
Introduction
The main goal of this application is to show how easy is to work with System.Security
(SecureString
, SymmetricAlgorithms
) in a Windows Forms project. The application uses the SecurePasswordTextBox
control made by Paul Glavich. SecurePasswordTextBox
is a Windows Forms TextBox
control that uses the .NET V2 SecureString
class to store its contents. More details about this control can be found at Paul Glavich's blog.
Why do we need SecureString
s? Well, the MSDN documentation is very explicit on this, I will just quote it: "An instance of the System.String
class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created, and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String
object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used, because your application cannot delete the data from computer memory." So, as a programmer, you must make sure that the sensitive data that you are dealing with in your applications like passwords are as much as possible protected. In my manager, I am receiving the password string as a SecureString
with help from the Paul Glavich's control, and then I encrypt it with a symmetric algorithm (Rijndael) for storage and internal use. There is a moment when you can't protect the string, and that moment comes when the user wants to see his password in clear, or wants to paste it into a web page.
Using the code
There are two main classes that I use in my application; one is the CryptoCore
class, with which I encrypt the serialized data to disk and the passwords while residing in memory. The class looks like this:

For encryption and decryption, I am using a hard-coded Key and Initial Vector but you can change them by calling the SetBinaryKeys
method. The second class is named Storage
, and is used for the management of the encrypted files. You can create new files, and edit and save them to disk in a safe manner. The Storage
class has a collection of entries, each entry holds a row from the listview. The Entry
class looks like this:

Let's take a look at the constructor of the Entry
class:
public Entry(string name, string user, SecureString password,
string site, string comment)
{
this.name = name;
this.user = user;
this.comment = comment;
this.site = site;
using (CryptoCore cryptor = new CryptoCore())
{
IntPtr ptr = Marshal.SecureStringToBSTR(password);
this.password = cryptor.EncryptString(Marshal.PtrToStringAuto(ptr));
Marshal.ZeroFreeBSTR(ptr);
}
}
So I am receiving a password of type SecureString
from the form, and I encrypt it with Rijndael for storage in memory. After creating a new entry, we can add it to the Storage.Entries
, and when you want to change the password, you can call the entry.UpdatePassword
method.
Program.CurrentStorage.Entries.Add(
new Storage.Entry(txtName.Text, txtUser.Text,
txtPass.SecureText, txtSite.Text, txtComment.Text));
entry.UpdatePassword(txtPass.SecureText);
Next, I want to show you how the application can save or load a .sps file. An SPS file is a serialized Storage
object, to load a file we have to deserialize (special constructor) and for saving a file we have to serialize:
public Storage(string filePath)
{
Entries = new List<Entry>();
using (CryptoCore cryptor = new CryptoCore())
{
byte[] storage = cryptor.DecryptBuffer(File.ReadAllBytes(filePath));
using (MemoryStream ms = new MemoryStream(storage))
{
BinaryFormatter bf = new BinaryFormatter();
Entries = ((Storage)bf.Deserialize(ms)).Entries;
}
}
}
public void Serialize(string filePath)
{
byte[] storage;
using (MemoryStream ms = new MemoryStream())
{
BinaryFormatter bf = new BinaryFormatter();
bf.Serialize(ms, this);
storage = ms.ToArray();
}
using (CryptoCore cryptor = new CryptoCore())
{
File.WriteAllBytes(filePath, cryptor.EncryptBuffer(storage));
}
}
When we load an SPS file, the binding between the class and the listview control is very easy. Notice that the password is not shown here, there is another form that will help you change the password or view the credentials. Every time we open a new SPS file, it will load into a global Storage
class, Program.CurrentStorage
. Program.CurrentStorage
is a static public member of the Program
class.
private void FillListView()
{
listView.Items.Clear();
for (int i = 0; i < Program.CurrentStorage.Entries.Count; i++)
{
ListViewItem itemName = new ListViewItem(
Program.CurrentStorage.Entries[i].Name);
itemName.Tag = i;
itemName.SubItems.Add(Program.CurrentStorage.Entries[i].User);
itemName.SubItems.Add(Program.CurrentStorage.Entries[i].Site);
itemName.SubItems.Add(Program.CurrentStorage.Entries[i].Comment);
listView.Items.Add(itemName);
}
}
Points of interest
You have to download the code in order to understand the whole project; you can find examples of the new C# 2.0 features like generics and anonym delegates. This project does not implement a true password manager, because it lacks features like a main password for opening SPS files. It encrypts all SPS files with the same Rijndael key and so on. I will update the application with new features in time, if anyone finds it interesting.
History
- 27.09.2006 - Version 1.0 Alpha.