vendor requires that all API Calls include our API Key as a header with a specific name. I currently store the key securely, retrieve it in Startup.cs, and add it to our HttpClient instance's headers.

Unfortunately, this means that my API Key will be kept in plaintext in memory for the entire lifecycle of the application. I find this especially troubling for a web application on a server; even though the server is maintained by corporate IT, I've always been taught to treat even corporate networks as semi-hostile environments and not to rely purely on corporate firewalls for application security in such cases.

Does Microsoft have a recommended best practice for cases like this? Is this a potential exception to their recommendation against using SecureString? (Exactly how that would work is a separate question). Or is the answer on the other Q&A really correct in saying that I shouldn't be worried about plaintext strings living in memory like this?

Note: Depending on responses to this question, I may post a follow-up question about whether it's even possible to use something like SecureString as part of HttpClient headers. Or would I have to do something tricky like populate the header right before using it and then remove it from memory right afterwards? (That would create an absolute nightmare for concurrent calls though). If people think that I should do something like this, I would be glad to create a new question for that.

EJoshuaS - Stand with Ukraine
  • 11,977
  • 56
  • 49
  • 78
  • 1
    That's just half of the truth. Thing is, `SecureString` is encrypted on windows, on unix it's not. And once released the buffer containing it is released rather quickly (plus you could use unsafe code to zero out a string even w/o it). The actual problem with `SecureString` is, that there is no easy way to construct it. You only have parameterless constructor (for constructing char by char) or via a `char*` or by another `SecureString`. Classical use case was to deserialize it from configuration file directly into it or char by char from UI. – Tseng Mar 07 '20 at 04:09
  • 1
    `*.App.Config` supported encrypted strings/secrets, but the feature heavily relied on having specific certificates installed on the local machines certificate store (for encrypting/decrypting) which doesn't really well translate to Linux and docker Containers, so that feature isn't there on Non-Windwos OS'. If you really worry about it, you can create a string extension method that uses unsafe code to obtain a pointer and zero out the memory where the password was contained, you just need be really sure you never access that string again. – Tseng Mar 07 '20 at 04:12
  • 1
    Zeroing out strings doesn't really guarantee you that the secret won't be somewhere else (i.e. if some concatinations have been done somewhere or copies of the string were made such as `string newString = new string(oldString)`. But imho its more trouble than its worth, better protect yourserver from people geetting there. You still gotta be careful when making dumps and sending these (to external companies for debugging) since these may appear in the dumps – Tseng Mar 07 '20 at 04:14
  • @Tseng Can you add this as an answer so that I can upvote it? – EJoshuaS - Stand with Ukraine Oct 21 '20 at 14:36

1 Answers1

6

You are being WAY too paranoid.

Firstly, if a hacker gets root access to your web server, you have WAY bigger problems than your super-secret web app credentials being stolen. Way, way, way bigger problems. Once the hackers are on your side of the airtight hatchway, it is game over.

Secondly, once your infosec team detects the intrusion (if they don't, again, you've got WAY bigger problems) they're going to tell you and the first thing you're going to do is change every key and password you know of.

Thirdly, if a hacker does get root access to your webserver, their first thought isn't going to be "let's take a memory dump for later analysis". A dumpfile is rather large (will take time to transfer over the wire, and the network traffic might well be noticed) and (at least on Windows) hangs the process until it's complete (so you'd notice your web app was unresponsive) - both of which are likely to raise some red flags.

No, hackers are there to grab as much valuable information in the least amount of time, because they know their access could be discovered at any second. So they're going to go for the low-hanging fruit first - usernames and passwords. Then they'll move on to trying to find out what's connected to that server, and since your DB credentials are likely in a config file on that server, they will almost certainly switch their attentions to that far more interesting target.

So all things considered, your API key is pretty darn unlikely to be compromised - and even if it is, it won't be because of something you did or didn't do. There are far more productive ways of focusing your time than trying to secure something that already is (or should be) incredibly secure. And, at the end of the day, no matter how many layers of security you put in place... that API or SSL key is going to be raw, in memory, at some stage.

Ian Kemp
  • 28,293
  • 19
  • 112
  • 138