Use SecureString for credit card numbers

I studied the use of the System.Security.SecureString class to store credit card numbers in memory while they are being processed. Has anyone used the SecureString class to store credit card numbers, or did most just use the regular System.String class?

+5
4 answers

From the point of view of PCI-DSS, there is no need to protect card numbers stored only in memory.

PCI only states that card numbers stored on disk or transmitted over the network must be encrypted. This is a common approach to the problem. Using SecureString ensures that the string is never cached to disk, but as you say, it is troublesome to use. This post has some good suggestions: https://stackoverflow.com/questions/122784/hidden-net-base-class-library-classes#123141

In theory, memory protection sounds like it will add strength, but in fact, if the bad guy has access to RAM, then it's pretty much game over anyway.

+9

A previously accepted answer from 2010 may have been correct at the time, but please pay attention to PCI DSS 3.0, section 6.5, which states:

, , .

.

, ( ) , .., , .

SecureString, .

, , . , , , . , , , BSTR, , BSTR . "", , .

winform, .

- ASP.NET ... , SO . , MSDN ASP.NET , :

SecureString ASP.NET . , - (, ) SecureString, .

, , , , , .

+2

SecureString ( ), .

, , , , -, .

, :

    using System;
    using System.Runtime.InteropServices;
    using System.Security;

    // Wraps an existing managed string in a SecureString. Note that the source
    // string itself is immutable and cannot be zeroed, so it stays in managed
    // memory until the GC reclaims it; this only protects the copy going forward.
    public static unsafe SecureString Secure(this string source)
    {
        if (source == null)
            return null;
        if (source.Length == 0)
            return new SecureString();

        // Pin the string directly instead of calling ToCharArray(), which would
        // leave a second, un-zeroed copy of the card number on the managed heap.
        fixed (char* pChars = source)
        {
            SecureString secured = new SecureString(pChars, source.Length);
            return secured;
        }
    }

    // Reverses the protection: the returned managed string is a plain copy of
    // the secret, so call this as late and as rarely as possible.
    public static string Unsecure(this SecureString source)
    {
        if (source == null)
            return null;

        IntPtr bstr = Marshal.SecureStringToBSTR(source);
        try
        {
            return Marshal.PtrToStringUni(bstr);
        }
        finally
        {
            // Zero and free the unmanaged copy regardless of success.
            Marshal.ZeroFreeBSTR(bstr);
        }
    }

+1
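The `Unsecure()` helper above hands the full card number back as an immutable managed string, which is exactly what SecureString is meant to avoid. As an added example (not from any answer on this page), the following shows how a consumer can do its work, here a Luhn check and a masked display form, directly on the unmanaged BSTR copy and zero it afterwards, so the complete number never becomes a `System.String`. The class name, method name and the test value are my own choices.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class CardNumberProcessing
{
    // Runs a Luhn check and builds a masked form ("****1111") by reading the
    // UTF-16 BSTR copy in place; the unmasked PAN is never materialised as a
    // managed string. The BSTR is zeroed and freed in the finally block.
    public static (bool LuhnValid, string Masked) Inspect(SecureString pan)
    {
        if (pan == null) throw new ArgumentNullException(nameof(pan));
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(pan);
            int len = pan.Length;
            int sum = 0;
            bool doubleIt = false;
            string last4 = string.Empty;
            for (int i = len - 1; i >= 0; i--)
            {
                char c = (char)Marshal.ReadInt16(bstr, i * 2); // 2 bytes per UTF-16 char
                if (c < '0' || c > '9') return (false, string.Empty);
                int d = c - '0';
                if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
                sum += d;
                doubleIt = !doubleIt;
                if (len - 1 - i < 4) last4 = c + last4; // keep only the last four digits
            }
            return (sum % 10 == 0, new string('*', Math.Max(0, len - 4)) + last4);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        // Constructed sample: a well-known Luhn-valid test number, not a real card.
        using (var pan = new SecureString())
        {
            foreach (char c in "4111111111111111") pan.AppendChar(c);
            pan.MakeReadOnly();
            var (ok, masked) = Inspect(pan);
            Console.WriteLine($"luhn={ok} masked={masked}");
        }
    }
}
```

The same pattern applies to any processing step (formatting for a payment API call, hashing for a token lookup): operate on the pinned or unmanaged buffer and zero it, rather than round-tripping through a managed string.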

Do not use SecureString. PG condemns this. Watch the video and they will talk about many security issues. https://github.com/dotnet/apireviews/tree/master/2015-07-14-securestring

0
