.net - When do I need SecureString in .NET?

Tags: .net security encryption

I am trying to understand the purpose of .NET's SecureString. From MSDN:

An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.

A SecureString object is similar to a String object in that it has a text value. However, the value of a SecureString object is automatically encrypted, can be modified until your application marks it as read-only, and can be deleted from computer memory by either your application or the .NET Framework garbage collector.

The value of an instance of SecureString is automatically encrypted when the instance is initialized or when the value is modified. Your application can render the instance immutable and prevent further modification by invoking the MakeReadOnly method.

Is the automatic encryption the big payoff?

Why can't I just say:

SecureString password = new SecureString("password");

instead of

SecureString pass = new SecureString();
foreach (char c in "password".ToCharArray())
    pass.AppendChar(c);

What aspect of SecureString am I missing?

Best answer

Some parts of the Framework currently make use of SecureString:

The main purpose is to reduce the attack surface, not to eliminate it. SecureStrings are "pinned" in RAM so the garbage collector will not move or copy them. It also ensures that the plain text is not written to the swap file or to core dumps. The encryption is more like obfuscation and will not stop a determined hacker, who would be able to find the symmetric key used to encrypt and decrypt.

As others have said, the reason you have to create a SecureString character by character is because of the first obvious flaw of doing otherwise: you would already have the secret value as a plain string, so what would be the point?

SecureString is the first step in solving a chicken-and-egg problem, so even though most current situations require converting them back to regular strings in order to use them, their existence in the Framework now means better support for them in the future - at least to the point where your program does not have to be the weak link.
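The two points above (build the SecureString one character at a time so the secret never exists as a System.String, and when an API needs plain text keep the decrypted copy short-lived and zero it yourself) as an added, self-contained example; this is not code from the original question or answer. The console consumer and the SecureStringDemo class name are hypothetical, but every API call is from System.Security and System.Runtime.InteropServices.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Build the SecureString key by key: the secret never exists as a System.String.
    static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace && secure.Length > 0)
                secure.RemoveAt(secure.Length - 1);
            else if (!char.IsControl(key.KeyChar))
                secure.AppendChar(key.KeyChar);
        }
        secure.MakeReadOnly();   // freeze it, as the MSDN excerpt describes
        return secure;
    }

    // When an API needs plain text, decrypt into unmanaged memory we own, hand the
    // consumer a pointer (not a managed string), then zero and free the buffer.
    static void UsePlaintext(SecureString secure, Action<IntPtr, int> consumer)
    {
        IntPtr buf = IntPtr.Zero;
        try
        {
            buf = Marshal.SecureStringToGlobalAllocUnicode(secure);  // UTF-16, NUL-terminated
            consumer(buf, secure.Length);
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buf);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString pw = ReadPassword())   // Dispose() clears the encrypted buffer
        {
            Console.WriteLine();
            // Hypothetical consumer: a native API taking a wide-char pointer would go here.
            UsePlaintext(pw, (ptr, len) => Console.WriteLine($"Received {len} chars in an unmanaged buffer"));
        }
    }
}
```

The plaintext lives only between SecureStringToGlobalAllocUnicode and ZeroFreeGlobalAllocUnicode, which is the "weak link" window the answer says the rest of your program should keep as small as possible.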

Regarding ".net - When do I need SecureString in .NET?", a similar question can be found on Stack Overflow: https://stackoverflow.com/questions/141203/
