::::::::: PowerShell :::::::::
Saturday, April 01, 2006
  [MSH] Extending System.Security.SecureString
I was reading the Monad Technology Blog post about Base64 encoding and decoding a string, which extends the .NET type System.String with script properties called "ToBase64String" and "FromBase64String". (You can also add such properties interactively with "add-member -type ScriptProperty", but they last only for the given session.)

Well, to apply the concept, I decided to extend System.Security.SecureString by creating a new Monad XML type file called "my.types.mshxml" (the name is from the Monad Technology Blog) at $MshHome (for most people, it should be "C:\Program Files\Microsoft Command Shell\v1.0") and then extended SecureString to include a script property called UnsecureString.
UnsecureString decodes SecureString's content.

*NOTE: I won't go into details on how you can view SecureString content. If you would like to know how you can view a secure string's content and want to find out more about Windows Data Protection, please refer to the following sites
My.Types.Mshxml
<?xml version="1.0" encoding="utf-8" ?>
<Types>
  <Type>
    <Name>System.Security.SecureString</Name>
    <Members>
      <ScriptProperty>
        <Name>UnsecureString</Name>
        <GetScriptBlock>
          [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this))
        </GetScriptBlock>
      </ScriptProperty>
    </Members>
  </Type>
</Types>
Then, as you see in Monad Technology Blog, load the newly created custom type data:
Update-TypeData $MshHome\My.Types.Mshxml

Let's see whether System.Security.SecureString has been extended:
MSH>$admin = get-credential administrator
MSH>($admin.password).getType().fullName
System.Security.SecureString
MSH>$admin.password | get-member -MemberType ScriptProperty | format-list

TypeName : System.Security.SecureString
Name : UnsecureString
MemberType : ScriptProperty
Definition : System.Object UnsecureString {get=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($this));}
Now you can see that the SecureString type has been extended with "UnsecureString".
From this point on,
MSH>$admin.password
System.Security.SecureString
MSH>$admin.password.UnsecureString
*** secret ***

where *** secret *** is your decoded password string.


But this raises a couple of questions.
  1. Displaying a clear, unsecured string for the credential object is a security threat
  2. I can't answer the "IMPORTANT" note posted on the Monad Technology Blog site
    • <IMPORTANT POINT>
      Whenever you are adding some functions, you should make a conscious decision about whether those functions are best exposed as a "function" or as a "type extension".
      </IMPORTANT POINT>

I don't know when extending SecureString would come in handy without causing any security problems.
Will anyone be able to justify the need for extending SecureString to display a clear string?
Well, it's all up to you whether you would want to or not. (I just like to mess around...)
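
On the "function" versus "type extension" question, an added example (not code from the original post or from the Monad team): the same conversion written as an explicit function that wipes the unmanaged BSTR afterwards, which the script property above never does, plus a check for script members that have been attached to SecureString in the current session. The names Invoke-WithPlainText and Get-SecureStringExtension are hypothetical, and the code assumes released Windows PowerShell 3.0 or later (Get-TypeData) rather than the Monad beta.

```powershell
# Added example; function names are hypothetical, not part of PowerShell.
function Invoke-WithPlainText {
    param(
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $SecureString,
        [Parameter(Mandatory = $true)] [scriptblock] $ScriptBlock
    )
    $bstr = [IntPtr]::Zero
    try {
        # Decrypts into an unmanaged BSTR; this buffer now holds the clear text.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        # The managed string copy is immutable and lives until garbage collection,
        # so it is handed only to the caller's script block and never stored here.
        & $ScriptBlock ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    }
    finally {
        # Overwrite and free the unmanaged copy, even if the script block throws.
        if ($bstr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

function Get-SecureStringExtension {
    # Lists members added to SecureString through type data (types files or
    # Update-TypeData), such as the UnsecureString property from this post.
    $typeData = Get-TypeData -TypeName System.Security.SecureString
    if ($typeData) {
        $typeData.Members.Values |
            Select-Object Name, @{ Name = 'Kind'; Expression = { $_.GetType().Name } }
    }
}

# Constructed sample value, for demonstration only.
$secure = ConvertTo-SecureString 'constructed-sample' -AsPlainText -Force

# The clear text exists only inside the script block; only its length leaves.
$length = Invoke-WithPlainText -SecureString $secure -ScriptBlock {
    param($plain)
    $plain.Length
}
"Length of clear text: $length"

# Empty output means no type-data extension on SecureString is loaded.
Get-SecureStringExtension
```

With a function, every place that reads the clear text is a visible call site; a type extension makes it a property on every SecureString in the session, including ones returned by get-credential.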

