0 votes
by (150 points)
edited

What I would like to do is use SecureString to protect the SFTP password. I know it is possible to get at the value of a SecureSting instance by using the Marshall class to convert it to a standard string, but this compromises the value of using SecureString. Is there any way to use SecureString directly in credentials?

Applies to: Rebex SFTP

1 Answer

0 votes
by (134k points)
edited
 
Best answer

Unfortunately, this is not possible.

Reason: When performing password-based authentication, we actually have to construct an SSH message that contains the password. It is represented by an array of bytes, which is encrypted before being sent to the server. However, before the encryption, the array of bytes actually contains the password in plain text, compromising the value of using SecureString (we would have to use the Marshal class ourselves). Unfortunately, we can't do anything about this - we have to represent use an array of bytes to represent SSH messages because byte[] is the only input .NET's SymmetricAlgorithm accept.

Update: SecureString class should no longer be used. It's only secure if properly created and properly used (which is not possible with managed SFTP/SSH implementations, as described above). There is a proposal to make it obsolete in .NET 6.0.

by (150 points)
edited

Thanks, sometimes knowing something is impossible is the most valuable information.

...