Mark Nicholson

Marshaling SecureString Passwords to String

markn — Sat, 04 Oct 2008 06:56:25 GMT

You should always use a System.Security.SecureString when creating .NET APIs that handle passwords. Unfortunately many of the .NET Framework APIs do not yet use System.Security.SecureString. This will change in the future, but for now, how do you handle the marshaling of a System.Security.SecureString to an API that uses System.String without leaving traces of the password all over memory. Here is one work-around for this problem.

First off, what is wrong with using System.String to represent passwords:

1. The GC is free to move the System.String around in memory (unknown to the developer). When moving the memory buffer around in memory, copies of the string are left all over the now free areas of the process memory. For efficiency, the GC does not zero the memory that it frees. So even though your code may only have 'one copy' of the string, in memory there could be thousands of copies of the string that are no longer accessible by a reference or pointer and will remain there until that memory is used for something else and gets overwritten.

2. Whenever you perform some System.String manipulation, a new System.String is created. This is because System.String is immutable. Thus, if I append characters onto a System.String in order to build up a password, pieces of the password are left all over the process memory by the temporary strings that are created.

An example of a .NET Framework API that should use a System.Security.SecureString to represent a password, but instead uses a System.String, is the WCF System.ServiceModel.Security.UserNamePasswordClientCredential.Password property. There are many examples of this in the .NET Framework. One in particular that relates to a post below about the SQL OPEN { MASTER | SYMMETRIC } KEY relates to ADO.NET not accepting a System.Security.SecureString as a mapable type to a string-based parameter. This means that all passwords sent to the database via ADO.NET must be System.String.

There is some good news though, the System.Diagnostics.Process class uses a System.Security.SecureString to represent the password.

So, how do we marshal a System.Security.SecureString to a System.String temporarily, and then guarantee that traces aren't left all over the process memory. We need to implement two things:

1. Guarantee that the .NET GC does not move the System.String around in memory.

2. Guarantee a deterministic freeing of the string, zeroing out the memory.

To accomplish the first one, we will pin the string in memory using the System.Runtime.InteropServices.GCHandle class.

To accomplish the second, we will use managed pointers (unsafe code) to mutate the System.String and the strong guarantees of the System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup method.

Step 1: Capture a System.Security.SecureString password from the command line.

SecureString password = ConsoleUtility.CapturePassword("Enter password: ");

See my post below for the ConsoleUtility code. http://dotnet.org.za/markn/archive/2008/10/03/simple-console-password-capture-utility.aspx

Step 2: Allocate an "empty" System.String (filled with zeros '\0') of the correct length.

int length = password.Length;
var insecurePassword = new string('\0', length);

This creates a string filled with the '\0' character for the same length as the password. At this point, the GC is still free to move this string around in memory, leaving copies of it in memory as it goes. We are not concerned with this, because the string does not contain any sensitive information yet.

Step 3: Pin the System.String so that the GC cannot move it around in memory.

GCHandle gch = GCHandle.Alloc(insecurePassword, GCHandleType.Pinned);

Once pinned by a GC handle, the GC cannot move the memory until GCHandle.Free is called.

Step 4: Marshal the System.Security.SecureString to the pinned System.String.

   1: IntPtr passwordPtr = Marshal.SecureStringToBSTR(password);

   2: var pPassword = (char*)passwordPtr;

   3: var pInsecurePassword = (char*)gch.AddrOfPinnedObject();

   4: for (int index = 0; index < length; index++)

   5: {

   6:     pInsecurePassword[index] = pPassword[index];

   7: }

   8: Marshal.ZeroFreeBSTR(passwordPtr);

Line 1 marshals the encrypted System.Security.SecureString password to an unmanaged buffer. Line 2 gets the managed pointer to the unmanaged buffer. Line 3 gets the managed pointer to the pinned managed System.String that we are going to copy the password into. Lines 4 to 7 copy the password into the System.String buffer (mutating the immutable string). Line 8 zeros and frees the unmanaged buffer holding the marshaled password.

