473,775 Members | 2,576 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Getting password for encryption without storing it in the memory.

Hi all,
I want to create an encryption program and started thinking about not
storing sensitive information in the memory since I guess someone
might steal my computer an scan my memory.

So I wrote this method for getting a password from the console and
converting it to an array of bytes for later use in the encryption
algorithm.

The weak point as I see it is the storage of the password - it will be
stored in the memory as an array of chars/bytes. I fill it with junk
but still: what worries me is what List.ToArray() does - is a new
instance created and then lost somewhere? (see sample below)

* Is there a better way to do this?
* Is the textbox with stars instead of plain text safe (for GUI use
instead of console use)?

Thanks,

Per Erik Strandberg
Linear or Nonlinear optimization in .NET?
see http://tomopt.com/tomnet/

-----

/// <summary>
/// Generate hash value (key) from the console (from the password).
/// </summary>
/// <param name="Message"> Message to prompt</param>
/// <param name="one">True if it is the first key, false if second.</
param>
/// <returns>The key: a byte array of length 16 or 32.</returns>
public static byte[] GetKeyFromConso le(string Message, bool one)
{
// we use bytes/chars here - pretty bad since ĺäö will get lost
List<bytepass = new List<byte>();

// prompt
Console.Write(" {0}>", Message);

// read one key and store in list
char c = Console.ReadKey (true).KeyChar;
while (!(c == Environment.New Line[0] || c == '\n'))
{
Console.Write(' *');
pass.Add((byte) c);
c = Console.ReadKey (true).KeyChar;
}
Console.WriteLi ne();

byte[] b;
// get hash value of the keypunches
if (one)
{
// first key using sha
// or some secret native hash function
SHA256Managed sha = new SHA256Managed() ;
b = sha.ComputeHash (pass.ToArray() );
sha.Clear();
}
else
{
// second key using md5
// or some secret native hash function
MD5CryptoServic eProvider md = new MD5CryptoServic eProvider();
b = md.ComputeHash( pass.ToArray()) ;
md.Clear();
}

// clear temp char and chararr
c = '*';
for (int i = 0; i < pass.Count; i++)
pass[i] = (byte)'*';

// return hashvalue
return b;
}

Feb 23 '07 #1
5 2867
On 22 Feb 2007 23:12:52 -0800, "per9000" <pe*****@gmail. comwrote:
>Hi all,
I want to create an encryption program and started thinking about not
storing sensitive information in the memory since I guess someone
might steal my computer an scan my memory.

So I wrote this method for getting a password from the console and
converting it to an array of bytes for later use in the encryption
algorithm.

The weak point as I see it is the storage of the password - it will be
stored in the memory as an array of chars/bytes. I fill it with junk
but still: what worries me is what List.ToArray() does - is a new
instance created and then lost somewhere? (see sample below)

* Is there a better way to do this?
* Is the textbox with stars instead of plain text safe (for GUI use
instead of console use)?

Thanks,

Per Erik Strandberg
Linear or Nonlinear optimization in .NET?
see http://tomopt.com/tomnet/
This is not an uncommon problem. Unfortunately is is a difficult one
to solve in an operating system that is not built with security on
mind - there is no way to clear the swapfile for instance.

You might like to look at System.Security .SecureString which solves
some of the problems - it is kept encrypted in memory for instance.
The main problem with SecureString is that so few other functions will
accept it as a parameter. For instance I have not found a way to pass
one directly to SHA256 to get a hash value.

Sometimes it is easier to work with System.String and to explicitly
clear it yourself in unsafe code:

unsafe void OverwriteString (string text) {
const char overwriteChar = 'X';
fixed (char* cp = text) {
for (int i = 0; i < text.Length; ++i) {
cp[i] = overwriteChar;
}
}
}

Alternatively you can work with arrays of bytes which are much easier
to clear yourself without having to drop into unsafe code.

rossum

Feb 23 '07 #2
rossum <ro******@coldm ail.comwrote:

<snip>
Sometimes it is easier to work with System.String and to explicitly
clear it yourself in unsafe code:

unsafe void OverwriteString (string text) {
const char overwriteChar = 'X';
fixed (char* cp = text) {
for (int i = 0; i < text.Length; ++i) {
cp[i] = overwriteChar;
}
}
}
Just make sure you never call OverwriteString with a reference which is
interned - otherwise every string literal with the same value will be
clobbered!

