Any suggestions for what encryption method to use for sensitive database values?

Hello,

I am writing a page where sensitive data is collected (over SSL) and
stored in a database. I have been looking at the .NET encryption
classes, but am a bit confused as to which is best for my purposes.
There seem to be quite a few different ways of doing it, and I'm not
sure what's most suitable for me.

Anyone any suggestions? I only need to be able to store the data in such
a way that someone without access to my (to see how I'm doing it) can't
decipher the info.

Any suggestions welcome. TIA

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #1
Alan,

First off, I'd recommend the following MSDN article.
msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp

Also, here is a little blurb about the various algorithms available.

"Larger key sizes generally increase security. The following list
summarizes the major algorithms together with the key sizes that each
uses:

Data Encryption Standard (DES) 64-bit key (8 bytes)
TripleDES 128-bit key or 192-bit key (16 or 24 bytes)
Rijndael 128-256 bit keys (16-32 bytes)
RSA 384-16,384 bit keys (48-2,048 bytes)

For large data encryption, use the TripleDES symmetric encryption
algorithm. For slower and stronger encryption of large data, use
Rijndael. To encrypt data that is to be stored for short periods of
time, you can consider using a faster but weaker algorithm such as DES.
For digital signatures, use Rivest, Shamir, and Adleman (RSA) or
Digital Signature Algorithm (DSA). For hashing, use the Secure Hash
Algorithm (SHA)1.0. For keyed hashes, use the Hash-based Message
Authentication Code (HMAC) SHA1.0."

Peter Kelcey

Nov 19 '05 #2
Peter,

Thanks for the reply and the link, but I'm still not much clearer about
the encryption issue. I have to point out that I'm completely new at
encryption, so please be patient.

I understand that stronger encryption takes longer, but is more secure.
How much of an issue is this? The information I'm talking about is not
huge, probably about 50 characters long. I need it to be secure as it's
going to sit in the database permanently. Is it hard to switch between
algorithms? If not, then I could try them all and see how much impact it
has on performance.

So, assuming I've picked an algorithm, how do I go about using it? I've
spent ages trying to find some code that will take a string value and a
key and return an encoded string. That's all I need. Most of the
examples I have seen show how to encrypt a file, which is not what I
need. Do you have a simple example of this? I'm sure it's not hard, but
I just can't find anything. I'm using C# by the way.

Thanks again for the reply. I would really appreciate it if you can
point me in the direction of some samples. The SDK is great for
reference, but useless for learning. I haven't found anything on the web
yet that was what I wanted. Most of it was way too complex for such a
simple task too!!

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #3
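An added example of the kind of thing asked for here: one method takes a string and a secret and returns a string that can go straight into a text column, the other reverses it. This is not code from the thread, the MSDN chapter or the sample Alan later found; it assumes .NET 6 or later (Aes.EncryptCbc, Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes) and the class and method names are mine. RijndaelManaged with its default 128-bit block is AES, and Aes.Create() is the current class for it. Beyond plain encrypt-and-Base64, it derives the key from the secret with a random salt stored in front of the ciphertext, uses a fresh IV for every value, and appends an HMAC so a modified ciphertext or a wrong secret is rejected before decryption instead of decrypting to garbage.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread). Stored value, Base64-encoded:
//   salt (16) || iv (16) || ciphertext (multiple of 16) || HMAC-SHA256 tag (32)
// Assumes .NET 6 or later; the secret is assumed to come from configuration
// or a key store, never from the same database as the ciphertext.
public static class StringCrypto
{
    const int SaltSize = 16;
    const int IvSize = 16;          // AES block size; RijndaelManaged/Aes require exactly this
    const int TagSize = 32;         // HMAC-SHA256 output length
    const int Iterations = 600_000; // PBKDF2 work factor; raise it as hardware gets faster

    public static string Encrypt(string plaintext, string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] iv = RandomNumberGenerator.GetBytes(IvSize);   // fresh per value, never reused
        var (encKey, macKey) = DeriveKeys(secret, salt);

        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;   // 32 bytes selects AES-256
            // CBC with PKCS7 padding, the RijndaelManaged defaults.
            ciphertext = aes.EncryptCbc(Encoding.UTF8.GetBytes(plaintext), iv, PaddingMode.PKCS7);
        }

        // Encrypt-then-MAC over everything decryption depends on (salt, iv, ciphertext).
        byte[] blob = new byte[SaltSize + IvSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, blob, SaltSize, IvSize);
        Buffer.BlockCopy(ciphertext, 0, blob, SaltSize + IvSize, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, blob.Length - TagSize);
            Buffer.BlockCopy(tag, 0, blob, blob.Length - TagSize, TagSize);
        }
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(string stored, string secret)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < SaltSize + IvSize + 16 + TagSize)
            throw new CryptographicException("stored value too short");

        byte[] salt = blob[..SaltSize];
        byte[] iv = blob[SaltSize..(SaltSize + IvSize)];
        byte[] ciphertext = blob[(SaltSize + IvSize)..^TagSize];
        byte[] tag = blob[^TagSize..];
        var (encKey, macKey) = DeriveKeys(secret, salt);

        // Verify the tag before touching the ciphertext, in constant time.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(blob, 0, blob.Length - TagSize);
            if (!CryptographicOperations.FixedTimeEquals(expected, tag))
                throw new CryptographicException("stored value was modified or the secret is wrong");
        }

        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] plain = aes.DecryptCbc(ciphertext, iv, PaddingMode.PKCS7);
        return Encoding.UTF8.GetString(plain);
    }

    // One PBKDF2 call yields 64 bytes: the first 32 for AES, the last 32 for the HMAC,
    // so the two keys are independent but come from one secret and one salt.
    static (byte[] encKey, byte[] macKey) DeriveKeys(string secret, byte[] salt)
    {
        byte[] material = Rfc2898DeriveBytes.Pbkdf2(secret, salt, Iterations, HashAlgorithmName.SHA256, 64);
        return (material[..32], material[32..]);
    }

    public static void Main()
    {
        const string secret = "load-this-from-configuration-not-from-the-database"; // placeholder
        string stored = Encrypt("constructed 50-character value standing in for PII", secret);
        Console.WriteLine(stored);
        Console.WriteLine(Decrypt(stored, secret));
    }
}
```

Two practical notes. The secret has to live outside the database (configuration, a key vault, DPAPI on Windows); a key stored next to the rows it protects adds nothing against someone who dumps the database. And because the salt here is per value, PBKDF2 runs on every call and dominates the cost at 600,000 iterations; the cipher itself is negligible on 50-character values. For a high-volume table, derive the key once at startup from a single application-level salt (or load a random key from a key store) and keep only the per-value IV random.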
> I've spent ages trying to find some code that will take a string value
> and a key and return an encoded string.

...and I finally found one!! I saw
http://www.obviex.com/samples/Code.a...tion&Lang=C%23
which does exactly what I want. I tinkered with it a bit to make it more
suitable for me, but it works fine.

Whilst trying to understand it, I was looking up the
RijndaelManaged.CreateEncryptor method, which takes two parameters, a
key and an IV. I guess the key is the value used to encrypt the text,
but what's the IV? I can't see this explained anywhere.

Also, what is a salt value? The PasswordDeriveBytes constructor takes
one, but again, I can't see what it is.

If anyone can explain these two in simple terms, I would be very
grateful.

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #4
Alan Silver wrote:
> Whilst trying to understand it, I was looking up the
> RijndaelManaged.CreateEncryptor method, which takes two parameters, a
> key and an IV. I guess the key is the value used to encrypt the text,
> but what's the IV? I can't see this explained anywhere.
>
> Also, what is a salt value? The PasswordDeriveBytes constructor takes
> one, but again, I can't see what it is.

Alan,

A salt and an IV are the same thing. Basically they are used to prevent
dictionary attacks (i.e. an attack where the attacker uses common words,
etc. to break your encryption) against your encryption.

In Rijndael, I believe the IV is generated from the first few blocks of
plain text. In other algorithms Salts/IVs are generated differently.

--
Rob Schieber
Nov 19 '05 #5
> A salt and an IV are the same thing. Basically they are used to
> prevent dictionary attacks (i.e. an attack where the attacker uses
> common words, etc. to break your encryption) against your encryption.
>
> In Rijndael, I believe the IV is generated from the first few blocks
> of plain text. In other algorithms Salts/IVs are generated differently.

Thanks for the explanation. In the sample code, the author commented
about the IV...

"Initialization vector (or IV). This value is required to encrypt the
first block of plaintext data. For RijndaelManaged class IV must be
exactly 16 ASCII characters long"

Why does it have to be 16 characters long? The value he used was
hard-coded in his example, it wasn't generated from the text. I'm still
a bit confused about this. Do I just use a single fixed value, or should
I vary it each time?

Thanks for your reply, any further explanations would be welcome.

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #6
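An added example, not from the thread or the sample, for the questions raised in Rob's answer and in this follow-up (what the IV and the salt are, why the IV is 16 bytes, fixed versus varying). It assumes .NET 6 or later; the key, the plaintexts and the class name are constructed for the demonstration. The IV is the 16-byte value combined with the first plaintext block in CBC mode, which is why RijndaelManaged insists on exactly one block (16 bytes with the default 128-bit block size); it is not derived from the plaintext, and it is not secret, but it must be random for every encryption and stored next to the ciphertext so decryption can use it again. The salt is a different object: the public random input to PasswordDeriveBytes (today Rfc2898DeriveBytes, i.e. PBKDF2) that makes one password produce a different key per salt, so precomputed dictionary tables are useless. The code shows what a hard-coded IV costs: rows holding the same value, or values with the same first 16 bytes, become recognisable without decrypting anything.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): what the IV and the salt each do.
// Key and plaintexts are constructed for the demonstration.
public static class IvAndSalt
{
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);   // AES-256 key
    static readonly byte[] Value = Encoding.UTF8.GetBytes("sensitive value stored in row A and again in row B");
    static readonly byte[] Other = Encoding.UTF8.GetBytes("sensitive value stored in row A, but nowhere else");

    // The IV must be exactly one block long; with the default 128-bit block
    // that is 16 bytes. Any other length is rejected by the class.
    public static int IvLengthRequired()
    {
        using var aes = Aes.Create();
        return aes.BlockSize / 8;
    }

    // A constant IV (all zeros here, as hard-coded sample values effectively
    // are) makes CBC deterministic: equal plaintexts give equal ciphertexts,
    // so anyone reading the table sees which rows share a value.
    public static bool FixedIvRepeats()
    {
        byte[] fixedIv = new byte[16];
        using var aes = Aes.Create();
        aes.Key = Key;
        byte[] c1 = aes.EncryptCbc(Value, fixedIv);
        byte[] c2 = aes.EncryptCbc(Value, fixedIv);
        return c1.AsSpan().SequenceEqual(c2);
    }

    // With a fixed IV, plaintexts that share their first 16 bytes also share
    // their first ciphertext block, so common prefixes leak as well.
    public static bool FixedIvLeaksPrefix()
    {
        byte[] fixedIv = new byte[16];
        using var aes = Aes.Create();
        aes.Key = Key;
        byte[] c1 = aes.EncryptCbc(Value, fixedIv);
        byte[] c2 = aes.EncryptCbc(Other, fixedIv);
        return c1.AsSpan(0, 16).SequenceEqual(c2.AsSpan(0, 16));
    }

    // A fresh random IV per value removes both leaks. It is not secret: store
    // it with the ciphertext, because decryption needs the same IV back.
    public static bool RandomIvDiffers()
    {
        using var aes = Aes.Create();
        aes.Key = Key;
        byte[] c1 = aes.EncryptCbc(Value, RandomNumberGenerator.GetBytes(16));
        byte[] c2 = aes.EncryptCbc(Value, RandomNumberGenerator.GetBytes(16));
        return !c1.AsSpan().SequenceEqual(c2);
    }

    // The salt belongs to key derivation, not to the cipher. PBKDF2 mixes it
    // into the password so the same password yields a different key for each
    // salt; the same salt reproduces the same key, which is why it is stored.
    public static bool SaltChangesKey()
    {
        byte[] saltA = RandomNumberGenerator.GetBytes(16);
        byte[] saltB = RandomNumberGenerator.GetBytes(16);
        byte[] k1 = Rfc2898DeriveBytes.Pbkdf2("correct horse", saltA, 100_000, HashAlgorithmName.SHA256, 32);
        byte[] k2 = Rfc2898DeriveBytes.Pbkdf2("correct horse", saltB, 100_000, HashAlgorithmName.SHA256, 32);
        byte[] k3 = Rfc2898DeriveBytes.Pbkdf2("correct horse", saltA, 100_000, HashAlgorithmName.SHA256, 32);
        return !k1.AsSpan().SequenceEqual(k2) && k1.AsSpan().SequenceEqual(k3);
    }

    public static void Main()
    {
        Console.WriteLine($"IV length required: {IvLengthRequired()} bytes");
        Console.WriteLine($"fixed IV, equal values, equal ciphertext: {FixedIvRepeats()}");
        Console.WriteLine($"fixed IV, shared prefix, shared first block: {FixedIvLeaksPrefix()}");
        Console.WriteLine($"random IV, equal values, different ciphertext: {RandomIvDiffers()}");
        Console.WriteLine($"different salts give different keys: {SaltChangesKey()}");
    }
}
```

So the answer to "a single fixed value, or vary it each time?" is: vary it, every time, with RandomNumberGenerator rather than anything derived from the text or the key, and write it into the row with the ciphertext. The "16 ASCII characters" in the sample's comment is just 16 bytes; treating it as text invites a low-entropy IV, so generate bytes instead.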
> In Rijndael, I believe the IV is generated from the first few blocks
> of plain text. In other algorithms Salts/IVs are generated differently.

Sorry, me again ;-)

Well, I have some test code working very well, so all looks set for
incorporating this into the real code. However, I have another
question...

Do you have any idea of the relationship between the length of the plain
text string and the length of the encoded string. I can't spot an
obvious one, nor have I seen one mentioned. I need to know how big my
database table field needs to be to ensure that the encrypted data will
fit. As I said, my plain text strings are all about 50 characters long.

Thanks again.

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #7
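An added example, not from the thread, for the column-sizing question. It assumes .NET 6 or later and a stored layout of iv || ciphertext, Base64-encoded, which is what sample code produces when it writes the IV in front of the ciphertext; the class and method names are mine. The relation is deterministic: CBC with PKCS7 padding rounds the plaintext up to the next multiple of 16 bytes and always adds at least one byte (a 16-byte input becomes 32), and Base64 turns every 3 bytes into 4 characters, rounding the last group up. One caveat the post's "50 characters" hides: the cipher sees bytes, and UTF-8 can need up to 4 bytes per character, so size the column from the byte maximum, not the character count.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): stored length as a function of
// plaintext length, for the layout iv || ciphertext, Base64-encoded.
public static class StoredLength
{
    const int Block = 16;   // AES/Rijndael block size in bytes; also the IV size

    // PKCS7 padding adds 1..16 bytes, so the ciphertext is the next multiple
    // of 16 strictly above the plaintext length.
    public static int CiphertextBytes(int plaintextBytes) => (plaintextBytes / Block + 1) * Block;

    // Base64 emits 4 characters for every 3 bytes, rounding the last group up.
    public static int Base64Chars(int bytes) => 4 * ((bytes + 2) / 3);

    // Characters needed in a text column for iv || ciphertext. Add 16 bytes
    // before Base64 if a per-value salt is stored too, and 32 for an HMAC tag.
    public static int ColumnChars(int plaintextBytes) => Base64Chars(Block + CiphertextBytes(plaintextBytes));

    // Cross-check the arithmetic against a real encryption of the text.
    public static bool MatchesActual(string text)
    {
        byte[] plain = Encoding.UTF8.GetBytes(text);   // characters are not bytes outside ASCII
        using var aes = Aes.Create();
        aes.Key = RandomNumberGenerator.GetBytes(32);
        byte[] iv = RandomNumberGenerator.GetBytes(Block);
        byte[] ct = aes.EncryptCbc(plain, iv);
        string stored = Convert.ToBase64String(iv.Concat(ct).ToArray());
        return ct.Length == CiphertextBytes(plain.Length)
            && stored.Length == ColumnChars(plain.Length);
    }

    public static void Main()
    {
        Console.WriteLine("plaintext bytes  ciphertext bytes  column chars");
        foreach (int n in new[] { 1, 15, 16, 17, 50, 100 })
            Console.WriteLine($"{n,15}  {CiphertextBytes(n),16}  {ColumnChars(n),12}");

        // Constructed 50-character inputs: one ASCII, one with 2-byte characters.
        string ascii = new string('x', 50);
        string accented = new string('é', 50);
        Console.WriteLine($"ascii matches: {MatchesActual(ascii)}, accented matches: {MatchesActual(accented)}, " +
                          $"accented bytes: {Encoding.UTF8.GetByteCount(accented)}");
    }
}
```

For a 50-byte plaintext this gives 64 bytes of ciphertext, 80 with the IV in front, and 108 Base64 characters; the same 50 characters as 2-byte UTF-8 are 100 bytes, 112 after padding, 128 with the IV, 172 characters. If the column has to be exact, store the raw bytes in a binary column and skip Base64 altogether.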
> I understand that stronger encryption takes longer, but is more secure.
> How much of an issue is this? The information I'm talking about is not
> huge, probably about 50 characters long.

In case anyone is interested, I did some tests, and using the code found
at the URL I posted yesterday, I could encrypt and then decrypt a string
of 50 characters ten thousand times using SHA1 in 375 milliseconds!!

I don't think performance is going to be an issue here ;-)

--
Alan Silver
(anything added below this line is nothing to do with me)
Nov 19 '05 #8