How to handle very sensible data between methods and in memory? RRS feed

  • Question

  • Hi,

    I really need some help with this design. I have asked several questions that touches these topics and learned a lot. However As I'm doing the implementation, new questions arise. So I need to take a step back and ask Again - this time within the scope of the real application and not just snippets.

    I need to create a web service that must be PCI certified. It must accept an order with credit card data in a http stream, the bytes in the stream can be read as XML. The CC part of that XML must be replaced with a Token. After replace, the XML must be send to another PCI certified partner.

    The goal here (in this context) is not to have the credit Card data in memory as clear text. Obviously, at some point this will happen, so I want to make sure that I'm doing my best to avoid the amount of time its visible.

    So this is the task and what I have started out with, is this:

    1. Read the http-stream into a SecureString object.
    2. Dispose the http-stream.
    3. Pass SecureString object to the Replacer method.
    4. The Replacer method will unwrap the XML and feed it to an XmlDocument or RegEx.Replace
    5. Create Token (this takes 2-3 seconds!) from CC data read.
    6. Replace the sensitive part of either the string or the XmlDocument with the Token.

    To begin with, I'm not sure what is best here: Replacing the data using "RegEx.Replace" or using the XmlDocument. Does it matter?

    Should I paste "GC.Collect()" at certain Places when I know stuff isn't used anymore?

    Is the above Construction of passing a SecureString better than just passing an XmlDocument or a string? I mean, at some point, the SecureString will have to be unwrapped - and exist that way for at least the duration of the Token-creator (2-3 seconds). Is it safer that the sensible data only exists as local method variables?

    Please advice...


    Friday, October 18, 2013 11:17 AM


  • I don't think SecureString is useful in the scenario you are describing. In general, the usefulness of SecureString is elusive, you can't use its encrypted content directly so sooner or later you have to decrypt its content as you have already noted near the end of your post.

    XmlDocumend vs. RegEx.Replace is really irrelevant from this point of view, both need the unencrypted data and both may produce additional strings that contain part of the original data.

    You can call GC.Collect but that may have a negative performance impact and it doesn't really guarantee that your string will be erased from memory.

    Friday, October 18, 2013 11:38 AM