1

Which algorithm is preferred for hiding an important string in a database using C#?
ENCODING AND DECODING STRINGS WITH C#
I mean I have some important data (they are not passwords), so I want to change them in the database!
Also, I need to reconvert them to normal mode for use in my web pages.

How can I do this job?

I know we can use an MD5 hash for passwords, but by doing this we cannot reconvert them to normal mode!
So there should be another way for other data!

Thanks in advance,
best regards

SilverLight
  • Well, you can use a 2-way algorithm. But you still need to remember the algorithm itself (for example - divide all values by 2) – Mark Segal Jul 17 '11 at 13:13
  • Check out the explanation of string encryption/decryption here: [Encrypt/Decrypt string in .NET](http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net) – ravyoli Jul 17 '11 at 13:18
  • Why do you want to hide the strings? What kind of attack are you trying to defend against? – svick Jul 17 '11 at 13:22
  • @Quantic Programming thanks: would you please give some explanation about a 2-way algorithm in C#? – SilverLight Jul 17 '11 at 13:24
  • @svick thanks: I want to hide my data from web server admins -> strings are something like mobile charge codes ... – SilverLight Jul 17 '11 at 13:26
  • @LostLOrd, but the webserver admins have access to the code of your web application. What's stopping them from taking that, removing authentication and getting the codes anyway? – svick Jul 17 '11 at 13:39
  • @LostLord You can think of a simple algorithm to Encrypt \ Decrypt strings without a password - and not share this algorithm - it will act like a password. – Mark Segal Jul 17 '11 at 13:42
  • @Quantic how is that better than using a known algorithm where you just don't share the key? Just throw AES128 at it. – CodesInChaos Jul 17 '11 at 14:07
  • Let's see. The web server admins have the database, and your code that extracts information from the database. At that point, protection of your data from them depends on their stupidity. – btilly Jul 17 '11 at 15:57

2 Answers

2

It sounds like you simply want encryption. Depending on the scenario (who can read it vs who can write it) this could be symmetric or asymmetric. Just keep the keys outside the db.

Another option: assume access to the DB is secure; then you don't need to encrypt the data. You would, however, encrypt the connection, and typically enable the encrypted storage options inside the database itself. So everything is encrypted, but invisibly to you as a caller.

Marc Gravell
  • "Another option: assume access to the DB is secure" I agree that's an option, but should come with a warning that taking this option hasn't always worked out well. The fundamental problem of course is that if the app needs access to the decrypted data, then unless access to the environment in which the app runs is secure, you're screwed anyway. So encrypting the DB is useful in a threat model where an attacker can access the DB, but can't get access to whatever the app runs on. Losing backup tapes is a traditional way to give an attacker this limited access, for example. – Steve Jessop Jul 17 '11 at 13:19
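
The symmetric option from the answer above, with the key kept outside the database, as an added example that is not code from any of the posters. It assumes .NET 8 or later, AES-256-GCM as the cipher, and a hypothetical environment variable `FIELD_KEY_B64` holding the key; the sample value is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class FieldProtector
{
    private const int NonceSize = 12; // AES-GCM nonce length in bytes
    private const int TagSize = 16;   // authentication tag length in bytes

    // Assumption: 32-byte key, base64, in a hypothetical env var FIELD_KEY_B64,
    // i.e. stored outside the database.
    public static byte[] LoadKey()
    {
        string b64 = Environment.GetEnvironmentVariable("FIELD_KEY_B64")
            ?? throw new InvalidOperationException("FIELD_KEY_B64 is not set");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32) throw new InvalidOperationException("key must be 32 bytes");
        return key;
    }

    // Returns base64(nonce || tag || ciphertext) for storage in a text column.
    public static string Encrypt(string plaintext, byte[] key)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = new byte[NonceSize + TagSize + pt.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, NonceSize)); // fresh random nonce per value
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(blob.AsSpan(0, NonceSize), pt, blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize));
        return Convert.ToBase64String(blob);
    }

    // Throws CryptographicException if the value was altered or the key is wrong.
    public static string Decrypt(string stored, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("value too short");
        byte[] pt = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize), blob.AsSpan(NonceSize, TagSize), pt);
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key; real code calls LoadKey()
        string stored = Encrypt("CHARGE-0000-SAMPLE", key); // constructed sample value
        Console.WriteLine(stored);
        Console.WriteLine(Decrypt(stored, key));
    }
}
```

This protects the column against someone who obtains only the database or its backups; anyone who can read the application's environment can read the key, which is the limit the comments on this page describe.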
0

SQL Server has an entire set of encryption commands. You can view them here:

http://msdn.microsoft.com/en-us/library/ms173744.aspx

Peter Bromberg