asp.net: two way encryption to oracle database

Hi, as the title says, I would like to take some data (say a password), encrypt it and save it to a database. And then allow the possibility to extract it and decrypt it.

I've looked on the web and seen lots of articles regarding this... but I'm still not clear on exactly what type of encryption I should be doing or how. So yeah, I've seen stuff such as http://www.4guysfromrolla.com/articles/112002-1.aspx. But some of it is one-way encryption. Either way, I'm not sure exactly how to do this. Can someone clarify? Providing code would be great (in VB, thanks).
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
You typically never decrypt passwords.  You perform a one-way encryption like MD5 or SHA1.

The main reason for this is anything that is encrypted can be unencrypted and thus compromised.

When the user enters their password, you use the same encryption then compare the encrypted values for a match.

http://www.4guysfromrolla.com/articles/103002-1.aspx

Author

Commented:
Thanks, yeah, as I say, I saw that. But actually, a lot of the stuff I'm doing the last couple of months isn't actually necessary, but I'm just trying to learn something. So I don't need to actually encrypt the passwords, there's no real security concern (well, it's all behind the company firewall)...

So basically I actually want to be able to see passwords if I need to (well, alternatively I could set up some 'master key', I suppose, to log in under anyone's credentials). Well, either way, I'm interested in how to encrypt data and then decrypt it again and what's the best way to do that (might try the passwords later then with MD5 and use a master key, as I said, so that I can log in as anyone).
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
>>(well, it's all behind the company firewall)...

MOST attacks/data theft comes from within...

Most organizations have strict security policies regarding password storage to where even system administrators and/or DBAs cannot even see them.

If you still want to do this you will need to use the crypto libraries.

http://www.codeproject.com/KB/security/SimpleEncryption.aspx

There is also an Oracle database package DBMS_CRYPTO:
http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_crypto.htm

Author

Commented:
OK, well, I can use MD5 for the passwords.

For other data that I want to decrypt then, I should use the first link above? Should I work on symmetric or asymmetric, in your opinion?

So, I guess the above link is for standard encryption. I would be using ASP.NET website so is there anything to know regarding that (i.e. any differences)? Is it the case that I use the above methods to encrypt the data (I guess it becomes a byte array or something) and then save that into a blob perhaps in the database? Or what am I doing exactly?
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
I really cannot say what is 'best' for you to use.  Only you will be able to make that decision.  I suggest you continue reading the information out there.

>>I would be using ASP.NET website so is there anything to know regarding that (i.e. any differences)?

When it comes to security, you need to pay attention to encryption 'over the wire'.  This is at what point can the data be seen as clear text if someone was sniffing the network packets.

>>(i guess it becomes a byte array or something) and then save that into a blob perhaps in the database?

Most encrypted data can be base64 encoded and stored as plain text but that all depends on the encryption you decide to use.  It might not even be binary once encrypted.  There are many ways to skin this cat.

Understand the requirements and choose the approach that best meets them.
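
Added example, not from the thread or the linked articles: one way to do the two-way encryption discussed above and keep the result as Base64 text for a VARCHAR2 or CLOB column, in VB.NET. It assumes AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) and two 32-byte keys held outside the database; Protect and Unprotect are hypothetical names.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text
Module TwoWayEncryptionExample
    ' Stored layout (before Base64): IV (16) | ciphertext | HMAC-SHA256 tag (32).
    ' A fresh random IV is generated for every call to Protect.
    Function Protect(plain As String, encKey As Byte(), macKey As Byte()) As String
        Using cipher = Aes.Create(), mac As New HMACSHA256(macKey)
            cipher.Key = encKey
            Dim data = Encoding.UTF8.GetBytes(plain)
            Using enc = cipher.CreateEncryptor()
                Dim body = cipher.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray()
                Return Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray())
            End Using
        End Using
    End Function

    ' Checks the tag first, so a value altered in the database is rejected
    ' before any decryption is attempted.
    Function Unprotect(stored As String, encKey As Byte(), macKey As Byte()) As String
        Dim blob = Convert.FromBase64String(stored)
        If blob.Length < 64 Then Throw New CryptographicException("Stored value is too short")
        Dim body = blob.Take(blob.Length - 32).ToArray()
        Using cipher = Aes.Create(), mac As New HMACSHA256(macKey)
            Dim expected = mac.ComputeHash(body)
            Dim diff As Integer = 0
            For i = 0 To 31                       ' compare every byte, no early exit
                diff = diff Or (expected(i) Xor blob(body.Length + i))
            Next
            If diff <> 0 Then Throw New CryptographicException("Stored value was modified")
            cipher.Key = encKey
            cipher.IV = body.Take(16).ToArray()
            Using dec = cipher.CreateDecryptor()
                Return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16))
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed keys and sample value; real keys belong in protected configuration.
        Dim encKey(31) As Byte, macKey(31) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(encKey) : rng.GetBytes(macKey)
        End Using
        Dim stored = Protect("constructed sample value", encKey, macKey)
        Console.WriteLine(stored & " -> " & Unprotect(stored, encKey, macKey))
    End Sub
End Module
```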

Author

Commented:
Sorry, just to let you know, I'm gonna work on this but probably beginning next week. I will try MD5 encryption for the passwords... and then I want to try two-way encryption on something just to see how to use it...

Author

Commented:
Hi,

OK, so I implemented the MD5 encryption on the passwords without any issues. So, the one other thing I wanted to take a look at then would be sending information encrypted from the server to the client. For instance, I have a bit of code which sends some information on disk size to an administrator who is logged into the website (the information isn't important and it's not private either really. If someone finds out I'm not bothered). But for the sake of understanding encryption a bit better I'd like to try and implement it in that situation.

The code I have goes a little bit like below where the sub Bind just binds the data to a gridview. So, I could try and encrypt the data before sending it, I presume RijndaelManaged would be a good idea there. But then the client isn't going to be able to see it anymore? So how do you do that so that the client can decrypt?

Well, just looking at this link http://stackoverflow.com/questions/2475861/rsa-encrypt-decrypt-problem-in-net it seems to suggest that this sort of thing is difficult (to do right at least) and you'd be better off using SSL?

' WMI query for fixed local disks (DriveType=3), reading Name and Size
getFolderSize("SELECT Size, Name FROM Win32_LogicalDisk WHERE DriveType=3", "Name", "Size")

Dim i As Integer = 0
For Each strDrive As String In alName
    ' Size is in bytes; convert to decimal GB (10^9) rounded to 2 places
    sdData.Add(strDrive & " Size", Math.Round((FormatNumber(alSize(i).ToString) / 1000000000.0), 2) & "Gb")
    i += 1
Next

Bind(dt, sdData)

Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
You need to look where the encryption is taking place and where it can be intercepted.

Think about how a web page works.

Where will the data actually be decrypted when bound to a gridview?  On the web server.

Where will the gridview be displayed?  On the client browser.

Then is the data encrypted over the network between the web server and browser?

Also, if you encrypt it on the web server, is the data encrypted between the database server and web server?

Author

Commented:
Hi, well yes I can see that it wouldn't be encrypted between server and client that's why I was saying 'But then the client isn't going to be able to see it anymore?'

So the question is, how should I / can I do it? The client would presumably need some way of decrypting the data... so it starts to look complicated. And that's why I also mentioned SSL which sounds like it does all that for you... although presumably at some kind of cost also.
Most Valuable Expert 2012
Distinguished Expert 2019
Commented:
SSL is probably the way to go.  E-Commerce and Bank sites rely on it!


I'm far from a Web GURU but the only cost I can think of is the certification authority.  If this is an in-house link and you do not need a trusted certificate, I do not think there is a cost.

As far as the browser being able to decrypt the information:  I don't know how it would be secure.  The code to decrypt would have to be written in something like JavaScript and could easily be seen so everyone would know your encryption key.

You might want to open a new question over in web browsers to see what options you have outside SSL that can encrypt data all the way to the browser.

Author

Commented:
OK, thanks, so just finally... to clarify...

I guess people don't use encryption much for transmitting data across the web if it's going out to the general public... so mostly they use it just to encrypt the data in their databases.

Otherwise SSL is the way to go (I guess this link is probably a good start SSL - might open a new question on it).

Thanks for the info! Aiden

Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
>>i guess people don't use encryption much for transmitting data across the web if it's going out to the general public...

I don't think that is a fair statement.  SSL encrypts data across the web.  That is what it does.

People do not generally write their own code to encrypt all the way to the browser since anything provided to the browser can be 'captured' and examined.