Any way to use SecureString with SFTP Login Credentials

0 votes
asked Jan 22, 2013 by Paul Keister (150 points)
edited Jan 30, 2013

What I would like to do is use SecureString to protect the SFTP password. I know it is possible to get at the value of a SecureSting instance by using the Marshall class to convert it to a standard string, but this compromises the value of using SecureString. Is there any way to use SecureString directly in credentials?

Applies to: Rebex SFTP

1 Answer

0 votes
answered Jan 23, 2013 by Lukas Pokorny (92,750 points)
edited Jan 23, 2013
 
Best answer

Unfortunately, this is not possible.

Reason: When performing password-based authentication, we actually have to construct an SSH message that contains the password. It is represented by an array of bytes, which is encrypted before being sent to the server. However, before the encryption, the array of bytes actually contains the password in plain text, compromising the value of using SecureString (we would have to use the Marshal class ourselves). Unfortunately, we can't do anything about this - we have to represent use an array of bytes to represent SSH messages because byte[] is the only input .NET's SymmetricAlgorithm accept.

commented Jan 23, 2013 by Paul Keister (150 points)
edited Jan 23, 2013

Thanks, sometimes knowing something is impossible is the most valuable information.

...