[Solved] How should IBuffer objects generated through Windows.Security.Cryptography be managed securely?


You can wipe out the buffer if you like after use, even with C#. Here is a handy helper:

public static class BufferExtensions
{
  public async static Task ClearContentsAsync(this IBuffer buff)
  {
    var writer = new DataWriter(buff.AsStream().AsOutputStream());
    for (var i = 0; i < buff.Capacity; i++)
      writer.WriteByte(42);
    await writer.StoreAsync();
  }
}

Use it like this:

  var buff = CryptographicBuffer.GenerateRandom(20);
  var before = buff.ToArray();
  await buff.ClearContentsAsync();
  var after = buff.ToArray();
  Debug.WriteLine("{0},{1},{2} - {3},{4},{5}", 
    before[0], before[1], before[2], after[0], after[1], after[2]);

Note that the values in before (copy taken before clearing) are random, but the values in after (copy taken after clearing) are all 42. You can of course use a different value of your choice :-).

1

solved How should IBuffer objects generated through Windows.Security.Cryptography be managed securely?