RE: Encrypting data in the database
- From: David Thielen <thielen@xxxxxxxxxxxxx>
- Date: Mon, 8 Jan 2007 10:05:05 -0800
ok - ordered. I'll read through that first. This is one of those things that
has to be done exactly right.
--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
Cubicle Wars - http://www.windwardreports.com/film.htm
"Dominick Baier" wrote:
in that case symmetric is easier..
- be aware against whom you want to protect
- data and key should be stored separately
- make sure you understand what you are doing (keys, session keys, IVs, algorithms,
block sizes etc)
i wrote about exactly that scenario in my book - maybe that's useful for you...
http://www.microsoft.com/mspress/books/9989.asp
-----
Dominick Baier (http://www.leastprivilege.com)
In our case it is the same ASP.NET app both encrypting and decrypting.
So I was thinking a symmetric key is all we need. If we did a
public/private key, both would be held by the same app.
You say "if it is worth it." Do you think it might not be? If so, can
you explain? I don't want to add complexity if it doesn't buy us
anything.
"Dominick Baier" wrote:
have a look here:
http://msdn.microsoft.com/msdnmag/issues/06/01/SecurityBriefs/default.aspx
this will add complexity to your app (if done correctly) - make sure
it is worth it...
-----
Dominick Baier (http://www.leastprivilege.com)
Good points - I'll add the encryption.
Any suggestions on creating the key for DESCryptoServiceProvider?
The example shows it never being set.
"Luke Zhang [MSFT]" wrote:
Hello Dave,
I think it is necessary to also encrypt the password in the
database. A SQL Server may have multiple administrators and be used by
multiple applications. Even if we can confirm that our ASP.NET
application is secure enough, we cannot ensure that other
applications running with the SQL Server are safe, so the db admin's
permission is still able to be leaked. Especially, your system stores
very important information and requires strong security.
In a .NET application we can encrypt data with
DESCryptoServiceProvider:
http://msdn2.microsoft.com/en-us/library/system.security.cryptography.descryptoserviceprovider.aspx
Sincerely,
Luke Zhang
Microsoft Online Community Support
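The points raised in this thread (creating the key, a fresh IV per record, key kept apart from the data) can be seen together in the following added example, which is not code from any poster in the thread. It swaps in AES-256-CBC with an HMAC-SHA256 tag for the DESCryptoServiceProvider mentioned above. Assumptions: .NET 6 or later, and the hypothetical `FieldCrypto` class, its method names and the sample plaintext are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo; in the application both keys are loaded from outside the database.
byte[] encKey = FieldCrypto.NewKey(), macKey = FieldCrypto.NewKey();
string stored = FieldCrypto.Protect("constructed sample secret", encKey, macKey);
Console.WriteLine(stored);
Console.WriteLine(FieldCrypto.Unprotect(stored, encKey, macKey));

// Hypothetical helper class (assumption, not part of the thread).
static class FieldCrypto
{
    const int IvLen = 16, TagLen = 32;

    // Key creation: 32 random bytes from the OS CSPRNG, never a literal or a password.
    public static byte[] NewKey() => RandomNumberGenerator.GetBytes(32);

    // Column value = base64(IV || ciphertext || HMAC-SHA256(IV || ciphertext)).
    public static string Protect(string plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.GenerateIV();                          // fresh IV for every record
        byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(plaintext), aes.IV);
        byte[] body = new byte[IvLen + ct.Length];
        aes.IV.CopyTo(body, 0);
        ct.CopyTo(body, IvLen);
        byte[] tag = HMACSHA256.HashData(macKey, body);
        byte[] all = new byte[body.Length + TagLen];
        body.CopyTo(all, 0);
        tag.CopyTo(all, body.Length);
        return Convert.ToBase64String(all);
    }

    public static string Unprotect(string stored, byte[] encKey, byte[] macKey)
    {
        byte[] all = Convert.FromBase64String(stored);
        // Smallest valid value: IV + one padded cipher block + tag.
        if (all.Length < IvLen + 16 + TagLen) throw new CryptographicException("Value too short");
        byte[] body = all[..^TagLen];
        byte[] expected = HMACSHA256.HashData(macKey, body);
        // Verify the MAC in constant time before touching the ciphertext.
        if (!CryptographicOperations.FixedTimeEquals(expected, all.AsSpan(all.Length - TagLen)))
            throw new CryptographicException("MAC check failed");
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] pt = aes.DecryptCbc(body[IvLen..], body[..IvLen]);
        return Encoding.UTF8.GetString(pt);
    }
}
```

Encrypting the same plaintext twice yields different column values because of the per-record IV, and a value altered in the database fails the MAC check instead of decrypting to garbage.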