.NET Forum / .NET Framework / Security / January 2006

Securely storing cc info

Weston Weems - 22 Dec 2005 17:35 GMT
Ok,

Anyone got any reference implementations of how one might store cc's
securely?

I was looking at AES encryption of everything but the last 4 digits,
and then storing private key via DPAPI.

I am looking for any sort of information I can get. C# examples or
source or anything would be greatly appreciated.

Weston Weems
Joe Kaplan (MVP - ADSI) - 22 Dec 2005 19:17 GMT
AES is a good algorithm choice for a symmetric cipher.  It would be a good
idea to use a unique, random initialization vector (IV) for each number.
This will help prevent brute force attacks as it will cause the cipher text
to be different for the same cc#.  You can store the IV next to the
encrypted data as it is not a secret.

Encrypting the AES key with DPAPI is also a good idea.  Essentially,
anything you can do to make it hard for attackers to steal the key is good.

www.dotnetthis.com has a good symmetric encryption sample.

Joe K.

> Ok,
>
[quoted text clipped - 8 lines]
>
> Weston Weems
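
An added C# example (not code from any poster in this thread or from the site mentioned) of the scheme discussed above: AES with a fresh random IV per card number stored in front of the ciphertext, the last four digits kept in the clear, and the AES key wrapped with DPAPI. The class name, entropy string and test card number are constructed; it assumes Windows with a reference to System.Security, and the CBC mode used here adds no integrity check on the stored record.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class CardVault
{
    // DPAPI-wrap the AES key before persisting it. LocalMachine scope ties the blob
    // to this machine: another server cannot unwrap it.
    public static byte[] WrapKey(byte[] aesKey, byte[] entropy) =>
        ProtectedData.Protect(aesKey, entropy, DataProtectionScope.LocalMachine);
    public static byte[] UnwrapKey(byte[] blob, byte[] entropy) =>
        ProtectedData.Unprotect(blob, entropy, DataProtectionScope.LocalMachine);

    // Encrypts all but the last four digits; returns IV || ciphertext.
    public static byte[] Encrypt(byte[] key, string pan, out string lastFour)
    {
        lastFour = pan.Substring(pan.Length - 4);
        byte[] plain = Encoding.ASCII.GetBytes(pan.Substring(0, pan.Length - 4));
        using (Aes aes = Aes.Create())            // defaults: CBC mode, PKCS7 padding
        {
            aes.Key = key;
            aes.GenerateIV();                     // fresh random IV for every record
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
        }
    }

    public static string Decrypt(byte[] key, byte[] record, string lastFour)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = record.Take(16).ToArray();   // the IV is the first AES block (16 bytes)
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return Encoding.ASCII.GetString(dec.TransformFinalBlock(record, 16, record.Length - 16)) + lastFour;
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];                // 256-bit AES key
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] entropy = Encoding.UTF8.GetBytes("cardvault-demo");   // constructed value
        byte[] k = UnwrapKey(WrapKey(key, entropy), entropy);        // store only the wrapped blob
        const string pan = "4111111111111111";                       // constructed test number
        byte[] r1 = Encrypt(k, pan, out string last4);
        byte[] r2 = Encrypt(k, pan, out last4);   // same card, second record with its own IV
        Console.WriteLine($"records equal: {r1.SequenceEqual(r2)}, round trip ok: {Decrypt(k, r1, last4) == pan}");
    }
}
```
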
Weston Weems - 03 Jan 2006 22:54 GMT
www.dotnetthis.com does have a basic encryption sample, which I could
already do, but has reference to "making it industry strength" which I
could not find anywhere on the site.

Does anyone have recommendations or a simple demo of how one would use
the encryption plus storing the key as scalable/clusterable as possible?

Right now the webserver is the machine that would be encrypting the data and
storing on a separate db server, but later on, who knows. If I
understand correctly DPAPI would prevent me from being able to easily
add a load balanced web app server to the pool etc.

> AES is a good algorithm choice for a symmetric cipher.  It would be a good
> idea to use a unique, random initialization vector (IV) for each number.
[quoted text clipped - 21 lines]
>>
>>Weston Weems
Kaustav - 03 Jan 2006 13:07 GMT
Hi,

I would think Rijndael with DPAPI is a good option.

Kaustav.

> Ok,
>
[quoted text clipped - 8 lines]
>
> Weston Weems
