
The Rfc2898DeriveBytes class derives a new cryptographic key from a given string password. As I understand it, this is supposed to increase the security of the given keys as you never have to store the key permanently - it can always be derived from a value known to the user. However, since it only takes a string value as input the original password stays around in memory until it's GC'd. It seems to me that this is a potential security issue just as dangerous as storing the key itself on the system. The .NET framework provides a SecureString implementation to protect the password in memory. But Rfc2898DeriveBytes does not accept a secure string.

Is there any way to generate a crypto key from a SecureString?

Paul Alexander
  • Dup: http://stackoverflow.com/questions/9734043/rfc2898derivebytes-pbkdf2-securestring-is-it-possible-to-use-a-secure-string – Maarten Bodewes Mar 27 '12 at 01:09
  • Or, to answer the question: if there is no platform API that does the derivation, it is useless to create `SecureString` instances. – Maarten Bodewes Mar 27 '12 at 01:11
  • Yep - it's an exact dupe. Wonder why it didn't come up when I searched for it on SO. Rfc2898DeriveBytes is a rare enough class I would expect it to have found that :( – Paul Alexander Mar 27 '12 at 03:54
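As an added example (not code from the question or any answer on this page): the `byte[]` overload of `Rfc2898DeriveBytes` makes it possible to derive a key from a `SecureString` without ever creating a managed `string`. The class name `SecureKeyDerivation`, the demo password and the iteration count are assumptions; the transcoding to UTF-8 mirrors what the `string` overload does internally, so the derived key matches one derived from the equivalent plain string.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class SecureKeyDerivation
{
    // PBKDF2 over a SecureString without materialising a managed string: the decrypted
    // password lives only in unmanaged memory and pinned managed buffers, all zeroed on exit.
    public static byte[] DeriveKey(SecureString password, byte[] salt, int iterations, int keyLength)
    {
        IntPtr unmanaged = IntPtr.Zero;
        char[] chars = new char[password.Length];
        GCHandle charPin = GCHandle.Alloc(chars, GCHandleType.Pinned); // GC must not leave copies behind
        byte[] bytes = null;
        GCHandle bytePin = default(GCHandle);
        try
        {
            // SecureString only exposes its content as UTF-16 in unmanaged memory.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            Marshal.Copy(unmanaged, chars, 0, chars.Length);
            // The string overload encodes the password as UTF-8; do the same for identical keys.
            bytes = new byte[Encoding.UTF8.GetByteCount(chars)];
            bytePin = GCHandle.Alloc(bytes, GCHandleType.Pinned);
            Encoding.UTF8.GetBytes(chars, 0, chars.Length, bytes, 0);
            // The HMAC inside Rfc2898DeriveBytes holds the password as its key; Dispose releases
            // that state (how thoroughly it is cleared depends on the runtime version).
            using (var kdf = new Rfc2898DeriveBytes(bytes, salt, iterations))
            {
                return kdf.GetBytes(keyLength);
            }
        }
        finally
        {
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
            Array.Clear(chars, 0, chars.Length);
            charPin.Free();
            if (bytes != null) Array.Clear(bytes, 0, bytes.Length);
            if (bytePin.IsAllocated) bytePin.Free();
        }
    }

    static void Main()
    {
        var pw = new SecureString();
        foreach (char c in "correct horse") pw.AppendChar(c); // constructed demo password
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Console.WriteLine(BitConverter.ToString(DeriveKey(pw, salt, 100000, 32)));
    }
}
```

The returned key is itself an ordinary `byte[]`, so the caller should clear it once it has been handed to the cipher; and the `SecureString` only helps if the password was fed into it character by character rather than from a `string` that already sits on the managed heap.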

1 Answer


What's wrong with just using SecureString.ToString() when initializing the crypto class? When the method ends, the return value of .ToString() won't be accessible anymore, right?

Edit: in other words, something like

var crypto = new Rfc...(secureString.ToString());
hehewaffles
    For one, that wouldn't solve his problem, as the `string` instance still may not be GC'd for an undefined amount of time. For two, no doubt he does not want to use `System.Security.SecureString` as the password every time (since `SecureString` does not provide an overload of `ToString`). –  Mar 27 '12 at 01:45
  • The System.Security.SecureString.ToString method simply returns "System.Security.SecureString" no matter which string is actually stored in it. So the ToString method **cannot** be used to get the actual value of the SecureString instance. The System.Security.SecureString class does not override the Object.ToString method, so when you call ToString on a System.Security.SecureString object you are actually calling Object.ToString which simply returns the name of the Type on which it was called ("return this.GetType().ToString();"). – Michael Geller Feb 23 '17 at 16:47