Any suggestions for what encryption method to use for sensitive database values?

Alan Silver

Hello,

I am writing a page where sensitive data is collected (over SSL) and
stored in a database. I have been looking at the .NET encryption
classes, but am a bit confused as to which is best for my purposes.
There seem to be quite a few different ways of doing it, and I'm not
sure what's most suitable for me.

Anyone any suggestions? I only need to be able to store the data in such
a way that someone without access to my (to see how I'm doing it) can't
decipher the info.

Any suggestions welcome. TIA
 
Peter Kelcey

Alan,

First off, I'd recommend the following MSDN article.
msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh14.asp

Also, here is a little blurb about the various algorithms available.

"Larger key sizes generally increase security. The following list
summarizes the major algorithms together with the key sizes that each
uses:

Data Encryption Standard (DES) 64-bit key (8 bytes)
TripleDES 128-bit key or 192-bit key (16 or 24 bytes)
Rijndael 128-256 bit keys (16-32 bytes)
RSA 384-16,384 bit keys (48-2,048 bytes)

For large data encryption, use the TripleDES symmetric encryption
algorithm. For slower and stronger encryption of large data, use
Rijndael. To encrypt data that is to be stored for short periods of
time, you can consider using a faster but weaker algorithm such as DES.
For digital signatures, use Rivest, Shamir, and Adleman (RSA) or
Digital Signature Algorithm (DSA). For hashing, use the Secure Hash
Algorithm (SHA)1.0. For keyed hashes, use the Hash-based Message
Authentication Code (HMAC) SHA1.0."

Peter Kelcey
 
Alan Silver

Peter,

Thanks for the reply and the link, but I'm still not much clearer about
the encryption issue. I have to point out that I'm completely new at
encryption, so please be patient.

I understand that stronger encryption takes longer, but is more secure.
How much of an issue is this? The information I'm talking about is not
huge, probably about 50 characters long. I need it to be secure as it's
going to sit in the database permanently. Is it hard to switch between
algorithms? If not, then I could try them all and see how much impact it
has on performance.

So, assuming I've picked an algorithm, how do I go about using it? I've
spent ages trying to find some code that will take a string value and a
key and return an encoded string. That's all I need. Most of the
examples I have seen show how to encrypt a file, which is not what I
need. Do you have a simple example of this? I'm sure it's not hard, but
I just can't find anything. I'm using C# by the way.

Thanks again for the reply. I would really appreciate it if you can
point me in the direction of some samples. The SDK is great for
reference, but useless for learning. I haven't found anything on the web
yet that was what I wanted. Most of it was way too complex for such a
simple task too!!
 
Alan Silver

I've spent ages trying to find some code that will take a string value
and a key and return an encoded string.

....and I finally found one!! I saw
http://www.obviex.com/samples/Code.aspx?Source=EncryptionCS&Title=Symmetric Key Encryption&Lang=C#
which does exactly what I want. I tinkered with it a bit to make it more
suitable for me, but it works fine.

Whilst trying to understand it, I was looking up the
RijndaelManaged.CreateEncryptor method, which takes two parameters, a
key and an IV. I guess the key is the value used to encrypt the text,
but what's the IV? I can't see this explained anywhere.

Also, what is a salt value? The PasswordDeriveBytes constructor takes
one, but again, I can't see what it is.

If anyone can explain these two in simple terms, I would be very
grateful.
 
Rob Schieber

Alan said:
...and I finally found one!! I saw
http://www.obviex.com/samples/Code.aspx?Source=EncryptionCS&Title=Symmetric Key Encryption&Lang=C#

which does exactly what I want. I tinkered with it a bit to make it more
suitable for me, but it works fine.

Whilst trying to understand it, I was looking up the
RijndaelManaged.CreateEncryptor method, which takes two parameters, a
key and an IV. I guess the key is the value used to encrypt the text,
but what's the IV? I can't see this explained anywhere.

Also, what is a salt value? The PasswordDeriveBytes constructor takes
one, but again, I can't see what it is.

If anyone can explain these two in simple terms, I would be very grateful.

Alan,

A salt and an IV are the same thing. Basically they are used to prevent
dictionary attacks (i.e. an attack where the attacker uses common words,
etc. to break your encryption) against your encryption.

In Rijndael, I believe the IV is generated from the first few blocks of
plain text. In other algorithms Salts/IVs are generated differently.
 
Alan Silver

Alan,

A salt and an IV are the same thing. Basically they are used to
prevent dictionary attacks (i.e. an attack where the attacker uses
common words, etc. to break your encryption) against your encryption.

In Rijndael, I believe the IV is generated from the first few blocks
of plain text. In other algorithms Salts/IVs are generated differently.

Thanks for the explanation. In the sample code, the author commented
about the IV...

"Initialization vector (or IV). This value is required to encrypt the
first block of plaintext data. For RijndaelManaged class IV must be
exactly 16 ASCII characters long"

Why does it have to be 16 characters long? The value he used was
hard-coded in his example, it wasn't generated from the text. I'm still
a bit confused about this. Do I just use a single fixed value, or should
I vary it each time?

Thanks for your reply, any further explanations would be welcome.
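The two values asked about above play different roles, and the sample code's hard-coded 16-character IV is the part worth changing. A salt is an input to the key derivation (PasswordDeriveBytes in the obviex sample; Rfc2898DeriveBytes, which implements PBKDF2, is the current .NET class for this): it makes the derived key differ per record even when the passphrase is the same. An IV is an input to the cipher itself: it must be exactly one block (16 bytes for Rijndael/AES, whatever the key size), and it must be fresh for every encryption, otherwise two records with the same leading plaintext produce the same leading ciphertext. Neither the salt nor the IV needs to be secret, so both are stored next to the ciphertext. The following is an added example, not the obviex code or anything posted in this thread; it assumes .NET 6 or later (for RandomNumberGenerator.GetBytes and Rfc2898DeriveBytes.Pbkdf2), uses AES-CBC through the same CreateEncryptor(key, iv) call discussed above, and adds an HMAC so a modified database value is rejected instead of decrypting to garbage. The iteration count and the storage layout are choices made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread. Assumes .NET 6 or later.
// Stored layout, Base64-encoded: salt(16) || iv(16) || AES-CBC ciphertext || HMAC-SHA256 tag(32)
public static class SensitiveFieldCrypto
{
    const int SaltSize = 16;        // random per record; fed to the key derivation only
    const int IvSize = 16;          // AES block size; the IV is always exactly one block
    const int KeySize = 32;         // AES-256 key
    const int TagSize = 32;         // HMAC-SHA256 output
    const int Iterations = 600_000; // PBKDF2 work factor (assumption; tune to your hardware)

    // The salt goes into the key derivation: a fresh salt gives a fresh key pair per record.
    static (byte[] encKey, byte[] macKey) DeriveKeys(string passphrase, byte[] salt)
    {
        byte[] km = Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 2 * KeySize);
        return (km[..KeySize], km[KeySize..]);
    }

    public static string Encrypt(string plaintext, string passphrase)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] iv = RandomNumberGenerator.GetBytes(IvSize); // the IV goes into the cipher; new one per call
        (byte[] encKey, byte[] macKey) = DeriveKeys(passphrase, salt);

        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct;
        using (Aes aes = Aes.Create())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using ICryptoTransform enc = aes.CreateEncryptor(encKey, iv);
            ct = enc.TransformFinalBlock(pt, 0, pt.Length);
        }

        int bodyLen = SaltSize + IvSize + ct.Length;
        byte[] blob = new byte[bodyLen + TagSize];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(iv, 0, blob, SaltSize, IvSize);
        Buffer.BlockCopy(ct, 0, blob, SaltSize + IvSize, ct.Length);
        // Encrypt-then-MAC over salt, IV and ciphertext: tampering is detected before any decryption.
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, bodyLen);
            Buffer.BlockCopy(tag, 0, blob, bodyLen, TagSize);
        }
        CryptographicOperations.ZeroMemory(encKey);
        CryptographicOperations.ZeroMemory(macKey);
        return Convert.ToBase64String(blob);
    }

    public static string Decrypt(string stored, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(stored);
        // Smallest valid value: salt + IV + one padded block + tag.
        if (blob.Length < SaltSize + IvSize + 16 + TagSize)
            throw new CryptographicException("stored value is too short");

        byte[] salt = blob[..SaltSize];
        byte[] iv = blob[SaltSize..(SaltSize + IvSize)];
        int bodyLen = blob.Length - TagSize;
        (byte[] encKey, byte[] macKey) = DeriveKeys(passphrase, salt);

        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, bodyLen);
        // Constant-time compare so the check itself leaks nothing about the tag.
        if (!CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(bodyLen)))
            throw new CryptographicException("authentication failed: wrong passphrase or modified value");

        using Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        using ICryptoTransform dec = aes.CreateDecryptor(encKey, iv);
        byte[] pt = dec.TransformFinalBlock(blob, SaltSize + IvSize, bodyLen - SaltSize - IvSize);
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        // Constructed sample data; the real passphrase belongs in configuration or a key store, not in the database.
        const string passphrase = "correct horse battery staple";
        const string secret = "Account 12345678, sort code 12-34-56, ref ABC-987";

        string first = Encrypt(secret, passphrase);
        string second = Encrypt(secret, passphrase);
        Console.WriteLine($"same plaintext, different stored values: {first != second}"); // fresh salt and IV each call
        Console.WriteLine($"round trip matches: {Decrypt(first, passphrase) == secret}");

        byte[] tampered = Convert.FromBase64String(first);
        tampered[SaltSize + IvSize] ^= 0x01; // flip one bit of the ciphertext
        try { Decrypt(Convert.ToBase64String(tampered), passphrase); }
        catch (CryptographicException e) { Console.WriteLine($"tampered value rejected: {e.Message}"); }
    }
}
```

If the target is .NET Core 3.0 or later, the AesGcm class does the encryption and the integrity check in one call and is the simpler choice for new code; the CBC-plus-HMAC layout above is shown because it maps directly onto the CreateEncryptor(key, iv) API the thread is discussing. Either way the thing that must stay fixed and secret is the passphrase (or key), not the IV.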
 
Alan Silver

In Rijndael, I believe the IV is generated from the first few blocks
of plain text. In other algorithms Salts/IVs are generated differently.

Sorry, me again ;-)

Well, I have some test code working very well, so all looks set for
incorporating this into the real code. However, I have another
question...

Do you have any idea of the relationship between the length of the plain
text string and the length of the encoded string. I can't spot an
obvious one, nor have I seen one mentioned. I need to know how big my
database table field needs to be to ensure that the encrypted data will
fit. As I said, my plain text strings are all about 50 characters long.

Thanks again.
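There is a fixed relationship, it is just not linear in characters. AES (Rijndael) in CBC mode with PKCS7 padding always appends between 1 and 16 bytes, so the ciphertext is the next multiple of 16 strictly above the plaintext byte count; a 50-byte string becomes 64 bytes, and a 64-byte string becomes 80. Two things then hide the pattern: the plaintext is measured in UTF-8 bytes, not characters (accented or non-Latin characters take 2 to 4 bytes each), and Base64 encoding for storage grows the result by a further 4/3. Anything stored alongside the ciphertext (salt, IV, authentication tag) adds to the total too. The added example below, which is not from the thread or the obviex sample and assumes .NET 6 or later, measures the real ciphertext length for several inputs and compares it with the formula; the storage layout salt(16) || iv(16) || ciphertext || HMAC-SHA256 tag(32) is an assumption used to size the field.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread: how large the encrypted field gets. Assumes .NET 6 or later.
public static class CiphertextSize
{
    // AES-CBC with PKCS7 padding always appends 1..16 bytes, so the ciphertext is the
    // smallest multiple of 16 strictly greater than the plaintext byte count.
    public static int PaddedLength(int plaintextBytes) => (plaintextBytes / 16 + 1) * 16;

    // Base64 turns every 3 bytes (rounded up) into 4 characters.
    public static int Base64Length(int bytes) => (bytes + 2) / 3 * 4;

    // Characters needed to store salt(16) || iv(16) || ciphertext || HMAC-SHA256 tag(32) as Base64
    // (assumed layout for this example).
    public static int StoredLength(int plaintextBytes) => Base64Length(16 + 16 + PaddedLength(plaintextBytes) + 32);

    public static void Main()
    {
        using Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        // All-zero key and IV: only for measuring lengths, never for real data.
        byte[] key = new byte[32], iv = new byte[16];

        string[] samples =                      // constructed inputs
        {
            "",
            "a",
            "fifteen chars..",                  // 15 bytes: padded to 16
            "exactly sixteen!",                 // 16 bytes: padded to 32 (a whole padding block is added)
            new string('x', 50),                // the 50-character case from the thread
            "ünïcödé: é à ü ñ ø å ß ç",         // non-ASCII: more UTF-8 bytes than characters
        };

        foreach (string s in samples)
        {
            byte[] pt = Encoding.UTF8.GetBytes(s);
            using ICryptoTransform enc = aes.CreateEncryptor(key, iv);
            byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
            Console.WriteLine($"{s.Length,3} chars = {pt.Length,3} bytes -> {ct.Length,3} cipher bytes " +
                              $"(formula {PaddedLength(pt.Length),3}), {StoredLength(pt.Length),3} chars in the DB");
        }
    }
}
```

For the 50-byte case the numbers come out as 64 ciphertext bytes, a 128-byte blob with salt, IV and tag, and 172 Base64 characters, so a varchar(256) column leaves room for plaintexts up to about 100 bytes. Size the column from the maximum byte length of the input rather than its character count, or store the raw bytes in a varbinary column and skip the Base64 step.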
 
Alan Silver

I understand that stronger encryption takes longer, but is more secure.
How much of an issue is this? The information I'm talking about is not
huge, probably about 50 characters long.

In case anyone is interested, I did some tests, and using the code found
at the URL I posted yesterday, I could encrypt and then decrypt a string
of 50 characters ten thousand times using SHA1 in 375 milliseconds!!

I don't think performance is going to be an issue here ;-)
 
