Wednesday, February 16, 2011

System.Security Namespace

I recently learned about the SecureString class that is available under the System.Security namespace. This is an interesting class because it allows you to protect text stored in variables in the system's memory. There are open source tools like MDD that allow users to dump the system's memory. This enables hackers to look at data that is stored in variables at runtime, which is problematic when you need to hold passwords in local variables. SecureString helps prevent hackers from snooping on the contents of our variables: the text is kept encrypted while it is in use and is deleted from the system's memory as soon as it is no longer needed.

Here is an example of SecureString:

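using System.Security;

// DataAccess is the application's own data-access class (not shown here).
// The int return type is an assumption; the original listing omits it.
int getCustomerID(SecureString user, SecureString pass)
{
   DataAccess dl;
   dl = new DataAccess();

   // The credentials stay wrapped in SecureString all the way down.
   return dl.GetLoginInfo(user, pass);
}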

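
This is the same method using an unsecured string:

// The int return type is an assumption; the original listing omits it.
int getCustomerID(string user, string pass)
{
   DataAccess dl;
   dl = new DataAccess();

   // user and pass are ordinary strings and sit in memory as plain text.
   return dl.GetLoginInfo(user, pass);
}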
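
The listings above only pass a SecureString along. The following added example (not part of the original post) shows how one is filled and later read. It assumes a constructed sample password and two hypothetical helpers, FromChars and WithPlaintext; the SecureString and Marshal calls are the framework's own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Hypothetical helper: fill the SecureString one char at a time so the
    // password never exists as an immutable System.String, then wipe the source.
    static SecureString FromChars(char[] typed)
    {
        var secret = new SecureString();
        foreach (char c in typed) secret.AppendChar(c);
        Array.Clear(typed, 0, typed.Length);   // erase the plain-text copy
        secret.MakeReadOnly();                 // no further edits allowed
        return secret;
    }

    // Hypothetical helper: decrypt into unmanaged memory only for the duration
    // of the callback, then zero and free that buffer even if the callback throws.
    static T WithPlaintext<T>(SecureString secret, Func<IntPtr, int, T> use)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            return use(buffer, secret.Length);
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        // Constructed sample input; in practice read it key by key from the user.
        char[] typed = { 'S', '3', 'c', 'r', '3', 't' };
        using (SecureString pass = FromChars(typed))   // Dispose() wipes the buffer
        {
            int digits = WithPlaintext(pass, (ptr, n) =>
            {
                int count = 0;
                for (int i = 0; i < n; i++)            // UTF-16: 2 bytes per char
                    if (char.IsDigit((char)Marshal.ReadInt16(ptr, i * 2))) count++;
                return count;
            });
            Console.WriteLine("Length {0}, digits {1}", pass.Length, digits);
        }
    }
}
```

The plain text exists only inside WithPlaintext, so a memory dump taken at any other moment sees the encrypted form; converting the value to a string anywhere along the way removes that protection.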