NOTE: This code must be executed in an unsafe context. Place the unsafe keyword around the code or on the method. Enable your assembly to use unsafe code under Properties, Build, Allow unsafe code.

Step 5: Use the System.String password.

Console.WriteLine(insecurePassword);

Here we would pass the System.String to the .NET API that requires a System.String. In this case I just output the password to the console. In a real situation this would be a more useful call.

Step 6: Deterministically zero the pinned System.String password.

for (int index = 0; index < length; index++)
{
    pInsecurePassword[index] = '\0';
}

This overwrites (mutates) the System.String memory with zeros '\0'.

Verify that the System.String memory has been overwritten.

Console.WriteLine(insecurePassword);

Step 7: Unpin the System.String password.

gch.Free();

Now the System.String is free to be garbage collected by the GC, but the string does not contain any sensitive information, so we don't care that the string can now move around in memory or that there is a delay before the string is actually GC'ed.

That is the basic structure of the code. However, there are potential memory leaks in this code in the face of exceptions and asynchronous exceptions such as ThreadAbortException, OutOfMemoryException and StackOverflowException, etc.

In Step 3, we need to protect the GCHandle.Alloc to ensure that we do not leak a GC handle. An asynchronous exception, such as ThreadAbortException may be thrown after the GCHandle.Alloc method has allocated the handle, but before it is assigned to the variable 'gch', thus leaking the handle. To protect this allocation and the assignment to the variable we use a CER (Constrained Execution Region).

Step 3 changes to the following code:

   1: GCHandle gch;

   2: RuntimeHelpers.PrepareConstrainedRegions();

   3: try {} finally

   4: {

   5:     gch = GCHandle.Alloc(insecurePassword, GCHandleType.Pinned);

   6: }

The try block is not a CER, only the finally block is a CER. You will often see this strange form of a try finally block with RuntimeHelpers.PrepareConstrainedRegions method call directly above the try. This declares a CER for the finally block. A CER cannot be interrupted once entered, even by asynchronous exceptions such as ThreadAbortException, OutOfMemoryException and StackOverflowException. This post is not about CERs, so I won't go into more detail here. NOTE: CERs should NOT be used in "normal, everyday" code. They should only be used when marshaling to and from unmanaged code or in this edge case, when using GCHandle, because GCHandle requires an explicit free.

In Step 4, line 1, the Marshal.SecureStringToBSTR method call is also not safe from asynchronous exceptions. Again we require a CER...

   1: IntPtr passwordPtr;

   2: RuntimeHelpers.PrepareConstrainedRegions();

   3: try {} finally

   4: {

   5:     passwordPtr = Marshal.SecureStringToBSTR(password);

   6: }

Finally, we should ensure that the GC handle is freed with GCHandle.Free and the unmanaged pointer is freed with Marshal.ZeroFreeBSTR. To do this, we could use a try/finally, but this does not guarantee that the finally will be executed in the face of asynchronous exceptions. To harden this and ensure we don't leak GC handles or unmanaged memory, we again use CERs. We should also dispose the System.Security.SecureString to ensure good house-keeping with a using. Here is the final reworked code.

   1: using (SecureString password = ConsoleUtility.CapturePassword("Enter password: "))

   2: {

   3:     int length = password.Length;

   4:     var insecurePassword = new string('\0', length);

5:

   6:     var gch = new GCHandle();

   7:     RuntimeHelpers.PrepareConstrainedRegions();

   8:     try

   9:     {

  10:         RuntimeHelpers.PrepareConstrainedRegions();

  11:         try {} finally

  12:         {

  13:             gch = GCHandle.Alloc(insecurePassword, GCHandleType.Pinned);

  14:         }

15:

  16:         IntPtr passwordPtr = IntPtr.Zero;

  17:         try

  18:         {

  19:             RuntimeHelpers.PrepareConstrainedRegions();

  20:             try {} finally

  21:             {

  22:                 passwordPtr = Marshal.SecureStringToBSTR(password);

  23:             }

24:

  25:             var pPassword = (char*)passwordPtr;

  26:             var pInsecurePassword = (char*)gch.AddrOfPinnedObject();

  27:             for (int index = 0; index < length; index++)

  28:             {

  29:                 pInsecurePassword[index] = pPassword[index];

  30:             }

31:

  32:             // Use the password.

