我什么时候需要 .NET 中的 SecureString? [英] When would I need a SecureString in .NET?
问题描述
我正在尝试理解 .NET 的 SecureString 的用途.来自 MSDN:
I'm trying to grok the purpose of .NET's SecureString. From MSDN:
System.String 类的实例既不可变,当不再需要时,不能以编程方式安排垃圾收集;也就是说,实例在创建后是只读的,无法预测实例何时会从计算机内存中删除.因此,如果 String 对象包含诸如密码、信用卡号或个人数据之类的敏感信息,则存在信息在使用后可能会泄露的风险,因为您的应用程序无法从计算机内存中删除数据.
An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.
SecureString 对象类似于 String 对象,因为它具有文本值.但是,SecureString 对象的值是自动加密的,可以修改直到您的应用程序将其标记为只读,并且可以由您的应用程序或 .NET Framework 垃圾收集器从计算机内存中删除.
A SecureString object is similar to a String object in that it has a text value. However, the value of a SecureString object is automatically encrypted, can be modified until your application marks it as read-only, and can be deleted from computer memory by either your application or the .NET Framework garbage collector.
SecureString 实例的值在实例初始化或值被修改时自动加密.您的应用程序可以通过调用 MakeReadOnly 方法使实例不可变并防止进一步修改.
The value of an instance of SecureString is automatically encrypted when the instance is initialized or when the value is modified. Your application can render the instance immutable and prevent further modification by invoking the MakeReadOnly method.
自动加密是最大的回报吗?
Is the automatic encryption the big payoff?
为什么我不能说:
SecureString password = new SecureString("password");
代替
SecureString pass = new SecureString();
foreach (char c in "password".ToCharArray())
pass.AppendChar(c);
我缺少 SecureString 的哪些方面?
What aspect of SecureString am I missing?
推荐答案
我会停止使用 SecureString .看起来PG家伙正在放弃对它的支持.甚至可能在未来拉它 - https://github.com/dotnet/apireviews/tree/master/2015-07-14-securestring .
I would stop using SecureString . Looks like PG guys are dropping support for it. Possibly even pull it in the future - https://github.com/dotnet/apireviews/tree/master/2015-07-14-securestring .
我们应该在 .NET Core 的所有平台上从 SecureString 中删除加密 - 我们应该废弃 SecureString - 我们可能不应该在 .NET Core 中公开 SecureString
We should remove encryption from SecureString across all platforms in .NET Core - We should obsolete SecureString - We probably shouldn't expose SecureString in .NET Core
这篇关于我什么时候需要 .NET 中的 SecureString?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
