Generating a Derived Key from a Password Stored in a SecureString
The Rfc2898DeriveBytes class derives a new cryptographic key from the given string password. As I understand it, this should improve the security of the key data, since you never need to store the key forever - it can always be obtained from the value known to the user. However, since only a value is required as an input string, the original password remains in memory until GC'd. It seems to me that this is a potential security problem, as dangerous as storing the key itself in the system. The .NET Framework implements a SecureString implementation for in-memory password protection. But Rfc2898DeriveBytes doesn't accept a SecureString.
Is there a way to generate a cryptographic key from a SecureString?