How to convert SecureString to System String

Question

All reservations about unsecuring your SecureString by creating a System String out of it aside  how can it be done   How can I convert an ordinary System Security SecureString to System String   I m sure many of you who are familiar with SecureString are going to respond that one should never transform a SecureString to an ordinary  NET string because it removes all security protections   I know   But right now my program does everything with ordinary strings anyway  and I m trying to enhance its security and although I m going to be using an API that returns a SecureString to me I am not trying to use that to increase my security     I m aware of Marshal SecureStringToBSTR  but I don t know how to take that BSTR and make a System String out of it   For those who may demand to know why I would ever want to do this  well  I m taking a password from a user and submitting it as an html form POST to log the user into a web site   So    this really has to be done with managed  unencrypted buffers   If I could even get access to the unmanaged  unencrypted buffer I imagine I could do byte-by-byte stream writing on the network stream and hope that that keeps the password secure the whole way   I m hoping for an answer to at least one of these scenarios

User · Answer

Dang   right after posting this I found the answer deep in this article   But if anyone knows how to access the IntPtr unmanaged  unencrypted buffer that this method exposes  one byte at a time so that I don t have to create a managed string object out of it to keep my security high  please add an answer      static String SecureStringToString SecureString value        IntPtr bstr   Marshal SecureStringToBSTR value        try               return Marshal PtrToStringBSTR bstr             finally               Marshal FreeBSTR bstr

User · Answer

Use the System Runtime InteropServices Marshal class   String SecureStringToString SecureString value      IntPtr valuePtr   IntPtr Zero    try       valuePtr   Marshal SecureStringToGlobalAllocUnicode value       return Marshal PtrToStringUni valuePtr       finally       Marshal ZeroFreeGlobalAllocUnicode valuePtr           If you want to avoid creating a managed string object  you can access the raw data using Marshal ReadInt16 IntPtr  Int32    void HandleSecureString SecureString value      IntPtr valuePtr   IntPtr Zero    try       valuePtr   Marshal SecureStringToGlobalAllocUnicode value       for  int i 0  i  lt  value Length  i            short unicodeChar   Marshal ReadInt16 valuePtr  i 2            handle unicodeChar           finally       Marshal ZeroFreeGlobalAllocUnicode valuePtr

User · Answer

using so that Marshal doesn t have to be qualified using System Runtime InteropServices        using for SecureString using System Security  public string DecodeSecureString  SecureString Convert           convert to IntPtr using Marshal     IntPtr cvttmpst   Marshal SecureStringToBSTR Convert         convert to string using Marshal     string cvtPlainPassword   Marshal PtrToStringAuto cvttmpst         return the now plain string     return cvtPlainPassword

User · Answer

Obviously you know how this defeats the whole purpose of a SecureString  but I ll restate it anyway   If you want a one-liner  try this    NET 4 and above only   string password   new System Net NetworkCredential string Empty  securePassword  Password    Where securePassword is a SecureString

User · Answer

In my opinion  extension methods are the most comfortable way to solve this    I took Steve in CO s excellent answer and put it into an extension class as follows  together with a second method I added to support the other direction  string -  secure string  as well  so you can create a secure string and convert it into a normal string afterwards   public static class Extensions          convert a secure string into a normal plain text string     public static String ToPlainString this System Security SecureString secureStr                String plainStr new System Net NetworkCredential string Empty  secureStr  Password          return plainStr                convert a plain text string into a secure string     public static System Security SecureString ToSecureString this String plainStr                var secStr   new System Security SecureString    secStr Clear            foreach  char c in plainStr ToCharArray                          secStr AppendChar c                     return secStr            With this  you can now simply convert your strings back and forth like so      create a secure string System Security SecureString securePassword    MyCleverPwd123  ToSecureString        convert it back to plain text String plainPassword   securePassword ToPlainString        convert back to normal string   But keep in mind the decoding method should only be used for testing

