I have a requirement to store the user password using VB.NET in Encrypted form in SQL
Server DB and while retrieving the password it should be Decrypted.
Is there a property to make the sql server table column as Encrypted so when ever the data is saved in this column it is shown in encrypted form.
How can this be achieved.
Related
Here's my requirement:
A database where at least 1 column on at least 1 table is sensitive, and should be encrypted
DBAs and people accessing the database with SSMS should not be able to view the plaintext values of the columns
There will be a client asp.net application that will be able to retrieve and decrypt the data, and insert and update to the table(s)
So, if I enable always encrypted on the necessary columns, any normal query will retrieve the ciphertext for those columns. Fine.
The client application will have Column Encryption Setting=Enabled on the connection string, so will have the ability to encrypt and decrypt data.
But what's to stop someone connecting with SSMS and enabling the same column encryption setting? They could then select from the table and see the plaintext.
In short, how do I apply permissions so that only people in a specific AD group, and excluding DBAs, has permissions to access the encryption keys to decrypt the data?
Is it as simple as making sure that the IIS that the .net application is on is not on the same server, and creating the column master key certificate only on that IIS machine?
There are two keys that are created Column Master Key (CMK) and Column Encryption Key (CEK).
The column master key is only stored on the application side, while the column encryption key will be stored on SQL Server side.
The result is that once the client has the CMK, you can activate encryption by changing the connection string and the driver will then look for this CMK. Without it the data cannot be decrypted.
I am facing a dilema.
I am using Asp.Net identity on a client-server app to store user accounts, roles and passwords. Just to avoid boilerplate and don't reinvent the wheel.That works.
However, I want to validate a remote client. I don't want to transmit the password by the wire, so I want to encode/hash it too and retrieve an access token.
The hashing mechanism in Asp.Net uses a random salt, included in the "PasswordHash" field in AspNetUsers table, among with the encryption algorithm, salt, version and etc.
Are there any suggestions on how to securely validate the client password? Maybe to extract the salt on the server to send/reencode the password on the client or something alike?
Server: Saved hash
Client: Password to hash/encrypt and send to server
Need to: Validate password securely
During Authentication, Validation of passwords should be done on server-side. Validate Generated Hash with Stored Hash.
To validate a password, I would try to do following steps on server.
1) Send the password from Client to Server over Https/SSL
2) Retrieve the User's Salt and Hash from the database.
3) Generate a Hash from User's Password and Stored Salt.
4) Compare the hash from database with generated Hash.
Reference: https://crackstation.net/hashing-security.htm
I want to build an app where users upload files. But the owners of the server should never be able to have access to any data from the files, only encrypted content.
If I had to implement it myself using Java, I would do something like:
symmetric encryption for the files using a random key per file (or per user because I don't need per file access control). The random key is then asymmetrically encrypted (one time for each user needing access to the file) and stored along the file on the server
Users have a password encrypting their randomly generated on account creation private key stored on the server along with the public key.
The user password hash (not the password itself) is also used as an authentication password to avoid having multiple passwords but also to avoid sending the user password to the server (the server then normally computes and compares the salted hash of this hash of the password)
How can I implement a custom app like this (using libraries?, running additional servers with http APIs?, something else?) ?
I found https://www.minio.io/features.html, an http server with s3 compatible rest APIs which has "Both server side and client side encryption are supported" but couldn't find enough documentation on the client side encryption.
We have a web application that contains sensitive data. Currently we are using sql server 2008 and using DECRYPTBYPASSPHRASE and ENCRYPTBYPASSPHRASE for the sensitive columns.
The key was exposed and now they want to change the key.
The most important thing is what is the best practices for storing the pass phrase. The application is a asp.net connecting to a sql server 2008. The sql admins do not want it stored anywhere in the database. But then it will stored in the application server and will be transmitted over the wire.
Secondly, I don't like the fact that I have to decrypt then re-encrypt to change the key. Is there a better was of encrypting the sensitive data.
thanks in advance.
I am using GET DATA command for importing data from SQL server. I would like to use ENCRYPTED sub command. I can encrypt the password using Database Wizard.
I am writing the commands directly in a syntax editor, so I would like to avoid using Database Wizard. Is there any other tool for encrypting the password? I do not want to run the wizard just for the encryption of the password.
A stand alone tool for encrypting password would be nice.