I am currently storing the user password in a SecureString. Which is also kept around in case the connection to the DB resets.
My problem is, I’m trying to pass this password to an OracleParamater, but I’m not sure if it supports it or not.
Does Oracle’s Oracle.DataAccess dll support SecureString or BStr? Since If I have to convert it to a string then that would kinda defeat the purpose of SecureString.
— EDIT
I know that SecureString is about reducing the attack surface by keeping as few copies of the password around unencrypted as possible. The problem is at some point you ofcourse have to decrypt the password to use it. If I could pass a char[] or a BStr or the secure string itself in an OracleParameter then I could clear it after the call returns. But If I have to create a string in order to pass it to Oracle, then I’ve just created a new immutable copy of the password. So I’m not really sure I gained much then.
No – AFAIK what you ask is not supported…
BUT even if it were supported the security issue would remain since the Oracle driver used (OCI) is native and does not know anything about
SecureStringthus it will handle the value internally without encryption which in turn means that this value can end up for example unencrypted in the swap file…It would be a bit more secure if what you ask were supported on the .NET side of things but merely so…
IF you really need that level of security I would recommend redesigning that part of your software to use encrypted values in a way that the server-side (Oracle DB) of things does not require “plain text” but works with the encrypted values…