  33:             Console.WriteLine(insecurePassword);

  34:         }

  35:         finally

  36:         {

  37:             if (passwordPtr != IntPtr.Zero)

  38:             {

  39:                 Marshal.ZeroFreeBSTR(passwordPtr);

  40:             }

  41:         }

  42:     }

  43:     finally

  44:     {

  45:         if (gch.IsAllocated)

  46:         {

  47:             // Zero the string.

  48:             var pInsecurePassword = (char*)gch.AddrOfPinnedObject();

  49:             for (int index = 0; index < length; index++)

  50:             {

  51:                 pInsecurePassword[index] = '\0';

  52:             }

  53:             gch.Free();

  54:         }

  55:     }

  56: }

[EDIT] There is an error in the code above. Between lines 16 and 17 there should be a RuntimeHelpers.PrepareConstrainedRegions(); method call.

[EDIT] Lines 32 and 33 should come after line 41 to ensure that the unmanaged buffer is freed as early as possible.

There is still a potential problem with this code. The final finally that zeros and unpins the managed System.String containing the unencrypted password, may never execute in the face of a StackOverflowException.

To harden this code further we can convert the outer try/finally (CER) to RuntimeHelpers.ExecuteCodeWithGauranteedCleanup method. This guarantees that the cleanup code ALWAYS executes even in the face of a StackOverflowException. Here is the reworked code...

   1: using (SecureString password = ConsoleUtility.CapturePassword("Enter password: "))

   2: {

   3:     int length = password.Length;

   4:     var insecurePassword = new string('\0', length);

5:

   6:     var gch = new GCHandle();

   7:     RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(

   8:         delegate

   9:             {

  10:                 RuntimeHelpers.PrepareConstrainedRegions();

  11:                 try {} finally

  12:                 {

  13:                     gch = GCHandle.Alloc(insecurePassword, GCHandleType.Pinned);

  14:                 }

15:

  16:                 IntPtr passwordPtr = IntPtr.Zero;

  17:                 try

  18:                 {

  19:                     RuntimeHelpers.PrepareConstrainedRegions();

  20:                     try {} finally

  21:                     {

  22:                         passwordPtr = Marshal.SecureStringToBSTR(password);

  23:                     }

24:

  25:                     var pPassword = (char*)passwordPtr;

  26:                     var pInsecurePassword = (char*)gch.AddrOfPinnedObject();

  27:                     for (int index = 0; index < length; index++)

  28:                     {

  29:                         pInsecurePassword[index] = pPassword[index];

  30:                     }

31:

  32:                     // Use the password.

  33:                     Console.WriteLine(insecurePassword);

  34:                 }

  35:                 finally

  36:                 {

  37:                     if (passwordPtr != IntPtr.Zero)

  38:                     {

  39:                         Marshal.ZeroFreeBSTR(passwordPtr);

  40:                     }

  41:                 }

  42:             },

  43:         delegate

  44:             {

  45:                 if (gch.IsAllocated)

  46:                 {

  47:                     // Zero the string.

  48:                     var pInsecurePassword = (char*)gch.AddrOfPinnedObject();

  49:                     for (int index = 0; index < length; index++)

  50:                     {

  51:                         pInsecurePassword[index] = '\0';

  52:                     }

  53:                     gch.Free();

  54:                 }

  55:             },

  56:         null);

  57: }

[EDIT] There is an error in the code above. Between lines 16 and 17 there should be a RuntimeHelpers.PrepareConstrainedRegions(); method call.

[EDIT] Lines 32 and 33 should come after line 41 to ensure that the unmanaged buffer is freed as early as possible.

