This web site uses cookies. By using the site you accept the cookie policy.This message is for compliance with the UK ICO law.

.NET 2.0

Creating Secure Strings

Highly confidential information, such as passwords or banking details, should be encrypted in memory during use to reduce the risk that it may be revealed to malware or forensic examination. The SecureString class provides this encryption automatically.

Confidential Data and Strings

Sensitive information, such as user credentials, passwords or banking and credit card details, are a desirable target for malware. To reduce the risk that this information is revealed, it should not be held in an unencrypted format unless absolutely necessary. If decrypted for an operation, the clear text should be removed from memory as soon as the process is complete. This minimises the window of opportunity of attack.

The String class does not lend itself to holding this type of critical information. Strings are not encrypted and cannot be removed from memory programmatically. Attempting to overwrite a string actually creates a new instance, leaving the previous value in memory. You cannot predict when the garbage collector will remove this information. Additionally, it is possible that a string be copied in memory, increasing the risk that its contents could be found.

The .NET framework version 2.0 introduced a new class, named "SecureString", to address these risks. The SecureString class holds confidential information in an encrypted format in memory and allows that information to be cleared. Unlike a standard string, the contents are mutable and are held at a fixed location in memory, allowing many changes without creating copies of the data. Additionally, when a SecureString is disposed, either manually or during garbage collection, the contents are cleared from memory. Disposal is guaranteed for SecureStrings, even if the thread terminates abnormally.

To keep the information within a SecureString safe, there are no methods or properties of the class that allow a clear text version of the contained information to be obtained. There are ways to convert a SecureString into a standard string. However, this introduces a security threat so is inadvisable. SecureStrings can be used to pass information to some .NET framework classes without compromising security. They can also be marshalled into basic strings (BSTR's) that are unencrypted but can be zeroed in memory once used.

You cannot create a SecureString from an existing standard string. Again, this would be a security issue, as the original string would hold the information in an unencrypted form. Instead, SecureStrings are generated character-by-character using several provided members.

Using SecureStrings

The SecureString class includes a number of methods that allow the contents to be built up, character-by-character. The key methods are as follows:

  • AppendChar. Adds a single character to the end of the SecureString. This is possibly the most common method used for building SecureStrings and is used in the sample code below. The method accepts a single char parameter.
  • InsertAt. Inserts a character at a specified location within the SecureString. The first argument is an integer specifying the position. The second parameter is the character to insert. Inserting at position zero places the new character at the start of the string. If the location value is the same as the SecureString's length, the character is appended to the end of the string. Existing characters are relocated to allow insertion.
  • SetAt. This method is similar to InsertAt. However, the existing character at the specified location is overwritten with the new character.
  • RemoveAt. This member accepts a single integer parameter specifying the location of a character to be removed from the string.
  • Clear. The Clear method removes the contents of the SecureString.

Two other members are of special interest. The MakeReadOnly method, which has no parameters, makes the SecureString immutable. Any attempts to modify a read-only SecureString cause an exception to be thrown. You can check if a SecureString is set as read-only by examining the Boolean IsReadOnly property.

Creating a SecureString

The remainder of this article provides sample code for working with SecureStrings. To create the examples, start a new Console Application project and add the following using directive to the generated class.

using System.Security;

The most common way to populate a SecureString is using the AppendChar method. You can try this by adding the following code to the Main method of the project. This creates a new SecureString containing the text, "BlackWasp".

var ss = new SecureString();
15 June 2010