SecureString data type in C#

greenstone
User
Posts: 132
Joined: 20-Jun-2007
# Posted on: 30-Oct-2018 19:49:49   

Hi,

I understand that SecureString (instead of String) datatype can reduce the chance of having plain-text values in memory.

https://docs.microsoft.com/en-us/dotnet/api/system.security.securestring?view=netframework-4.7.2

Can you share any guidance about using SecureString for LLBLGen entities?

daelmo
Support Team
Posts: 8245
Joined: 28-Nov-2005
# Posted on: 31-Oct-2018 08:03:45   

Hi Andy,

This is not a built-in feature but you could write a TypeConverter to use it in the fields you want. I was curious about this type (I never used it before) so I gave it a try writing my own converter. I could assign it to fields, generate code, fetch an entity and save it back. The protected field was Customer.Phone. I was able to fetch the data from DB, while the field is not readable in the code, and then set it to a new value using the underlying converter using InteropServices.Marshal.SecureStringToGlobalAllocUnicode(value).

The TypeConverter, a test .llblgenproj file and a Test .net project are zipped and attached to this message. Maybe it helps. To use it:

  1. Compile the NWTC.TypeConverters project.
  2. Copy the compiled NWTC.TypeConverters.dll to [LLBLGen Installation Folder]\TypeConverters
  3. Copy the NWTC.TypeConverters.typeimports file (it's in the root of the zipped folder) into [LLBLGen Installation Folder]\TypeConverters folder.
  4. Open the file used in (3) and validate that the path to the LLBLGen installation folder is ok.
  5. Now you can use it. There is a LLBLGen project and a solution to test.

Useful links:

  - Type shortcuts
  - How to automatically assign Type Converters
  - Type Import Definitions

Now that I made that spike test, I really don't know whether or not this is 100% useful for what you are looking for. I see that ADO.Net doesn't support this type directly. It's typically used to protect the SQLCredentials in a connection string, but not for data types in ADO.Net. So, at some point, just before the conversion from the data coming from DB and the entity initialization, there is a string in plain text that is transformed into a SecureString by the converter at Entity initialization. So, for a moment that plain string was in the memory, right?

How would you do it if you just have an ADO.Net connection and want to protect some field of the resultset?

Attachments
Filename File size Added on Approval
NWTC.zip 48,157 31-Oct-2018 08:04.04 Approved
David Elizondo | LLBLGen Support Team
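
A sketch of the kind of converter described in the post above, added here as an example; it is not the NWTC.TypeConverters code from the attachment and not LLBLGen's own code. The class name is hypothetical, and it assumes the converter is an ordinary System.ComponentModel.TypeConverter with SecureString on the entity side and string on the database side. The comments mark the two points where a plain-text managed string exists.

```csharp
using System;
using System.Collections;
using System.ComponentModel;
using System.Globalization;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical name; illustrative only.
public class SecureStringConverterSketch : TypeConverter
{
    public override bool CanConvertFrom(ITypeDescriptorContext context, Type sourceType)
        => sourceType == typeof(string);

    public override bool CanConvertTo(ITypeDescriptorContext context, Type destinationType)
        => destinationType == typeof(string);

    // DB -> entity. The value arrives from ADO.NET as a managed string, so a
    // plain-text copy is already on the heap and cannot be wiped from here.
    public override object ConvertFrom(ITypeDescriptorContext context, CultureInfo culture, object value)
    {
        var secure = new SecureString();
        if (value is string plain)          // null / DBNull yield an empty SecureString
        {
            foreach (char c in plain) secure.AppendChar(c);
        }
        secure.MakeReadOnly();
        return secure;
    }

    // Entity -> DB. The command parameter needs a string again.
    public override object ConvertTo(ITypeDescriptorContext context, CultureInfo culture,
                                     object value, Type destinationType)
    {
        if (!(value is SecureString secure)) return null;
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secure);
            return Marshal.PtrToStringUni(buffer);   // second plain-text managed copy
        }
        finally
        {
            // Zeroes and frees only the unmanaged buffer, not the returned string.
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    // Assumption: the designer asks the converter for a sample instance of its target type.
    public override object CreateInstance(ITypeDescriptorContext context, IDictionary propertyValues)
        => new SecureString();
}
```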