Hello.
I have a program written with .net mvc(c#) and sql server 2014
I want to store some information encrypted in the database.
What is the best and most secure way to encrypt data?
And that encryption is better done in the sql or in C#?
Hi @banoo-7011 ,
As far as I think, there won't be a totally secure way. If you only store static data, you should encrypt in SQL. If you have a client, you need to store the encrypted value somewhere secure outside of your application (secured database?), or use some external value as part of your decryption process, like a certificate or other private key value.
Best regards,
Yijing Sun
What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help
Hi @banoo-7011 ,
As far as I think, when it comes to security don't try to reinvent the wheel. Use claims-based authentication. If you still must manage usernames and passwords, use a Hash-based Message Authentication Code (HMAC).
You could refer to the article below:
https://stackoverflow.com/questions/39802164/asp-net-mvc-how-to-hash-password
Best regards,
Yijing Sun
@YijingSun-MSFT @cooldadtx @ErlandSommarskog @AgaveJoe
Thank you for your answer, dear ones.
It helped me a lot.
One question I have is, is it better to use Sha512 or Bcrypt or HMAC or ... to encrypt the passwords of a web application?
SHA512 is not secure nor was it designed for that. Again, do not write your own version of this. It is always wrong. Use one of the many available authentication systems already available. Even the framework ships with a version built in. You are not a security expert nor are you keeping up with standards. Let the experts do it for you.
If you must do your own encryption then use the largest key you can support (1K is generally considered minimal) based upon what is available in your framework. Refer to the earlier link I gave around what is supported in .NET. At a minimum you need an algorithm with a really long key (private) and a salt that is random enough to prevent guessing (generally the password itself modified).
Bcrypt is considered the most secure of the lot you specified by many but most secure can vary. It isn't built in so you'll need a library. Refer to this article.
Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data. But it gets a lot harder as you'll also need to ensure that only specific accounts can decrypt the data otherwise, again, anyone with DB access can read it. Of course this level of security is really only needed for sensitive data that you have no choice but to store for whatever business reasons such as SSNs or CC numbers. Of course the best option is to never store any of this and then encryption isn't needed.
If you need to share data between a client and a server (whatever that means to you) then C# is probably the better route. For example if you're communicating between two machines then HTTPS (already encrypted) is expected. For non-HTTPS then you should encrypt on one side and decrypt on the other, if needed.
As for the most secure encryption, the general recommendation is asymmetric with the largest key both sides support. Refer to this helpful link on MSDN. You'll want the most secure algorithm with the largest key that you can manage. Of course this is expensive, so if you don't need as much security then symmetric is easier but more vulnerable.
.NET docs have a good summary of all this to read.
Depends on what your requirements are. If you need to store data even at rest then encryption in SQL is the only way to do that. Otherwise anyone with DB access can read the unencrypted data.
The other way round. You need to encrypt data in the client and store the encrypted values in the database. If SQL Server encrypts, the values can be retrieved with database access only.
SQL 2016 offers the feature Always Encrypted, where encryption indeed occurs in the client, but where SQL Server has knowledge and understanding of that the data is encrypted.
With SQL 2014, you will need to roll your own entirely.
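As an added illustration of the client-side approach described in this answer (example code, not from the thread or from Microsoft): the application encrypts a column value before it is written and only ever stores the resulting blob, so database access alone does not reveal the plaintext. It uses AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC), and assumes the two 32-byte keys are held in a secrets store outside the database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added illustration, not code from the thread: application-side column encryption
// (AES-256-CBC, then an HMAC-SHA256 tag over IV and ciphertext: encrypt-then-MAC).
// encKey/macKey (32 bytes each) are assumed to live in a secrets store outside the DB.
public static class ColumnCrypto
{
    const int IvLen = 16, TagLen = 32;
    // Stored blob layout: IV || ciphertext || tag
    public static byte[] Encrypt(string plaintext, byte[] encKey, byte[] macKey)
    {
        var data = Encoding.UTF8.GetBytes(plaintext);
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV();                        // fresh random IV for every value
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(data, 0, data.Length);
            var blob = new byte[IvLen + cipher.Length + TagLen];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, IvLen);
            Buffer.BlockCopy(cipher, 0, blob, IvLen, cipher.Length);
            using (var hmac = new HMACSHA256(macKey))
                Buffer.BlockCopy(hmac.ComputeHash(blob, 0, IvLen + cipher.Length), 0, blob, IvLen + cipher.Length, TagLen);
            return blob;
        }
    }
    public static string Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < IvLen + TagLen) throw new CryptographicException("Blob too short");
        int bodyLen = blob.Length - TagLen;
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(blob, 0, bodyLen);
        int diff = 0;                                // constant-time tag check before decrypting
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) throw new CryptographicException("Integrity check failed");
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            var iv = new byte[IvLen];
            Buffer.BlockCopy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen));
        }
    }
}
```

The blob goes into a VARBINARY column; a tampered or truncated row fails the tag check and is rejected before any decryption runs.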
What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help
I already gave you the link to the docs that help decide which approach to use based upon your needs. Did you read it yet? Do you understand the difference between asymmetric and symmetric encryption?
If you want a few columns protected then masking is an option. The data is not visible to anyone who doesn't have the unmask rights. You can also encrypt the DB to provide more protection if desired.
For the specific example of a password you will want to encrypt the data before saving to the database using a one-way encryption algorithm. With a password you never need to retrieve it and therefore don't need to be able to decrypt. However you shouldn't be rolling your own. There are plenty of identity systems available. MVC ships with one and there is IdentityServer. They already handle this. Do not build your own. This is always the wrong approach and insecure.
No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS. Hence no one other than the limited users/groups who have unmask rights can see the real data. This is commonly used in PII columns like SSN and CC #s as I mentioned. This has to be done at the DB level, in addition to any client side protection you want to use.
No, I was talking about using masked columns which is supported in SQL in newer versions for securing specific columns from even the eyes of SSMS.
Dynamic Data Masking is not encryption. Nor is DDM very good protection against SSMS users - it's quite easy to get the data. DDM is mainly an aid to the application.
And banoo is using SQL 2014, which does not support Dynamic Data Masking.
And if the data is passwords, they should be stored as salted hashes, and not be retrievable at all.
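As an added illustration of what "salted hashes, not retrievable" means in practice (example code, not from the thread; the built-in ASP.NET Identity password hasher the earlier answers recommend does the same job): each password gets its own random salt, is run through PBKDF2-HMAC-SHA256, and is later verified by recomputing rather than decrypting. It assumes .NET Framework 4.7.2+ or .NET Core, where the `Rfc2898DeriveBytes` overload taking `HashAlgorithmName` exists.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration, not code from the thread: a salted, one-way password hash
// (PBKDF2-HMAC-SHA256 via Rfc2898DeriveBytes) that can be verified but never reversed.
// Assumes .NET Framework 4.7.2+ or .NET Core for the HashAlgorithmName overload.
public static class PasswordHashing
{
    const int SaltLen = 16, HashLen = 32, Iterations = 100000;

    // Stored record: "<iterations>.<salt base64>.<hash base64>", so the salt and
    // work factor travel with the hash and the factor can be raised later.
    public static string Hash(string password)
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                     // unique random salt per user
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            hash = kdf.GetBytes(HashLen);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations)) return false; // malformed record
        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison so timing does not leak how many bytes matched.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```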
What is the safest way to encrypt data in .net mvc(c#)?
Thank you for your help
As explained above, SQL Server comes with encryption services where data at rest is not easily read.
The only reason to encrypt data in MVC, other than using standard SSL, is the design passes sensitive data to the browser. The safest method is to fix the design and stop passing sensitive data to the browser. Can you explain how your MVC application works, what type of data needs encryption, and why the design might pass sensitive data to the browser?
There are several options. The answer to your question depends on who exactly you are trying to hide the encrypted data from.