Credit Card Encryption

jemacc · October 18th, 2006, 06:45 PM

Hi all I am trying to encrypt and decrypted credit card information using the following script created by Greg Larsen. I have install the capicom.dll but I could not register it. I can call other com objects but I cannot with the capicom. if any off you can offer some assistance. Please let me know. Here is the script.

Declare @rc int
Declare @returnval int
DECLARE @object int
DECLARE @Encrypted_CreditCard varchar(4000)
DECLARE @Decrypted_CreditCard varchar(4000)
Declare @Method_call varchar(4000)
Declare @Secret_code varchar(1000)
declare @src varchar(255)
declare @desc varchar(255)

-- Password for Encryption
set @secret_code = 'super secret code'

set @Decrypted_CreditCard = '1234 5678 9012 3456'

-- Encrypt
EXEC @rc = sp_OACreate 'CAPICOM.EncryptedData', @object OUT
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

EXEC @rc = sp_OASetProperty @Object, 'Algorithm.Name', 3 -- 3DES
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

EXEC @rc = sp_OASetProperty @Object, 'Algorithm.KeyLength', 3 -- 128 bit key
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

set @method_call = 'SetSecret("' + @Secret_code + '")'
EXEC @rc=sp_OAMethod @Object, @method_call
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

EXEC @rc=sp_OASetProperty @Object, 'Content',@Decrypted_CreditCard
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

EXEC @rc=sp_OAMethod @Object, 'Encrypt(0)', @Encrypted_CreditCard out
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

-- Print encrypted text
print 'Encrypted Credit Card Info = ' + @Encrypted_CreditCard

-- Decrypt
EXEC @rc = sp_OACreate 'CAPICOM.EncryptedData', @object OUT
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

set @method_call = 'SetSecret("' + @Secret_code + '")'
EXEC @rc=sp_OAMethod @Object, @method_call
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return

end

set @Decrypted_CreditCard = 'garbage'
set @method_call = 'Decrypt("' + @Encrypted_CreditCard + '")'
EXEC @rc=sp_OAMethod @Object,@method_call
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

EXEC @rc=sp_OAGetProperty @Object, 'Content',@Decrypted_CreditCard out
if @rc <> 0
begin
  exec sp_oageterrorinfo @object, @src out, @desc out
  select hr=convert(varbinary(4),@rc), source=@src, description=@desc
  return
end

-- Print decrypted text
print ' '
print 'Decrypted Create Card Info = ' + @Decrypted_CreditCard

-- Destroy object
exec @rc = sp_OADestroy @object
if @rc <> 0
begin
    exec sp_OAGetErrorInfo @object
    return
end

Thanks in Advance

Jaime E. Maccou

Jaime E. Maccou

SQLScott · October 18th, 2006, 07:29 PM

Jamie,

How did you try and register the dll? What error did you get when attempting to register it?

Scott Klein
Author - Professional SQL Server 2005 XML
http://www.wrox.com/WileyCDA/WroxTit...764597922.html

jemacc · October 18th, 2006, 08:25 PM

I was finally able to register it but. I still get and error " Invalid String"

Jaime E. Maccou

jemacc · October 18th, 2006, 08:55 PM

Hi All,

I was able to figure it out. I made a mistake in registering the .dll Here is the site with all instructions.
http://www.dbazine.com/sql/sql-articles/larsen2

Thanks to Greg Larsen; it works like a charm!

Jaime E. Maccou

joefawcett · October 19th, 2006, 02:46 AM

Be careful of the following scenario which might hit you...
If you encrypt the data and then have to change the CAPICOM secret you have two main options, either keep a history of old secrets and when trying to decrypt use all in order until one finally gives a legitimate credit card number, or decrypt and re-encrypt all the numbers as you make the change so that there is only one secret in play at any one time.
I wrote the following routine to do that and it may help in future:

Code:

DECLARE @OldCipherSecret NVARCHAR(100)
DECLARE @NewCipherSecret NVARCHAR(100)
DECLARE @PlainText NVARCHAR(20)
DECLARE @CipherText NVARCHAR(1000)
DECLARE @CustomerId INT
DECLARE @PaymentCardNumber NVARCHAR(1000)

DECLARE @HResult INT
DECLARE @EncryptedData INT
DECLARE @src varchar(255), @desc varchar(255)

DECLARE @LoopIndex INT

Ã 
SET @OldCipherSecret = 'OldSecret'
SET @NewCipherSecret = 'NewSecret'

DECLARE @CAPICOM_ENCRYPTION_KEY_LENGTH_MAXIMUM INT
SET @CAPICOM_ENCRYPTION_KEY_LENGTH_MAXIMUM = 0
DECLARE @CAPICOM_ENCRYPTION_ALGORITHM_3DES INT
SET @CAPICOM_ENCRYPTION_ALGORITHM_3DES = 3

EXEC @HResult = sp_OACreate 'CAPICOM.EncryptedData', @EncryptedData OUT
IF @HResult <> 0
BEGIN
Ã EXEC sp_OAGetErrorInfo @EncryptedData, @src OUT, @desc OUT 
Ã SELECT hr = convert(varbinary(4), @HResult), Source = @src, Description = @desc
Ã --RETURN
END
ELSE
BEGIN
Ã Ã EXEC sp_OAMethod @EncryptedData, 'SetSecret', NULL, @OldCipherSecret
Ã Ã DECLARE ToBeDecrypted CURSOR
Ã Ã LOCAL
Ã Ã FORWARD_ONLY
Ã Ã -- The SQL will need tailoring to your own table. We only want numbers that have been encrypted, that's why the length test is there.
Ã Ã FOR SELECT CustomerId, PaymentCardNumber FROM tblCustomer WHERE DATALENGTH(PaymentCardNumber) > 100 
Ã Ã FOR UPDATE OF PaymentCardNumber

