Sensitive Data


Many Web applications store sensitive data of one form or another in the database. If an attacker manages to execute a query against your database, it is imperative that any sensitive data items, such as credit card numbers, are suitably encrypted.

  • Encrypt sensitive data if you need to store it.

  • Secure sensitive data over the network.

  • Store password hashes with salt.

Encrypt Sensitive Data if You Need to Store It

Avoid storing sensitive data if possible. If you must store sensitive data, encrypt the data.

Using 3DES Encryption

To store sensitive data, such as credit card numbers, in the database, use a strong symmetric encryption algorithm such as 3DES.

 Task    During development, to enable 3DES encryption

  1. Use the RNGCryptoServiceProvider class to generate a strong (192 bit, 24 byte) encryption key.

  2. Back up the encryption key, and store the backup in a physically secure location.

  3. Encrypt the key with DPAPI and store it in a registry key. Use the following ACL to secure the registry key:

     Administrators: Full Control
     Process Account (for example ASPNET): Read

 Task    At runtime, to store encrypted data in the database

  1. Obtain the data to be encrypted.

  2. Retrieve the encrypted encryption key from the registry.

  3. Use DPAPI to decrypt the encryption key.

  4. Use the TripleDESCryptoServiceProvider class with the encryption key to encrypt the data.

  5. Store the encrypted data in the database.

 Task    At runtime, to decrypt the encrypted secrets

  1. Retrieve the encrypted data from the database.

  2. Retrieve the encrypted encryption key from the registry.

  3. Use DPAPI to decrypt the encryption key.

  4. Use the TripleDESCryptoServiceProvider class to decrypt the data.

With this process, if the DPAPI account used to encrypt the encryption key is damaged, the backup of the 3DES key can be retrieved from the backup location and be encrypted using DPAPI under a new account. The new encrypted key can be stored in the registry and the data in the database can still be decrypted.
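The three tasks above as one added C# example (not code from the original page). It assumes the built-in ProtectedData class (.NET Framework 2.0 and later, in System.Security.dll) in place of a custom DPAPI library, machine-scope DPAPI so that the process account can unwrap a key provisioned by an administrator, and a hypothetical registry path and class name.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

public static class SecretStore
{
    // Hypothetical registry location (assumption); apply the ACL above to this key.
    const string KeyPath = @"SOFTWARE\ExampleApp\Crypto", ValueName = "DataKey";

    // Development: generate the 24-byte key, wrap it with DPAPI, store it.
    public static byte[] ProvisionKey()
    {
        byte[] key = new byte[24];
        new RNGCryptoServiceProvider().GetBytes(key);
        byte[] wrapped = ProtectedData.Protect(key, null, DataProtectionScope.LocalMachine);
        using (RegistryKey rk = Registry.LocalMachine.CreateSubKey(KeyPath))
            rk.SetValue(ValueName, wrapped, RegistryValueKind.Binary);
        return key; // caller writes this copy to the physically secured backup
    }

    // Runtime: read the wrapped key from the registry and unwrap it with DPAPI.
    static TripleDESCryptoServiceProvider OpenCipher()
    {
        byte[] wrapped = (byte[])Registry.GetValue(@"HKEY_LOCAL_MACHINE\" + KeyPath, ValueName, null);
        TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
        tdes.Key = ProtectedData.Unprotect(wrapped, null, DataProtectionScope.LocalMachine);
        return tdes; // CBC mode and PKCS7 padding are the class defaults
    }

    // Returns IV followed by ciphertext: the value to store in the database.
    public static byte[] Encrypt(string plaintext)
    {
        using (TripleDESCryptoServiceProvider tdes = OpenCipher())
        using (ICryptoTransform enc = tdes.CreateEncryptor()) // random IV per call
        {
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            return tdes.IV.Concat(enc.TransformFinalBlock(data, 0, data.Length)).ToArray();
        }
    }

    // Splits the stored value into IV (first 8 bytes, one 3DES block) and ciphertext.
    public static string Decrypt(byte[] stored)
    {
        using (TripleDESCryptoServiceProvider tdes = OpenCipher())
        using (ICryptoTransform dec = tdes.CreateDecryptor(tdes.Key, stored.Take(8).ToArray()))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(stored, 8, stored.Length - 8));
    }
}
```

CBC encryption on its own provides confidentiality only; tampering with the stored value is not detected unless a keyed MAC is stored alongside it.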

For more information about creating a managed DPAPI library, see "How To: Create a DPAPI Library" in the "How To" section of "Microsoft patterns & practices Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp.

Secure Sensitive Data Over the Network

Sensitive data passed across the network to and from the database server may include application-specific data or database login credentials. To ensure the privacy and integrity of data over the network, either use a platform-level solution (such as that provided by a secure datacenter where IPSec encrypted communication channels are used between servers) or configure your application to establish SSL connections to the database. The latter approach requires a server certificate installed on the database server.

For more information about using SSL and IPSec, see "How To: Use IPSec to Provide Secure Communication Between Two Servers" and "How To: Use SSL to Secure Communication to SQL Server 2000" in the "How To" section of "Microsoft patterns & practices Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp.

Store Password Hashes with Salt

If you need to implement a user store that contains user names and passwords, do not store the passwords either in clear text or in encrypted format. Instead of storing passwords, store non-reversible hash values with added salt to mitigate the risk of dictionary attacks.

Note  

A salt value is a cryptographically strong random number.

Creating a Salt Value

The following code shows how to generate a salt value by using random number generation functionality provided by the RNGCryptoServiceProvider class within the System.Security.Cryptography namespace.

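 using System;
 using System.Security.Cryptography;

 public static string CreateSalt(int size)
 {
   // Fill a buffer of the requested size with cryptographically strong random bytes.
   RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
   byte[] buff = new byte[size];
   rng.GetBytes(buff);
   // Return the salt as a Base64 string so it can be stored in a text column.
   return Convert.ToBase64String(buff);
 }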

Creating a Hash Value (with Salt)

The following code fragment shows how to generate a hash value from a supplied password and salt value.

 using System.Web.Security;

 public static string CreatePasswordHash(string pwd, string salt)
 {
   // Append the salt to the password, then hash the combined string with SHA1.
   string saltAndPwd = string.Concat(pwd, salt);
   string hashedPwd =
       FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");
   return hashedPwd;
 }
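An added example, not from the original page, showing the full store-and-verify flow for salted hashes. It swaps the single SHA-1 pass for PBKDF2 (Rfc2898DeriveBytes, using the overload available in .NET Framework 4.7.2 and later) with an assumed iteration count, because HashPasswordForStoringInConfigFile is marked obsolete from .NET Framework 4.5; the class name and constants are illustrative.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordStore
{
    const int SaltBytes = 16, HashBytes = 32;
    const int Iterations = 100000; // assumed work factor; tune for your hardware

    // Returns the two values to persist per user: Base64 salt and Base64 hash.
    public static void CreateCredential(string pwd, out string salt, out string hash)
    {
        byte[] s = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(s);
        salt = Convert.ToBase64String(s);
        hash = Convert.ToBase64String(Derive(pwd, s));
    }

    // Recomputes the hash from the stored salt and compares without an early exit,
    // so the comparison time does not reveal how many leading bytes matched.
    public static bool Verify(string pwd, string storedSalt, string storedHash)
    {
        byte[] expected = Convert.FromBase64String(storedHash);
        byte[] actual = Derive(pwd, Convert.FromBase64String(storedSalt));
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // PBKDF2-HMAC-SHA256 over the password with the per-user salt.
    static byte[] Derive(string pwd, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(pwd, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}
```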

More Information

For more information about implementing a user store that stores password hashes with salt, see "How To: Use Forms Authentication with SQL Server 2000" in the "How To" section of "Microsoft patterns & practices Volume I, Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp.




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
