AES 256 Encryption/Decryption in C#

RadhaKrishnaKiJaya
Hello Experts,
I am looking for an AES-256 Encryption/Decryption program to deal with my Customer Credit Card numbers.  If possible, please help find me an industry standard sample program.

Thank you very much in advance.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Depends on exactly how encryption was done.

If credit card numbers have been hashed (converted to a hash) then no decryption is possible (unless you have an extravagant budget + a Boeing hangar full of Crays (or whatever passes for a supercomputer these days)).

Hashes are generated specifically to guard against decryption.

That said, if you really did use openssl to encrypt credit card numbers using AES-256, then you'll use openssl to decrypt them in reverse.

The only way to know for sure, is if you post code used to hash or encrypt the credit card numbers in question.

This info will instantly show if credit card numbers are hashed or truly encrypted.

Tip: Unless you wrote the encryption code yourself, likely this data is hashed.

Tip: If you're keeping credit card numbers on file, then you best have gone through the entire PCI Compliance process... or you'll be looking at vast amounts of jail time, depending on jurisdiction of card holders + where card numbers are stored.

Tip: Best if you never talk about saving credit card numbers again in an open forum.
kaufmed
Glanced up at my screen and thought I had coded the Matrix...  Turns out, I just fell asleep on the keyboard.
Most Valuable Expert 2011
Top Expert 2015

Commented:
@David

I think he's asking for code that shows how to perform encryption/decryption.

I do agree about going through with PCI compliance. Not sure about the jail time part, but I know that violations can be very monetarily expensive.

Author

Commented:
Hello Dave,
Thank you!  kaufmed is right.  I am looking for code to perform Encryption/Decryption process.  This is to meet our PCI Compliance.  The Credit Card Numbers are not hashed.  Please let me know.

Hello kaufmed, Thank you!

Thank you!
Rikin Shah, Microsoft Dynamics CRM Consultant

Commented:
Hi,

You can always go for the Aes class available in the .NET namespace System.Security.Cryptography.

The Aes class represents the abstract base class from which all implementations of the Advanced Encryption Standard (AES) must inherit.

You can find an example here:
https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=netframework-4.7.2
Kyle Abrahams, Senior .Net Developer

Commented:
Check the following:
https://www.ryadel.com/en/aes-256-class-asp-net-c-sharp-custom-options-settings-hash-padding-mode-keylength-cipher-salt-iv-rijndael/

It looks like you can use this to generate your key.

Note that the passphrase is your key.

The IV should be generated and stored per record.
Use a salt if you're doing hashes; don't use one if you're encrypting the full CC number (good intro here: https://security.stackexchange.com/questions/52924/is-salt-iv-and-key-necessary-when-encrypting-password-in-a-database-using-aes)

Author

Commented:
Thank you Kyle and Rikin,
From the code, how do I know if the Encryption is 256 bits?

Thank you!
Kyle Abrahams, Senior .Net Developer

Commented:
https://www.techopedia.com/definition/29703/256-bit-encryption

32 Bytes = 32 * 8 bits = 256 bit encryption.

Author

Commented:
Kyle,
I am still lost.  I tried to relate 32 Bytes = 32 * 8 bits = 256 bit with the link you sent me.  I could not understand it.  Do you have any simple example to start with?

Thank you!

Author

Commented:
Rikin,
From your link, I see the sample code.  How would I understand it is 256 bit encryption?

Thank you!
Kyle Abrahams, Senior .Net Developer

Commented:
If the key is 256 bits, you have 256 bit encryption.
8 bits in a byte, so 32 bytes of a key would also make it 256 bit encryption (8 * 32 = 256).

You'll note in the original link there are 32 characters making up the key which are bytes (the comment incorrectly calls them bits for 256).

Author

Commented:
Kyle, I am sorry.  I am not able to see/understand that (original link there are 32 characters... ) in the link.  Please let me know the line number you are reading.

Thank you!
Senior .Net Developer
Commented:
This link:
https://www.ryadel.com/en/aes-256-class-asp-net-c-sharp-custom-options-settings-hash-padding-mode-keylength-cipher-salt-iv-rijndael/


// passPhrase (32 bit length for AES256)   -> should really be 32 BYTE
var passPhrase = "12345678901234567890123456789012";

Author

Commented:
Thank you guys for your help!
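
The two points this thread settles on (a 32-byte key is what makes it AES-256, and the IV is generated and stored per record), shown as an added example that is not code from any poster or from the linked pages. The class name `CardCrypto`, its method names and the test card number are assumptions made for illustration; it uses the `Aes` class from System.Security.Cryptography in its default CBC/PKCS7 mode with a randomly generated key.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class CardCrypto   // hypothetical name, not from the thread
{
    // Random 32-byte key = 256 bits. Keep it in a key store, never next to the data.
    public static byte[] NewKey()
    {
        using (var aes = Aes.Create()) { aes.KeySize = 256; aes.GenerateKey(); return aes.Key; }
    }

    // Returns IV || ciphertext so the per-record IV is stored with the record.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        if (key.Length != 32) throw new ArgumentException("AES-256 requires a 32-byte key");
        using (var aes = Aes.Create())      // defaults: CBC mode, PKCS7 padding
        {
            aes.Key = key;                  // KeySize now reports 256
            aes.GenerateIV();               // fresh random 16-byte IV per record
            byte[] iv = aes.IV, pt = Encoding.UTF8.GetBytes(plaintext);
            using (var enc = aes.CreateEncryptor())
                return iv.Concat(enc.TransformFinalBlock(pt, 0, pt.Length)).ToArray();
        }
    }

    public static string Decrypt(byte[] key, byte[] record)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = record.Take(16).ToArray();   // AES block size is 16 bytes for every key size
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(record, 16, record.Length - 16));
        }
    }

    static void Main()
    {
        byte[] key = NewKey();
        string pan = "4111111111111111";    // constructed test value, not a real card
        byte[] a = Encrypt(key, pan), b = Encrypt(key, pan);
        Console.WriteLine("key bits: " + key.Length * 8);
        Console.WriteLine("ciphertexts differ: " + !a.SequenceEqual(b));
        Console.WriteLine("round trip ok: " + (Decrypt(key, a) == pan));
    }
}
```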
