Any way to use SecureString with SFTP Login Credentials

0 votes
asked Jan 22, 2013 by Paul Keister (150 points)
edited Jan 30, 2013

What I would like to do is use SecureString to protect the SFTP password. I know it is possible to get at the value of a SecureString instance by using the Marshal class to convert it to a standard string, but this compromises the value of using SecureString. Is there any way to use SecureString directly in credentials?

Applies to: Rebex SFTP

1 Answer

0 votes
answered Jan 23, 2013 by Lukas Pokorny (126,870 points)
edited Jan 23, 2013
Best answer

Unfortunately, this is not possible.

Reason: When performing password-based authentication, we actually have to construct an SSH message that contains the password. It is represented by an array of bytes, which is encrypted before being sent to the server. However, before the encryption, the array of bytes actually contains the password in plain text, compromising the value of using SecureString (we would have to use the Marshal class ourselves). Unfortunately, we can't do anything about this - we have to use an array of bytes to represent SSH messages because byte[] is the only input .NET's SymmetricAlgorithm accepts.

Update: SecureString class should no longer be used. It's only secure if properly created and properly used (which is not possible with managed SFTP/SSH implementations, as described above). There is a proposal to make it obsolete in .NET 6.0.

commented Jan 23, 2013 by Paul Keister (150 points)
edited Jan 23, 2013

Thanks, sometimes knowing something is impossible is the most valuable information.
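
The message layout the answer refers to, as an added example that is not Rebex code and not part of the original thread: it builds the password authentication request defined in RFC 4252 section 8 from a SecureString and shows the most a managed client can do, which is pin the plaintext buffers and wipe them after use. `SendPasswordAuth`, `PutString`, the user name `demo` and the password value are hypothetical, and the code assumes C# 9 top-level statements.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

using var secret = new SecureString();
foreach (char c in "constructed-pw") secret.AppendChar(c); // constructed sample value
SendPasswordAuth("demo", secret, m => Console.WriteLine(BitConverter.ToString(m)));

// Appends an SSH "string": uint32 big-endian length, then the raw bytes.
int PutString(byte[] buf, int pos, byte[] s, int len)
{
    buf[pos++] = (byte)(len >> 24); buf[pos++] = (byte)(len >> 16);
    buf[pos++] = (byte)(len >> 8); buf[pos++] = (byte)len;
    Buffer.BlockCopy(s, 0, buf, pos, len);
    return pos + len;
}
// Hypothetical helper: builds the RFC 4252 section 8 payload, hands it to 'send', then wipes it.
void SendPasswordAuth(string user, SecureString password, Action<byte[]> send)
{
    byte[] u = Encoding.UTF8.GetBytes(user), svc = Encoding.ASCII.GetBytes("ssh-connection");
    byte[] method = Encoding.ASCII.GetBytes("password"), msg = null;
    char[] chars = new char[password.Length];
    byte[] pw = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];
    GCHandle hChars = GCHandle.Alloc(chars, GCHandleType.Pinned); // pinned: the GC cannot move it and leave copies
    GCHandle hPw = GCHandle.Alloc(pw, GCHandleType.Pinned), hMsg = default(GCHandle);
    IntPtr p = IntPtr.Zero;
    try
    {
        p = Marshal.SecureStringToGlobalAllocUnicode(password);
        Marshal.Copy(p, chars, 0, chars.Length);
        int pwLen = Encoding.UTF8.GetBytes(chars, 0, chars.Length, pw, 0);
        msg = new byte[1 + 4 + u.Length + 4 + svc.Length + 4 + method.Length + 1 + 4 + pwLen];
        hMsg = GCHandle.Alloc(msg, GCHandleType.Pinned);
        msg[0] = 50;                                   // SSH_MSG_USERAUTH_REQUEST
        int pos = PutString(msg, 1, u, u.Length);
        pos = PutString(msg, pos, svc, svc.Length);
        pos = PutString(msg, pos, method, method.Length);
        msg[pos++] = 0;                                // boolean FALSE: not a password change
        PutString(msg, pos, pw, pwLen);                // the password, in plain text
        send(msg);                                     // a real client encrypts this buffer here
    }
    finally
    {
        if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p);
        Array.Clear(chars, 0, chars.Length); Array.Clear(pw, 0, pw.Length);
        if (msg != null) Array.Clear(msg, 0, msg.Length);
        hChars.Free(); hPw.Free(); if (hMsg.IsAllocated) hMsg.Free();
    }
}
```

The hex dump printed by the callback ends with the UTF-8 bytes of the password, which is the exposure window the answer describes; pinning and clearing shorten that window but do not remove it.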