I'm designing a system for Windows initiated Single Sign-On against
RACF.

I keep my RACF-passwords in fields of the new .net 2.0 type
System.Security.SecureString. I need to store these passwords in a SQL
server 2005 database between user sessions. Hence, I need to convert
the SecureString into an encrypted string.

I could of course convert the SecureString into a string before
encryption, but this would compromise the security of the system.

My suggestion is to read the bytes of the SecureString byte by byte,
writing the each byte directly into a CryptoStream like this:

private static string SecurePassword2EncryptedPassword(SecureString
password)
{

SymmetricAlgorithm cryptoAlg = GetCryptoAlg();
ICryptoTransform encryptor = cryptoAlg.CreateEncryptor();

MemoryStream outStream = new MemoryStream();
using (CryptoStream encryptStream = new CryptoStream(outStream,
encryptor, CryptoStreamMode.Write))
{

IntPtr bstr = Marshal.SecureStringToBSTR(password);

try
{
byte b;
for (int ofset = 0; ofset < password.Length * 2;
ofset = ofset + 2)
{
b = Marshal.ReadByte(bstr, ofset);
encryptStream.WriteByte(b);

}
b = 0;

encryptStream.FlushFinalBlock();

}
finally
{
Marshal.ZeroFreeBSTR(bstr);
}


return Convert.ToBase64String(outStream.ToArray());

}
}

Is my way, the secure way to converte a SecureString into an encrypted
string? Or should I do something else?

Best regards

Michael Brandt Lassen
3F, Denmark