We did this extra hardening step to ensure the safety of the password. That is, to ensure that the System.String containing the unencrypted password is ALWAYS zeroed deterministically.

However, there is still a potential memory leak in that the Marshal.ZeroFreeBSTR may never execute. We can further harden this code by replacing the inner try/finally with RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup, although this is not necessary for the security of the password, only to avoid a memory leak.

This is the final code listing:

using (SecureString password = ConsoleUtility.CapturePassword("Enter password: "))
{
    int length = password.Length;
    var insecurePassword = new string('\0', length);

    var gch = new GCHandle();
    RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(
        delegate
            {
                RuntimeHelpers.PrepareConstrainedRegions();
                try {} finally
                {
                    gch = GCHandle.Alloc(insecurePassword, GCHandleType.Pinned);
                }

                IntPtr passwordPtr = IntPtr.Zero;
                RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(
                    delegate
                        {
                            RuntimeHelpers.PrepareConstrainedRegions();
                            try {} finally
                            {
                                passwordPtr = Marshal.SecureStringToBSTR(password);
                            }

                            var pPassword = (char*)passwordPtr;
                            var pInsecurePassword = (char*)gch.AddrOfPinnedObject();
                            for (int index = 0; index < length; index++)
                            {
                                pInsecurePassword[index] = pPassword[index];
                            }
                        },
                    delegate
                        {
                            if (passwordPtr != IntPtr.Zero)
                            {
                                Marshal.ZeroFreeBSTR(passwordPtr);
                            }
                        },
                    null);

                // Use the password.
                Console.WriteLine(insecurePassword);
            },
        delegate
            {
                if (gch.IsAllocated)
                {
                    // Zero the string.
                    var pInsecurePassword = (char*)gch.AddrOfPinnedObject();
                    for (int index = 0; index < length; index++)
                    {
                        pInsecurePassword[index] = '\0';
                    }
                    gch.Free();
                }
            },
        null);
}

Simple Console Password Capture Utility

markn — Fri, 03 Oct 2008 17:45:10 GMT

For command line utilities, that require capturing a password, you may find this C# utility class to capture a password useful.

Features:

1. Allows you to specify a prompt, e.g. "Enter password: "

2. Caters for masking or unmasking the displayed password, e.g. abc123 or ******

3. Allows you to specify the masking character, e.g. - instead of *

4. Caters for a maximum length, or unlimited length passwords.

5. Caters for processing the backspace key so the user can make corrections.

6. Uses the System.Security.SecureString class (correctly) to ensure that the password is encrypted in memory.

Copy this code into a Visual Studio 2008,C# Windows Console Application Project, Program.cs file.

using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;