User · Answer

I derived from This answer by sclarke81   I like his answer and I m using the derivative but sclarke81 s has a bug   I don t have reputation so I can t comment   The problem seems small enough that it didn t warrant another answer and I could edit it   So I did   It got rejected   So now we have another answer   sclarke81 I hope you see this  in finally    Marshal Copy new byte length   0  insecureStringPointer  length     should be   Marshal Copy new byte length   2   0  insecureStringPointer  length   2     And the full answer with the bug fix                     Allows a decrypted secure string to be used whilst minimising the exposure of the         unencrypted string                   Generic type returned by Func delegate          The string to decrypt                   Func delegate which will receive the decrypted password as a string object                  Result of Func delegate                  This method creates an empty managed string and pins it so that the garbage collector         cannot move it around and create copies  An unmanaged copy of the the secure string is         then created and copied into the managed string  The action is then called using the         managed string  Both the managed and unmanaged strings are then zeroed to erase their         contents  The managed string is unpinned so that the garbage collector can resume normal         behaviour and the unmanaged string is freed               public static T UseDecryptedSecureString this SecureString secureString  Func action                int length   secureString Length          IntPtr sourceStringPointer   IntPtr Zero              Create an empty string of the correct size and pin it so that the GC can t move it around          string insecureString   new string   0   length           var insecureStringHandler   GCHandle Alloc insecureString  GCHandleType Pinned            IntPtr insecureStringPointer   insecureStringHandler AddrOfPinnedObject             try                          Create an unmanaged copy of the secure string              sourceStringPointer   Marshal SecureStringToBSTR secureString                   Use the pointers to copy from the unmanaged to managed string              for  int i   0  i  lt  secureString Length  i                                  short unicodeChar   Marshal ReadInt16 sourceStringPointer  i   2                   Marshal WriteInt16 insecureStringPointer  i   2  unicodeChar                              return action insecureString                     finally                          Zero the managed string so that the string is erased  Then unpin it to allow the                GC to take over              Marshal Copy new byte length   2   0  insecureStringPointer  length   2               insecureStringHandler Free                    Zero and free the unmanaged string              Marshal ZeroFreeBSTR sourceStringPointer                                     Allows a decrypted secure string to be used whilst minimising the exposure of the         unencrypted string                   The string to decrypt                   Func delegate which will receive the decrypted password as a string object                  Result of Func delegate                  This method creates an empty managed string and pins it so that the garbage collector         cannot move it around and create copies  An unmanaged copy of the the secure string is         then created and copied into the managed string  The action is then called using the         managed string  Both the managed and unmanaged strings are then zeroed to erase their         contents  The managed string is unpinned so that the garbage collector can resume normal         behaviour and the unmanaged string is freed               public static void UseDecryptedSecureString this SecureString secureString  Action action                UseDecryptedSecureString secureString   s                           action s               return 0

