VB 2005 and Content Security Question

Hello ILR,

For your scenario, must the sensitive data be stored in SQL Server database
or if it's some simple data that can also be stored in configuration
file(such as app.config). In .NET Framework 2.0, there does provide many
new data protection/secure features that can help us conveniently secure
our application data. If the data should be stored in SQL Server, since
SQL server access include network connection and data transfering, I
suggest you manually encrypt the data if the size is not very huge.

You can consider using the DPAPI component in .NET
2.0(System.Security.Cryptography.ProtectedData class). You can have a look
at the following MSDN reference about how to perform data protection in
.NET:

#How to: Use Data Protection
http://msdn2.microsoft.com/en-us/lib...41(vs.80).aspx

here is another web article introduce other net security features in .NET
2.0

#New Security Features in .NET 2.0
http://www.theserverside.net/tt/arti...wSecurityFeatu
res

In addition, if you have some sensitive configuration setting that need to
secure and want to store in configuration file, you can have a look at the
following article:

#How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Though the above article is targeting ASP.NET web.config, the function also
apply for normal .net application(console or winform), see a former thread:

#Encryption of application configuration block
http://groups.google.com/group/micro.../browse_thread
/thread/1bbeeb01ae5ca5c6/70dd27a4598ab060?

Hope this helps you.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for your response Lan,

Please feel free to let me know if you have any further questions on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

OK I think I have a solution using DPAPI and a hashed password , I would
appreciate your feedback.

Store a password as an MD5 hash in the database. When the user wants to
save a secret entry to the database they are asked for a password (different
to the windows user password to provide additonal security) which is hashed
and compared to the hashed password in the database. If they are the same it
encrypts the text using DPAPI (using the protecteddata class with currentuser
scope) and uses the password value as the additional entropy, storing the
encrypted data in the database. The decryption process again askes for the
password, compares the hash values and then decrypts the data from the
database.

If I understand correctly this should prevent anyone accessing the
information by reverse engineering the application, intercepting the network
traffic or accessing the sql server?

Does that make sense? Anything else I should consider?

Regards
Ian



"Steven Cheng[MSFT]" wrote:

Thanks for your response Lan,

Please feel free to let me know if you have any further questions on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks for your reply Lan,

My comments below:

If I understand correctly this should prevent anyone accessing the
information by reverse engineering the application, intercepting the
network
traffic or accessing the sql server?
===============================

I think it ok. And here is an overall analysis over your application's data
process:

** in database and over network, since the data is in encrypted form, it is
secure.

** in your application, since you use DPAPI, so you do not need to worry
about the encryption key(the operating system help you manage it).

so the only potential threat is that if any one can access your program's
run memory and inspect the inmemory decrpypted data. However, I think this
is quite rare case and is not protectable through application code. so you
can feel free to use your current pattern.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Steven

Wondering if you can help?

I'm having trouble converting the byte array retrurned by
dataprotect.protect to a string that I can store in my database and then
retrieve later to be decrypted.

I've tried using UnicodeEncoding.ASCII.GetBytes to create the byte array for
encryption which returns the byte array ok but can't seem to covert it into a
string to display the encrypted data. I only get what I assume is the first
char of the encrypted data.

Any ideas
Appreciate any assistance.
Ian



"Steven Cheng[MSFT]" wrote:

Thanks for your reply Lan,

My comments below:

If I understand correctly this should prevent anyone accessing the
information by reverse engineering the application, intercepting the
network
traffic or accessing the sql server?
===============================

I think it ok. And here is an overall analysis over your application's data
process:

** in database and over network, since the data is in encrypted form, it is
secure.

** in your application, since you use DPAPI, so you do not need to worry
about the encryption key(the operating system help you manage it).

so the only potential threat is that if any one can access your program's
run memory and inspect the inmemory decrpypted data. However, I think this
is quite rare case and is not protectable through application code. so you
can feel free to use your current pattern.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Lan,

For convert binary data into string/text format, you should use base64
encoding, e.g.

.net framework has provided two methods for you to do the convertion:

System.Convert.FromBase64String()
System.Convert.ToBase64String()

For System.Text.Encoding namespace classes, they're used for convert
between binary and string based on a Charset , and this is used when you
are processing Text data and care about the charset of different
language/region.

Please feel free to let me know if there is anything you wonder.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Lan,

Does this helps some? Please feel free to post here if you have any further
question.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Steven

That has helped.
I appreciate your assistance.

Ian

"Steven Cheng[MSFT]" wrote:

Hi Lan,

Does this helps some? Please feel free to post here if you have any further
question.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.