| Author |
Topic |
|
ddasilva99
Starting Member
26 Posts |
Posted - 2006-11-12 : 00:11:20
|
| Hi Everyone, What would you recommend when it comes to encrypting/decrypting personal data? I am using ASP.NET 2.0 and SQL Server.... Thanks, |
|
|
afrika
Master Smack Fu Yak Hacker
2706 Posts |
Posted - 2006-11-12 : 02:20:37
|
| Where do you want to encrypt the data? In your aspx pages or database. See this www.activecrypt.com, www.quest.com/sql_server |
 |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2006-11-12 : 04:10:54
|
| And what kind of information are you thinking of encrypting? Peter Larsson, Helsingborg, Sweden |
 |
|
|
ddasilva99
Starting Member
26 Posts |
Posted - 2006-11-12 : 11:39:54
|
| I'm trying to encrypt/decrypt personal information such as address, phone#, etc. |
 |
|
|
Kristen
Test
22859 Posts |
Posted - 2006-11-12 : 12:20:11
|
| I'm surprised you want to encrypt Address / phone# IN THE DATABASE. CreditCard / password maybe, but encrypting other data is going to have all sorts of problems. Kristen |
 |
|
|
ddasilva99
Starting Member
26 Posts |
Posted - 2006-11-12 : 15:28:50
|
| It was a requirement by my group to encrypt name, address, phone, etc... Is there a way to encrypt this data? I'd prefer to use SQL but if I can't then I'll use the crypto included with ASP |
 |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
Posted - 2006-11-12 : 15:31:31
|
| Really want encryption, or obfuscation is enough? Peter Larsson, Helsingborg, Sweden |
 |
|
|
ddasilva99
Starting Member
26 Posts |
Posted - 2006-11-12 : 15:55:17
|
| The requirement is that they don't want DB admins to see the data in the table as cleartext. Any suggestions? |
 |
|
|
rockmoose
SQL Natt Alfen
3279 Posts |
Posted - 2006-11-12 : 16:20:50
|
| > The requirement is that they don't want DB admins to see the data in the table as cleartext. Any suggestions?
In that case the data would need to be encrypted before it reaches the database. rockmoose |
 |
|
|
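What rockmoose's reply describes, encrypting in the application so the database only ever stores ciphertext, as an added example that is not part of the original thread. It assumes .NET Core 3.0 or later for `AesGcm` (not available in ASP.NET 2.0) and a 32-byte key loaded from somewhere the DBAs cannot read; `FieldCrypto`, `Protect`, `Unprotect` and the sample row are hypothetical and constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not from the thread.
static class FieldCrypto
{
    const int NonceSize = 12, TagSize = 16;

    // Returns nonce || tag || ciphertext, suitable for a varbinary column.
    // 'context' (e.g. "Customer.Address:42") is authenticated but not stored,
    // so a value copied into another row or column fails to decrypt.
    public static byte[] Protect(byte[] key, string plaintext, string context)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] output = new byte[NonceSize + TagSize + pt.Length];
        Span<byte> nonce = output.AsSpan(0, NonceSize);
        Span<byte> tag = output.AsSpan(NonceSize, TagSize);
        Span<byte> ct = output.AsSpan(NonceSize + TagSize);
        RandomNumberGenerator.Fill(nonce);          // fresh nonce per value
        using (var aes = new AesGcm(key))           // .NET 8+: new AesGcm(key, TagSize)
            aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(context));
        return output;
    }

    // Throws CryptographicException if the key, context or stored bytes are wrong.
    public static string Unprotect(byte[] key, byte[] stored, string context)
    {
        if (stored.Length < NonceSize + TagSize)
            throw new CryptographicException("Stored value too short.");
        ReadOnlySpan<byte> s = stored;
        byte[] pt = new byte[stored.Length - NonceSize - TagSize];
        using (var aes = new AesGcm(key))
            aes.Decrypt(s.Slice(0, NonceSize), s.Slice(NonceSize + TagSize),
                        s.Slice(NonceSize, TagSize), pt, Encoding.UTF8.GetBytes(context));
        return Encoding.UTF8.GetString(pt);
    }

    static void Main()
    {
        byte[] key = new byte[32];                  // constructed demo key; load the
        RandomNumberGenerator.Fill(key);            // real one from outside the database
        byte[] cell = Protect(key, "1 Example Street", "Customer.Address:42");
        Console.WriteLine(Convert.ToBase64String(cell));   // what a DBA would see
        Console.WriteLine(Unprotect(key, cell, "Customer.Address:42"));
    }
}
```

Columns stored this way cannot be searched, sorted or indexed by the database, since every value gets a fresh nonce and encrypts differently each time.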
Kristen
Test
22859 Posts |
Posted - 2006-11-13 : 01:53:52
|
| It always worries me when I hear that there are requirements for the DB Admins not to be able to see data .... issues of Trust and the DBAs not being able to do their job spring to mind. Credit card numbers I can understand - but other than a database of spies! I can't see a good business case for hiding names & addresses from DBAs. I'm sure there are other real-world instances, it's just that it starts ringing warning bells for me! Kristen |
 |
|
|
afrika
Master Smack Fu Yak Hacker
2706 Posts |
Posted - 2006-11-13 : 07:33:39
|
quote: Originally posted by Kristen: It always worries me when I hear that there are requirements for the DB Admins not to be able to see data .... issues of Trust and the DBAs not being able to do their job spring to mind. Credit card numbers I can understand - but other than a database of spies! I can't see a good business case for hiding names & addresses from DBAs. I'm sure there are other real-world instances, it's just that it starts ringing warning bells for me! Kristen
I think the greater fear lies in the fact of securing the database. However you encrypt your data, someone will always have a key to decrypt it. If, however, you employ high encryption algorithms, it will certainly affect performance on your application, especially if heavily hit. And if for some reason your db admin changes jobs, then you have lost your data either which way. |
 |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2006-11-13 : 08:23:46
|
| For passwords I'd recommend using a one-way hashing algorithm like MD5 (http://www.codeproject.com/database/xp_md5.asp) which is used for comparison only. It cannot be decrypted so what you would do is to encrypt the password in the database, and when a user tries to log in or whatever you hash his password and compare it to what you have in the database. If you have a match he's entered the right password. In terms of things that need to be decrypted you're basically down to standard algorithms like BASE64 and such -> http://www.sqlservercentral.com/columnists/mcoles/freeencryption.asp -- Lumbago "Real programmers don't document, if it was hard to write it should be hard to understand" |
 |
|
|
Lumbago
Norsk Yak Master
3271 Posts |
Posted - 2006-11-13 : 08:30:23
|
| But I have to concur with the others here that it doesn't make a lot of sense to encrypt names, addresses and such. A DBA/developer or whoever will for sure know what type of algorithm is used and it wouldn't take much effort to decrypt the thing knowing that. They won't see the real data in everyday development but the data is in no way secure even though someone encrypts it (unless you employ some obscure hardcore NSA John Forbes Nash stuff). -- Lumbago "Real programmers don't document, if it was hard to write it should be hard to understand" |
 |
|
|
SwePeso
Patron Saint of Lost Yaks
30421 Posts |
|
|
|