User · Answer

I think it would be best for SecureString dependent functions to encapsulate their dependent logic in an anonymous function for better control over the decrypted string in memory  once pinned    The implementation for decrypting SecureStrings in this snippet will    Pin the string in memory  which is what you want to do but appears to be missing from most answers here   Pass its reference to the Func Action delegate  Scrub it from memory and release the GC in the finally block    This obviously makes it a lot easier to  standardize  and maintain callers vs  relying on less desirable alternatives    Returning the decrypted string from a string DecryptSecureString      helper function  Duplicating this code wherever it is needed    Notice here  you have two options    static T DecryptSecureString lt T gt  which allows you to access the result of the Func delegate from the caller  as shown in the DecryptSecureStringWithFunc test method   static void DecryptSecureString is simply a  void  version which employ an Action delegate in cases where you actually don t want need to return anything  as demonstrated in the DecryptSecureStringWithAction test method     Example usage for both can be found in the StringsTest class included   Strings cs  using System  using System Runtime InteropServices  using System Security   namespace SecurityUtils       public partial class Strings                    lt summary gt              Passes decrypted password String pinned in memory to Func delegate scrubbed on return               lt  summary gt               lt typeparam name  T  gt Generic type returned by Func delegate lt  typeparam gt               lt param name  action  gt Func delegate which will receive the decrypted password pinned in memory as a String object lt  param gt               lt returns gt Result of Func delegate lt  returns gt          public static T DecryptSecureString lt T gt  SecureString secureString  Func lt string  T gt  action                        var insecureStringPointer   IntPtr Zero              var insecureString   String Empty              var gcHandler   GCHandle Alloc insecureString  GCHandleType Pinned                try                               insecureStringPointer   Marshal SecureStringToGlobalAllocUnicode secureString                   insecureString   Marshal PtrToStringUni insecureStringPointer                    return action insecureString                             finally                                 clear memory immediately - don t wait for garbage collector                 fixed char  ptr   insecureString                                         for int i   0  i  lt  insecureString Length  i                                                  ptr i      0                                                            insecureString   null                   gcHandler Free                    Marshal ZeroFreeGlobalAllocUnicode insecureStringPointer                                         lt summary gt              Runs DecryptSecureString with support for Action to leverage void return type              lt  summary gt               lt param name  secureString  gt  lt  param gt               lt param name  action  gt  lt  param gt          public static void DecryptSecureString SecureString secureString  Action lt string gt  action                        DecryptSecureString lt int gt  secureString   s    gt                                action s                   return 0                                      StringsTest cs  using Microsoft VisualStudio TestTools UnitTesting  using System Security   namespace SecurityUtils Test        TestClass      public class StringsTest                TestMethod          public void DecryptSecureStringWithFunc                            Arrange             var secureString   new SecureString                 foreach  var c in  UserPassword123  ToCharArray                    secureString AppendChar c                secureString MakeReadOnly                    Act             var result   Strings DecryptSecureString lt bool gt  secureString   password    gt                                return password Equals  UserPassword123                                    Assert             Assert IsTrue result                       TestMethod          public void DecryptSecureStringWithAction                            Arrange             var secureString   new SecureString                 foreach  var c in  UserPassword123  ToCharArray                    secureString AppendChar c                secureString MakeReadOnly                    Act             var result   false               Strings DecryptSecureString secureString   password    gt                                result   password Equals  UserPassword123                                    Assert             Assert IsTrue result                       Obviously  this doesn t prevent abuse of this function in the following manner  so just be careful not to do this    TestMethod  public void DecryptSecureStringWithAction            Arrange     var secureString   new SecureString         foreach  var c in  UserPassword123  ToCharArray            secureString AppendChar c        secureString MakeReadOnly            Act     string copyPassword   null       Strings DecryptSecureString secureString   password    gt                copyPassword   password     Please don t do this                  Assert     Assert IsNull copyPassword      Fails     Happy coding

User · Answer

If you use a StringBuilder instead of a string  you can overwrite the actual value in memory when you are done  That way the password won t hang around in memory until garbage collection picks it up   StringBuilder Append plainTextPassword   StringBuilder Clear       overwrite with reasonably random characters StringBuilder Append New Guid   ToString

User · Answer

Final working solution according to sclarke81 solution and John Flaherty fixes is       public static class Utils                    lt remarks gt              This method creates an empty managed string and pins it so that the garbage collector             cannot move it around and create copies  An unmanaged copy of the the secure string is             then created and copied into the managed string  The action is then called using the             managed string  Both the managed and unmanaged strings are then zeroed to erase their             contents  The managed string is unpinned so that the garbage collector can resume normal             behaviour and the unmanaged string is freed               lt  remarks gt          public static T UseDecryptedSecureString lt T gt  this SecureString secureString  Func lt string  T gt  action                        int length   secureString Length              IntPtr sourceStringPointer   IntPtr Zero                  Create an empty string of the correct size and pin it so that the GC can t move it around              string insecureString   new string   0   length               var insecureStringHandler   GCHandle Alloc insecureString  GCHandleType Pinned                IntPtr insecureStringPointer   insecureStringHandler AddrOfPinnedObject                 try                                  Create an unmanaged copy of the secure string                  sourceStringPointer   Marshal SecureStringToBSTR secureString                       Use the pointers to copy from the unmanaged to managed string                  for  int i   0  i  lt  secureString Length  i                                          short unicodeChar   Marshal ReadInt16 sourceStringPointer  i   2                       Marshal WriteInt16 insecureStringPointer  i   2  unicodeChar                                      return action insecureString                             finally                                  Zero the managed string so that the string is erased  Then unpin it to allow the                    GC to take over                  Marshal Copy new byte length   2   0  insecureStringPointer  length   2                   insecureStringHandler Free                        Zero and free the unmanaged string                  Marshal ZeroFreeBSTR sourceStringPointer                                         lt summary gt              Allows a decrypted secure string to be used whilst minimising the exposure of the             unencrypted string               lt  summary gt               lt param name  secureString  gt The string to decrypt  lt  param gt               lt param name  action  gt              Func delegate which will receive the decrypted password as a string object              lt  param gt               lt returns gt Result of Func delegate lt  returns gt               lt remarks gt              This method creates an empty managed string and pins it so that the garbage collector             cannot move it around and create copies  An unmanaged copy of the the secure string is             then created and copied into the managed string  The action is then called using the             managed string  Both the managed and unmanaged strings are then zeroed to erase their             contents  The managed string is unpinned so that the garbage collector can resume normal             behaviour and the unmanaged string is freed               lt  remarks gt          public static void UseDecryptedSecureString this SecureString secureString  Action lt string gt  action                        UseDecryptedSecureString secureString   s    gt                                action s                   return 0

