Credit Card Encryption - RijndaelManaged

fvillena
Hi,

I need to store credit card details on an SQL Server database which will be entered via an ASP.NET (C#) website.

I found this article (http://blog.sb2.fr/post/2008/12/21/Simple-Symmetric-Cryptography-With-C.aspx) which would seem to do the trick, however I see that to encrypt and decrypt you simply send the value you wish to decrypt and a password.

I'm just wondering where you should store the password? I'm just thinking that in the unlikely event of someone getting access to your web files and database they would have everything they need to decrypt the information.
Muhammad Kashif, Development Manager

Commented:
I do recommend you should devise your own algo for encryption and decryption; don't use any algo which is openly available, like RijndaelManaged.
And store your encrypted credit card numbers and passwords in the database.

I'm sorry but that information is completely false. Please see the PCI DSS requirements regarding cardholder data protection (https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml, requirement 3 with all the subsections).

- Only store cardholder data if it's absolutely necessary and you have a business need to do that.
- Stored PANs always need to be protected; allowed protection forms include strong encryption, truncation (at most the first 6 and last 4 digits), tokenization or one-way hashes, preferably with salt.
- When using encryption, always make sure that you use industry standard OPEN and TESTED algorithms with adequate key lengths. Security by obscurity is not security at all. Do not try to build your own cryptographic solution, 99+% of weaknesses in crypto systems are in the implementation, not the algorithms. Rijndael aka AES is an accepted industry standard. If you choose AES, use 128-bit key length with default number of cycles.
- Make sure you have adequate key management procedures documented as per PCI. Encryption keys need to be protected, preferably by encrypting them with a key-encrypting key that's stored in a hardware security module, or otherwise secured.
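As an added illustration of the three points above (not code from this thread or from the linked article), a C# console program that keeps the key out of source, uses envelope encryption with AES-GCM and a 128-bit key, and shows the PCI truncation form. It assumes .NET 8 or later and that the key-encrypting key is supplied base64-encoded through a PAN_KEK environment variable, a stand-in for an HSM or secrets store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PanProtection
{
    const int NonceSize = 12, TagSize = 16;
    // Truncation form allowed by PCI DSS: keep at most the first 6 and last 4 digits.
    public static string Truncate(string pan) =>
        pan.Substring(0, 6) + new string('*', pan.Length - 10) + pan.Substring(pan.Length - 4);
    // AES-GCM seal with a fresh random nonce; output layout is nonce || ciphertext || tag.
    static byte[] Seal(byte[] key, byte[] plaintext)
    {
        var output = new byte[NonceSize + plaintext.Length + TagSize];
        RandomNumberGenerator.Fill(output.AsSpan(0, NonceSize));
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(output.AsSpan(0, NonceSize), plaintext,
                    output.AsSpan(NonceSize, plaintext.Length), output.AsSpan(output.Length - TagSize));
        return output;
    }
    // Reverse of Seal; AesGcm.Decrypt throws CryptographicException if the tag does not verify.
    static byte[] Open(byte[] key, byte[] sealedData)
    {
        var plaintext = new byte[sealedData.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(sealedData.AsSpan(0, NonceSize), sealedData.AsSpan(NonceSize, plaintext.Length),
                    sealedData.AsSpan(sealedData.Length - TagSize), plaintext);
        return plaintext;
    }
    // Envelope encryption: a fresh 128-bit DEK per record, itself wrapped under the KEK.
    // Both outputs are stored in the database; the KEK never is.
    public static (byte[] WrappedDek, byte[] EncryptedPan) Protect(byte[] kek, string pan)
    {
        byte[] dek = RandomNumberGenerator.GetBytes(16);
        return (Seal(kek, dek), Seal(dek, Encoding.UTF8.GetBytes(pan)));
    }
    public static string Unprotect(byte[] kek, byte[] wrappedDek, byte[] encryptedPan) =>
        Encoding.UTF8.GetString(Open(Open(kek, wrappedDek), encryptedPan));
    static void Main()
    {
        // Assumption: the base64 KEK is injected from outside the code base (env var here,
        // an HSM or secrets manager in production), so decompiling the site does not reveal it.
        byte[] kek = Convert.FromBase64String(Environment.GetEnvironmentVariable("PAN_KEK")
            ?? throw new InvalidOperationException("PAN_KEK is not set"));
        const string pan = "4111111111111111";  // constructed test number, not a real card
        var (wrappedDek, encryptedPan) = Protect(kek, pan);
        Console.WriteLine(Truncate(pan));
        Console.WriteLine(Unprotect(kek, wrappedDek, encryptedPan) == pan ? "round trip ok" : "mismatch");
    }
}
```

For a local run, generate a throwaway KEK with `openssl rand -base64 16` and export it as PAN_KEK; rotating the KEK then only requires re-wrapping the stored DEKs, not re-encrypting every PAN.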
> .. should devise your own algo for encryption and decryption, ..
never do that!
Or read all papers describing crypto algorithms first, then read all papers recommending *not* to use your own algorithm. If you then find a paper which recommends *using* your own one for a valuable reason, then please post the links ;-)
Security by obscurity is no security.

> .. store your encrypted credit card numbers and passwords
no, never store the password in the database.

more details in CoccoBill's comment.

Hi,

Never use passwords in your code to encrypt / decrypt data, as you would declare them in a static variable (literal) and the code can easily be decompiled using a decompiler / reflector.

Try using public key / private key based encryption. You can get some details from the EE thread below.

http://www.experts-exchange.com/Programming/Languages/C_Sharp/Q_24443008.html
> Never use passwords in your code to encrypt / decrypt data.
> ...
> Try using public key / private key based encryption.

hmm, besides one more obfuscation level: what is the difference between getting/decompiling a password from the source and decompiling the used cipher algorithm?
Both need access to the source of the script/program. If you get the source and the private key file you're in business.
If the source is disclosed, you lose anyway.

You only get good protection if the key file is protected with a passphrase. As the passphrase needs to be entered manually it's most likely not used for server programs 'cause you cannot restart the server unattended.
"You only get good protection if the key file is protected with a passphrase. As the passphrase needs to be entered manually it's most likely not used for server programs 'cause you cannot restart the server unattended."

Very true, but yes this is used in certain environments, where resources prohibit getting an HSM, and the confidentiality requirements outweigh the availability requirements sufficiently.

There are several public and freely available key management options available, one is the NIST recommendation:

http://csrc.nist.gov/groups/ST/toolkit/key_management.html

Author

Commented:
Well answered and easy to follow
