C# & WPF - Using SecureString for a client-side HTTP API password


Problem description

When writing a WPF application, the PasswordBox stores the entered password as a SecureString. This totally makes sense. However, I want to send the password via an HTTP API, and the HttpClient PostAsync seems to accept strings for form-encoded data.

I am aware that other people have asked related questions, most notably Is SecureString ever practical in a C# application?, but I have not found a satisfactory method to send this SecureString to the HTTP endpoint, without first converting it to a String. The conversion totally defeats the object of SecureString in the first place (because it puts the plaintext right back into the managed memory).

Is there a canonically correct (and preferably straightforward) way to do this?

For complete disclosure - I have no control over the HTTP API.

Recommended answer

I think that, although not perfect, the best solution for you is to use the DecryptSecureString method, posted by rdev5 on this answer (after all, the password is being transferred in plaintext over the network anyway).

rdev5's method decrypts the SecureString into a string, does what you tell it to do with the password and then wipes it from memory. This reduces the window where the password is in the memory, and thus the time that it could be peeked from there.

Strings.DecryptSecureString(secureString, (password) =>
{
    // Do your API call here
});

P.S.: As pointed out in the original post, just be sure not to save the content of password elsewhere.
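
An added example (not rdev5's code and not part of the original answer) of the decrypt, use, wipe pattern described above, adapted so that the password is written into the form-encoded request body as bytes and no System.String of it is created. The names SecurePost, PostPasswordAsync and the field parameter are hypothetical, and the endpoint is assumed to accept an application/x-www-form-urlencoded body.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
using System.Threading.Tasks;
static class SecurePost // hypothetical helper name; not rdev5's DecryptSecureString
{
    // Posts "<field>=<password>" form-encoded without creating a System.String of the password.
    public static async Task<HttpResponseMessage> PostPasswordAsync(
        HttpClient client, Uri endpoint, string field, SecureString secret)
    {
        var chars = new char[secret.Length];
        var pin = GCHandle.Alloc(chars, GCHandleType.Pinned); // stop the GC relocating (copying) it
        byte[] utf8 = null, body = null; // not pinned here: a compacting GC may leave stale copies
        IntPtr raw = IntPtr.Zero;
        try
        {
            raw = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(raw, chars, 0, chars.Length);
            utf8 = new byte[Encoding.UTF8.GetMaxByteCount(chars.Length)];
            int n = Encoding.UTF8.GetBytes(chars, 0, chars.Length, utf8, 0);
            byte[] prefix = Encoding.ASCII.GetBytes(Uri.EscapeDataString(field) + "=");
            body = new byte[prefix.Length + 3 * n]; // worst case: every byte becomes %XX
            Buffer.BlockCopy(prefix, 0, body, 0, prefix.Length);
            int len = prefix.Length;
            const string hex = "0123456789ABCDEF";
            for (int i = 0; i < n; i++)
            {
                byte b = utf8[i];
                bool unreserved = (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') ||
                    (b >= '0' && b <= '9') || b == '-' || b == '.' || b == '_' || b == '~';
                if (unreserved) { body[len++] = b; continue; }
                body[len++] = (byte)'%'; body[len++] = (byte)hex[b >> 4]; body[len++] = (byte)hex[b & 15];
            }
            var content = new ByteArrayContent(body, 0, len); // wraps the buffer, does not copy it
            content.Headers.ContentType = new MediaTypeHeaderValue("application/x-www-form-urlencoded");
            return await client.PostAsync(endpoint, content); // completes after the request body is sent
        }
        finally
        {   // Zero every plaintext copy made here; the HTTP/TLS stack may still hold its own.
            if (raw != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(raw);
            Array.Clear(chars, 0, chars.Length);
            if (utf8 != null) Array.Clear(utf8, 0, utf8.Length);
            if (body != null) Array.Clear(body, 0, body.Length);
            pin.Free();
        }
    }
}
```

In a WPF handler this would be called with passwordBox.SecurePassword as the secret argument, so the Password string property is never read.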
