NoobTom - 6 months ago
C# Question

Rfc2898DeriveBytes + PBKDF2 + SecureString is it possible to use a secure string instead of a string?

I have a function GetPassword that returns a SecureString type.

When I pass this secure string to Rfc2898DeriveBytes to generate a key, Visual Studio shows an error. My limited knowledge tells me that it is because Rfc2898DeriveBytes accepts only a string and not a secure string. Is there a workaround to this?

//read the password from terminal
Console.Write("Insert password");
securePwd = myCryptography.GetPassword();

//don't know why the salt is initialized like this
byte[] salt = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0xF1, 0xF0, 0xEE, 0x21, 0x22, 0x45 };
try
{
    //PBKDF2 standard
    //this is the line Visual Studio flags: securePwd is a SecureString, not a string or byte[]
    Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(securePwd, salt, iterationsPwd);

Answer

After doing some research and looking at previous answers on Stack Overflow mentioning SecureString, the answer is almost certainly "No". Only the creators of the API can accept SecureString and handle it correctly internally, and they can only do that with help from the platform.

If you, as a user, could retrieve the plain-text string, you would have negated most of the advantages of using SecureString in the first place. It would even be a bit dangerous, as you would create secure-looking code that would not actually be secure at all.
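For completeness, here is what the pattern looks like in practice when the key still has to come from a SecureString. This is an added example, not code from the asker or the answerer, and it does not contradict the answer above: the plaintext password does exist in process memory while PBKDF2 runs. What the code does is keep that window as short as possible, wipe every copy it made, and replace the hard-coded salt from the question with a random one. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ (for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName); the class and method names, the iteration count and the sample password are all constructed for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class name); not the asker's or answerer's code.
static class SecureKeyDerivation
{
    // Derives a key from a SecureString with PBKDF2-HMAC-SHA256.
    // The plaintext unavoidably exists in memory for the duration of this call;
    // the goal is to keep that window short and to wipe every copy afterwards.
    public static byte[] DeriveKey(SecureString password, byte[] salt, int iterations, int keyLengthBytes)
    {
        if (password == null) throw new ArgumentNullException(nameof(password));
        if (salt == null || salt.Length < 8)
            throw new ArgumentException("salt must be at least 8 bytes", nameof(salt));
        if (iterations < 1) throw new ArgumentOutOfRangeException(nameof(iterations));

        IntPtr unmanaged = IntPtr.Zero;
        byte[] utf16 = null;
        byte[] utf8 = null;
        try
        {
            // Decrypt into unmanaged memory: the sanctioned way out of a SecureString.
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            utf16 = new byte[password.Length * 2];            // UTF-16LE, 2 bytes per char
            Marshal.Copy(unmanaged, utf16, 0, utf16.Length);

            // PBKDF2 is defined over octets; encode as UTF-8 so the same password
            // yields the same key regardless of the platform's string representation.
            utf8 = Encoding.Convert(Encoding.Unicode, Encoding.UTF8, utf16);

            // Rfc2898DeriveBytes keeps its own copy of the password bytes,
            // so dispose it as soon as the key has been extracted.
            using (var kdf = new Rfc2898DeriveBytes(utf8, salt, iterations, HashAlgorithmName.SHA256))
            {
                return kdf.GetBytes(keyLengthBytes);
            }
        }
        finally
        {
            // Wipe every plaintext copy made above, in reverse order of creation.
            if (utf8 != null) Array.Clear(utf8, 0, utf8.Length);
            if (utf16 != null) Array.Clear(utf16, 0, utf16.Length);
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    // A fresh random salt per password, instead of the fixed byte array in the question.
    // A constant salt lets an attacker precompute one table that works against every user.
    public static byte[] NewSalt(int length = 16)
    {
        var salt = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    static void Main()
    {
        // Constructed sample input; a real program would get this from GetPassword().
        var pwd = new SecureString();
        foreach (char c in "correct horse battery staple") pwd.AppendChar(c);
        pwd.MakeReadOnly();

        byte[] salt = NewSalt();
        byte[] key = DeriveKey(pwd, salt, 100000, 32);     // 256-bit key; iteration count is illustrative
        Console.WriteLine(BitConverter.ToString(key));
        Console.WriteLine("salt: " + BitConverter.ToString(salt)); // the salt must be stored with the ciphertext

        Array.Clear(key, 0, key.Length);                   // wipe the key once it is no longer needed
        pwd.Dispose();
    }
}
```

The caveat the answer makes still applies: Marshal.SecureStringToGlobalAllocUnicode hands you the plaintext, and the garbage collector may move or duplicate managed arrays before Array.Clear runs, so this does not make the password unrecoverable from a memory dump taken at the wrong moment. What it buys is a bounded exposure window and no lingering copies, which is the most a caller of this API can do without the platform's help.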