On Thu, 22 Mar 2007 23:47:10 -0500, <ne*********@hotmail.com> wrote:
>I've written code for encrypting files, but I can't seem to find
>examples where the password is secure from user input to wiping it from
>memory after decryption. Is this actually possible in C#? Sorry,
>but I've tried msdn to google.

This is a very difficult question on any computer or language that is
not designed for security from the start. For instance you have no
control on when your program, including the password, is swapped to
disk by the paging system.

System.Security.SecureString is of some use in that its contents are
automatically encrypted. Another thing that you might need to do is
to explicitly wipe a String:
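
    // Overwrites the string's characters in place, so no copy is made.
    // Must be compiled with unsafe code enabled (/unsafe).
    public static unsafe void OverwriteString(string text) {
        const char overwriteChar = 'X';
        fixed (char* cp = text) {   // pin the string while it is overwritten
            for (int i = 0; i < text.Length; ++i) {
                cp[i] = overwriteChar;
            } // end for
        } // end fixed
    } // end OverwriteString()
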
Be careful using this: if there is more than one reference to the
string, then all references will be overwritten.

There is no overall solution short of using an operating system
specifically designed for security (Orange Book and so forth). All
you can do is to take as many precautions as reasonably possible so as
to slow down any attacker.
rossum
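
Added example, not part of rossum's post: one way to keep the password out of System.String from keyboard input through key derivation, using SecureString together with a pinned buffer that is zeroed afterwards. The class and method names, the 16-byte salt, the iteration count and the use of PBKDF2 with SHA-256 (an overload that needs .NET Framework 4.7.2 or later) are assumptions made for the illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
static class PasswordDemo   // hypothetical name
{
    // Read keys without echo straight into a SecureString: no System.String copy.
    static SecureString ReadPassword()
    {
        var pw = new SecureString();
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            if (k.Key == ConsoleKey.Backspace) { if (pw.Length > 0) pw.RemoveAt(pw.Length - 1); }
            else if (k.KeyChar != '\0') pw.AppendChar(k.KeyChar);
        pw.MakeReadOnly();
        return pw;
    }

    // Derive a 32-byte key; every plaintext copy made here is zeroed in finally.
    static byte[] DeriveKey(SecureString pw, byte[] salt)
    {
        byte[] plain = new byte[pw.Length * 2];                    // UTF-16 bytes
        GCHandle pin = GCHandle.Alloc(plain, GCHandleType.Pinned); // GC cannot relocate it
        IntPtr raw = IntPtr.Zero;
        try
        {
            raw = Marshal.SecureStringToGlobalAllocUnicode(pw);    // decrypted, unmanaged
            Marshal.Copy(raw, plain, 0, plain.Length);
            using (var kdf = new Rfc2898DeriveBytes(plain, salt, 100000, HashAlgorithmName.SHA256))
                return kdf.GetBytes(32);
        }
        finally
        {
            if (raw != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(raw);
            Array.Clear(plain, 0, plain.Length);
            pin.Free();
        }
    }

    static void Main()
    {
        byte[] salt = new byte[16];                                // constructed demo salt
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Console.Write("Password: ");
        using (SecureString pw = ReadPassword())
        {
            byte[] key = DeriveKey(pw, salt);   // ... decrypt the file with key here ...
            Array.Clear(key, 0, key.Length);    // then wipe the key as well
        }
    }
}
```

As the post says, none of this controls what the paging system writes to disk; it only shortens the time the plaintext sits in process memory.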