namespace TestConsoleUtility
{
    /// <summary>
    /// Extensions to the <see cref="Console"/> class.
    /// </summary>
    public static class ConsoleUtility
    {
        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// No prompt message is displayed to the user.
        /// The password may be any length.
        /// The characters entered by the user are replaced by the '*' character
        /// for improved security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword()
        {
            return CapturePassword(null, -1, true, '*');
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// The password may be any length.
        /// The characters entered by the user are replaced by the '*' character
        /// for improved security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks> 
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt)
        {
            return CapturePassword(prompt, -1, true, '*');
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// The password may be any length.
        /// If the <paramref name="useMask"/> parameter is true, the characters
        /// entered by the user are replaced by the '*' character for improved 
        /// security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks> 
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <param name="useMask">true, if the characters typed by the user 
        /// should be replaced by the '*' character, otherwise false.</param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt, bool useMask)
        {
            return CapturePassword(prompt, -1, useMask, '*');
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// The password may be any length.
        /// If the <paramref name="useMask"/> parameter is true, the characters
        /// entered by the user are replaced by the <paramref name="mask"/> 
        /// character for improved security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks> 
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <param name="useMask">true, if the characters typed by the user 
        /// should be replaced by the <paramref name="mask"/> character, 
        /// otherwise false.</param>
        /// <param name="mask">The character to replace the characters typed by
        /// the user with, if the <paramref name="useMask"/> parameter is true.
        /// </param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt, 
            bool useMask, char mask)
        {
            return CapturePassword(prompt, -1, useMask, mask);
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// If the <paramref name="maxLength"/> parameter is set to -1, the 
        /// password can be any length.
        /// The characters entered by the user are replaced by the '*' character
        /// for improved security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks>
        /// <exception cref="ArgumentOutOfRangeException">
        /// <paramref name="maxLength"/> is less than -1.</exception>
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <param name="maxLength">The maximum length of the password to 
        /// capture. Specify -1 for infinite.</param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt, int maxLength)
        {
            return CapturePassword(prompt, maxLength, true, '*');
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// If the <paramref name="maxLength"/> parameter is set to -1, the 
        /// password can be any length.
        /// If the <paramref name="useMask"/> parameter is true, the characters
        /// entered by the user are replaced by the '*' character for improved 
        /// security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks>
        /// <exception cref="ArgumentOutOfRangeException">
        /// <paramref name="maxLength"/> is less than -1.</exception>
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <param name="maxLength">The maximum length of the password to 
        /// capture. Specify -1 for infinite.</param>
        /// <param name="useMask">true, if the characters typed by the user 
        /// should be replaced by the '*' character, otherwise false.</param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt, int maxLength,
            bool useMask)
        {
            return CapturePassword(prompt, maxLength, useMask, '*');
        }

        /// <summary>
        /// Captures an encrypted password from the console.
        /// </summary>
        /// <remarks>
        /// If the <paramref name="maxLength"/> parameter is set to -1, the 
        /// password can be any length.
        /// If the <paramref name="useMask"/> parameter is true, the characters
        /// entered by the user are replaced by the <paramref name="mask"/> 
        /// character for improved security.
        /// The user may use the backspace key to make corrections while 
        /// capturing the password.
        /// </remarks>
        /// <exception cref="ArgumentOutOfRangeException">
        /// <paramref name="maxLength"/> is less than -1.</exception>
        /// <param name="prompt">The message to show to the user on the console.
        /// </param>
        /// <param name="maxLength">The maximum length of the password to 
        /// capture. Specify -1 for infinite.</param>
        /// <param name="useMask">true, if the characters typed by the user 
        /// should be replaced by the <paramref name="mask"/> character, 
        /// otherwise false.</param>
        /// <param name="mask">The character to replace the characters typed by
        /// the user with, if the <paramref name="useMask"/> parameter is true.
        /// </param>
        /// <returns>A <see cref="SecureString"/> containing the encrypted 
        /// password.</returns>
        public static SecureString CapturePassword(string prompt, int maxLength,
            bool useMask, char mask)
        {
            if (maxLength < -1)
            {
                throw new ArgumentOutOfRangeException("maxLength");
            }

            var password = new SecureString();

            // Output the prompt message.
            Console.Write(prompt);

            // Read in the password character by character until <Enter> is hit.
            ConsoleKeyInfo consoleKeyInfo;
            while ((consoleKeyInfo = Console.ReadKey(true)).Key != 
                ConsoleKey.Enter)
            {
                if (consoleKeyInfo.Key == ConsoleKey.Backspace)
                {
                    // Process the backspace key.
                    if (password.Length > 0)
                    {
                        // Remove a character from the encrypted password.
                        password.RemoveAt(password.Length - 1);

                        // Remove the last mask character from the console.
                        Console.Write(consoleKeyInfo.KeyChar);
                        Console.Write(' ');
                        Console.Write(consoleKeyInfo.KeyChar);
                    }
                }
                else
                {
                    // Process a password character.
                    if (maxLength == -1 || password.Length < maxLength)
                    {
                        password.AppendChar(consoleKeyInfo.KeyChar);
                        // Write out the masked character or actual character.
                        Console.Write(useMask ? mask : consoleKeyInfo.KeyChar);
                    }
                }
            }

