开发者

Will SecureString give me any advantage when it comes to MSIL decompilation?

开发者 https://www.devze.com 2023-03-17 03:32 出处:网络
Is it in any way better to do this char[] sec = { \'a\', \'b\', \'c\'}; SecureString s = new SecureString();

Is it in any way better to do this

char[] sec = { 'a', 'b', 'c'};

SecureString s = new SecureString();
foreach (char c in sec) {
    s.AppendChar(c);
}

IntPtr pointerName = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(s);
String secret = System.Runtime.InteropServices.Marshal.PtrToStringBSTR(poin开发者_StackOverflow中文版terName);

than this

String secret = "abc";

or this

char[] sec = { 'a', 'b', 'c'};
String secret = new Secret(sec);

if I want to protect "abc" from beeing detected in decompiled MSIL code?


SecureString will protect your string once in memory, the string compiled into your MSIL will still be there in plain. If you need to hide sensitify information conside something like an encrypted app.config as described here: http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

HTH Dominik


No. SecureString exists to prevent sensitive text (such as passwords) from being held in memory.

0

精彩评论

暂无评论...
验证码 换一张
取 消