--
Jon Skeet - <sk***@pobox.co m>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
Feb 25 '07 #3
On Sun, 25 Feb 2007 12:17:16 -0000, Jon Skeet [C# MVP]
<sk***@pobox.co mwrote:
>rossum <ro******@coldm ail.comwrote:

<snip>
>Sometimes it is easier to work with System.String and to explicitly
clear it yourself in unsafe code:

unsafe void OverwriteString (string text) {
const char overwriteChar = 'X';
fixed (char* cp = text) {
for (int i = 0; i < text.Length; ++i) {
cp[i] = overwriteChar;
}
}
}

Just make sure you never call OverwriteString with a reference which is
interned - otherwise every string literal with the same value will be
clobbered!
Agreed. Things would be a lot easier if SecureString were more
practical to use, then cludges like my OverwriteString would not be
needed. It is frustrating that SecureString provides securityt, but
at the cost of almost all of its usability.

rossum

Feb 25 '07 #4
Hi,

SecureString is something new to me - I will make sure I look into it.
Having the string encrypted sounds excellent - I had no idea .NET had
it build it.

Thanks,
Per

-----

Per Erik Strandberg
Linear or Nonlinear optimization in .NET?
see http://tomopt.com/tomnet/

YAB?
see http://www.pererikstrandberg.se/blog/
On 25 Feb, 14:29, rossum <rossu...@coldm ail.comwrote:
On Sun, 25 Feb 2007 12:17:16 -0000, Jon Skeet [C# MVP]

<s...@pobox.com wrote:
rossum <rossu...@coldm ail.comwrote:
<snip>
Sometimes it is easier to work with System.String and to explicitly
clear it yourself in unsafe code:
unsafe void OverwriteString (string text) {
const char overwriteChar = 'X';
fixed (char* cp = text) {
for (int i = 0; i < text.Length; ++i) {
cp[i] = overwriteChar;
}
}
}
Just make sure you never call OverwriteString with a reference which is
interned - otherwise every string literal with the same value will be
clobbered!

Agreed. Things would be a lot easier if SecureString were more
practical to use, then cludges like my OverwriteString would not be
needed. It is frustrating that SecureString provides securityt, but
at the cost of almost all of its usability.

rossum

Feb 26 '07 #5
Just for the record:
A beta of the encryption software I built is found in my blog
http://www.pererikstrandberg.se/blog...age=TextToTxet or
www.txet.org, thanks for your inputs.

/Per
Geequs Suedecius
www.pererikstrandberg.se

On 23 Feb, 08:12, "per9000" <per9...@gmail. comwrote:
Hi all,
I want to create an encryption program and started thinking about not
storing sensitive information in the memory since I guess someone
might steal my computer an scan my memory.

So I wrote this method for getting a password from the console and
converting it to an array of bytes for later use in the encryption
algorithm.

The weak point as I see it is the storage of the password - it will be
stored in the memory as an array of chars/bytes. I fill it with junk
but still: what worries me is what List.ToArray() does - is a new
instance created and then lost somewhere? (see sample below)

* Is there a better way to do this?
* Is the textbox with stars instead of plain text safe (for GUI use
instead of console use)?

Thanks,

Per Erik Strandberg
Linear or Nonlinear optimization in .NET?
seehttp://tomopt.com/tomnet/

-----

/// <summary>
/// Generate hash value (key) from the console (from the password).
/// </summary>
/// <param name="Message"> Message to prompt</param>
/// <param name="one">True if it is the first key, false if second.</
param>
/// <returns>The key: a byte array of length 16 or 32.</returns>
public static byte[] GetKeyFromConso le(string Message, bool one)
{
// we use bytes/chars here - pretty bad since ĺäö will get lost
List<bytepass = new List<byte>();

// prompt
Console.Write(" {0}>", Message);

