
encrypt salary data

ljb
Anyone have a good idea for encrypting salary data in US $? I have an Access
database with some salary info connected to ASP on our intranet. My manager
is somewhat apprehensive about the level of security currently provided. I'm
using basic authentication (I think that's what it is called). It relies on
NT directory permissions and code to query "AUTH_USER". Does anyone have a
simple encryption idea that can take US$, 5 digit employee ID, encrypt it
and store it in Access' Currency data type? The database will store the
salary encrypted. When an authorized user hits the ASP it will display
decrypted values. All data maintenance is done with various ASP which must
be able to do the encryption/decryption by vbscript.

thanks
LJB
Jul 19 '05 #1
Where are you going to display this "encrypted" data in a meaningful form?
Once you've encrypted the information, great, now what you need to protect
is the decryption algorithm.

> Anyone have a good idea for encrypting salary data in US $? I have an Access
> database with some salary info connected to ASP on our intranet. My manager
> is somewhat apprehensive about the level of security currently provided. I'm
> using basic authentication (I think that's what it is called). It relies on
> NT directory permissions and code to query "AUTH_USER". Does anyone have a
> simple encryption idea that can take US$, 5 digit employee ID, encrypt it
> and store it in Access' Currency data type? The database will store the
> salary encrypted. When an authorized user hits the ASP it will display
> decrypted values. All data maintenance is done with various ASP which must
> be able to do the encryption/decryption by vbscript.
>
> thanks
> LJB

Jul 19 '05 #2

"ljb" <.> wrote in message news:ur*************@TK2MSFTNGP12.phx.gbl...
> Anyone have a good idea for encrypting salary data in US $? I have an Access
> database with some salary info connected to ASP on our intranet. My manager
> is somewhat apprehensive about the level of security currently provided. I'm
> using basic authentication (I think that's what it is called). It relies on
> NT directory permissions and code to query "AUTH_USER". Does anyone have a
> simple encryption idea that can take US$, 5 digit employee ID, encrypt it
> and store it in Access' Currency data type? The database will store the
> salary encrypted. When an authorized user hits the ASP it will display
> decrypted values. All data maintenance is done with various ASP which must
> be able to do the encryption/decryption by vbscript.
>
> thanks
> LJB


There are a number of encryption scripts here:
http://www.aspin.com/func/search?tre...ncryption&cat=

To improve security there are a number of things you can do, including:

1. If the users accessing this application are using IE then it's better to
   use 'Integrated authentication' set under 'directory security' in the
   website properties. This will prevent the login details being sent
   unencrypted across the network. If they are not running IE then you could
   still use basic authentication but do it over SSL.
2. Make sure the server is patched with all the latest security updates.
3. Password protect the database.
4. If those using the application have static IPs then you could restrict
   access to the application by IP (in directory security under website
   preference).

chopper


Jul 19 '05 #3
ljb
Only when an authorized user views the single employee record by ASP will
the data be meaningful.

I realize that protection of the algorithm becomes critical. Since the NT
directories don't allow Anonymous browsing I'm counting on that to protect
the algorithm. I'm not expecting high security just something to hinder
accidental release of the info.

My original request was to store the encrypted data in Access' Currency data
type. Is that easily possible? My goal was to not require a change to the
table. Perhaps storing the data in a string is easier to accomplish.

"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
> Where are you going to display this "encrypted" data in a meaningful form?
> Once you've encrypted the information, great, now what you need to protect
> is the decryption algorithm.

Jul 19 '05 #4
> I realize that protection of the algorithm becomes critical. Since the NT
> directories don't allow Anonymous browsing I'm counting on that to protect
> the algorithm.

Wow, you have a lot of faith. The problem here is that you have an ASP page
which is responsible for decrypting things. So, whether you put that
algorithm right in the ASP page, or in a DLL, there is going to be a vector
for at least using, if not reverse engineering, the algorithm... and trust
me, a determined person within your company is going to get to it. Also,
Access is not the most secure place for this kind of sensitive
information!!!

> My original request was to store the encrypted data in Access' Currency data
> type. Is that easily possible?


Access doesn't support encryption natively, so what you are going to have to
do is encrypt or encode the data OUTSIDE of the database, and store it in a
VARCHAR column rather than a CURRENCY column. Alternatively, you could use
some other numbering system which is NOT incremental, e.g. $60,000 = 45,
$50,000 = 72, etc. etc. More like a code than encryption. Then, at least,
you could continue to use a numeric-based column.
Jul 19 '05 #5
ljb
Thanks for the pointer to some algorithms. Certainly enough there for me to
pick one and get going. Looks like I will probably need to store the
encrypted values as a string.
Jul 19 '05 #6

"ljb" <.> wrote in message news:ec**************@TK2MSFTNGP11.phx.gbl...
> Thanks for the pointer to some algorithms. Certainly enough there for me to
> pick one and get going. Looks like I will probably need to store the
> encrypted values as a string.


Yes, you'll have to store them as strings as the output from all the
encryption functions are strings.
Jul 19 '05 #7
ljb
I agree with every point. This application is not well thought out. I'm new
to this work group and was immediately assigned the task of extending what a
former secretary had developed. Around here they give anyone who wants one a
day long class in Access then send them back to their desk with instructions
to procreate. Soon after they get promoted because they have become "expert"
and someone else is expected to complete and extend the application.
"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:ex*************@TK2MSFTNGP10.phx.gbl...
> > I realize that protection of the algorithm becomes critical. Since the NT
> > directories don't allow Anonymous browsing I'm counting on that to protect
> > the algorithm.
>
> Wow, you have a lot of faith. The problem here is that you have an ASP page
> which is responsible for decrypting things. So, whether you put that
> algorithm right in the ASP page, or in a DLL, there is going to be a vector
> for at least using, if not reverse engineering, the algorithm... and trust
> me, a determined person within your company is going to get to it. Also,
> Access is not the most secure place for this kind of sensitive
> information!!!
>
> > My original request was to store the encrypted data in Access' Currency data
> > type. Is that easily possible?
>
> Access doesn't support encryption natively, so what you are going to have to
> do is encrypt or encode the data OUTSIDE of the database, and store it in a
> VARCHAR column rather than a CURRENCY column. Alternatively, you could use
> some other numbering system which is NOT incremental, e.g. $60,000 = 45,
> $50,000 = 72, etc. etc. More like a code than encryption. Then, at least,
> you could continue to use a numeric-based column.

Jul 19 '05 #8
> then send them back to their desk with instructions
> to procreate.


Geez, we can get fired around here for that. :-)
Jul 19 '05 #9
They must have an in-house daycare

"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:uw**************@TK2MSFTNGP12.phx.gbl...
> > then send them back to their desk with instructions
> > to procreate.
>
> Geez, we can get fired around here for that. :-)

Jul 19 '05 #10
ljb
The majority here are Civil Engineers as are all the managers. They are
quite confident in whatever they do. In their opinion end user development
is just fine. They also believe IS projects are always late, over budget and
short on promised functionality.

"Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
news:uw**************@TK2MSFTNGP12.phx.gbl...
> > then send them back to their desk with instructions
> > to procreate.
>
> Geez, we can get fired around here for that. :-)

Jul 19 '05 #11
ljb
I picked the RC4 algorithm. Do you know if the encrypted string generated by
RC4 can be stored in an Access string type field? Not all characters in the
encrypted string are printable. Do Select and Insert handle these properly?

thanks
LJB
Jul 19 '05 #12
I think we have a different perception of the term "procreate" :-)
"ljb" <.> wrote in message news:uD**************@TK2MSFTNGP11.phx.gbl...
> The majority here are Civil Engineers as are all the managers. They are
> quite confident in whatever they do. In their opinion end user development
> is just fine. They also believe IS projects are always late, over budget and
> short on promised functionality.
>
> "Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
> news:uw**************@TK2MSFTNGP12.phx.gbl...
> > > then send them back to their desk with instructions
> > > to procreate.
> >
> > Geez, we can get fired around here for that. :-)


Jul 19 '05 #13
> I picked the RC4 algorithm. Do you know if the encrypted string generated by
> RC4 can be stored in an Access string type field? Not all characters in the
> encrypted string are printable. Do Select and Insert handle these properly?

Well, you could always try it.
Jul 19 '05 #14
"ljb" <.> wrote in message news:%2******************@TK2MSFTNGP09.phx.gbl...
> I picked the RC4 algorithm. Do you know if the encrypted string generated by
> RC4 can be stored in an Access string type field? Not all characters in the
> encrypted string are printable. Do Select and Insert handle these properly?
>
> thanks
> LJB


You shouldn't have a problem storing it in a field of type 'text' providing
the ciphertext doesn't exceed 255 characters.
The only character you will have problems with is the apostrophe. Here's
some info:
http://www.aspfaq.com/show.asp?id=2035

chopper
Jul 19 '05 #15
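
The storage question from the posts above, as an added example that is not part of the thread: hex-encoding the RC4 output keeps non-printable bytes and apostrophes out of the text column, and bound parameters keep the value out of the SQL string. It is Python rather than the thread's VBScript, with an in-memory SQLite table standing in for Access; the table, column and function names and the key are assumptions.

```python
import sqlite3

TEXT_FIELD_LIMIT = 255  # size limit of the Access 'text' field named in the thread

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation and XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def fits_text_field(employee_id: str, salary: str) -> bool:
    """Hex doubles the length, so check it before the insert is attempted."""
    return 2 * len(f"{employee_id}:{salary}") <= TEXT_FIELD_LIMIT

def encode_for_text_field(key, employee_id, salary) -> str:
    """Encrypt 'id:salary' and hex-encode it: only 0-9a-f reach the column."""
    if not fits_text_field(employee_id, salary):
        raise ValueError("encoded ciphertext would exceed the text field")
    return rc4(key, f"{employee_id}:{salary}".encode("ascii")).hex()

def decode_from_text_field(key, encoded):
    emp, salary = rc4(key, bytes.fromhex(encoded)).decode("ascii").split(":")
    return emp, salary

def round_trip(key, employee_id, salary):
    """Store and read back through bound parameters (no SQL string building)."""
    db = sqlite3.connect(":memory:")  # stand-in for the Access table
    db.execute("CREATE TABLE pay (emp_id TEXT PRIMARY KEY, salary_enc TEXT)")
    db.execute("INSERT INTO pay VALUES (?, ?)",
               (employee_id, encode_for_text_field(key, employee_id, salary)))
    (stored,) = db.execute("SELECT salary_enc FROM pay WHERE emp_id = ?",
                           (employee_id,)).fetchone()
    db.close()
    return stored, decode_from_text_field(key, stored)

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample key
    print(round_trip(demo_key, "12345", "60000.00"))
```

This covers only the encoding and storage step; with one fixed key, RC4 produces the same keystream for every row.
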
On Mon, 17 Nov 2003 10:26:15 -0600, "ljb" <.> wrote:
> The majority here are Civil Engineers as are all the managers.

Around here we'd prefer that neither engineers nor managers be allowed
to procreate... :)

> "Aaron Bertrand - MVP" <aa***@TRASHaspfaq.com> wrote in message
> news:uw**************@TK2MSFTNGP12.phx.gbl...
> > > then send them back to their desk with instructions
> > > to procreate.
> >
> > Geez, we can get fired around here for that. :-)


Jul 19 '05 #16
Here's what I did with that particular problem at a gov't site with
international users. (This may sound complex, but it really isn't, and
worked out very nicely. It also got us blessed in a stringent security
review.)

Let me note that the problem in encryption is the problem of key management.
Therefore, I built the solution around the use of public key crypto.

1. In this approach, the user's password is the private key. We don't
store that, but rather its hash, for login authentication.
2. At login, that private key is carried in a form field to the script
doing the lookup, decrypt, and display.
3. The public key, calculated from the password/private key, is used by the
data load script for encryption. It's perfectly secure to retain this
public key in the database, since the private key, the user's password,
can't be derived from it.

What's stored in the database? Only the public key, which is universally
considered safe for publication, and an MD5 hash of the public key, also
safe. Secondly, the salary info is secure from what's widely known to be
the bigtime risk, the insider. And thirdly, even if one password is broken,
all the others remain secure.

I used a very nice COM product for this: see it at www.dyncrypto.com Quite
inexpensive, good sample scripts, and easy to use.

AS


Jul 19 '05 #17
Correction: That " ...MD5 hash of the public key ... " should be "MD5 hash
of the PRIVATE key", the user's password.

AS
Jul 19 '05 #18
Send me an email and I'll pass a function on to you.
su*****@assoft.com.au

"ljb" <.> wrote in message news:ur*************@TK2MSFTNGP12.phx.gbl...
> Anyone have a good idea for encrypting salary data in US $? I have an Access
> database with some salary info connected to ASP on our intranet. My manager
> is somewhat apprehensive about the level of security currently provided. I'm
> using basic authentication (I think that's what it is called). It relies on
> NT directory permissions and code to query "AUTH_USER". Does anyone have a
> simple encryption idea that can take US$, 5 digit employee ID, encrypt it
> and store it in Access' Currency data type? The database will store the
> salary encrypted. When an authorized user hits the ASP it will display
> decrypted values. All data maintenance is done with various ASP which must
> be able to do the encryption/decryption by vbscript.
>
> thanks
> LJB

Jul 19 '05 #19
ljb
Thanks, but I have already found and implemented something based on RC4
encryption. The function I used came from
http://www.Planet-Source-Code.com/vb...=6646&lngWId=4

"Don Grover" <sp******@assoft.com.au> wrote in message
news:Or**************@TK2MSFTNGP09.phx.gbl...
> Send me an email and I'll pass a function on to you.
> su*****@assoft.com.au

Jul 19 '05 #20
