Wrox Programmer Forums
BOOK: ASP.NET Website Programming Problem-Design-Solution
This is the forum to discuss the Wrox book ASP.NET Website Programming: Problem - Design - Solution, Visual Basic .NET Edition by Marco Bellinaso, Kevin Hoffman; ISBN: 9780764543869
March 2nd, 2005, 11:22 AM | Authorized User (Join Date: Jul 2003, Posts: 52)
SecurityLib from E-Commerce

Hi,
I'm trying to incorporate the 'SecurityLib' project from the ASP.Net E-Commerce "WROX JokeShop" site into my 'thePhile' application. Has anyone done this, or worked with it?

The 'SecurityLib' in WROXJokeShop is a standalone with no 'get', 'update', 'add' or 'delete' functions of its own. I need advice whether I can use it like that in 'thePhile'. For instance, if I have functions in 'thePhile' accounts.business to 'get' or 'update' card info to the accounts_users table, can I use the 'SecurityLib' to encrypt the data right in the functions that reside in accounts.business?

If anyone has had any experience here, plz let me know and maybe you can assist me correcting some methods?

Thx much,


Reid C.
 
March 3rd, 2005, 08:36 AM | Friend of Wrox (Join Date: Jun 2003, Posts: 917)

Is your objective to encrypt the data items stored in the database?

There are a lot of ways to do this. It's not terribly difficult and I'm not sure if it's worth the effort to use another lib for this.

Encryption will slow down the web site, but it won't be noticeable unless you have a lot of users online.

Eric
 
March 3rd, 2005, 10:47 AM | Authorized User (Join Date: Jul 2003, Posts: 52)

Hi Eric,
good to hear from you as always. I looked at the 'SecurityLib' from WROX Joke shop and figured it looks like an 'elegant solution' because the encrypt, decrypt, createxml, extractxml, etc. are all written and I've already modified them to contain my parameters.

With that said, I'd love to know an easier solution. The basic thing I need, with an "update creditcard" form, is to be able to view current info (if any exists) in two textboxes, and add with encryption when info needs to be added. So far what I'm trying is a real mess, but here's the "page_Load" for the page:
<code>
Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
    UserIdentifier.Text = "Account Details For: "
    If Not IsPostBack Then
        ' the logged-in user, cast to thePhile's SiteIdentity
        Dim CurrentUser As SiteIdentity = CType(Context.User.Identity, SiteIdentity)
        Dim CompanyName As String = CurrentUser.CompanyName
        UserIdentifier.Text = UserIdentifier.Text & "<b>" & CurrentUser.CompanyName & "</b>"

        ' NOTE: this passes a string literal to SecureCard, not the result of
        ' GetUserAccountData, so no stored account data is actually loaded here
        Dim AccountDetails As SecureCard = New SecureCard("GetUserAccountData(_DdRouter, _DdAccount)")
        txtDdRouter.Text = AccountDetails.DDRouterX
        txtDdAccount.Text = AccountDetails.DDAccountX
    End If
End Sub
</code>

...and here's my "get" and "update" functions:
<code>
Public Function Update(ByVal CompanyName As String, ByVal DdRouter As String, _
                       ByVal DdAccount As String) As Boolean
    ' data-tier object for the accounts_users table
    Dim theAccount As New Data.DDBankInfo(mySettings.ConnectionString)
    theAccount.Update(CompanyName, DdRouter, DdAccount)
    Return True   ' the function declared Boolean but returned nothing before
End Function

Public Function GetUserAccountData(ByVal CompanyName As String) As DataSet
    Dim theAccount As New Data.DDBankInfo(mySettings.ConnectionString)
    Dim AccountData As DataSet = theAccount.GetUserAccountData(CompanyName)
    Return AccountData
End Function
</code>
These above functions are in the Accounts.Business class library. They and the "Page_Load" and the "btn_Update" (not shown) don't currently work, obviously.
...my basic dilemma is thus:

1) do I incorporate the "encryptdata", "decryptdata" etc. from the 'SecurityLib' right in the business class functions, or do I convert the 'SecurityLib' into data, business, and config projects like the others?

Or do I scrap this whole process in favor of a better suggestion?

Thx as always for looking and any suggestion.


Reid C.
 
March 6th, 2005, 09:10 PM | Friend of Wrox (Join Date: Jun 2003, Posts: 917)

Please drop back a notch and explain the business requirement you have. It's not good to discuss code until I know what you are trying to accomplish.

I guess you need to keep data encrypted while it's inside your database, right? (by the way, I think SQL Server 2005 can do this for you automatically).

The biggest question, and the one that causes most security loopholes, is how are you going to store the encryption/decryption key? The best answer to this (which is also a terribly slow choice from a web perspective, where you want fast page processing) is to use the Windows Data Protection API (DPAPI). This keeps the key well hidden in the registry. This is very secure, but also very slow.

There are some simpler methods - normally related to how you store connection strings. These aren't just hard-coded in a config file, are they? If your data is important enough to protect in the database (and I believe you are right in wanting to encrypt it), then you also need to protect the connection strings. Connection strings are the keys to the database. Don't let anyone have the keys just because the most sensitive data is encrypted - you want to lock down the DB the best you can without resorting to very slow complex processes.

You might want to store the connection strings in one XML config file, and the DB encryption key in another. But, both of these config files should have their sensitive data encrypted with a different scheme, and that password can be stored in the registry in a non-obvious place.

This sounds more complex than it is. It's not bad from a runtime viewpoint, you simply have one ConnectionString class that will serve up connection strings (and encryption key for the database) to all the other modules that want one. If you're using one ASP.NET application, the decrypted sensitive data (connection strings and encryption key for the database) might be held in the data cache, thereby giving you fast access and a good bit of protection - no clear text sensitive data is stored in an easily accessible manner on the hard disk.

If your company does business in California, or has any Californian customers, then this kind of thing is critical from a legal perspective. But whether you must do it for legal reasons, or common sense reasons, it's an important topic and you need to consider the security profile of the entire application. The weakest links need to be protected, along with consideration of more advanced issues (preventing cross-site scripting, SQL injection, etc).

Eric
 
March 15th, 2005, 12:24 AM | Authorized User (Join Date: Jul 2003, Posts: 52)

Hey Eric,

sorry I'm late responding, been out of town for a week.

Right now I have no commercial project for this. I've been working the better part of a year with thePhile as a way to educate myself on web programming and learning to work with a language--in my case, VB.Net. I hope to use what I learn to do contract programming for a local tech company that sells hardware, software and services. But I'm obviously not ready yet. What I am doing is adding what I feel are 'essentials' to thePhile, which is a great system that I have enjoyed working with and have learned a lot from.

Here's where I am--I have written an 'update' page to go from thePhile's "MyAccount" page to input card/account info into the accounts_users table, with encryption.

I have put update subs right into the "User" classes in the business and data tiers. I have also 'borrowed' the encryption subs from the "ASP.NET E-Commerce" book (WROX Joke Shop) and placed those into the accounts.business "User" class. My page updates the database just fine--real easy to make that happen--but without the data encrypted. Unfortunately, "WROX Joke Shop" is not constructed in the same data-business-presentation 3-tier method as "thePhile" is built in, so I am guessing as to where to reference the encryption subs I'm trying to adapt from there.

I thought it was a natural to have them in the business class, so here's how I did it:
------------
Public Function UpdateBankAccountData() As Boolean
    ' data-tier object for the accounts_users table
    Dim theAccount As New Data.DDBankInfo(myModuleSettings.ConnectionString)
    Return theAccount.UpdateBankAccountData( _
        myCompanyName, _
        myDdRouter, _
        myDdAccount)
    EncryptData()   ' never reached: the Return above has already left the function
End Function
------------
...and here's my handler in the page's code-behind:
------------
Private Sub btnConfirm_Click(ByVal Sender As Object, ByVal e As EventArgs) _
        Handles btnConfirm.Click
    ' current values for the logged-in user
    Dim currentUser As New AccBusiness.User(CType(Context.User, SitePrincipal))
    Dim CompanyName As String = currentUser.CompanyName
    Dim DdRouter As String = currentUser.DdRouter
    Dim DdAccount As String = currentUser.DdAccount

    ' copy the textbox values into a second User object and save it
    Dim UpdatedAccount As AccBusiness.User = New AccBusiness.User( _
        CType(Context.User, SitePrincipal))
    UpdatedAccount.DdRouter = txtDdRouter.Text
    UpdatedAccount.DdAccount = txtDdAccount.Text
    UpdatedAccount.UpdateBankAccountData()

    Response.Redirect("MyAccount.aspx")
End Sub
------------
...as you can see from the above, I have only referenced the "EncryptData()" sub in the business class's "UpdateBankAccountData" function. This is obviously wrong since I'm getting a non-encrypted, but completed transaction in the datarow.

I don't know if the encryption methods (and references) belong in the data tier, or need to be written into the event handler, or what???

If you have any suggestions, I'd appreciate it.

Also, I am just now delving into SQLServer 2005 and the built-in encryption, but I want to learn this so as to have an application-based solution for encryption so I can work in multiple database environments (make sense?).

Sorry so long and thanks again for looking at this.


Reid C.
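Eric's key-management advice (keep the key out of clear-text config, cache the decrypted key in memory) and the question of where EncryptData() belongs come down to the same design: the business tier encrypts each field before it calls the data tier and decrypts what the data tier hands back, using a key the application loads from a DPAPI-protected file. The VB.NET below is an added example written for this thread; it is not code from thePhile, the WROX JokeShop SecurityLib or either book. It assumes .NET 2.0 or later (System.Security.Cryptography.ProtectedData), uses a constructed in-memory dictionary in place of the accounts_users table, and the class names (KeyStore, FieldCipher, DDBankInfoStub, BankAccount) and the key file path are hypothetical.

```vb
Imports System
Imports System.IO
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' Added example, not code from thePhile or the SecurityLib. Requires .NET 2.0 or later.
Public Class KeyStore
    ' The 256-bit AES key sits on disk DPAPI-protected under the account the application
    ' runs as; the file copied to another machine or user account cannot be unprotected.
    Private Shared cachedKey As Byte() = Nothing

    Public Shared Function GetKey(ByVal keyPath As String) As Byte()
        If cachedKey IsNot Nothing Then Return cachedKey   ' unprotect once, keep in memory
        If File.Exists(keyPath) Then
            cachedKey = ProtectedData.Unprotect(File.ReadAllBytes(keyPath), Nothing, _
                                                DataProtectionScope.CurrentUser)
        Else
            Dim fresh(31) As Byte   ' 32 bytes = 256-bit key, generated on first use
            Using rng As New RNGCryptoServiceProvider()
                rng.GetBytes(fresh)
            End Using
            File.WriteAllBytes(keyPath, ProtectedData.Protect(fresh, Nothing, _
                                                                DataProtectionScope.CurrentUser))
            cachedKey = fresh
        End If
        Return cachedKey
    End Function
End Class

Public Class FieldCipher
    ' AES-CBC with a fresh random IV per value, stored in front of the ciphertext, so two
    ' companies with the same account number never produce the same stored string.
    Private ReadOnly key As Byte()

    Public Sub New(ByVal key As Byte())
        Me.key = key
    End Sub

    Public Function Encrypt(ByVal plainText As String) As String
        Using aes As New RijndaelManaged()
            aes.Key = key
            aes.GenerateIV()
            Using enc As ICryptoTransform = aes.CreateEncryptor()
                Dim plain As Byte() = Encoding.UTF8.GetBytes(plainText)
                Dim cipher As Byte() = enc.TransformFinalBlock(plain, 0, plain.Length)
                Dim packed(aes.IV.Length + cipher.Length - 1) As Byte
                Buffer.BlockCopy(aes.IV, 0, packed, 0, aes.IV.Length)
                Buffer.BlockCopy(cipher, 0, packed, aes.IV.Length, cipher.Length)
                Return Convert.ToBase64String(packed)   ' text-safe for a varchar column
            End Using
        End Using
    End Function

    Public Function Decrypt(ByVal encoded As String) As String
        Dim packed As Byte() = Convert.FromBase64String(encoded)
        Using aes As New RijndaelManaged()
            aes.Key = key
            Dim iv(aes.BlockSize \ 8 - 1) As Byte   ' first 16 bytes are the IV
            Buffer.BlockCopy(packed, 0, iv, 0, iv.Length)
            aes.IV = iv
            Using dec As ICryptoTransform = aes.CreateDecryptor()
                Return Encoding.UTF8.GetString( _
                    dec.TransformFinalBlock(packed, iv.Length, packed.Length - iv.Length))
            End Using
        End Using
    End Function
End Class

' Constructed stand-in for the data tier (Data.DDBankInfo): a dictionary plays the
' accounts_users table. It only ever sees ciphertext and knows nothing about the key.
Public Class DDBankInfoStub
    Private Shared ReadOnly rows As New Dictionary(Of String, String())()

    Public Function UpdateBankAccountData(ByVal companyName As String, _
            ByVal ddRouter As String, ByVal ddAccount As String) As Boolean
        rows(companyName) = New String() {ddRouter, ddAccount}
        Return True
    End Function

    Public Function GetUserAccountData(ByVal companyName As String) As String()
        If rows.ContainsKey(companyName) Then Return rows(companyName)
        Return Nothing
    End Function
End Class

' Business tier: the only place that touches the key. Encryption happens before the
' data-tier call (a call placed after Return never runs), decryption after it.
Public Class BankAccount
    Private ReadOnly cipher As New FieldCipher(KeyStore.GetKey("C:\hypothetical\bankkey.bin"))

    Public Function UpdateBankAccountData(ByVal companyName As String, _
            ByVal ddRouter As String, ByVal ddAccount As String) As Boolean
        Dim theAccount As New DDBankInfoStub()
        Return theAccount.UpdateBankAccountData(companyName, cipher.Encrypt(ddRouter), cipher.Encrypt(ddAccount))
    End Function

    Public Function GetUserAccountData(ByVal companyName As String) As String()
        Dim stored As String() = New DDBankInfoStub().GetUserAccountData(companyName)
        If stored Is Nothing Then Return Nothing
        Return New String() {cipher.Decrypt(stored(0)), cipher.Decrypt(stored(1))}
    End Function
End Class
```

With this layout the btnConfirm_Click handler and Page_Load only call BankAccount.UpdateBankAccountData and BankAccount.GetUserAccountData and never see the key or the ciphertext; the data tier never sees plaintext; and the key file lives outside the web root, readable only by the account the application pool runs as. Because the decrypted key is cached in a Shared field, the DPAPI call Eric describes as slow happens once per application lifetime rather than once per page.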
 
March 18th, 2005, 08:43 AM | Friend of Wrox (Join Date: Jun 2003, Posts: 917)

Since you don't have a requirement for encryption, it's probably not a good use of your time right now. There are a lot of important aspects to understand about the security profile of an application, but in most cases encryption is not really needed.

Some very important systems are required to encrypt data within the database, and I was going on the assumption that you needed to do this. Security auditors and corporate lawyers determine what actually needs to be encrypted, and it's usually only a small amount of data: like account numbers and social security numbers, but only for critical financial systems run by banks, and similar high-value companies. The vast majority of ASP.NET applications do NOT encrypt data, and it's not really important for them.

Most web applications really need to address basic security to prevent hacking. Of course you can't really prevent it, but you can make it harder for the hackers. You should do some research on ASP.NET security.

If a hacker can't get into your database, or your web server's filesystem, then the issue of encryption really doesn't apply. He can't get at the data, so it doesn't matter if it's encrypted.

And if it was encrypted, then the key management is critical because encryption is no good if a hacker can get the key. But this is really an advanced subject that you should study after you have a handle on the general threats and countermeasures.

Here are some links to get you started:

http://msdn.microsoft.com/asp.net/ar...y/default.aspx

http://msdn.microsoft.com/library/de...haspdotnet.asp

http://msdn.microsoft.com/library/de...cnetlpMSDN.asp

http://www.google.com/search?num=100...22&btnG=Search

It's important for you to learn the right terminology associated with security threats and preventative techniques. This will help you get a contract job to develop web sites. The person who interviews you needs to test your general knowledge of security before they hire you because they want to ensure that their company's data will be safe. The interviews I've been involved with often give the security part of the interview the highest weighting - if you don't seem to understand security then they won't want to even discuss other things. Would you loan your car keys to someone if you don't know for sure if you can trust him?

Small companies are sometimes more concerned about security than you might think. They might know that they lack a mastery of the subject, and they want to get a good feeling that the person they hire can protect them against threats that they don't even understand themselves.

Encryption by itself is not of much value. You need to secure the weakest entry points first. Once that's done you can discuss encryption with your employer. Many smaller companies normally don't want to spend much time and money on encryption unless they have a very specific accounting requirement for it.

If the database provides for encrypting fields transparently, then that will help with the time and money issue. It makes sense to use it more if it's an easy thing to implement. But you also need to consider response-time requirements and whether encryption in your environment can be done without degrading performance to an unacceptable level.

Eric




