Let's assume I've hardcoded my RSA key in a string const:

    private const String rsaXmlKey = "<RSAKeyValue>something</RSAKeyValue>";

Then I can use it with RSACryptoServiceProvider this way:

    RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
    csp.FromXmlString(rsaXmlKey);

But I want to do it better and keep the RSA key in a SecureString. I know that there are some issues with initializing SecureString, but it doesn't matter. I would like to know how to pass a SecureString to the RSACryptoServiceProvider.

Does it support SecureString?

I don't want to convert SecureString to String, because it would be reasonless.

chaqol

No, `RSACryptoServiceProvider` doesn't support `SecureString`. What are you actually attempting to do? There should be no good reason to distribute a private key with your application, and if you're only including the public key, then it should not require protecting (since it is expected to be public) – Iridium Jun 03 '16 at 12:22

1 Answer

No, there is no way to import a private key (in the ToXmlString format) via a SecureString.

Your assumption also makes very little sense.

For one, you shouldn't ever have a private key embedded in an application. It will get extracted by someone, which now means you have false security, and that's worse than no security.

For two, you can't have a literal string be loaded into a SecureString safely. A constant string will have been written to the interned string table, which means it's discoverable; defeating your presumed desire. Hard-coding the sequential calls to AppendChar means that the IL still spells out your private key, leading back to point 1. Or, to quote MSDN:

A SecureString object should never be constructed from a String, because the sensitive data is already subject to the memory persistence consequences of the immutable String class. The best way to construct a SecureString object is from a character-at-a-time unmanaged source, such as the Console.ReadKey method.

bartonjs
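
Added example (not part of the original question or answer): one way to keep the private key out of the source and the IL altogether is to hold it in a Windows CSP key container and reference it by name. It assumes the key pair can be generated or provisioned on the machine that uses it; the container name `ExampleAppSigningKey` is hypothetical, and `RSACryptoServiceProvider` with `CspParameters` is Windows-only.

```csharp
using System;
using System.Security.Cryptography;

static class KeyContainerExample
{
    // Hypothetical container name chosen for this example.
    // It is an identifier, not key material, so it is safe to embed.
    private const string ContainerName = "ExampleAppSigningKey";

    // Opens the key pair stored under ContainerName, generating a new
    // 2048-bit pair on first use. The private key lives in the CSP key
    // store of the current user, never in a String or in the assembly.
    static RSACryptoServiceProvider OpenContainerKey()
    {
        var cspParams = new CspParameters
        {
            KeyContainerName = ContainerName,
            // Ask the provider for a key that cannot be exported.
            Flags = CspProviderFlags.UseNonExportableKey
        };

        // If the container already holds a key, it is loaded and the
        // key size argument is ignored.
        return new RSACryptoServiceProvider(2048, cspParams)
        {
            PersistKeyInCsp = true
        };
    }

    static void Main()
    {
        using (RSACryptoServiceProvider csp = OpenContainerKey())
        {
            byte[] data = { 1, 2, 3 }; // constructed sample input

            // Private-key operations run inside the provider.
            byte[] sig = csp.SignData(
                data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            bool ok = csp.VerifyData(
                data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("signature verifies: " + ok);

            // Only the public half is exported; ToXmlString(true) throws a
            // CryptographicException because the key is non-exportable.
            Console.WriteLine(csp.ToXmlString(false));
        }
    }
}
```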