Solved

Implementing Encryption/Decryption on a property in my MVC 4 application using Entity Framework 5

Posted on 2014-04-10
Last Modified: 2014-04-12
I have an MVC 4 web application that uses EF 5.  Some of the tables in my application contain data that needs to be encrypted.  I am using SQL Server 2005 (soon to be upgraded to 2008).

What is the best way to implement the encryption/decryption?

Do I create a Stored Procedure for encrypting and decrypting the fields in the table and somehow tell EF to use the Stored Procedure when retrieving and setting the value in the fields that require encryption?

Do I create the Encryption / Decryption methods and use them in the get and set operations of the property?  If yes, how would I do this? (Assume I have an Encrypt(string) and Decrypt(string) method).

Do I use Data Annotations to indicate the field should be Encrypted and Decrypted?  If yes, where would I add the code for Encrypting and Decrypting?

As you can see I really don't have a good idea of where to start so any suggestions are greatly appreciated!
0
Question by:dyarosh
5 Comments
 
LVL 18

Accepted Solution

by:
dj_alik earned 500 total points
ID: 39993749
Depending on what you need to achieve
1. DATABASE LAYER
SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script
http://blog.sqlauthority.com/2009/04/28/sql-server-introduction-to-sql-server-encryption-and-symmetric-key-encryption-tutorial-with-script/

Custom encryption of field with Entity Framework
http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

HTTP/S LEVEL
Working with SSL in Web API
http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api
Using SSL in ASP.NET Web API
http://www.codeguru.com/csharp/.net/using-ssl-in-asp.net-web-api.htm

ASP.net MVC LEVEL  
Securing Query String in ASP.NET MVC
http://www.mytecbits.com/microsoft/dot-net/securing-query-string-in-net
0
 
LVL 25

Expert Comment

by:apeter
ID: 39993797
0
 

Author Comment

by:dyarosh
ID: 39993928
I've reviewed the links and the following links seem like they are what I am looking for but I'm not sure how I would use them.

http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/
1. This requires a prefix to let you know the field is encrypted.  If I am using an encryption algorithm that requires 256 bytes, would I set my field in the table to be 257 bytes so the prefix can be prepended to the encrypted value?
2. How would I really know that the field is encrypted/decrypted?  Is the first character blank for decrypted value and 'X' for encrypted value?  So if the field in the database is defined as nvarchar(255), the actual text that can be accepted is 254 characters so the encryption character can be prepended?

http://forums.asp.net/t/1838604.aspx?Encryption+Decryption+In+Model+repository+or+in+Controller+Best+Practice+Advice+
1. My project is currently set up very similar to this post in that I have an Interface Class and a class that implements that Interface.  I don't understand how the CryptoRepository is used.  

I appreciate the responses and hope you will continue to help me with this.
0
 

Author Closing Comment

by:dyarosh
ID: 39994447
I am using the concept found at this link: http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

I am modifying his implementation in that the field from the database that is encrypted will always be encrypted so I won't need the encryption string prefix.  I am adding an unsecured version of the property that will contain the unencrypted version of the field from the database.  I will use that field to display and edit information.  I will modify the SaveChanges method to encrypt the unsecured property and save it back to the secured property.

Thank you for your help.
0
 
LVL 25

Expert Comment

by:apeter
ID: 39994489
You have to follow the repository pattern to achieve that. You can see a sample of the repository pattern here.

http://www.codeproject.com/Articles/600097/Why-the-Repository-Pattern

So there will be two kinds of repository in the previous sample. Models where we don't need encryption and one for where you need encryption.

Maybe we can change it a little here: instead of having two, we can have one repository pattern.
1. Have all your models carry a mandatory property, say "IsEncryptDecryptNeeded".
2. When you are getting any model from DB, just loop over all the entities and check whether the bit is set; if it is, call the Decrypt method (details in step 4).
3. When you are saving any model from DB, just loop over all the entities and check whether the bit is set; if it is, call the Encrypt method (details in step 4).
4. For each model you want to encrypt/decrypt, create two extension methods and call them accordingly. This way each model can have either everything encrypted or only the needed properties.

Hope this helps.
0
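An added example, not part of the thread and not code from the linked blog post, of the approach the author's closing comment describes: a mapped column that always holds ciphertext, an unmapped plaintext property for display and editing, decryption as rows are loaded, and encryption in `SaveChanges`. `IFieldCipher`, `Patient`, `ClinicContext`, `SsnSecured` and `Ssn` are hypothetical names; the cipher stands in for the `Encrypt(string)`/`Decrypt(string)` methods the question assumes exist.

```csharp
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;

// Hypothetical wrapper around the Encrypt(string)/Decrypt(string) methods the
// question assumes; the key must be stored outside the database.
public interface IFieldCipher
{
    string Encrypt(string plainText);
    string Decrypt(string cipherText);
}

public class Patient                       // hypothetical entity
{
    public int Id { get; set; }
    public string SsnSecured { get; set; } // mapped column: always ciphertext
    [NotMapped]                            // never written to the table
    public string Ssn { get; set; }        // plaintext for display and editing
}

public class ClinicContext : DbContext     // hypothetical context
{
    private readonly IFieldCipher _cipher;
    public DbSet<Patient> Patients { get; set; }

    public ClinicContext(IFieldCipher cipher)
    {
        _cipher = cipher;
        // Decrypt once, as EF materializes each row read from the database.
        ((IObjectContextAdapter)this).ObjectContext.ObjectMaterialized += (s, e) =>
        {
            var p = e.Entity as Patient;
            if (p != null && p.SsnSecured != null) p.Ssn = _cipher.Decrypt(p.SsnSecured);
        };
    }

    public override int SaveChanges()
    {
        // Ssn is unmapped, so EF cannot see edits to it: compare it with the
        // stored value and re-encrypt only when the plaintext changed.
        // Assumes entities were loaded by a query or added with Ssn set.
        foreach (var p in ChangeTracker.Entries<Patient>().Select(e => e.Entity).ToList())
        {
            var stored = p.SsnSecured == null ? null : _cipher.Decrypt(p.SsnSecured);
            if (p.Ssn != stored) p.SsnSecured = p.Ssn == null ? null : _cipher.Encrypt(p.Ssn);
        }
        return base.SaveChanges();         // change detection picks up SsnSecured
    }
}
```

Size the `SsnSecured` column for the encoded ciphertext rather than the plaintext, since the encrypted value is longer than the text it protects.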
