We are designing a .net web application that has an external and internal site.
Both sites need to encrypt data only the internal site needs to decrypt data.
We are wondering what are the best practices for:
Which encryption method to choose?
Where to store the encryption / decryption key?
i need to implement a standard encryption decryption logic across an entire project platform which has different clients implemented using different platforms as follows:
iphone app (objectiv c)
website (classic asp)
webservice (asp.net)
samsung bada app (c++)
the iphone app as well as the website need to send info to webservice using encrypted query strings
the web service then decrypts this and processes the info further
wanted to know the simplest way to achieve this. is there some free and ready to use binary available with an easy to use api to achieve this?
encryption needs to be as secure as possible
edited: currently we use AES on the website and webservice front
I am trying to encrypt/decrypt a file with CAPICOM in javascript. I have to encrypt file with private key and decrypt with public key. But I dont know how to do this with CAPICOM.
View 1 RepliesI have web.config file and it is encrypted completely and hosted in one server,Now I got one requirement to change admin person mail id. So I need to decrypt the web.config file and update the mail id then encrypt the config file again. Please tell me how to do this using aspnet_regiis -pdf commands?
View 1 RepliesThis is meant to be easy ...so ive been told, but still cant get it to work!I have a sql database hosted on a shared server which requires the use of sql authentication.As a result I require to encrypt my sensitive data in the config (connection strings etc).I understand that you can do this using aspnet_regiis etc, but ive been told that as I have no direct acccess to the server, I may need to program the encryption.
I have seen a few examples, but as a novice I have been banging away at this, looking at an errors screen most of the time!
I used the following command to encrypt my connection string but an error ocurred,
"The connection name'DatabaseConnectionString1' was not found in the applications configuration or the connection string is empty" How can I encrypt it while keeping the application working? What if I move the encrypted application to another computer? Will it work?
I am passing values through query string. I want to restrict the user to modify the url to get the unauthorized permissions.I want to encrypt the url so that user can not understand and decrypt and use in the code.How can i do this.If there is any method to restrict the user to modify the url,
View 2 RepliesI have a Triple DES Key generated by java code from a third party vendor. It is a 3 part key.
We need to use this key in our VB.NET application. When I try to combine this key and use it in my app
'Dim desTransform As ICryptoTransform = desCrypto.CreateEncryptor(EncryptKey(Key), EncryptIV(IV))' gives me an error ' Specified key is not a valid size for this algorithm)
I am new to cryptography and do not understand the algorithms well. How can I use the java generated key in our app for encrypt/decrypt.
I want the encryption and decryption codes in C# for RSA, MD5 and HMAC-SHA1 for generated key.
View 1 Repliesexplain me Secure Socket Layers (SSL) and how it provide the functionality of encryption and decryption of data ?
View 1 RepliesI have to Encrypt and Decrypt Back the Password field in sql server i have used the pwdencrypt and pwdCompare() but i dont have to compare but i have to display the password back using the Decrypt technique Is there any algorithm which i can use only for encryption and decryption of password field?
View 4 RepliesFor our website, we have decided we would like to maintain our user passwords as encrypted binary data in our database. We are using ASP.NET 3.5 to host our site and SQL Server Express 2008 for the database, both running on the same server. When a user logs in and submits a username and password, there will need to be some sort of encryption or decryption in order to verify the credentials. To me, it would appear that there are 3 ways to do this:
1)[C# Encyrption] On User creation, perform encryption in the Web App and submit the encrypted password to the database. To verify credentials at Login, perform the same encryption on the submitted password and ensure that it matches the value stored in the database.
2)[SQL Encryption] On User creation, submit the plain-text password to the database and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, have the database perform decryption on the password during the SELECT statement, and compare the plain-text submitted password to the one in the database.
3)[Mix] On User creation, submit the plain-text password to the database, and have it perform one of the SQL encryption variants during INSERT. To verify credentials at Login, perform the same encryption algorithm used by SQL on the submitted password ( is this possible? ), and ensure that it matches the value stored in the database.
Does anybody have an opinion as to which of these options is best? Number 1) is the most familiar to me, and would be the easiest to use with LINQ to SQL ( which is our current data model ), so I am leaning towards that. But if there are better options I would love to know about them.
When you need to store sensitive data such as CCs or SSNs, do you:1) Build your own encryption routine within the application, define a secret key somewhere in a config file, and then manually encrypt/decrypt data going to the database.2) Push all the problem to the database, using the built in DB capabilities (I think most vendors call it Transparent Database Encryption).What trade-offs have you find for your solution? Does writing your own routine perform poorly when compared to TDE? Is code maintainability, or conversely DB vendor lock-in an issue?
View 3 RepliesI am encrypting data (health care industry) using the aes encryption classes in the .net framework. What are some of the recommended locations for safely storing the key? I have it in the web.config for development, but that does not feel production worthy, to say the least.
