| Storing Sensitive Data Securely
By 15 Seconds Discussion List | Rating: 2.3 out of 5
Rate this article |
email this article to a colleague
suggest an article| Ben Asks: Hi, I need to store Credit Card details in a MSSQL DB on a W2K server. I am
just really interested in the security implications. If I install a
security certificate for accessing the sensitive data over the web will this
be sufficient to stop anyone getting this data? If anyone has any tips or advice on such issues I would love to hear from
you. Chris Replies: Hi, The more security the better, but I would encrypt the data using blowfish or
somesuch. Also, unless this is not possible, consider having the sql box
inaccessible from the internet by sticking it on the back of the web server
or networked with named pipes, etc.
Paul Says: if you have to ask, it's likely that someone could get the data. Check out
this book: http://www.amazon.com/exec/obidos/ASIN/0735609950/qid=988705948/sr=1-1/ref=s
c_b_2/107-0328823-3747724 Consider paying for a security audit or at least run something like ISS on
the box(es) and patch *every* security hotfix for the web and database
server. The number of boxes out there that are unicode exploitable is
astounding. with just that, you can take over a domain in a matter of
minutes. Whatever you do, do not store the cc numbers in plain text.
Arnold Offers: I'm currently encrypting sensitive information fields in an ACCESS/SQL db,
using crypto product from Dyncrypto. The design, based on asymmetric
crypto, uses the password as the private key, which isn't stored as
cleartext, but rather hashed. ***Therefore, even in the case of total database compromise, the information
is protected.*** This was the key requirement underlying the design -- a
certificate provides no help in this, the worst case. There are some significant details to be worked out in this approach, esp.
in making the info available to the support staff, but all certainly
solvable.
Rob Shares: A solution that I put in place previously was to have a dedicated machine
with SQL server installed, and allow only one machine share the trusted
domain with it. This one machine has the COM object, the only place where
the key to encrypt/decrypt the data is stored. I got the CTO to type in
the password, hit compile, and then exit VB without saving. I have no idea
on the key at all. And only that one person knows it. He is also the only
person that has access to login at the very machine storing the data. This
data is never passed outside of the firewall in any manner. This has
proven to be somewhat secure, all I need to do now, is get them to lock the
freaken door on the office. I've cut off all internet access to this machine, other than through the one
machine, the one COM, with the trusted connection, etc... This conversation string was taken from the 15Seconds ASP Listserv on 4/30/01. If you have an ASP-related question or would like to share some of your knowledge with others, you may join the list by clicking here.
|
| | | Supporting Products/Tools | | AspEncrypt | | Built around the Microsoft CryptoAPI, AspEncrypt helps you harness all major encryption and hashing algorithms such as DES, Triple-DES, RC2, RC4, RSA, MD5 and SHA1 in just a few lines of code. The component can be used in tandem with AspEmail to send encrypted and signed mail in the industry-standard S/MIME format, or with AspUpload to encrypt files as they are being uploaded. AspEncrypt can also be used to issue and manage X.509 digital certificates. |
[Top] |
| | AspPDF | | AspPDF is an ASP/ASP.NET component which enables generation and management of documents in PDF format. Features include advanced text formatting, font embedding, form fill-in, images, tables, content and page extraction, document stitching, encryption, digital signatures, and more. |
[Top] |
|
| | Other Articles | | Feb 3, 2005 - ASP.NET Mixed Mode Authentication | | In many web applications it is desirable for both intranet users and external parties to be able to seamlessly log onto the system. The problem this raises is that it is not easy to allow intranet users to log in via Windows integrated authentication while also allowing external parties to log in to the same application using standard forms authentication. This article will show you one way to achieve the best of both worlds when it comes to authentication.
[Read This Article] [Top] |
| | | | | | Feb 2, 2004 - Fighting Spambots with .NET and AI | | Bill Gates, in a recent interview, predicted the end of spam by 2006. One of the methods he mentioned involved a challenge only a real live person could handle. Adnan Masood shows how to use AI and .NET to create a user verification scheme that incorporates similar concepts Gates alluded to.
[Read This Article] [Top] |
| | | | |
| Mailing List
Want to receive email when the next article is published? Just Click Here to sign up. |
|
