Solved

Implementing Encryption/Decryption on a property in my MVC 4 application using Entity Framework 5

Posted on 2014-04-10
Last Modified: 2014-04-12
I have an MVC 4 web application that uses EF 5.  Some of the tables in my application contain data that needs to be encrypted.  I am using SQL Server 2005 (soon to be upgraded to 2008).

What is the best way to implement the encryption/decryption?

Do I create a Stored Procedure for encrypting and decrypting the fields in the table and somehow tell EF to use the Stored Procedure when retrieving and setting the value in the fields that require encryption?

Do I create the Encryption / Decryption methods and use them in the get and set operations of the property?  If yes, how would I do this? (Assume I have an Encrypt(string) and Decrypt(string) method).

Do I use Data Annotations to indicate the field should be Encrypted and Decrypted?  If yes, where would I add the code for Encrypting and Decrypting?

As you can see I really don't have a good idea of where to start so any suggestions are greatly appreciated!
Question by:dyarosh
Accepted Solution

by:
dj_alik earned 500 total points
ID: 39993749
Depending on what you need to achieve
1. DATABASE LAYER
SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script
http://blog.sqlauthority.com/2009/04/28/sql-server-introduction-to-sql-server-encryption-and-symmetric-key-encryption-tutorial-with-script/

Custom encryption of field with Entity Framework
http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

HTTP/S LEVEL
Working with SSL in Web API
http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api
Using SSL in ASP.NET Web API
http://www.codeguru.com/csharp/.net/using-ssl-in-asp.net-web-api.htm

ASP.net MVC LEVEL  
Securing Query String in ASP.NET MVC
http://www.mytecbits.com/microsoft/dot-net/securing-query-string-in-net

Expert Comment

by:apeter
ID: 39993797

Author Comment

by:dyarosh
ID: 39993928
I've reviewed the links and the following links seem like they are what I am looking for but I'm not sure how I would use them.

http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/
1. This requires a prefix to let you know the field is encrypted.  If I am using an encryption algorithm that requires 256 bytes, would I set my field in the table to be 257 bytes so the prefix can be prepended to the encrypted value?
2. How would I really know that the field is encrypted/decrypted?  Is the first character blank for a decrypted value and 'X' for an encrypted value?  So if the field in the database is defined as nvarchar(255), the actual text that can be accepted is 254 characters so the encryption character can be prepended?

http://forums.asp.net/t/1838604.aspx?Encryption+Decryption+In+Model+repository+or+in+Controller+Best+Practice+Advice+
1. My project is currently set up very similar to this post in that I have an Interface Class and a class that implements that Interface.  I don't understand how the CryptoRepository is used.

I appreciate the responses and hope you will continue to help me with this.

Author Closing Comment

by:dyarosh
ID: 39994447
I am using the concept found at this link: http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

I am modifying his implementation in that the field from the database that is encrypted will always be encrypted so I won't need the encryption string prefix.  I am adding an unsecured version of the property that will contain the unencrypted version of the field from the database.  I will use that field to display and edit information.  I will modify the SaveChanges method to encrypt the unsecured property and save it back to the secured property.

Thank you for your help.

Expert Comment

by:apeter
ID: 39994489
You have to follow the repository pattern to achieve that. You can see a sample of the repository pattern there.

http://www.codeproject.com/Articles/600097/Why-the-Repository-Pattern

So there will be two kinds of repository in the previous sample: one for models where we don't need encryption and one for models where you need encryption.

Maybe we can change a little here; instead of having two, we can have one repository pattern.
1. Have all your models have a mandatory property, say "IsEncryptDecryptNeeded".
2. When you are getting any model from the DB, just loop over all the entities and check whether the bit is set; then you can call the Decrypt method (details in step 4).
3. When you are saving any model to the DB, just loop over all the entities and check whether the bit is set; then you can call the Encrypt method (details in step 4).
4. For each model you want to encrypt/decrypt, create two extension methods.  Call them accordingly. This way each model can be either fully encrypted or have only the needed properties encrypted.

Hope this helps.
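
The approach described in the closing comment and in the last reply (an always-encrypted mapped property, an unmapped plaintext property, decryption on load and encryption on save), as an added example that is not code from this thread or from the linked blog post. It assumes EF 5 on .NET 4.5; `Customer`, `Ssn`, `SsnEncrypted`, `AppDb` and `FieldCrypto` are hypothetical names, and the AES key is assumed to be loaded from configuration at startup.

```csharp
using System;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
public static class FieldCrypto
{
    public static byte[] Key; // assumption: 32-byte AES key set at startup, stored outside the database
    public static string Encrypt(string plain) // Base64(random IV || AES-CBC ciphertext)
    {
        if (plain == null) return null;
        byte[] p = Encoding.UTF8.GetBytes(plain);
        using (var aes = Aes.Create())
        using (var enc = aes.CreateEncryptor(Key, aes.IV)) // aes.IV is freshly generated per call
            return Convert.ToBase64String(aes.IV.Concat(enc.TransformFinalBlock(p, 0, p.Length)).ToArray());
    }
    public static string Decrypt(string stored)
    {
        if (stored == null) return null;
        byte[] raw = Convert.FromBase64String(stored);
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(Key, raw.Take(16).ToArray()))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(raw, 16, raw.Length - 16));
    }
}

public class Customer // hypothetical entity
{
    public int Id { get; set; }
    public string SsnEncrypted { get; set; }     // mapped column: always ciphertext
    [NotMapped] public string Ssn { get; set; }  // plaintext for display and edit, never stored
}

public class AppDb : DbContext // hypothetical context
{
    public DbSet<Customer> Customers { get; set; }
    public AppDb() // decrypt into the unmapped property as each entity is loaded
    {
        ((IObjectContextAdapter)this).ObjectContext.ObjectMaterialized += (s, e) =>
            { var c = e.Entity as Customer; if (c != null) c.Ssn = FieldCrypto.Decrypt(c.SsnEncrypted); };
    }
    public override int SaveChanges() // Ssn is unmapped, so editing it never marks the entity Modified
    {
        foreach (var c in ChangeTracker.Entries<Customer>().Select(x => x.Entity).ToList())
            if (c.Ssn != FieldCrypto.Decrypt(c.SsnEncrypted)) c.SsnEncrypted = FieldCrypto.Encrypt(c.Ssn);
        return base.SaveChanges();
    }
}
```

The stored value is Base64 of a 16-byte IV plus the padded ciphertext, so 254 bytes of UTF-8 plaintext become 364 characters and the column has to be sized for that rather than for one extra prefix character. CBC by itself does not detect modified ciphertext; add an HMAC over the IV and ciphertext if the stored values need integrity protection.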