Encryption issues - encrypt, not encrypt, why encrypt and how encrypt?
I know what I'm about to put down is probably more theoretical than a pure ASP problem, but I don't know where else to post on this forum of my ilk!! :0)
Basically I've created a classic asp web app that connects to an sql 2008 express db via ssl and even though the whole sys runs on/through ssl I've been told that I should encrypt certain parts of the db's content just in case anybody gets onto my server and hacks into the db.
Now I started to use an old Base64 encryption-with-a-key bit of code that I've had for a bit, but somebody told me that Base64 just converts the text into a better transport method rather than actually encrypting it and it's easy to hack, but I've put a long key in and it doesn't seem to convert back and forth properly without knowing the key - are they right?? Should I be using something else?
Having started to encrypt certain parts, e.g. a person's name, DOB, etc., it suddenly dawned on me that although I'm encrypting and decrypting as I go, if I want to do search queries then it ain't gonna work. For example, if I want to find all the people with 'gar' in their name then this isn't going to work, and if I want to find all the people who are born between Apr and May then this isn't either.
My second query is, if I've got the dbs on a dedicated server running only one site, loads of password access only and on https do I really need to encrypt db fields as well?? If so, how do I get round these query (and sort order) issues??
For security, the only thing I encrypt is passwords and I don't store credit card info. All other information is typically non-risk. The best security is to purge old data after a specified period of time.
Think of it like this - What's the point of encrypting data that is public? So if you have a page showing a list of members, why encrypt the user name backend?
As webber suggested, a reasonably good way is to one-way salt & encrypt the login name and password, assign those to a userID and have nothing else in that table. Then have other tables including a display name, that all have the userID as the index, which you can use to join tables.
There are a lot of overheads to classic ASP encryption. If you want to encrypt personal info like emails, addresses and phone numbers then switch to PHP. ASP.NET might have embedded functions you can use but I haven't looked into that yet.
Do a search for the rijndael md5 encryption for classic asp. That's the one I like to use. And remember to salt your passwords before saving as it helps to prevent dictionary attacks.
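An added example, not code from the thread and written in Python rather than classic ASP so it runs stand-alone, of the two points raised above: Base64 reverses with no key at all, and the salted one-way hash the replies recommend for password storage (PBKDF2-HMAC-SHA256 and the `iterations$salt$hash` record layout are assumptions chosen here, not the thread's).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for the demonstration (not from the thread).
SAMPLE_NAME = "Garfield Smith"
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed work factor for PBKDF2; raise it as your server's CPU allows.
PBKDF2_ITERATIONS = 200_000


def base64_round_trip(text: str) -> str:
    """Base64 is an encoding, not a cipher: anyone holding the stored
    value can reverse it, because there is no key involved at all."""
    encoded = base64.b64encode(text.encode("utf-8"))
    return base64.b64decode(encoded).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted hash of a password. Returns the record to store as
    'iterations$salt_hex$hash_hex'; the original password is unrecoverable."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time, so no timing leak on partial matches."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_gives_distinct_records(password: str) -> bool:
    """Why salting helps against dictionary attacks: two users with the
    same password get different stored values, so one precomputed table
    of hashes cannot be matched against the whole user table at once."""
    return hash_password(password) != hash_password(password)
```

The encrypt/decrypt approach from the question is for data you need to read back (names, dates); a password is only ever checked, never read back, so it belongs behind a one-way hash like this.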