Re: Best practice SecureString and pswd collection



Thanks Henning. Good article.

I'm looking for some commentary from MS on this also .. to see what
plans exist to implement secured credentials prompting in future
.NET releases.

Trying to dig into the api used in the generic IE export to pfx
and the pswd dialog that is used there (probably some internal
fn based on CredUIPromptForCredential ).
I'm updating the keypal.exe .NET tool to include pfx exportation,
so am idling on how to implement the pswd prompting :-)

Cheers,
- Mitch Gallant
MVP Security
jensign.com

"Henning Krause [MVP]" <newsgroups.remove@xxxxxxxxxxxxxxxxx> wrote in message
news:%23V%23TFEBVGHA.4900@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

my implementation is a CommonDialog, which can be dragged on a form and invoked easily...

Greetings,
Henning Krause

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:epVpt$AVGHA.328@xxxxxxxxxxxxxxxxxxxxxxx
Hi Henning,

Yup .. I'm already aware of pinvoking like that ..
looked at 2 references herein:

http://groups.google.com/group/microsoft.public.dotnet.languages.csharp/browse_thread/thread/156736d67df0b2e9/7d58cd0be12e5d4c

But there should obviously be a managed simplified wrapper fn which
simplifies this procedure. Should be a nice simple .net implementation
to prompt a user for providing a pswd which securely manages the memory of
the string and returns a SecureString to be used by (granted few)
functions that accept a SecureString arg.

Cheers,
- Mitch Gallant

"Henning Krause [MVP]" <newsgroups.remove@xxxxxxxxxxxxxxxxx> wrote in message
news:OK%232%23rAVGHA.328@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

you can use the CredUIPromptForCredential function.

If you google for this, you will find plenty of implementations. I've one on my website, too :-)

http://www.infinitec.de/software/nettoolbox/infinitec.security.aspx

Greetings,
Henning Krause

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:u4kfYDAVGHA.1868@xxxxxxxxxxxxxxxxxxxxxxx
Using .NET 2 managed code only, what is the best that
can be done security-wise in collecting a password from
the user (as console or some pswd control dialog) and
passing to a function (like X509Certificate.Import)
which can accept a SecureString?

What about pinvoking to access a secure password dialog
input? Going out of managed code, but does this remove
immutable string input ?

- Mitch
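
The console case asked about in the original question, as an added example that is not code from any poster in this thread: keystrokes are appended one at a time to a SecureString, which is then handed to X509Certificate.Import, so the password is never assembled into an immutable System.String. The names PfxPasswordPrompt and ReadPassword are made up for this example.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxPasswordPrompt   // hypothetical name, illustration only
{
    // Collects a password without echo and without building a System.String.
    static SecureString ReadPassword(string prompt)
    {
        Console.Write(prompt);
        SecureString pwd = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true);   // true = do not echo
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (pwd.Length > 0) pwd.RemoveAt(pwd.Length - 1);
                continue;
            }
            // Ignore arrows, function keys and other non-character input.
            if (!char.IsControl(key.KeyChar)) pwd.AppendChar(key.KeyChar);
        }
        Console.WriteLine();
        pwd.MakeReadOnly();   // no further edits once collection is finished
        return pwd;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: PfxPasswordPrompt <file.pfx>"); return 2; }
        using (SecureString pwd = ReadPassword("PFX password: "))   // Dispose() zeroes the buffer
        {
            try
            {
                X509Certificate cert = new X509Certificate();
                cert.Import(args[0], pwd, X509KeyStorageFlags.DefaultKeySet);
                Console.WriteLine("Subject: " + cert.Subject);
                return 0;
            }
            catch (CryptographicException ex)   // wrong password or unreadable file
            {
                Console.Error.WriteLine("Import failed: " + ex.Message);
                return 1;
            }
        }
    }
}
```

Each character still exists briefly in a ConsoleKeyInfo value and in the console host's input handling, so this narrows the exposure of the plaintext rather than eliminating it.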









