How do I insert private/public key in SecureString to the RSACryptoServiceProvider

Question

Let assume I've hardcoded my RSA key in string const:

 private const String rsaXmlKey = "<RSAKeyValue>something</RSAKeyValue>

Then I can use it with RSACryptoServiceProvider in that way:

 RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
 csp .FromXmlString(rsaXmlKey);

But I want to do it better and keep RSA key in SecureString. I know that are some issues with initializing SecureString, but it doesn't matter. I wonder to know how to pass SecureString to the RSACryptoServiceProvider?

Does it support SecureString ?

I don't want to convert SecureString to String, because it would be reasonless.

Answer 1

No, there is no way to import a private key (in the ToXmlString format) via a SecureString.

Your assumption also makes very little sense.

For one, you shouldn't ever have a private key embedded in an application. It will get extracted by someone, which now means you have false security, and that's worse than no security.

For two, you can't have a literal string be loaded into a SecureString safely. A constant string will have been written to the interned string table, which means it's discoverable; defeating your presumed desire. Hard-coding the sequential calls to AppendChar means that the IL still spells out your private key, leading back to point 1. Or, to quote MSDN:

A SecureString object should never be constructed from a String, because the sensitive data is already subject to the memory persistence consequences of the immutable String class. The best way to construct a SecureString object is from a character-at-a-time unmanaged source, such as the Console.ReadKey method.