Encrypted mail in ASP.NET

Michael

Hi folks,

I have to build a web-application for the internet where the user
gets a form where he can fill in his name, address and so on.
He also can provide a credit number.
The data will be sent over SSL.

On the server I want to put all the stuff into a mail and send it
to the company. This should also be encrypted somehow.
I read some articles about encrypted mail, but didn't really find a
fitting answer.

Does the .NET Framework provide any classes for that?
Has anyone done anything like that?
Any other ideas how I could resolve that problem?

thx in advance
Michael
 
Guest

Is mail the only transport method available?

If you have to go with mail make sure that you're using a method where you:
1. Encrypt the data with the recipient's public key.
2. Sign the message with your private key.

.NET has many encryption classes in System.Security.Cryptography, but there
is no direct support, AFAIK, for any encrypted email standards.
 
M. Burnett

There is no easy way to send encrypted e-mail from ASP.NET; you would have
to write that functionality yourself or buy something that does that for
you. I assume you want to accomplish two things by encrypting the e-mail:
protect the data in transit and prove that the e-mail is authentic and
unmodified. Encrypting an e-mail means that only the recipient can view the
plaintext message. To do this, the recipient must provide you with his or
her public key, if they have one. Signing an e-mail means that the recipient
can prove that the message came from you and has not been modified since you
signed it. Signing requires that you make your public key available to the
recipient.

Obviously, implementing encryption and signing means you need to modify your
application to handle and store user private keys. Another problem is that
to sign outgoing e-mails you need to keep your private key on the web server
and the web application needs to be able to read it. This could be a risk if
someone ever compromised your web server. If that happened, the intruder
could send fake e-mails and sign them with your signature.

You can sign and encrypt e-mails with PGP and S/MIME. Using S/MIME
requires functions from CryptoAPI that the .NET framework doesn't expose. It
is a fairly complex process if you are not familiar with encryption and
public key concepts. As for PGP, I have seen people integrate that into
their application by shelling out to the gpg or pgp command line. Here are
some links for that:
http://www.15seconds.com/issue/011002.htm
http://www.codeproject.com/csharp/gnupgdotnet.asp

One problem with PGP is that the recipient needs to have it installed on
their end to view the plaintext message.

Although I would love to see every web site use encrypted e-mail, it just
isn't practical or pervasive enough to implement yet. Furthermore,
encrypting an e-mail doesn't guarantee the safety of the data once it is
sitting in the user's inbox. The best solution is to simply not send
sensitive information in an e-mail. One alternative is to send the user a
temporary link to a web page that displays the information to the user over
an SSL connection.


Mark Burnett
Hacking the Code: ASP.NET Web Application Security
http://www.hackingthecode.com
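
Added example, not part of the thread or of any poster's code: the gpg shell-out approach mentioned in the reply above, combining the two steps from the earlier reply (encrypt with the recipient's public key, sign with your private key). It assumes a modern .NET runtime (for `ProcessStartInfo.ArgumentList`), a `gpg` binary on the PATH, and a keyring that already holds a trusted recipient key and a signing key usable without a prompt; the key names, homedir path and sample form text are constructed placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Threading.Tasks;

public static class GpgMail
{
    // Returns an ASCII-armored message that is signed by `signer` and readable
    // only by `recipient`. Plaintext goes in over stdin, so it never touches disk.
    public static string EncryptAndSign(string plaintext, string recipient,
                                        string signer, string homeDir)
    {
        var psi = new ProcessStartInfo("gpg")
        {
            RedirectStandardInput = true,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            StandardInputEncoding = new UTF8Encoding(false), // UTF-8, no BOM
            UseShellExecute = false,   // no shell, so no shell metacharacters
            CreateNoWindow = true
        };
        // Each value is its own argv entry; spaces or quotes in a value
        // cannot split it into additional arguments.
        foreach (var arg in new[] { "--batch", "--no-tty", "--armor",
                                    "--homedir", homeDir,
                                    "--local-user", signer,
                                    "--recipient", recipient,
                                    "--sign", "--encrypt" })
            psi.ArgumentList.Add(arg);

        using (var gpg = Process.Start(psi))
        {
            // Read both pipes asynchronously so a full pipe cannot deadlock us.
            Task<string> stdout = gpg.StandardOutput.ReadToEndAsync();
            Task<string> stderr = gpg.StandardError.ReadToEndAsync();
            gpg.StandardInput.Write(plaintext);
            gpg.StandardInput.Close();
            gpg.WaitForExit();
            // In batch mode gpg exits non-zero for an unknown or untrusted
            // recipient key or a locked signing key: fail closed, send nothing.
            if (gpg.ExitCode != 0)
                throw new InvalidOperationException("gpg failed: " + stderr.Result);
            return stdout.Result;
        }
    }

    public static void Main()
    {
        // Constructed sample input; addresses and path are placeholders.
        Console.WriteLine(EncryptAndSign("Name: Test User\nCard: 4111 1111 1111 1111",
            "orders@example.com", "webapp@example.com", "/path/to/app-gnupg-home"));
    }
}
```

The signing key in that homedir has to be readable by the web application's account, which is the exposure described in the reply above; dropping `--sign` and `--local-user` leaves only public keys on the web server.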
 
Michael

Hi Mark, hi Brad,

thank you very much for your very detailed answers.
It rather seems to me that the encrypted mail stuff is pretty
complicated and probably too much effort.
I will try to encrypt the data and save it in a database.
The recipient will get the decryption key to decrypt the data.
This seems to be the cheapest and probably safest way to handle the
problem.

hope it works:)

greetz
Michael
 
