Suppose there is a WPF program that runs the client through a network connection. The user of the program entered his name: password and in response from the server, the program received a secret key or token, which is used to further work the program with the server. Is there a possibility in .Net to create some kind of protected memory area in which this key can be stored for the duration of the program's session? This is necessary in order to exclude the possibility of "spying" this key during step-by-step decompilation.

  • one
    It's not entirely clear who you want to protect from? Describe your threat model, provide a script that you would like to avoid. - VladD
  • 3
    securestring? msdn.microsoft.com/ru-ru/library/… - Leonid Malyshev
  • one
    It is possible that this will be useful cyberforum.ru/csharp-beginners/thread1728117.html - Alexander Muksimov
  • 2
    @Bulson: Understood nothing. What is your problem scenario? Are you afraid that the user, who owns his car and can run the program under the emulator, knows the state of its variables? Well, this can not be prevented, he is still the complete owner of his car. - VladD
  • 2
    The idea of SecureString is that you, as a developer, control the life of such a string (this type is not made disposable for nothing), and its contents are encrypted, while a regular String can hang in memory for an arbitrarily long time, so an attacker can save a dump to a file, say, on a flash drive, and then pull out the password in clear text using WinDbg and SOS. That is why SecureString does not have a constructor that accepts a string. Step-by-step decompilation has nothing to do with it. - Raider

0