fvillena
asked on
Credit Card Encryption - RijndaelManaged
Hi,
I need to store credit card details on an SQL Server database which will be entered via an ASP.NET (C#) website.
I found this article (http://blog.sb2.fr/post/2008/12/21/Simple-Symmetric-Cryptography-With-C.aspx) which would seem to do the trick, however I see that to encrypt and decrypt you simply send the value you wish to decrypt and a password.
I'm just wondering where you should store the password? I'm just thinking that in the unlikely event of someone getting access to your web files and database they would have everything they need to decrypt the information.
> .. should device your own algo for encryption and decryption, ..
never do that!
Or read all papers describing crypto algorithms first, then read all papers recommending to *not use* your own algorithm. If you then find a paper which recommends *using* your own one for a valuable reason, then please post the links ;-)
Security by obscurity is no security.
> .. store your encrypted credit card numbers and passwords
no, never store the password in the database.
more details in CoccoBill's comment.
Hi,
Never use passwords in your code to encrypt / decrypt data. As you will declare it in a static variable (literal) and it can easily be decompiled using a decompiler / reflector.
Try using public key / private key based encryption. You can get some details from the EE thread below.
https://www.experts-exchange.com/questions/24443008/C-Public-Private-Key-Encryption-Decryption.html
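One way to keep the key out of the source, as the comment above recommends, is shown here with a different mechanism than the suggested public/private key pair: a symmetric RijndaelManaged key generated once on the server, wrapped with Windows DPAPI (ProtectedData, machine scope) and stored in a file outside the web root. This is an added example, not code from the question, the linked article or Experts Exchange; it assumes a .NET Framework project with a reference to System.Security.dll, and the file path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
// Added example: key generated once, DPAPI-wrapped (machine scope), stored outside the web root.
public static class CardCrypto
{
    private const string WrappedKeyPath = @"C:\secure\cardkey.bin";   // assumed location
    private static byte[] LoadOrCreateKey()
    {
        if (File.Exists(WrappedKeyPath))                             // unwrap existing key
            return ProtectedData.Unprotect(File.ReadAllBytes(WrappedKeyPath), null, DataProtectionScope.LocalMachine);
        byte[] key = new byte[32];                                   // fresh AES-256 key
        new RNGCryptoServiceProvider().GetBytes(key);
        File.WriteAllBytes(WrappedKeyPath, ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine));
        return key;
    }
    // Rijndael with a 128-bit block is AES; CBC + PKCS7, random IV per record unless one is supplied.
    private static RijndaelManaged NewCipher(byte[] iv)
    {
        var aes = new RijndaelManaged { KeySize = 256, BlockSize = 128, Mode = CipherMode.CBC,
                                        Padding = PaddingMode.PKCS7, Key = LoadOrCreateKey() };
        if (iv == null) aes.GenerateIV(); else aes.IV = iv;
        return aes;
    }
    // Stored form is Base64(IV || ciphertext); the IV is not secret and travels with the record.
    public static string Encrypt(string cardNumber)
    {
        byte[] plain = Encoding.UTF8.GetBytes(cardNumber);
        using (RijndaelManaged aes = NewCipher(null))
        using (ICryptoTransform enc = aes.CreateEncryptor())
        {
            byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] blob = new byte[16 + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, 16);
            Buffer.BlockCopy(cipher, 0, blob, 16, cipher.Length);
            return Convert.ToBase64String(blob);
        }
    }
    public static string Decrypt(string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        byte[] iv = new byte[16];
        Buffer.BlockCopy(blob, 0, iv, 0, 16);
        using (RijndaelManaged aes = NewCipher(iv))
        using (ICryptoTransform dec = aes.CreateDecryptor())
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, blob.Length - 16));
    }
}
```

Under LocalMachine scope any account on that server can call Unprotect, so restrict the key file's ACL to the application pool identity and never copy it to the database server. This covers the case the asker describes (database and web files leaked) but not an attacker who can run code on the web server itself.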
> Never use passwords in your code to encrypt / decrypt data.
> ...
> Try using public key / private key based encryption.
hmm, beside one more obfuscation level: what is the difference between getting/decompiling a password from the source or decompiling the used cipher algorithm?
Both need access to the source of the script/program. If you get the source and the private key file you're in business.
If the source is disclosed, you lose anyway.
You only get good protection if the key file is protected with a passphrase. As the passphrase needs to be entered manually it's most likely not used for server programs 'cause you cannot restart the server unattended.
"You only get good protection if the key file is protected with a passphrase. As the passphrase needs to be entered manually it's most likely not used for server programs 'cause you cannot restart the server unattended."
Very true, but yes this is used in certain environments, where resources prohibit getting an HSM, and the confidentiality requirements outweigh the availability requirements sufficiently.
There are several public and freely available key management options available, one is the NIST recommendation:
http://csrc.nist.gov/groups/ST/toolkit/key_management.html
ASKER
Well answered and easy to follow
And store your encrypted credit card numbers and passwords in the database.