How to convert a SecureString into an encrypted String in a secure manner?
08-28-2007, 06:28 AM
<p>I'm designing a system for Windows-initiated Single Sign-On against RACF.</p>
<p>I keep my RACF passwords in fields of the new .NET 2.0 type System.Security.SecureString. I need to store these passwords in a SQL Server 2005 database between user sessions. Hence, I need to convert the SecureString into an encrypted string.</p>
<p>I could of course convert the SecureString into a string before encryption, but this would compromise the security of the system.</p>
<p>My suggestion is to read the bytes of the SecureString byte by byte, writing each byte directly into a CryptoStream like this:</p>
<pre>
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

private static string SecurePassword2EncryptedPassword(SecureString password)
{
    // GetCryptoAlg() is the poster's own helper; it is not shown in the post.
    SymmetricAlgorithm cryptoAlg = GetCryptoAlg();
    ICryptoTransform encryptor = cryptoAlg.CreateEncryptor();

    MemoryStream outStream = new MemoryStream();
    using (CryptoStream encryptStream = new CryptoStream(outStream, encryptor, CryptoStreamMode.Write))
    {
        // Copy the SecureString into an unmanaged BSTR (UTF-16LE) that can be wiped afterwards.
        IntPtr bstr = Marshal.SecureStringToBSTR(password);
        try
        {
            byte b;
            // Step 2 bytes at a time: only the low byte of each UTF-16 code unit is read.
            for (int offset = 0; offset &lt; password.Length * 2; offset = offset + 2)
            {
                b = Marshal.ReadByte(bstr, offset);   // highlighted in the original post
                encryptStream.WriteByte(b);           // highlighted in the original post
            }
            b = 0;   // clear the last plaintext byte held in the local

            encryptStream.FlushFinalBlock();
        }
        finally
        {
            Marshal.ZeroFreeBSTR(bstr);   // zero and free the unmanaged copy
        }

        return Convert.ToBase64String(outStream.ToArray());
    }
}
</pre>
<p>Is my way <i>the</i> secure way of converting a SecureString into an encrypted string? Or should I do something else?</p>
<p>Best regards</p>
<p>Michael Brandt Lassen</p>
<p>3F, Denmark</p>
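<p>The following is an added example, not code from the post above or from its author. It carries the same idea (feed the SecureString's bytes straight from an unmanaged BSTR into a CryptoStream, then zero the BSTR) through to a complete round trip: it reads both bytes of every UTF-16 code unit rather than only the low byte, prefixes a fresh IV to each stored value, disposes the cipher objects, and decrypts back into a new SecureString without ever forming a managed System.String of the password. The class and method names (SecureStringCrypto, Encrypt, Decrypt) are mine, and the 32-byte AES key is assumed to come from a separate protected store that the caller manages.</p>

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;

// Added example (not from the original post). Assumption: 'key' is a 32-byte AES
// key the caller loads from a separate protected store; it is not stored here.
public static class SecureStringCrypto
{
    // Encrypts every UTF-16 code unit of 'password' (both bytes of each unit, so
    // characters above U+00FF survive) and returns Base64(IV || ciphertext).
    public static string Encrypt(SecureString password, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();   // fresh IV for every stored value
            using (MemoryStream outStream = new MemoryStream())
            {
                outStream.Write(aes.IV, 0, aes.IV.Length);   // IV is not secret; prefix it
                using (ICryptoTransform encryptor = aes.CreateEncryptor())
                using (CryptoStream cs = new CryptoStream(outStream, encryptor, CryptoStreamMode.Write))
                {
                    IntPtr bstr = IntPtr.Zero;
                    try
                    {
                        bstr = Marshal.SecureStringToBSTR(password);   // unmanaged, wipeable copy
                        int byteLength = password.Length * 2;          // 2 bytes per UTF-16 unit
                        for (int i = 0; i < byteLength; i++)
                        {
                            cs.WriteByte(Marshal.ReadByte(bstr, i));
                        }
                        // CryptoStream holds at most one cipher block of plaintext in a managed
                        // buffer; FlushFinalBlock encrypts it and Dispose clears the buffer.
                        cs.FlushFinalBlock();
                    }
                    finally
                    {
                        if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);   // zero, then free
                    }
                }
                return Convert.ToBase64String(outStream.ToArray());   // valid on a closed MemoryStream
            }
        }
    }

    // Reverses Encrypt: the decrypted bytes land in one managed array that is wiped
    // in 'finally', and each UTF-16 code unit is appended straight into a SecureString.
    public static SecureString Decrypt(string base64Blob, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] plain = null;
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            if (blob.Length < iv.Length) throw new CryptographicException("blob too short to hold an IV");
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            try
            {
                using (ICryptoTransform decryptor = aes.CreateDecryptor())
                {
                    plain = decryptor.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                }
                SecureString result = new SecureString();
                for (int i = 0; i + 1 < plain.Length; i += 2)
                {
                    // BSTR/UTF-16LE: low byte first, high byte second
                    result.AppendChar((char)(plain[i] | (plain[i + 1] << 8)));
                }
                result.MakeReadOnly();
                return result;
            }
            finally
            {
                if (plain != null) Array.Clear(plain, 0, plain.Length);   // wipe managed plaintext
            }
        }
    }

    // Minimal self-check with a constructed sample password and a throwaway random key.
    public static void Main()
    {
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        SecureString pw = new SecureString();
        foreach (char c in "pa55-wørd") pw.AppendChar(c);   // constructed sample; 'ø' exercises the high byte
        pw.MakeReadOnly();
        string stored = Encrypt(pw, key);
        using (SecureString back = Decrypt(stored, key))
        {
            Console.WriteLine(back.Length == pw.Length ? "round-trip OK: " + stored : "length mismatch");
        }
        Array.Clear(key, 0, key.Length);
    }
}
```

<p>Compile it as a console application against .NET 2.0 or later. Two caveats a reviewer would raise on this approach as a whole: once the value is stored, the AES key, not the SecureString, is the secret that decides the security of the database column, so its protection (for example DPAPI or a key store) matters more than the byte-by-byte copy; and AES-CBC on its own does not detect modification of the stored blob, so if tampering with the database row is part of the threat model, an HMAC over IV and ciphertext should be stored and verified before decrypting.</p>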
</body>
</html>