// read one key and store in list
char c = Console.ReadKey (true).KeyChar;
while (!(c == Environment.New Line[0] || c == '\n'))
{
Console.Write(' *');
pass.Add((byte) c);
c = Console.ReadKey (true).KeyChar;
}
Console.WriteLi ne();

byte[] b;

// get hash value of the keypunches
if (one)
{
// first key using sha
// or some secret native hash function
SHA256Managed sha = new SHA256Managed() ;
b = sha.ComputeHash (pass.ToArray() );
sha.Clear();
}
else
{
// second key using md5
// or some secret native hash function
MD5CryptoServic eProvider md = new MD5CryptoServic eProvider();
b = md.ComputeHash( pass.ToArray()) ;
md.Clear();
}

// clear temp char and chararr
c = '*';
for (int i = 0; i < pass.Count; i++)
pass[i] = (byte)'*';

// return hashvalue
return b;
}

Mar 5 '07 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
12517
MD5 Password encryption across linux and windows
by: Ronald Evers | last post by:
Hey all, I want to store passwords in a postgresql database. Currently I use the MD5Password class below and I've been developing on windows. I ran into problems when running my application on linux. Linux and Windows, with same JDK's (1.5.0), create different encrypted password strings. So when testing a password created on one platform on the other, it will fail :(
Java
5
4514
Where/How to Securely Store ID and Password?
by: Guadala Harry | last post by:
What are my options for *securely* storing/retrieving the ID and password used by an ASP.NET application for accessing a SQL Server (using SQL Server authentication)? Please note that this ID and password would be different than the one the user enters for ASP.NET forms authentication. The ID/password in question is used by the application, itself, for accessing the SQL Server. Thanks in advance.
ASP.NET
9
1950
Check Network Password
by: henrycortezwu | last post by:
Hi all, For example you have 2 text boxes: tbxUsername = Environment.UserName.ToString tbxPassword = ******** How do you check if the password entered by the user matches the same network(windows) password of ther user? Thanks, Henry :)
Visual Basic .NET
10
668
How to save PASSWORD in SQL Server with bit or binary type data
by: Niyazi | last post by:
Hi, I developed an application and I am using SQL Server 2000 developer edition. I create my database and I have also created tbl_USER table. I have an ID, RealName, UserName, and UserPassword fields. I want to save UserName and UserPassword using bit or binary data type with VB.NET. Then ofcourse I have to retrive them to compare it later and if I find match than user can enter the MAIN forum.
.NET Framework
12
4171
Index for username/password
by: Cecil | last post by:
Does this make sense for a logon table: CREATE TABLE Logon ( ID INT NOT NULL IDENTITY PRIMARY KEY, name VARCHAR(15) NOT NULL, password VARCHAR(15) NOT NULL ) GO CREATE UNIQUE INDEX IX_Logon_Name ON Logon(name)
Microsoft SQL Server
3
3769
Password Protect
by: Miro | last post by:
Why Password protect an MDB when someone can google and get a hack? Wondering if anyone else has thought of this and just said "oh well"... I plan to password protect an MDB where I have some system/program variables and data. But looking in google, there are plenty of programs a user can download to hack and crack that password.
Visual Basic .NET
4
4162
Secure password storage
by: Alvaro G. Vicario | last post by:
I’m writing a web application that needs to keep passwords in a database. These passwords are for third-party services and are different from the regular login passwords. I don’t like storing this sensitive info as plain text and one-way hashing is not an option because I need the actual passwords. I’ve done some quick research and it seems that symmetric encryption algorithms (blowfish, AES…) provide a reasonable solution—I...
PHP
3
1924
How to use GET method to encrypted the password to transfer?
by: phforum | last post by:
I have no ideas to encrypt the user input password from the text box.....
PHP
22
5822
Password protect access DB?
by: teejayem | last post by:
Hi, I am new to programming with databases and was wanting some help. Is there any way to password protect an access database and access sent sql commands to it via vb.net code? Any help would be much appreciated. Thanks in advanced.
Visual Basic .NET
0
9454
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
10268
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
1
10048
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8939
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
7464
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5360
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5486
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
4017
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
3
2853
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us