Solved

Implementing Encryption/Decryption on a property in my MVC 4 application using Entity Framework 5

Posted on 2014-04-10
Last Modified: 2014-04-12
I have an MVC 4 web application that uses EF 5.  Some of the tables in my application contain data that needs to be encrypted.  I am using SQL Server 2005 (soon to be upgraded to 2008).

What is the best way to implement the encryption/decryption?

Do I create a Stored Procedure for encrypting and decrypting the fields in the table and somehow tell EF to use the Stored Procedure when retrieving and setting the value in the fields that require encryption?

Do I create the Encryption / Decryption methods and use them in the get and set operations of the property?  If yes, how would I do this? (Assume I have an Encrypt(string) and Decrypt(string) method).

Do I use Data Annotations to indicate the field should be Encrypted and Decrypted?  If yes, where would I add the code for Encrypting and Decrypting?

As you can see I really don't have a good idea of where to start so any suggestions are greatly appreciated!
Question by:dyarosh

Accepted Solution

by:
dj_alik earned 500 total points
ID: 39993749
Depending on what you need to achieve:
1. DATABASE LAYER
SQL SERVER – Introduction to SQL Server Encryption and Symmetric Key Encryption Tutorial with Script
http://blog.sqlauthority.com/2009/04/28/sql-server-introduction-to-sql-server-encryption-and-symmetric-key-encryption-tutorial-with-script/

Custom encryption of field with Entity Framework
http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

2. HTTP/S LEVEL
Working with SSL in Web API
http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api
Using SSL in ASP.NET Web API
http://www.codeguru.com/csharp/.net/using-ssl-in-asp.net-web-api.htm

3. ASP.NET MVC LEVEL
Securing Query String in ASP.NET MVC
http://www.mytecbits.com/microsoft/dot-net/securing-query-string-in-net

Expert Comment

by:apeter
ID: 39993797

Author Comment

by:dyarosh
ID: 39993928
I've reviewed the links and the following links seem like they are what I am looking for but I'm not sure how I would use them.

http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/
1. This requires a prefix to let you know the field is encrypted.  If I am using an encryption algorithm that requires 256 bytes, would I set my field in the table to be 257 bytes so the prefix can be prepended to the encrypted value?
2. How would I really know that the field is encrypted/decrypted?  Is the first character blank for a decrypted value and 'X' for an encrypted value?  So if the field in the database is defined as nvarchar(255), the actual text that can be accepted is 254 characters so the encryption character can be prepended?

http://forums.asp.net/t/1838604.aspx?Encryption+Decryption+In+Model+repository+or+in+Controller+Best+Practice+Advice+
1. My project is currently set up very similar to this post in that I have an Interface Class and a class that implements that Interface.  I don't understand how the CryptoRepository is used.

I appreciate the responses and hope you will continue to help me with this.

Author Closing Comment

by:dyarosh
ID: 39994447
I am using the concept found at this link: http://blog.cincura.net/233147-custom-encryption-of-field-with-entity-framework/

I am modifying his implementation in that the field from the database that is encrypted will always be encrypted so I won't need the encryption string prefix.  I am adding an unsecured version of the property that will contain the unencrypted version of the field from the database.  I will use that field to display and edit information.  I will modify the SaveChanges method to encrypt the unsecured property and save it back to the secured property.

Thank you for your help.
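
A variant of the secured/unsecured property pair described above, as an added example that is not code from this thread or the linked blog: encryption happens in the unmapped property's get and set (the option the question asks about), so every edit changes the mapped column that Entity Framework tracks. `Patient`, `Notes`, `SecuredNotes` and `FieldCrypto` are hypothetical names, .NET 4.5 is assumed, and the two keys are assumed to be loaded from a protected store at application start.

```csharp
using System;
using System.ComponentModel.DataAnnotations.Schema;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public class Patient                              // hypothetical entity, not from the thread
{
    public int Id { get; set; }
    public string SecuredNotes { get; set; }      // mapped column: Base64(IV || ciphertext || HMAC)
    [NotMapped] public string Notes               // plaintext view for display/edit, never stored
    {
        get { return FieldCrypto.Decrypt(SecuredNotes); }
        set { SecuredNotes = FieldCrypto.Encrypt(value); }
    }
}
public static class FieldCrypto
{
    public static byte[] EncKey, MacKey;          // assumption: two 32-byte keys loaded at startup
    public static string Encrypt(string plain)
    {
        if (plain == null) return null;
        byte[] data = Encoding.UTF8.GetBytes(plain);
        using (var aes = Aes.Create())                         // CBC + PKCS7, fresh random IV
        using (var enc = aes.CreateEncryptor(EncKey, aes.IV))
        using (var mac = new HMACSHA256(MacKey))
        {
            byte[] body = aes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
            return Convert.ToBase64String(body.Concat(mac.ComputeHash(body)).ToArray());
        }
    }
    public static string Decrypt(string stored)
    {
        if (stored == null) return null;
        byte[] all = Convert.FromBase64String(stored);
        int n = all.Length - 32, diff = 0;                     // last 32 bytes are the HMAC tag
        if (n < 32) throw new CryptographicException("Stored value is truncated.");
        using (var mac = new HMACSHA256(MacKey))
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(EncKey, all.Take(16).ToArray()))
        {
            byte[] tag = mac.ComputeHash(all, 0, n);           // verify before decrypting
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ all[n + i];   // constant-time compare
            if (diff != 0) throw new CryptographicException("Stored value failed authentication.");
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(all, 16, n - 16));
        }
    }
    // Column width in characters needed for a plaintext of the given UTF-8 byte length.
    public static int StoredLength(int utf8Bytes) { return 4 * ((48 + 16 * (utf8Bytes / 16 + 1) + 2) / 3); }
}
```

With this layout `StoredLength(254)` is 408, so a column sized for the plaintext (such as nvarchar(255)) is too small for the stored value. Because each value gets a fresh IV, equal plaintexts produce different column values, and `Notes` cannot be used in a LINQ to Entities filter.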

Expert Comment

by:apeter
ID: 39994489
You have to follow the repository pattern to achieve that. A sample of the repository pattern you can see there.

http://www.codeproject.com/Articles/600097/Why-the-Repository-Pattern

So there will be two kinds of repository in the previous sample. Models where we don't need encryption and one for where you need encryption.

Maybe we can change a little here: instead of having two, we can have one repository pattern.
1. Have all your models have a mandatory property, say "IsEncrtypDecryptNeeded".
2. When you are getting any model from DB, just loop over all the entities and check whether the bit is set; then you can call the Decrypt method (details in step 4).
3. When you are saving any model from DB, just loop over all the entities and check whether the bit is set; then you can call the Encrypt method (details in step 4).
4. For each model you want to encrypt/decrypt, create two extension methods.  Call them accordingly. This way each model can be either fully encrypted or only the needed properties.

Hope this helps.