securestring

Hashing a SecureString in .NET

冷暖自知 submitted on 2019-11-27 07:16:56
In .NET, we have the SecureString class, which is all very well until you come to try and use it, as to (for example) hash the string, you need the plaintext. I've had a go here at writing a function that will hash a SecureString, given a hash function that takes a byte array and outputs a byte array.

    private static byte[] HashSecureString(SecureString ss, Func<byte[], byte[]> hash)
    {
        // Convert the SecureString to a BSTR
        IntPtr bstr = Marshal.SecureStringToBSTR(ss);

        // BSTR contains the length of the string in bytes in an
        // Int32 stored in the 4 bytes prior to the BSTR pointer
        int length =

Is there any benefit to using SecureString in ASP.NET?

一世执手 submitted on 2019-11-27 04:14:16
Question: If I understand correctly, this is for keeping plain text out of memory, so that the app is secure against esoteric attacks on memory, the garbage heap, or memory paged to disk. The SecureString is fed unmanaged bytes and consumed one unmanaged byte at a time--then the string is erased from memory. (Correct me if I'm way off!) In ASP.NET, the secret is collected in a webform, which posts back in HTTPS. But then the Request object turns all the request values from the form into name value pairs

Hashing a SecureString in .NET

China☆狼群 submitted on 2019-11-27 03:59:21
Question: In .NET, we have the SecureString class, which is all very well until you come to try and use it, as to (for example) hash the string, you need the plaintext. I've had a go here at writing a function that will hash a SecureString, given a hash function that takes a byte array and outputs a byte array.

    private static byte[] HashSecureString(SecureString ss, Func<byte[], byte[]> hash)
    {
        // Convert the SecureString to a BSTR
        IntPtr bstr = Marshal.SecureStringToBSTR(ss);

        // BSTR contains the

How is SecureString “encrypted” and still usable?

非 Y 不嫁゛ submitted on 2019-11-27 01:14:16
Question: According to MSDN, SecureString contents are encrypted for additional safety so that if the program is swapped to disk the string contents can't be sniffed. How is such encryption possible, I wonder? The algorithm would be fixed and therefore either well-known or deducible (say one of seven widely used in industry algorithms) and there must be a key somewhere in the program. So the attacker could fetch the encrypted string, fetch the key and decrypt the data. How can such encryption be useful?

Secure random token in Node.js

馋奶兔 submitted on 2019-11-26 22:14:12
Question: In this question Erik needs to generate a secure random token in Node.js. There's the method crypto.randomBytes that generates a random Buffer. However, the base64 encoding in node is not url-safe, it includes / and + instead of - and _ . Therefore, the easiest way to generate such a token I've found is

    require('crypto').randomBytes(48, function(ex, buf) {
        token = buf.toString('base64').replace(/\//g,'_').replace(/\+/g,'-');
    });

Is there a more elegant way?

Answer 1: Try crypto.randomBytes():

Convert a secure string to plain text

二次信任 submitted on 2019-11-26 11:59:46
Question: I'm working in PowerShell and I have code that successfully converts a user entered password into plain text:

    $SecurePassword = Read-Host -AsSecureString "Enter password" | convertfrom-securestring | out-file C:\Users\tmarsh\Documents\securePassword.txt

I've tried several ways to convert it back, but none of them seem to work properly. Most recently, I've tried with the following:

    $PlainPassword = Get-Content C:\Users\tmarsh\Documents\securePassword.txt
    #convert the

C# SecureString Question

戏子无情 submitted on 2019-11-26 10:28:34
Question: Is there any way to get the value of a SecureString without compromising security? For example, in the code below as soon as you do PtrToStringBSTR the string is no longer secure because strings are immutable and garbage collection is non-deterministic for strings.

    IntPtr ptr = Marshal.SecureStringToBSTR(SecureString object);
    string value = Marshal.PtrToStringBSTR(ptr);

What if there were a way to get a char[] or byte[] of the unmanaged BSTR string? Would that mean garbage collection is more