String Encryption

How strong does it have to be?

Simple encryption that does'nt change the string size is nice, so you
don't outrun your db string space!

Unless I had a reason to be very paranoid about security, I'd go with
that ...

How strong does it have to be?

Simple encryption that does'nt change the string size is nice, so you
don't outrun your db string space!

Unless I had a reason to be very paranoid about security, I'd go with
that ...

Hello lee,

See codesnippet below

using System;
using System.Security.Cryptography;

public sealed class CryptoString
{
private CryptoString( ) {}

private static byte[] savedKey = null;
private static byte[] savedIV = null;

public static byte[] Key
{
get { return savedKey; }
set { savedKey = value; }
}

public static byte[] IV
{
get { return savedIV; }
set { savedIV = value; }
}

private static void RdGenerateSecretKey(RijndaelManaged rdProvider)
{
if (savedKey == null)
{
rdProvider.KeySize = 256;
rdProvider.GenerateKey( );
savedKey = rdProvider.Key;
}
}

private static void RdGenerateSecretInitVector(RijndaelManaged rdProvider)
{
if (savedIV == null)
{
rdProvider.GenerateIV( );
savedIV = rdProvider.IV;
}
}

public static string Encrypt(string originalStr)
{
// Encode data string to be stored in memory.
byte[] originalStrAsBytes = Encoding.ASCII.GetBytes(originalStr);
byte[] originalBytes = {};

// Create MemoryStream to contain output.
using (MemoryStream memStream = new
MemoryStream(originalStrAsBytes.Length))
{
using (RijndaelManaged rijndael = new RijndaelManaged( ))
{
// Generate and save secret key and init vector.
RdGenerateSecretKey(rijndael);
RdGenerateSecretInitVector(rijndael);

if (savedKey == null || savedIV == null)
{
throw (new NullReferenceException(
"savedKey and savedIV must be non-null."));
}

// Create encryptor and stream objects.
using (ICryptoTransform rdTransform =
rijndael.CreateEncryptor((byte[])savedKey.
Clone( ),(byte[])savedIV.Clone( )))
{
using (CryptoStream cryptoStream = new CryptoStream(memStream,
rdTransform, CryptoStreamMode.Write))
{
// Write encrypted data to the MemoryStream.
cryptoStream.Write(originalStrAsBytes, 0,
originalStrAsBytes.Length);
cryptoStream.FlushFinalBlock( );
originalBytes = memStream.ToArray( );
}
}
}
}
// Convert encrypted string.
string encryptedStr = Convert.ToBase64String(originalBytes);
return (encryptedStr);
}

public static string Decrypt(string encryptedStr)
{
// Unconvert encrypted string.
byte[] encryptedStrAsBytes = Convert.FromBase64String(encryptedStr);
byte[] initialText = new Byte[encryptedStrAsBytes.Length];

using (RijndaelManaged rijndael = new RijndaelManaged( ))
{
using (MemoryStream memStream = new MemoryStream(encryptedStrAsBytes))
{
if (savedKey == null || savedIV == null)
{
throw (new NullReferenceException(
"savedKey and savedIV must be non-null."));
}

// Create decryptor, and stream objects.
using (ICryptoTransform rdTransform =
rijndael.CreateDecryptor((byte[])savedKey.
Clone( ),(byte[])savedIV.Clone( )))
{
using (CryptoStream cryptoStream = new CryptoStream(memStream,
rdTransform, CryptoStreamMode.Read))
{
// Read in decrypted string as a byte[].
cryptoStream.Read(initialText, 0, initialText.Length);
}
}
}
}

// Convert byte[] to string.
string decryptedStr = Encoding.ASCII.GetString(initialText);
return (decryptedStr);
}
}
l> Does anyone have any recommendation for encrypting simple strings to
l> be stored in a db?
l>
l> Thank you,
l>
l> "Upon further investigation it appears that your software is missing
l> just one thing. It definitely needs more cow bell..."
l>
---
WBR,
Michael Nemtsev :: blog: http://spaces.msn.com/laflour

"At times one remains faithful to a cause only because its opponents do not
cease to be insipid." (c) Friedrich Nietzsche

Michael Nemtsev <ne*****@msn.com> wrote:

See codesnippet below

Two suggested changes:
1) Use UTF-8 instead of ASCII
2) Use StreamReaders/Writers instead of creating an intermediate byte
array.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

Michael Nemtsev enlightened me by writing:

Hello lee,

See codesnippet below

Thank you. Do you know if this is save for database insertion? I've
tried to use encrypted strings but the characters sometimes cause
problems in a sql script.

Thanks again,
--
Warm Regards,
Lee

"Upon further investigation it appears that your software is missing
just one thing. It definitely needs more cow bell..."

Lee <lu*************@yahoo.com> wrote:

See codesnippet below

Thank you. Do you know if this is save for database insertion? I've
tried to use encrypted strings but the characters sometimes cause
problems in a sql script.

That suggests that you've tried to use the encrypted binary data as if
it were plain text. Michael's code takes the binary data and base64-
encodes it, which is an excellent way of doing things.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too

Lee wrote:

Does anyone have any recommendation for encrypting simple strings to
be stored in a db?

Thank you,

1 Encryption is not a simple subject.

2 Have a look at the encryption already built into .NET, for instance
AES/Rijndael.

3 Most good encryption will produce random looking bytes, if you want
to store it as a string then have a look at Base64, also in .NET though
that will take up more space.

rossum

Jon Skeet [C# MVP] enlightened me by writing:

That suggests that you've tried to use the encrypted binary data as
if it were plain text. Michael's code takes the binary data and
base64- encodes it, which is an excellent way of doing things.

Oops, you're right. I missed that.

Thank you.

--
Warm Regards,
Lee

"Upon further investigation it appears that your software is missing
just one thing. It definitely needs more cow bell..."

You can make use many classes available in Cryptography namespace. Are you
using SQL Server 2005 as you database? If so you can also leverage new
security features in SQL Server 2005 and do the encryption directly in
database.