Secure and transportable encrypt/decrypt

  • Question

  • Good day everyone! I'm looking into effective and transportable ways to do the following:

    • Encrypt/Decrypt a sensitive string in some biz logic code that will be stored in the database.
    • The ability for multiple app servers to share this "key" being used in the encrypt/decrypt so that any server will be able to pull this data as well as insert it.
    • Ensure a moderate to excellent amount of security to this so in the event the data store in question is hijacked, the sensitive data would be well protected.

    I've read Keith Brown's latest book on security and while it's given me some ideas, there isn't anything that really seems suited to the above scenario. I'm sure I'm not the first person to ask this so I'm hoping you all can lend some insight and direction. Thanks!

    - James

    Tuesday, December 20, 2005 4:31 PM

Answers

  • Any of the cryptographic algorithms available in System.Security.Cryptography should work for you provided they use public/private keys. The public key is used to encrypt the data on the servers for storage in the DB. Decryption requires the private key. The key would be shared amongst your servers in whatever mechanism is most appropriate such as a secure file on a central server or perhaps even local to all servers.

    As most security books will tell you the issue is not necessarily guaranteeing that nobody can decipher your data but instead properly protecting your private key. Modern recommendations are for at least 1K keys with 4K keys being a better choice. The latest AES algorithm (not available in .NET but an article posted in MSDN Magazine contains the implementation) is really good. I have used it for multiple server encryption with no problems. RSACryptoServiceProvider (from .NET) is also a good choice.

    Michael Taylor - 12/20/05
    Tuesday, December 20, 2005 6:29 PM

All replies

  • Just a quick correction ... AES is available in the framework, it's the RijndaelManaged class.

    -Shawn

    Wednesday, January 4, 2006 4:58 PM
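
The public/private key approach discussed in this thread, as an added example that is not part of any poster's reply: a string is encrypted with the public key for storage and decrypted with the private key, using RSACryptoServiceProvider with OAEP padding. The SensitiveField, Protect and Unprotect names, the 2048-bit key size and the sample value are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SensitiveField   // hypothetical helper name
{
    // Encrypts with the public key only; returns Base64 text for a DB column.
    public static string Protect(string publicKeyXml, string plaintext)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            // OAEP (SHA-1) overhead is 42 bytes: a 2048-bit key takes at most 214.
            int max = rsa.KeySize / 8 - 42;
            if (data.Length > max)
                throw new ArgumentException("Value exceeds " + max + " bytes.");
            return Convert.ToBase64String(rsa.Encrypt(data, true)); // true = OAEP
        }
    }

    // Decrypts; requires the XML that includes the private parameters.
    public static string Unprotect(string privateKeyXml, string stored)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(privateKeyXml);
            byte[] data = rsa.Decrypt(Convert.FromBase64String(stored), true);
            return Encoding.UTF8.GetString(data);
        }
    }

    static void Main()
    {
        // Constructed demo key. In a deployment the pair is generated once and the
        // private XML reaches the app servers through protected storage.
        string publicXml, privateXml;
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            publicXml = rsa.ToXmlString(false);   // public parameters only
            privateXml = rsa.ToXmlString(true);   // includes the private key
        }

        string a = Protect(publicXml, "ACCT-0000-EXAMPLE"); // constructed sample value
        string b = Protect(publicXml, "ACCT-0000-EXAMPLE");
        Console.WriteLine(a != b); // OAEP is randomized: equal inputs, different ciphertexts
        Console.WriteLine(Unprotect(privateXml, a));
    }
}
```

Because OAEP output is randomized, the stored column cannot be used for equality lookups. The length check matters in practice: RSA encrypts only short values directly, so longer data needs a symmetric cipher such as the RijndaelManaged class mentioned above.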