A .NET Standard class library for conversion to and from SecureString class objects with an encryption component improving protection of memory contents with sensitive data.

jamesperrin/FEDDEVOSS.SecureStringHelper

FEDDEVOSS.SecureStringHelper

A .NET Standard class library for conversion to and from SecureString class objects with an encryption component improving protection of memory contents with sensitive data. This class library can be used in any Windows .NET Standard 2.0+, .NET Framework 4.6.1+, or .NET/.NET Core 2.0+ based projects.

SECURITY NOTICE

A SecureString object is similar to a String object in that it has a text value. However, the value of a SecureString object is pinned in memory, may use a protection mechanism, such as encryption, provided by the underlying operating system, can be modified until your application marks it as read-only, and can be deleted from computer memory either by your application calling the Dispose method or by the .NET Framework garbage collector.

It is very important to understand that converting a string to a SecureString (and vice versa) immediately compromises the security benefits in your code. For example, if the data you are converting contains a password, then a plain text copy of the password will be hanging around in managed memory for an unpredictable length of time.

SecureString merely reduces the window during which the plain text can be accessed rather than providing complete security.

The encryption component is merely an attempt to add an extra layer of obscuration when handling sensitive data.
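The plain text lifetime described in this notice can be shortened by never putting the secret into a `string` at all. The following is an added example, not code from this library: the `FromChars` and `UsePlaintext` helpers are hypothetical names, and they use only `System.Security.SecureString` and `System.Runtime.InteropServices.Marshal`.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringLifetimeDemo
{
    // Builds a read-only SecureString from a char buffer, then wipes the buffer.
    // Unlike a string, a char[] is mutable and can be zeroed by the caller.
    static SecureString FromChars(char[] buffer)
    {
        var secure = new SecureString();
        try
        {
            foreach (char c in buffer) secure.AppendChar(c);
            secure.MakeReadOnly();
            return secure;
        }
        catch { secure.Dispose(); throw; }
        finally { Array.Clear(buffer, 0, buffer.Length); }
    }

    // Exposes the plain text to a callback as char[] and zeroes both copies
    // afterwards. The managed array is not pinned, so this is best effort.
    static void UsePlaintext(SecureString secure, Action<char[]> use)
    {
        IntPtr ptr = IntPtr.Zero;
        char[] plain = new char[secure.Length];
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secure);
            Marshal.Copy(ptr, plain, 0, plain.Length);
            use(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        char[] input = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' }; // constructed sample
        using (SecureString secure = FromChars(input))
        {
            UsePlaintext(secure, chars => Console.WriteLine("Length: " + chars.Length));
        }
        bool wiped = input[0] == '\0';
        Console.WriteLine("Input wiped: " + wiped);
    }
}
```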

Project Members

Getting Started

  1. Clone the repository to your computer.
  2. Or, download the files to your computer.
  3. Or, download the package from NuGet.org.

Local Development

  1. Using Visual Studio 2022 or higher, open project solution .
  2. On the menu, click Build > Build Solution.
  3. After the solution builds successfully.

Code Examples

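Converting an SSN to and from SecureString

using System;
using System.Security;
// Also import this library's namespace so the extension methods resolve.

// The string literal stays in managed memory as plain text (see SECURITY NOTICE).
string ssn = "0123456789";
SecureString secureStringSsn = ssn.ConvertToSecureString();

Console.WriteLine($"SSN: {ssn}");
// SecureString.ToString() returns the type name, not the protected value.
Console.WriteLine($"Secure String SSN: {secureStringSsn}");
// ConvertToString() creates a new plain text string copy of the value.
Console.WriteLine($"Unsecure String SSN: {secureStringSsn.ConvertToString()}");

// Release the protected buffer as soon as it is no longer needed.
secureStringSsn.Dispose();

/*
This sample produces the following output:

SSN: 0123456789
Secure String SSN: System.Security.SecureString
Unsecure String SSN: 0123456789
*/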

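Converting an SSN to and from an encrypted SecureString (RECOMMENDED)

using System;
using System.Security;
// Also import this library's namespace so SecureStringEncryptionHelper resolves.

string ssn = "0123456789";
SecureString encryptedSecureSsn = SecureStringEncryptionHelper.CreateEncryptedSecureString(ssn);

Console.WriteLine($"SSN: {ssn}");
// SecureString.ToString() returns the type name, not the protected value.
Console.WriteLine($"Encrypted Secure SSN: {encryptedSecureSsn}");
Console.WriteLine($"Decrypted SSN: {SecureStringEncryptionHelper.ConvertToString(encryptedSecureSsn)}");

// Release the protected buffer as soon as it is no longer needed.
encryptedSecureSsn.Dispose();

/*
This sample produces the following output:

SSN: 0123456789
Encrypted Secure SSN: System.Security.SecureString
Decrypted SSN: 0123456789
*/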

Converting a password to and from an encrypted SecureString (RECOMMENDED)

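using System;
using System.Security;
// Also import this library's namespace so SecureStringEncryptionHelper resolves.

// Printing a password is for demonstration only; the literal and the decrypted
// copy both remain in managed memory as plain text.
string password = "P@ssw0rd123";
SecureString encryptedSecurePassword = SecureStringEncryptionHelper.CreateEncryptedSecureString(password);

Console.WriteLine($"Password: {password}");
Console.WriteLine($"Encrypted Secure Password: {encryptedSecurePassword}");
Console.WriteLine($"Decrypted password: {SecureStringEncryptionHelper.ConvertToString(encryptedSecurePassword)}");

// Release the protected buffer as soon as it is no longer needed.
encryptedSecurePassword.Dispose();

/*
This sample produces the following output:

Password: P@ssw0rd123
Encrypted Secure Password: System.Security.SecureString
Decrypted password: P@ssw0rd123
*/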

References

Dependencies