User · Answer

I created the following extension methods based on the answer from rdev5  Pinning the managed string is important as it prevents the garbage collector from moving it around and leaving behind copies that you re unable to erase   I think the advantage of my solution has is that no unsafe code is needed        lt summary gt      Allows a decrypted secure string to be used whilst minimising the exposure of the     unencrypted string       lt  summary gt       lt typeparam name  T  gt Generic type returned by Func delegate  lt  typeparam gt       lt param name  secureString  gt The string to decrypt  lt  param gt       lt param name  action  gt      Func delegate which will receive the decrypted password as a string object      lt  param gt       lt returns gt Result of Func delegate lt  returns gt       lt remarks gt      This method creates an empty managed string and pins it so that the garbage collector     cannot move it around and create copies  An unmanaged copy of the the secure string is     then created and copied into the managed string  The action is then called using the     managed string  Both the managed and unmanaged strings are then zeroed to erase their     contents  The managed string is unpinned so that the garbage collector can resume normal     behaviour and the unmanaged string is freed       lt  remarks gt  public static T UseDecryptedSecureString lt T gt  this SecureString secureString  Func lt string  T gt  action        int length   secureString Length      IntPtr sourceStringPointer   IntPtr Zero          Create an empty string of the correct size and pin it so that the GC can t move it around      string insecureString   new string   0   length       var insecureStringHandler   GCHandle Alloc insecureString  GCHandleType Pinned        IntPtr insecureStringPointer   insecureStringHandler AddrOfPinnedObject         try                  Create an unmanaged copy of the secure string          sourceStringPointer   Marshal SecureStringToBSTR secureString               Use the pointers to copy from the unmanaged to managed string          for  int i   0  i  lt  secureString Length  i                          short unicodeChar   Marshal ReadInt16 sourceStringPointer  i   2               Marshal WriteInt16 insecureStringPointer  i   2  unicodeChar                      return action insecureString             finally                  Zero the managed string so that the string is erased  Then unpin it to allow the            GC to take over          Marshal Copy new byte length   0  insecureStringPointer  length           insecureStringHandler Free                Zero and free the unmanaged string          Marshal ZeroFreeBSTR sourceStringPointer                 lt summary gt      Allows a decrypted secure string to be used whilst minimising the exposure of the     unencrypted string       lt  summary gt       lt param name  secureString  gt The string to decrypt  lt  param gt       lt param name  action  gt      Func delegate which will receive the decrypted password as a string object      lt  param gt       lt returns gt Result of Func delegate lt  returns gt       lt remarks gt      This method creates an empty managed string and pins it so that the garbage collector     cannot move it around and create copies  An unmanaged copy of the the secure string is     then created and copied into the managed string  The action is then called using the     managed string  Both the managed and unmanaged strings are then zeroed to erase their     contents  The managed string is unpinned so that the garbage collector can resume normal     behaviour and the unmanaged string is freed       lt  remarks gt  public static void UseDecryptedSecureString this SecureString secureString  Action lt string gt  action        UseDecryptedSecureString secureString   s    gt                action s           return 0

User · Answer

This C  code is what you want    ProjectPath  SecureStringsEasy cs  using System  using System Security  using System Runtime InteropServices  namespace SecureStringsEasy       public static class MyExtensions               public static SecureString ToSecureString string input                        SecureString secureString   new SecureString                foreach  var item in input                                secureString AppendChar item                             return secureString                    public static string ToNormalString SecureString input                        IntPtr strptr   Marshal SecureStringToBSTR input               string normal   Marshal PtrToStringBSTR strptr               Marshal ZeroFreeBSTR strptr               return normal

[c#] How to convert SecureString to System.String?

Examples related to c#

Examples related to .net

Examples related to security

Examples related to encryption