question

banoo-7011 avatar image
0 Votes"
banoo-7011 asked cooldadtx commented

best and most secure way to encrypt data

Hello.
I have a program written with .net mvc(c#) and sql server 2014
I want to store some information encrypted in the database.
What is the best and most secure way to encrypt data?
And that encryption is better done in the sql or in C#?

sql-server-generaldotnet-csharpdotnet-aspnet-mvc
· 6
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @banoo-7011 ,
As far as I think,there won't be a totally secure way.If you only store static data,you should encrypt in SQL. If you have client,you need to store the encrypted value somewhere secure outside of your application(secured database?), or use some external value as part of your decryption process, like a certificate or other private key value.
Best regards,
Yijing Sun

0 Votes 0 ·

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help

0 Votes 0 ·

Hi @banoo-7011 ,
As far as I think,when it comes to security don't try to reinvent the wheel. Use Claims based authentication.If you still must manage usernames and passwords use Hash-based message authentication code (HMAC).
You could refer to below article:
https://stackoverflow.com/questions/39802164/asp-net-mvc-how-to-hash-password
Best regards,
Yijing Sun

0 Votes 0 ·

I want a few columns to be encrypted like passwords or settings or ...

0 Votes 0 ·

@YijingSun-MSFT @cooldadtx @ErlandSommarskog @AgaveJoe
Thank you for your answer, dear ones.
It helped me a lot.
One question I have is, is it better to use Sha512 or Bcrypt or HMAC or ... to encrypt the passwords of a web application?

0 Votes 0 ·

SHA512 is not secure nor was it designed for that. Again, do not write your own version of this. It is always wrong. Use one of the many available authentication systems already available. Even the framework ships with a version built in. You are not a security expert nor are you keeping up with standards. Let the experts do it for you.

If you must do your own encryption then use the largest key you can support (1K is generally considered minimal) based upon what is available in your framework. Refer to the earlier link I gave around what is supported in .NET. At a minimum you need an algorithm with a really long key (private) and a salt that is random enough to prevent guessing (generally the password itself modified).

Bcrypt is considered the most secure of the lot you specified by many but most secure can vary. It isn't built in so you'll need a library. Refer to this article.

0 Votes 0 ·
TomPhillips-1744 avatar image
0 Votes"
TomPhillips-1744 answered

There are several options. The answer to your question depends on who exactly you are trying to hide the encrypted data from?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

cooldadtx avatar image
0 Votes"
cooldadtx answered AgaveJoe edited

Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data. But it gets a lot harder as you'll also need to ensure that only specific accounts can decrypt the data otherwise, again, anyone with DB access can read it. Of course this level of security is really only needed for sensitive data that you have no choice but to store for whatever business reasons such as SSNs or CC numbers. Of course the best option is to never store any of this and then encryption isn't needed.

If you need to share data between a client and a server (whatever that means to you) then C# is probably the better route. For example if you're communicating between two machines then HTTPS (already encrypted) is expected. For non-HTTPS then you should encrypt on one side and decrypt on the other, if needed.

As for the mot secure encryption then the general recommendation is asymmetric with the largest key both sides support. Refer to this helpful link in MSDN. You'll want the most secure algorithm with the largest key that you can manage. Of course this is expensive so if you don't need as much security then symmetric is easier but more vulnerable.

.NET docs have a good summary of all this to read.

· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data.

The other way round. You need to encrypt data in the client and store the encrypted values in the database. If SQL Server encrypts, the values can be retrieved with database access only.

SQL 2016 offers the feature Always Encrypted, where encryption indeed occurs in the client, but where SQL Server has knowledge and understanding of that the data is encrypted.

With SQL 2014, you will need to roll your own entirely.

0 Votes 0 ·

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help

0 Votes 0 ·

I already gave you the link to the docs that help decide which approach to use based upon your needs. Do you read it yet? Do you understand the difference between asymmetric and symmetric encryption?

If you want a few columns protected then masking is an option. The data is not visible to anyone who doesn't have the unmask rights. You can also encrypt the DB to provide more protection if desired.

For the specific example of a password you will want to encrypt the data before saving to the database using a one-way encryption algorithm. With a password you never need to retrieve it and therefore don't need to be able to decrypt. However you shouldn't be rolling your own. There are plenty of identity systems available. MVC ships with one and there is IdentityServer. They already handle this. Do not build your own. This is always the wrong approach and unsecure.

0 Votes 0 ·

No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS. Hence no one other than the limited users/groups who have unmask rights can see the real data. This is commonly used in PII columns like SSN and CC #s as I mentioned. This has to be done at the DB level, in addition to any client side protection you want to use.

0 Votes 0 ·

No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS.

Dynamic Data Masking is not encryption. Nor is DDM very good protection against SSMS users - it's quite easy to get the data. DDM is mainly an aide to the application.

And banoo is using SQL 2014, which does not support Dynamic Data Masking.

And if the data is passwords, they should be stored as salted hashes, and not be retrievable at all.

0 Votes 0 ·

What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help

0 Votes 0 ·

As explained above, SQL Server comes with encryption services where data at rest is not easily read.

The only reason to encrypt data in MVC, other than using standard SSL, is the design passes sensitive data to the browser. The safest method is to fix the design and stop passing sensitive data to the browser. Can you explain how your MVC application works, what type of data needs encryption, and why the design might pass sensitive data to the browser?

0 Votes 0 ·