.NET Encryption question

I need to talk to an Oracle database maintained by a large organization.  I'll be doing that with a .NET (Desktop) application.  Mostly it's straightforward, but I'm confused by my client's insistence that there be "encryption".   I get the feeling that this is more a CYA kind of request, as the information is not particularly sensitive.

I see encryption classes in .NET and I'm more than willing to dig into them, but I have a basic nagging question.   If I encrypt the information that I'm sending to these guys, how in the world would it be decrypted on their end?  I have absolutely no ability to influence or modify anything on their servers or database.   They've given me credentials with enough rights to run a couple of stored procedures, but that's it.

It seems to me that the communication channel should be encrypted (some kind of HTTPS thing?), and this should not have much else to do with my app.

Can someone give me a leg up here and educate me?   I'm not sure I'm going to get much cooperation on the other end.  I just have a requirement for "encryption" with no further explanation or guidance.

Thanks!
Asked by: BobSacks

Dave Howe (Software and Hardware Engineer) Commented:
Encrypt the connection maybe?

Here is how you would do that in standard sqlnet....
0

BobSacks (Author) Commented:
Thanks!  That's helpful, but it looks like it requires that THEY do something on their end.  Unclear to me that they are willing to do that.  I get the distinct feeling that they just want me to tell them that I "have encryption".

I very much appreciate your response.  Let's let this sit for a day or two to see what others might say.

Bob
0
Dave Howe (Software and Hardware Engineer) Commented:
Sure, but in the meantime, you could ask them what algos they support on their side of the SQLNET link - if they come back with a list, then the problem is solved, if not, it gives them something to think about while you are waiting for other answers :)
0
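An added example, not part of the thread and not Oracle's code: a simplified Python model of how Oracle native network encryption (the SQL*Net option discussed above) decides whether a session is encrypted, based on the `SQLNET.ENCRYPTION_CLIENT` / `SQLNET.ENCRYPTION_SERVER` levels and each side's algorithm list. The rules are modelled on Oracle's documented negotiation behaviour; the function names and sample algorithm lists are constructed for illustration.

```python
# Simplified model of Oracle native network encryption negotiation.
# Levels are the values of SQLNET.ENCRYPTION_CLIENT / SQLNET.ENCRYPTION_SERVER;
# both default to ACCEPTED when sqlnet.ora does not set them.
LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")


def negotiate(client_level, server_level, client_algos, server_algos):
    """Return ("encrypted", algo), ("plaintext", None) or ("refused", reason)."""
    for level in (client_level, server_level):
        if level not in LEVELS:
            raise ValueError(f"unknown level: {level}")
    pair = {client_level, server_level}

    # One side insists and the other forbids: the connection is dropped.
    if pair == {"REQUIRED", "REJECTED"}:
        return ("refused", "one side REQUIRED, other side REJECTED")
    # Nobody asks for encryption, or one side forbids it: traffic stays clear.
    if "REJECTED" in pair or pair == {"ACCEPTED"}:
        return ("plaintext", None)

    # Encryption is wanted: the server takes the first entry of its own
    # list that the client also offers.
    wanted = {a.upper() for a in client_algos}
    for algo in server_algos:
        if algo.upper() in wanted:
            return ("encrypted", algo.upper())

    # No shared algorithm: fatal only if a side said REQUIRED.
    if "REQUIRED" in pair:
        return ("refused", "no common algorithm")
    return ("plaintext", None)


def client_survey(server_level, server_algos, client_algos=("AES256",)):
    """What each client setting yields against one assumed server config."""
    return {lvl: negotiate(lvl, server_level, client_algos, server_algos)
            for lvl in LEVELS}


if __name__ == "__main__":
    # Constructed scenario: server left at its default level, client offers AES256.
    survey = client_survey("ACCEPTED", ["AES256", "AES192", "AES128"])
    for lvl, outcome in survey.items():
        print(f"client={lvl:<9} -> {outcome}")
```

In this model a client set to `REQUIRED` never falls back to silent plaintext: the session is either encrypted or refused, which is the property worth confirming with the server's administrators.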
BobSacks (Author) Commented:
Point taken...  let me toss this at them and see if anything productive comes back.  ;)

Thanks once again!
0
Rich Rumble (Security Samurai) Commented:
You can't talk encrypted if they aren't listening... There has to be some Service Level Agreement between you two, they have to spell out the criteria, and you need to ask if the data might be subject to laws and regulations such as HIPAA, SOX, or PCI/DSS. Then if so, make sure you protect yourself from liability should they be compromised.

If they need guidance in those areas, they know they need encryption but don't know which or at what level (FIPS-140), then that has to be worked out first.
-rich
0
BobSacks (Author) Commented:
Rich -  I have to smile.  I told my contact that someone was going to start talking about HIPAA,  Sarbanes-Oxley or FERPA eventually!     What you say is what I thought.  I don't have much experience with encryption, but it didn't seem logical that you could only do it on one end.

Thanks so much!
0
Dave Howe (Software and Hardware Engineer) Commented:
Depends on what you are doing with it. If you are storing data for your own use (and only your own use) then you can encrypt it, store it, pull it back when you need it, then decrypt it again before using.

This is the model a lot of backup software now uses - data is encrypted before it goes to the backup device, and only the backup software can decrypt it but that's fine, only the backup software needs to :)

Alternatively, you could store the data encrypted, wait until they ask why it looks like random garbage, and then smile sweetly, give them the key and algo you chose, and let them worry about it. That (while enormously satisfying) isn't likely to result in positive feedback and your invoices paid though :)
0