Ã Ã OPEN ToBeDecrypted

Ã Ã FETCH NEXT FROM ToBeDecrypted 
Ã Ã INTO @CustomerId, @PaymentCardNumber

Ã Ã WHILE @@FETCH_STATUS = 0
Ã Ã BEGIN
    EXEC sp_OAMethod @EncryptedData, 'Decrypt', NULL, @PaymentCardNumber
    EXEC sp_OAGetProperty @EncryptedData, 'Content', @PlainText OUTPUT 
    PRINT CAST(@CustomerId AS NVARCHAR(10)) + ': ' + @PlainText
    UPDATE tblCustomer
    SET PaymentCardNumber = @PlainText
    WHERE CURRENT OF ToBeDecrypted
    FETCH NEXT FROM ToBeDecrypted 
    INTO @CustomerId, @PaymentCardNumber
Ã Ã END

Ã Ã CLOSE ToBeDecrypted
Ã Ã DEALLOCATE ToBeDecrypted

Ã Ã EXEC sp_OASetProperty @EncryptedData, 'Algorithm.Name', @CAPICOM_ENCRYPTION_ALGORITHM_3DESÃ Ã 
Ã Ã EXEC sp_OASetProperty @EncryptedData, 'Algorithm.KeyLength', @CAPICOM_ENCRYPTION_KEY_LENGTH_MAXIMUM
Ã Ã EXEC sp_OAMethod @EncryptedData, 'SetSecret', NULL, @NewCipherSecret

Ã Ã DECLARE ToBeEncrypted CURSOR
Ã Ã LOCAL
Ã Ã FORWARD_ONLY
Ã Ã FOR SELECT CustomerId, PaymentCardNumber FROM tblCustomer WHERE PaymentCardNumber IS NOT NULL AND DATALENGTH(PaymentCardNumber) > 1
Ã Ã FOR UPDATE OF PaymentCardNumber
Ã Ã 
Ã Ã OPEN ToBeEncrypted

Ã Ã FETCH NEXT FROM ToBeEncrypted 
Ã Ã INTO @CustomerId, @PaymentCardNumber

Ã Ã WHILE @@FETCH_STATUS = 0
Ã Ã BEGIN
    EXEC sp_OASetProperty @EncryptedData, 'Content', @PaymentCardNumber
    EXEC sp_OAMethod @EncryptedData, 'Encrypt', @CipherText OUTPUT
    UPDATE tblCustomer
    SET PaymentCardNumber = @CipherText
    WHERE CURRENT OF ToBeEncrypted
    FETCH NEXT FROM ToBeEncrypted 
    INTO @CustomerId, @PaymentCardNumber
Ã Ã END

Ã Ã CLOSE ToBeEncrypted
Ã Ã DEALLOCATE ToBeEncrypted
Ã Ã EXEC sp_OADestroy @EncryptedData
END

This would be easier in SQL 2005 where you could make the decrypt/encrypt user defined functions written in .NET.

--

Joe (Microsoft MVP - XML)

jemacc · October 19th, 2006, 11:02 AM

using the script I have what would be your best advice for encrypting a table with columns. CustomerID, PaymentCardNumber.

Yours deletes the credit card number. I will like to encrypt the number stored and then decrypt when needed.

Jaime E. Maccou

joefawcett · October 19th, 2006, 11:55 AM

Quote:

quote:Originally posted by jemacc
using the script I have what would be your best advice for encrypting a table with columns. CustomerID, PaymentCardNumber.

Yours deletes the credit card number. I will like to encrypt the number stored and then decrypt when needed.

Jaime E. Maccou

If you mean my script then on my server it decrypts and then encrypts using the new secret.

--

Joe (Microsoft MVP - XML)

jemacc · October 19th, 2006, 12:34 PM

Yes your scripts. I have changed the column and table name. What I see it does is sets the credit card number to NULL. Here is my table structure

CREATE TABLE [dbo].[customer_test] (
    [SubscriptionID] [int] IDENTITY (1, 1) NOT NULL ,
    [CustomerID] [int] NOT NULL ,
    [NameOnCard] [varchar] (255) NOT NULL ,
    [CardType] [varchar] (50) NOT NULL ,
    [ExpirationDate] [datetime] NOT NULL ,
    [AuthCode] [int] NOT NULL ,
    [DateCreated] [datetime] NOT NULL ,
    [DateModified] [datetime] NOT NULL ,
    [PaymentCardNumber] [varchar] (100) NOT NULL ,
    [CardNumber] [varchar] (50) NULL
) ON [PRIMARY]
GO

I will like to store the paymentcardnumber encrypted, then decrypted if necessary at another time.

Thanks

Jaime E. Maccou

joefawcett · October 19th, 2006, 01:57 PM

Sorry a mistake, I've edited the script, change @PlainText to @PaymentCardNumber in the encrypt section. But my script is designed to overcome the "secret" changing problem. There was already a script to encrypt in isolation.

--

Joe (Microsoft MVP - XML)

jemacc · October 20th, 2006, 05:50 AM

Thank you joefawcett, as you have been so help in this.

The encryption process has work and I have tried to decrypt using the cursor but was unsuccessful, can you walk me through this process. Once again you have being great.

Jaime E. Maccou