Re: Security - Best Encryption Tool

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 06/01/04


Date: Tue, 1 Jun 2004 12:48:23 -0700

Svein,

DPAPI with user store cannot be used from an ASP.NET application unless you
want to implement the encryption architecture using enterprise services (as
described in the document you reference). In addition to being somewhat
hassle-prone, this approach poses other challenges, like authorization and
performance. If you use DPAPI encryption with machine store and your machine
crashes (or you move the application to a different machine, or run it on a
server farm, or [fill in the blank]) you will not be able to decrypt data.
This is in addition to the risk factor that any application running on the
same (original) machine will be able to decrypt data. These are just the
most obvious problems associated with DPAPI in this scenario. The bottom
line is that while DPAPI can be the best choice in some cases, it is clearly
not a good option for encrypting data stored in databases (such as credit
card numbers). That is unless you do not mind not being able to decrypt
data.

Alek

"Svein Terje Gaup" <stgaup@broadpark.no.spam> wrote in message
news:%23pHQpmASEHA.1936@TK2MSFTNGP10.phx.gbl...
> Why not use DPAPI?
>
> This article describes how to create a DPAPI library:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT07.asp
>
> If you use the User store, then only the user that encrypted the data can
> decrypt it on the same machine:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT09.asp
>
> If you use the Machine store, then the encrypted data can only be decrypted
> on the same server:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT08.asp
>
> Sincerely
> Svein Terje Gaup
>
> "gaurav khanna" <gaurav.khanna@wipro.com> wrote in message
> news:dc575aed.0406010641.4d6cda4b@posting.google.com...
> > Hi
> >
> > I need to store the credit card information in my database. I have
> > been looking for some third party tools which could provide encryption
> > for credit card numbers.
> >
> > The help I need is:
> >
> > a) What is the most secure encryption tool that can be used to store
> > credit card information?
> >
> > b) Any tool which implements AES and does not expect a private key to
> > be supplied as shown in the sample application provided by
> > Microsoft. But in this case customize tool needs to be provided as
> > anybody can buy the tool and decrypt the information.
> >
> > c) What is the best way to secure a private key used by the
> > algorithm like storing in RAM, registry, isolated storage etc? And
> > how to implement it.
> >
> > d) If some code implementation, which allows encrypting securely
> > is available.
> >
> >
> > The client is ready to invest in Third Party Tool.
> > I shortlisted two third party .Net components for encryption:
> >
> > Chilkat Software (http://www.chilkatsoft.com/dotNetCrypt.asp)
> >
> > ezCrypto .NET
> > (http://www.componentsource.com/Catalog.asp?fl=A200&gf=+BUSFUNCDATAPC&gd=Encryption&bc=A100~A200~BUSFUNCDATAPC&sc=CS&PO=514745&option=10444&RC=FCSR&POS=1&bhcp=1)
> >
> >
> > Both the above are C#-implemented tools and implement the AES algorithm.
> >
> > But the problem is both ask for a private key to be supplied. And I need
> > to store the private key in a secure manner.
> >
> >
> > The workaround I decided on was to use the dll provided by the tool.
> > Write some logic to dynamically generate a private key for each of the
> > registered users based on his profile. Store this logic in a dll and
> > somehow secure this logic, so that nobody is able to access it. But
> > how to secure the logic is a concern, as the dll can also be hacked to
> > view its contents.
> >
> > One option I was looking at was to use isolated storage as provided by
> > .Net.
> > But I'm not sure whether we can store and access a dll using isolated storage.
> >
> >
> > It would be great if somebody can help me with the above problem.
> >
> > Regards
> > Gaurav
>
>
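The trade-off the thread is arguing about, as an added example that is not code from any of the posters or from the MSDN articles they cite: the record itself is AES-encrypted under a random data key, and only that key is wrapped with DPAPI. The demo assumes Windows and the System.Security.Cryptography.ProtectedData type (.NET Framework 2.0 and later, or the System.Security.Cryptography.ProtectedData package on current .NET); the entropy string and the test card number are constructed for the demo. It shows both points Alek makes: DPAPI in LocalMachine scope lets any process on that box unwrap the key unless secondary entropy is used, and once the wrapping context is lost (a rebuilt server, a different farm node, or, as simulated here, different entropy) Unprotect throws and every record encrypted under that key is unrecoverable unless the raw key was escrowed somewhere else.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not code from the thread). Assumes Windows and the
// System.Security.Cryptography.ProtectedData type.
public static class DpapiKeyWrapDemo
{
    // Constructed sample entropy. Machine-scope DPAPI lets any process on the
    // same machine decrypt; secondary entropy narrows that to code holding this value.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("constructed-demo-entropy");

    // Wrap a data-encryption key with DPAPI in the given scope.
    public static byte[] WrapKey(byte[] dataKey, DataProtectionScope scope)
    {
        return ProtectedData.Protect(dataKey, Entropy, scope);
    }

    // Unwrap; throws CryptographicException if the blob was made on another
    // machine (LocalMachine), by another user (CurrentUser), or with other entropy.
    public static byte[] UnwrapKey(byte[] wrapped, DataProtectionScope scope, byte[] entropy)
    {
        return ProtectedData.Unprotect(wrapped, entropy, scope);
    }

    // AES-256-CBC with a fresh random IV per record; output is IV || ciphertext.
    public static byte[] EncryptRecord(byte[] dataKey, string plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = dataKey;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                byte[] iv = aes.IV;
                byte[] outBuf = new byte[iv.Length + ct.Length];
                Buffer.BlockCopy(iv, 0, outBuf, 0, iv.Length);
                Buffer.BlockCopy(ct, 0, outBuf, iv.Length, ct.Length);
                return outBuf;
            }
        }
    }

    public static string DecryptRecord(byte[] dataKey, byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = dataKey;
            int ivLen = aes.BlockSize / 8;
            byte[] iv = new byte[ivLen];
            Buffer.BlockCopy(blob, 0, iv, 0, ivLen);
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, ivLen, blob.Length - ivLen);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    public static void Main()
    {
        byte[] dataKey = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(dataKey);
        }

        // The record goes to the database AES-encrypted; only the key is DPAPI-wrapped.
        string record = "4111111111111111"; // constructed test PAN, not a real card
        byte[] dbBlob = EncryptRecord(dataKey, record);

        byte[] wrapped = WrapKey(dataKey, DataProtectionScope.LocalMachine);
        byte[] recovered = UnwrapKey(wrapped, DataProtectionScope.LocalMachine, Entropy);
        Console.WriteLine(DecryptRecord(recovered, dbBlob) == record
            ? "round trip ok on this machine"
            : "round trip FAILED");

        // Lost wrapping context (simulated here with wrong entropy; a rebuilt or
        // different server gives the same exception) means the key, and with it
        // every record, is unrecoverable unless the raw key was escrowed elsewhere.
        try
        {
            UnwrapKey(wrapped, DataProtectionScope.LocalMachine, new byte[] { 1, 2, 3 });
            Console.WriteLine("unexpected: unwrap succeeded with wrong entropy");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("unwrap failed as expected: " + ex.Message);
        }
    }
}
```

Two design notes. First, wrapping the key rather than the data is what makes migration possible at all: the same `dataKey` can be re-wrapped on a new server (or kept in an HSM or offline escrow), whereas rows protected directly with DPAPI machine store are tied to the original box exactly as Alek describes. Second, CBC alone gives confidentiality but no integrity; on current .NET an authenticated mode such as AesGcm is the better choice for the record encryption, which is independent of the key-wrapping question the thread is about.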


