Question: How do I protect sensitive data in memory?
Answer:
You can protect sensitive data in memory by storing it with the ProtectedMemory class introduced in .NET Framework 2.0. ProtectedMemory is a managed wrapper around the Data Protection API (DPAPI). You can also use the SecureString type to hold sensitive text values securely in memory. SecureString stores text values much like a string does, but the contents are additionally encrypted automatically, and a SecureString can be deleted from computer memory programmatically. The SecureString class internally uses the ProtectedMemory class to encrypt the string in memory.
Important: Avoid converting back and forth between plain and secure strings. Managed strings are immutable, so every conversion can leave clear-text copies of your secure, sensitive string in other parts of memory.
Sensitive data such as user names, passwords, database connection strings, and encryption keys should be encrypted in memory as well while the application is handling them, because attackers can probe your computer's memory or force your process to produce a memory dump and retrieve the sensitive information from it.
Note: SecureString does not support inspection, comparison, or conversion functionality, hence it cannot be manipulated to reveal the data.
Here is a sample of using the ProtectedMemory class to encrypt and decrypt data in memory; the contents of the byte array are encrypted in place.
using System;
using System.Security.Cryptography;
using System.Text;
….
// ProtectedMemory.Protect requires the buffer length to be a multiple of 16 bytes;
// "Test String 1211" is 16 UTF-16 characters, i.e. 32 bytes.
byte[] dataToBeEncrypted = Encoding.Unicode.GetBytes("Test String 1211");
// encrypt the data in memory (in place; unlike ProtectedData, ProtectedMemory takes no optional entropy)
ProtectedMemory.Protect(dataToBeEncrypted, MemoryProtectionScope.SameLogon);
// decrypt the data in memory (same scope, from the same logon session)
ProtectedMemory.Unprotect(dataToBeEncrypted, MemoryProtectionScope.SameLogon);
string originalData = Encoding.Unicode.GetString(dataToBeEncrypted);
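Building on the sample above, here is an added example (not from the original FAQ) that handles the two practical gaps a practitioner runs into: ProtectedMemory only accepts buffers whose length is a multiple of 16 bytes, so it pads a copy and wipes the clear original, keeps the data decrypted only for the duration of a short callback, and then exposes a SecureString solely through an unmanaged buffer that is zeroed afterwards. The method and variable names are mine, the sample values are constructed, and it assumes the .NET Framework on Windows, since ProtectedMemory wraps DPAPI.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class InMemorySecrets
{
    // ProtectedMemory encrypts whole 16-byte blocks: pad a copy, then wipe the clear original.
    static byte[] ProtectCopy(byte[] plain, out int realLength)
    {
        realLength = plain.Length;
        byte[] buffer = new byte[(plain.Length + 15) / 16 * 16];
        Buffer.BlockCopy(plain, 0, buffer, 0, plain.Length);
        Array.Clear(plain, 0, plain.Length);
        ProtectedMemory.Protect(buffer, MemoryProtectionScope.SameProcess);
        return buffer;
    }
    // Decrypt only while 'use' runs; then wipe the scratch copy and re-encrypt the buffer.
    static void UseProtected(byte[] buffer, int realLength, Action<byte[]> use)
    {
        ProtectedMemory.Unprotect(buffer, MemoryProtectionScope.SameProcess);
        byte[] scratch = new byte[realLength];
        try
        {
            Buffer.BlockCopy(buffer, 0, scratch, 0, realLength);
            use(scratch);
        }
        finally
        {
            Array.Clear(scratch, 0, scratch.Length);
            ProtectedMemory.Protect(buffer, MemoryProtectionScope.SameProcess);
        }
    }
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-key-123"); // constructed sample, 19 bytes
        byte[] protectedKey = ProtectCopy(key, out int len);
        UseProtected(protectedKey, len, k => Console.WriteLine("bytes in use: " + k.Length));

        // SecureString: fill it char-by-char so no managed string ever holds the value,
        // expose it only as an unmanaged buffer, and zero that buffer in finally.
        SecureString pw = new SecureString();
        foreach (char c in "p@ss") pw.AppendChar(c); // constructed sample; real input comes from Console.ReadKey
        pw.MakeReadOnly();
        IntPtr native = Marshal.SecureStringToGlobalAllocUnicode(pw);
        try { /* hand 'native' to a native API here; never Marshal.PtrToStringUni it */ }
        finally { Marshal.ZeroFreeGlobalAllocUnicode(native); pw.Dispose(); }
    }
}
```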