SecureString的byte[]等效物(我从PasswordBox中获取)?CryptoStream将这些字节写入文件,而该类的Write方法需要一个byte[]输入,因此我想将SecureString转换为byte[],以便可以用它与CryptoStream一起使用。SecureString的意义。假设你想使用字节数组,并在完成后将其删除,那么你应该封装整个操作,以便在完成后进行清理:
public static T Process<T>(this SecureString src, Func<byte[], T> func)
{
IntPtr bstr = IntPtr.Zero;
byte[] workArray = null;
GCHandle? handle = null; // Hats off to Tobias Bauer
try
{
/*** PLAINTEXT EXPOSURE BEGINS HERE ***/
bstr = Marshal.SecureStringToBSTR(src);
unsafe
{
byte* bstrBytes = (byte*)bstr;
workArray = new byte[src.Length * 2];
handle = GCHandle.Alloc(workArray, GCHandleType.Pinned); // Hats off to Tobias Bauer
for (int i = 0; i < workArray.Length; i++)
workArray[i] = *bstrBytes++;
}
return func(workArray);
}
finally
{
if (workArray != null)
for (int i = 0; i < workArray.Length; i++)
workArray[i] = 0;
handle.Free();
if (bstr != IntPtr.Zero)
Marshal.ZeroFreeBSTR(bstr);
/*** PLAINTEXT EXPOSURE ENDS HERE ***/
}
}
以下是一个用例的样例:
private byte[] GetHash(SecureString password)
{
using (var h = new SHA256Cng()) // or your hash of choice
{
return password.Process(h.ComputeHash);
}
}
无需繁琐的步骤,无需在内存中留下明文。
请注意,传递给func()的字节数组包含纯Unicode格式的明文,对于大多数加密应用程序来说,这不应该是一个问题。
我从原始答案进行修改,以处理Unicode
IntPtr unmanagedBytes = Marshal.SecureStringToGlobalAllocUnicode(password);
byte[] bValue = null;
try
{
byte* byteArray = (byte*)unmanagedBytes.GetPointer();
// Find the end of the string
byte* pEnd = byteArray;
char c='\0';
do
{
byte b1=*pEnd++;
byte b2=*pEnd++;
c = '\0';
c= (char)(b1 << 8);
c += (char)b2;
}while (c != '\0');
// Length is effectively the difference here (note we're 2 past end)
int length = (int)((pEnd - byteArray) - 2);
bValue = new byte[length];
for (int i=0;i<length;++i)
{
// Work with data in byte array as necessary, via pointers, here
bValue[i] = *(byteArray + i);
}
}
finally
{
// This will completely remove the data from memory
Marshal.ZeroFreeGlobalAllocUnicode(unmanagedBytes);
}
由于我没有足够的声望在Eric的答案下评论,所以我不得不发布这篇文章来发表我的观点。
在我看来,Eric的代码存在问题,因为GCHandle.Alloc(workArray, ...)的操作不正确。它不应该固定workArray的null值,而是应该固定稍后将创建的实际数组。
此外,handle.Free()可能会抛出InvalidOperationException异常,因此我建议将其放在Marshal.ZeroFreeBSTR(...)之后,保证至少二进制字符串bstr指向的位置被清零。
修改后的代码应该是这样的:
public static T Process<T>(this SecureString src, Func<byte[], T> func)
{
IntPtr bstr = IntPtr.Zero;
byte[] workArray = null;
GCHandle? handle = null; // Change no. 1
try
{
/*** PLAINTEXT EXPOSURE BEGINS HERE ***/
bstr = Marshal.SecureStringToBSTR(src);
unsafe
{
byte* bstrBytes = (byte*)bstr;
workArray = new byte[src.Length * 2];
handle = GCHandle.Alloc(workArray, GCHandleType.Pinned); // Change no. 2
for (int i = 0; i < workArray.Length; i++)
workArray[i] = *bstrBytes++;
}
return func(workArray);
}
finally
{
if (workArray != null)
for (int i = 0; i < workArray.Length; i++)
workArray[i] = 0;
if (bstr != IntPtr.Zero)
Marshal.ZeroFreeBSTR(bstr);
handle?.Free(); // Change no. 3 (Edit: no try-catch but after Marshal.ZeroFreeBSTR)
/*** PLAINTEXT EXPOSURE ENDS HERE ***/
}
}
byte数组被固定在内存中(更改1和2)。此外,它们避免了在handle?.Free()引发异常的情况下仍在内存中加载未加密的二进制字符串(更改3)。GCHandle.Alloc(...) 的使用很好。如果您没有对其运行单元测试,会发生什么?我将更新我的答案以匹配。但是,除非您确实要处理失败,否则永远不要吞咽异常。 - Eric LloydMarshal.ZeroFreeBSTR(...)之后放置handle?.Free(),因为后者在失败时不会抛出异常,并确保bstr数组被清零。我会相应地调整我的答案。 - Tobias Bauer这个100%托管代码对我来说似乎有效:
var pUnicodeBytes = Marshal.SecureStringToGlobalAllocUnicode(secureString);
try
{
byte[] unicodeBytes = new byte[secureString.Length * 2];
for( var idx = 0; idx < unicodeBytes.Length; ++idx )
{
bytes[idx] = Marshal.ReadByte(pUnicodeBytes, idx);
}
return bytes;
}
finally
{
Marshal.ZeroFreeGlobalAllocUnicode(pUnicodeBytes);
}
static string SecureStringToString( SecureString value )
{
string s ;
IntPtr p = Marshal.SecureStringToBSTR( value );
try
{
s = Marshal.PtrToStringBSTR( p ) ;
}
finally
{
Marshal.FreeBSTR( p ) ;
}
return s ;
}
Marshal.ReadByte和Marshal.ReadInt16在IntPtr上获取所需内容。SecureString 的目的,即允许安全地在内存中存储敏感字符串数据,例如密码。 - Adrianstring,那么是否有其他方法可以保持密码安全并完成相同的事情? - inixsoftware