  • Status: Solved

Implementing Encryption/Decryption on a property in my MVC 4 application using Entity Framework 5

I have an MVC 4 web application that uses EF 5.  Some of the tables in my application contain data that needs to be encrypted.  I am using SQL Server 2005 (soon to be upgraded to 2008).

What is the best way to implement the encryption/decryption?

Do I create a Stored Procedure for encrypting and decrypting the fields in the table and somehow tell EF to use the Stored Procedure when retrieving and setting the value in the fields that require encryption?

Do I create the Encryption / Decryption methods and use them in the get and set operations of the property?  If yes, how would I do this? (Assume I have an Encrypt(string) and Decrypt(string) method).

Do I use Data Annotations to indicate the field should be Encrypted and Decrypted?  If yes, where would I add the code for Encrypting and Decrypting?

As you can see I really don't have a good idea of where to start so any suggestions are greatly appreciated!
Asked by: dyarosh
1 Solution
 
dj_alik Commented:
Depending on what you need to achieve
1. DATABASE LAYER
SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script
http://blog.sqlauthority.com/2009/04/28/sql-server-introduction-to-sql-server-encryption-and-symmetric-key-encryption-tutorial-with-script/

Custom encryption of field with Entity Framework
http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

HTTP/S LEVEL
Working with SSL in Web API
http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api
Using SSL in ASP.NET Web API
http://www.codeguru.com/csharp/.net/using-ssl-in-asp.net-web-api.htm

ASP.net MVC LEVEL  
Securing Query String in ASP.NET MVC
http://www.mytecbits.com/microsoft/dot-net/securing-query-string-in-net
 
dyarosh (Author) Commented:
I've reviewed the links and the following links seem like they are what I am looking for but I'm not sure how I would use them.

http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/
1. This requires a prefix to let you know the field is encrypted.  If I am using an encryption algorithm that requires 256 bytes, would I set my field in the table to be 257 bytes so the prefix can be prepended to the encrypted value?
2. How would I really know that the field is encrypted/decrypted?  Is the first character blank for a decrypted value and 'X' for an encrypted value?  So if the field in the database is defined as nvarchar(255), the actual text that can be accepted is 254 characters so the encryption character can be prepended?

http://forums.asp.net/t/1838604.aspx?Encryption+Decryption+In+Model+repository+or+in+Controller+Best+Practice+Advice+
1. My project is currently set up very similar to this post in that I have an Interface Class and a class that implements that Interface.  I don't understand how the CryptoRepository is used.

I appreciate the responses and hope you will continue to help me with this.
 
dyarosh (Author) Commented:
I am using the concept found at this link: http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

I am modifying his implementation in that the field from the database that is encrypted will always be encrypted so I won't need the encryption string prefix.  I am adding an unsecured version of the property that will contain the unencrypted version of the field from the database.  I will use that field to display and edit information.  I will modify the SaveChanges method to encrypt the unsecured property and save it back to the secured property.

Thank you for your help.
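A sketch of the unmapped-property idea discussed above, added here as an example and not code from the thread or the linked blog: the mapped column holds only ciphertext and a `[NotMapped]` property encrypts and decrypts in its set and get (a variant of the SaveChanges approach). `FieldCrypto`, `Customer`, `Ssn` and `SsnEncrypted` are hypothetical names, key loading is assumed to happen elsewhere, and `[NotMapped]` is assumed to come from .NET 4.5 with EF 5.

```csharp
using System;
using System.ComponentModel.DataAnnotations.Schema;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class FieldCrypto   // hypothetical helper
{
    // Assumption: two independent 32-byte keys, loaded at startup from protected config.
    public static byte[] EncKey, MacKey;
    static byte[] Mac(byte[] b) { using (var h = new HMACSHA256(MacKey)) return h.ComputeHash(b); }

    // Stored form: Base64(IV[16] || AES-256-CBC ciphertext || HMAC-SHA256 tag[32]).
    public static string Encrypt(string plain)
    {
        if (plain == null) return null;                // keep NULL columns NULL
        using (var aes = Aes.Create())                 // CBC + PKCS7 by default, random IV per instance
        using (var enc = aes.CreateEncryptor(EncKey, aes.IV))
        {
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] body = aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
            return Convert.ToBase64String(body.Concat(Mac(body)).ToArray());
        }
    }

    public static string Decrypt(string stored)
    {
        if (stored == null) return null;
        byte[] all = Convert.FromBase64String(stored);
        if (all.Length < 64) throw new CryptographicException("Stored value too short.");
        byte[] body = all.Take(all.Length - 32).ToArray(), expected = Mac(body);
        int diff = 0;                                  // compare tags without early exit
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ all[body.Length + i];
        if (diff != 0) throw new CryptographicException("Tag mismatch: tampered or wrong key.");
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(EncKey, body.Take(16).ToArray()))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
    }
}

public class Customer   // hypothetical entity
{
    public string SsnEncrypted { get; set; }           // mapped column, ciphertext only
    [NotMapped]                                        // EF neither reads nor writes this
    public string Ssn
    {
        get { return FieldCrypto.Decrypt(SsnEncrypted); }
        set { SsnEncrypted = FieldCrypto.Encrypt(value); }
    }
}
```

With this layout a 9-character value is stored as 88 Base64 characters (16-byte IV, one 16-byte block, 32-byte tag), so the column has to be sized for the encoded ciphertext rather than for the plaintext length.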
 
apeter Commented:
You have to follow the repository pattern to achieve that. You can see a sample of the repository pattern there.

http://www.codeproject.com/Articles/600097/Why-the-Repository-Pattern

So there will be two kinds of repository in the previous sample. Models where we don't need encryption and one for where you need encryption.

Maybe we can change a little here: instead of having two, we can have one repository pattern.
1. Have all your models have a mandatory property, say "IsEncryptDecryptNeeded".
2. When you are getting any model from the DB, just loop over all the entities and check whether the bit is set; then you can call the Decrypt method (details in step 4).
3. When you are saving any model to the DB, just loop over all the entities and check whether the bit is set; then you can call the Encrypt method (details in step 4).
4. For each model you want to encrypt/decrypt, create two extension methods.  Call them accordingly. This way each model can be either fully encrypted or have only the needed properties encrypted.

Hope this helps.