            Console.WriteLine();

            // Prevent further changes to the encrypted password.
            password.MakeReadOnly();
            return password;
        }
    }

    class Program
    {
        static void Main()
        {
            using (var password = ConsoleUtility.CapturePassword(
                "Enter password: "))
            {
                IntPtr passwordPtr = IntPtr.Zero;
                // Execute with guaranteed cleanup to ensure we do not leave
                // a clear text password in the process memory, even in the face
                // of an asynchronous exception such as ThreadAbortException, 
                // OutOfMemoryException or StackOverflowException.
                RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(
                    delegate
                    {
                        // Execute in a CER to guarantee that we do not leak the
                        // pointer in the face of asynchronous exceptions such as 
                        // ThreadAbortException.
                        RuntimeHelpers.PrepareConstrainedRegions();
                        try { }
                        finally
                        {
                            passwordPtr = Marshal.SecureStringToBSTR(password);
                        }

                        // TODO: Do something useful with the password. 
                    },
                    delegate
                    {
                        // Zero and free the memory.
                        // This is guaranteed to always execute,
                        // even in the face of asynchronous exceptions.
                        if (passwordPtr != IntPtr.Zero)
                        {
                            Marshal.ZeroFreeBSTR(passwordPtr);
                        }
                    },
                    null);
            }
        }
    }
}

SQL 2005/2008 OPEN { MASTER | SYMMETRIC } KEY Password Parameterization

markn — Fri, 03 Oct 2008 16:49:30 GMT

Be careful when using passwords with OPEN MASTER KEY and OPEN SYMMETRIC KEY on SQL Server 2005 & 2008. The password is vulnerable to SQL injection attacks, unless you escape all single-quote characters ('), with two single quote characters. This is because the DDL syntax for the OPEN MASTER KEY and OPEN SYMMETRIC KEY SQL statements do not accept parameters for the password.

Consider the following SQL statement to open a symmetric key, decrypting it by a certificate that is protected by a password:

OPEN SYMMETRIC KEY [MyKey] DECRYPTION BY CERTIFICATE [MyCert] WITH PASSWORD = '<password>';

Since OPEN ... KEY SQL statements do not accept parameters, you need to formulate the SQL string as inline-SQL. Assuming your password is 'abc123', your SQL statement will look something like this:

OPEN SYMMETRIC KEY [MyKey] DECRYPTION BY CERTIFICATE [MyCert] WITH PASSWORD = 'abc123';

Nothing wrong there.

Now assume we select a password of [';SELECT 'SQL INJECTION';--] (excluding the square brackets []), your SQL statement will look as follows:

OPEN SYMMETRIC KEY [MyKey] DECRYPTION BY CERTIFICATE [MyCert] WITH PASSWORD = '';SELECT 'SQL INJECTION';--';

This does not open the SYMMETRIC KEY, but instead executes a SELECT statement that returns the value 'SQL INJECTION'.

Now imagine a somewhat worse choice of password such as [';DROP DATABASE pubs;'] (excluding the square brackets []).

Given that the primary use-case for specifying a password on OPEN ... KEY is to use a secret that is not stored in the database, for example to prevent dbo or sysadmin users from getting access to the data, this string would typically be executed from your application code. Since the statement does not accept parameters, you need to formulate this as an inline-SQL string in your code. Therefore you need to enforce that you escape all single-quotes in the password in your code. For example:

OPEN SYMMETRIC KEY [MyKey] DECRYPTION BY CERTIFICATE [MyCert] WITH PASSWORD = ''';SELECT ''SQL INJECTION'';--';

Now the password is the literal text [';SELECT 'SQL INJECTION';--] (excluding square brackets []) and the injected SELECT statement is not executed.

I've requested a feature from Microsoft to allow parameters on all DDL SQL statements that require passwords. Microsoft is currently considering adding this feature to improve security.

To vote on this feature request, please visit: https://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=369270