Storing and using secrets in memory

  • Question

  • Hi,

    I have a scenario where I will be receiving some confidential information over HTTPS. And yes, we are talking truly confidential data.

    My first thought was to copy the content of the InputStream into either a SecureString, ProtectedMemory or ProtectedData structure - and then dispose of the InputStream.

    But would it matter? And if yes, which of the above 3 to use (if any)?

    I will be processing the data in memory and I do not have to create a single variable to hold the data - I can pass it as method arguments only. But the execution of the code could last 20 seconds or so. So first question is: Do I need to protect this data (if it only exists as method arguments)?

    If yes, then which is the best way? I like SecureString but I can't find anything about what type of DPAPI protection it uses - process protection?

    And lastly there is the question about: Are these options good enough? I do not have access to a database that is separated from this service - so I can't benefit from "correct" encryption routines (or at least any crypto key would have to be in some configuration).

    Comments?

    --
    Werner

    Thursday, September 26, 2013 1:44 PM

Answers

  • Hi Werner,

    > But would it matter? And if yes, which of the above 3 to use (if any)?

    I was not familiar with the ProtectedData structure, so I will choose to use SecureString. Because ProtectedMemory is a service that is provided by the operating system and does not require additional libraries. However, we could find many solutions about SecureString.

    http://msdn.microsoft.com/en-us/library/system.security.cryptography.protectedmemory.aspx

    > So first question is: Do I need to protect this data (if they only exists as method arguments)?

    Per my understanding, I think you should not do that. If your data only exists as method arguments, they only stay on the stack, and will be terminated when the method ends.

    > Are these options good enough?

    I recommend you have a look at virtual machines and cloud computing. These are the hottest technologies.

    I picked up an article about memory safety; I think it's great. Enjoy it.

    http://security.stackexchange.com/questions/29019/are-passwords-stored-in-memory-safe

    Hope this is useful to you.

    Best Regards,


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support

    Please remember to "Mark as Answer" the responses that resolved your issue. It is a common way to recognize those who have helped you, and makes it easier for other visitors to find the resolution later.

    Monday, September 30, 2013 9:26 AM
    Moderator
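
Added example (not part of the thread and not any poster's code): one way to hold a request body with the ProtectedMemory option the question lists, so that plaintext exists only while a callback runs. The class name `ProtectedSecret`, the 4096-byte limit and the sample bytes are assumptions; it targets .NET Framework on Windows with a reference to System.Security.dll.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

// Hypothetical helper (not from the thread): keeps a secret read from a stream encrypted at rest.
sealed class ProtectedSecret : IDisposable
{
    private readonly byte[] _buf;    // padded to a multiple of 16 bytes
    private readonly GCHandle _pin;  // stops the GC from relocating (and so copying) the buffer
    public int Length { get; private set; }

    public ProtectedSecret(Stream input, int maxBytes)
    {
        _buf = new byte[((maxBytes + 15) / 16) * 16];  // ProtectedMemory requires 16-byte blocks
        _pin = GCHandle.Alloc(_buf, GCHandleType.Pinned);  // pin before any secret byte arrives
        int n;
        while (Length < maxBytes && (n = input.Read(_buf, Length, maxBytes - Length)) > 0)
            Length += n;
        // Encrypt in place; SameProcess means only code in this process can decrypt.
        ProtectedMemory.Protect(_buf, MemoryProtectionScope.SameProcess);
    }

    // Decrypts only for the duration of the callback, then re-encrypts.
    public void Use(Action<ArraySegment<byte>> work)
    {
        ProtectedMemory.Unprotect(_buf, MemoryProtectionScope.SameProcess);
        try { work(new ArraySegment<byte>(_buf, 0, Length)); }
        finally { ProtectedMemory.Protect(_buf, MemoryProtectionScope.SameProcess); }
    }

    public void Dispose()
    {
        Array.Clear(_buf, 0, _buf.Length);  // overwrite before the array becomes garbage
        if (_pin.IsAllocated) _pin.Free();
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample input standing in for the HTTPS request body.
        using (var body = new MemoryStream(new byte[] { 0x73, 0x33, 0x63, 0x72, 0x33, 0x74 }))
        using (var secret = new ProtectedSecret(body, 4096))
            secret.Use(seg => Console.WriteLine("plaintext bytes available: " + seg.Count));
    }
}
```

The receive buffers of the HTTPS stack are outside this class's control and may still hold plaintext copies. Anything the callback copies out of the segment (for example by converting it to a string) is no longer covered either.
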
  • Hi Werner,

    Please refer to this reference http://www.techrepublic.com/blog/10things/10-reasons-to-use-azure-for-your-cloud-apps/1282 to see the benefit of using Azure (Microsoft Cloud Computing).

    Have a nice day.

    Best Regards,

    Friday, October 4, 2013 5:32 AM
    Moderator

All replies

  • Uh nice discussion! Thanks.

    But I don't think I understand your suggestion about cloud usage. How would that help me here?

    Tuesday, October 1, 2013 7:30 AM