View 4 RepliesI am developing a asp.net application to use the HMAC encryption (SHA1). I do not want to store the encryption keys in .config files or in database. In .net is there any other alternatives to securely store the encrption keys
View 1 RepliesI am creating an application that will save financial data.I am in the process of creating an architecture for this application.I am stuck deciding wether to do encryption on the application side or SQL Server side. I am planning to use AESManaged algorithm for this.My requirement is such that the ecnryption key is unique for each user (based on user's password).I am of the opinion that it should be on the application server side as it becomes easily scalable. Another attractive thing that I find is that if my frontend is Silverlight then I can pass on the actual encryption load onto the client system.
View 7 RepliesNot sure if I'm posting the question in the right category.
1) I'm working in a project where encryption of data is high priority. Could some one suggest what would be the best encryption method to protect data from being cracked.
I'm using TCP/IP protocol.
2) Is HTTPS totally secured. If I'm using HTTPS, does that mean that there is no encryption of data required in the coding?
How do I store a variable or object application wide in ASP.net MVC. In regular ASP, you had the Application object, and in ASP.net too apparently.
View 1 RepliesI'm creating a web application using asp.net & WCF as 3 tier architecture, which is mostly looks like a social website. Users can register with the system and they can upload their profile images, documents, video clips etc. So, what i want to know is what is the best way to store those files? In the wcf side or web application side ?
Also I want to know that, if i choose web application side to store those files as set of folders, how it makes those folders shared and allow access to another different project (such as a desktop client need to upload files into that shared folder) ?
how could i store a Asp.net Application variable by javascript.
View 2 RepliesI am working on a railway web application and I have following layers:
[Code]....
I pass Domain Entity Objects from Repository to Service layer and thinking of passing View Models from Service to Presentation layer. Website would require a login and after successful login I have to present a search screen with basic search (as default option) and option for advance search. Once user fills the
search criteria I have to gather data from DB & Web Services and present the results to user. User would select a particular Rail option and would move on to other additional options page BUT they should be allowed to change their previously selected Rail option by going back to Rail search results. I have to
always hold and present user's initial search criteria (basic and advance search options selected by user on the search wizard) on every screen and need these criteria in Service and Repository layers.
What is the best way to hold these search criteria and pass them from page to page within presentation layer and across layers? Should I create a View Model class for Search Options? Or a Domain Entity Object (I don't think so)? and best way to pass it across layers and from page to page with in presentation layer.
My question relates to the performance implications of reading application configuration data from an XML file.I am building an application that lists information from a database and needs to know how to display the lists, depending on the types of data returned.This is difficult to explain, but basically I would like to have an XML config file that lists the types and describes how to display them. This will allow me to change the display methods without re-compiling the application.
My question is really around performance. Given that my application will need to use this data many times during each page load...Should I be reading directly from the XML file and parse it each time I need it?
Or should I cache the XML object and parse it each time I need it?Or should I parse the XML once, generate some sort of object and cache that object?My guess is option 3, but I'm basically fishing for best practice around this.
I am working on a Railway Portal and would require maintaining a shopping cart of components user has selected, there could be multiple components of different type in the cart. I don't see a value in storing the cart in database, would like to store the final order in DB. Where can I store/hold (temporary) the cart data per user session in MVC? All MVC samples I saw online save the cart data in DB - not sure why.
MVC presentation layer will be communicating with external web services for pricing and availability of these components, so I can't store only the product IDs to do a lookup for actual product descriptions/prices during the shopping process... I have to store everything in the cart (Product IDs, Descriptions, Prices etc) some place in memory. My application will be running in WEB FARM environment and cannot use in-process session storage.
Options come to my mind are:
SESSION STATE in SQL SERVER Using some kind of Distributed Caching Mechanism to store Session data such as "Windows Server AppFabric"
I have until now always stored my lists definitions for labels and values for dropdownboxes in my own defined Xml files. These lists labels I then match with a language file (.resx) ..... so far so good but now I am starting a new project. Should I continue with my old habbits or is there a better way of storing label constants for my dropdown boxes throughout my application?
I would be happy skipping my read and write rutines for my onw structure if there is a better dedicated one for the purpose.
Exploring the feasibility of something here... We have a UI page in the mvc3 web-application that the admin will use to upload a 'csv' file. Is it possible to have an SSIS package that will be called by the application..that will validate/transform all these data and store into db if its all valid or throw back error details to application if there are invalid data?
Just trying to leverage the capabilities of SSIS to do the parsing of file and transformation of data. If this is not possible, is there a better way?
update: yes, need to execute ssis on the fly.. and give back a message on the UI page. telling the'uploader' if his upload failed or not based on message that SSIS would give back to the application.