We would like to decrypt data stored in Microsoft Access.
Without getting into too much detail we have a Web Form, written in PHP, that saves Form Data (encrypted) to a MySQL table. MS Access copies that Form Data (via an ODBC link) from MySQL to its own table. I am following this post Decrypt PHP encrypted string in C# thinking that VBA and VB.net should be close enough that I can work out the errors. But I don't see System.Security.Cryptography listed in 'Access database Object Library'. Is it possible to add System.Security.Cryptography to MS Access and if so how? If MS Access doesn't support adding System.Security.Cryptography, do you have any ideas on how to decrypt data within MS Access that was encrypted in PHP?
Thanks
You could create a C#/VB.Net library that simply encrypts/decrypts data, expose it as COM and call it from Access. It's very simple to do and I've successfully done this with various projecs. Rich Newman has a very good article on how to do this here.
Related
I created two methods Encrypt() and Decrypt() in my Web Application for Encrypting and Decrypting Data.
Now, I want to use same technique in my SQL Server Database for Decrypting Data.
Can anyone tell me how is it possible.
Please help!!
Thanks,
Rahul
Even though is theoretically possible to load your functions as SQLCLR, you will get key management wrong. Use SQL Server cryptographic functions and discard everything you wrote yourself. Use a proper key hierarchy.
I have a web application running under Windows/IIS that includes some reports via SSRS.
I would like to be able to render a report, somehow save it on the web or SSRS file system, create an encrypted version, and deliver that encrypted file to the user.
I've considered creating a zip file with a password, but not sure about how well that would work.
What would be the best way to do this?
There are a couple of issues in this - and I have to work on the assumption that the purpose of encryption is that you want to be able to distribute the report in a way that only authorized users can view it.
The simplest way of achieving this goal would be to have a login scheme, and serve the report over HTTPS. This means only those who have a log-in can download the report, and it can't be intercepted using network sniffing.
In the past, a client insisted that they wanted to avoid allowing users to download unencrypted files, because they might forward the (unencrypted) report to un-authorized users. To meet this requirement, we created a windows service which created encrypted ZIP files; we used a service because performance tests showed that creating the ZIP in the context of a web request created a serious scalability issue.
The major problem you have with this scheme is distributing decryption keys; making sure everyone has the right key for their report is a huge pain in the backside.
It also didn't prevent users from decrypting the ZIP file and emailing on the unencrypted report - but this was a clear breach of IT policies, which was a harder point to make with unencrypted reports.
Maybe 7-zip or TrueCrypt?
Both require the installation of additional software however. I'm really not sure how strong ZIP file password protection is, so I would be hesitant to go that route without some research.
TrueCrypt is pretty secure, from my understanding.
You'll need a reference in your project to http://<Server Name>/ReportServer/ReportExecution2005.asmx. See the example included in ReportExecutionService.Render Method for how to execute and render a report. You can then take the returned byte array from the render method and create a MemoryStream based on it.
You can perform simple compression using thing in the System.IO.Compression Namespace like this:
public void CompressData(Stream uncompressedSourceStream, Stream compressedDestinationStream)
{
using (DeflateStream compressionStream = new DeflateStream(compressedDestinationStream, CompressionMode.Compress))
{
uncompressedSourceStream.CopyTo(compressionStream);
}
}
public void DecompressData(Stream compressedSourceStream, Stream uncompressedDestinationStream)
{
using (DeflateStream decompressionStream = new DeflateStream(uncompressedDestinationStream, CompressionMode.Decompress))
{
compressedSourceStream.CopyTo(decompressionStream);
}
}
using (FileStream sourceStream = File.OpenRead(#"C:\MyDir\MyFile.txt))
using (FileStream destinationStream = File.OpenWrite(#"C:\MyDir\MyCompressedFile.txt.cp"))
{
CompressData(sourceStream, destinationStream)
}
See the AesCryptoServiceProvider Class for information on how to encrypt data. It shouldn't be hard to modify the example to encrypt a stream instead of a string.
It's also possible to issue certificates to users and perform encryption/decryption based on that but it's more complicated. For that you'll need to look at the System.Security.Cryptography.X509Certificates Namespace.
I am writing an ASP.NET web site where users will be able to upload a .CSV file from which i want to extract the data into a table on a MySQL Database. I was wondering what would be the safest way to do this by protecting against SQL injection or other dangers towards my database.
I was also wondering what would be the best way to extract this? For example would it be recommended to use an API to extract the data straight from the back of a button push or should I push the file to a temporary location where a service may pick it up periodically?
Thanks in advance
Use prepared statements to use your CSV data in the backend. Prepared statements securely escape data to prevent SQL injection.
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare(v=vs.71).aspx
Never create a dynamic string that uses data by joining or concatenating strings. Only use the prepared statements.
This is universal and should be used regardless of the input source.
How does one prevent passwords and other sensitive data submitted to and received from ASP.NET web pages in IIS/ASP.NET dump files?
Steps to reproduce
Using Visual Studio 2010, create a ASP.NET MVC 3 intranet application.
Configure it to use IIS 7.5.
Fire it up and register an account (say bob123 as the user and Pa$$w0Rd as the password. I'm assuming that the SQL Express database is created and the site is fully functional.
Using task manager, right click on the w3wp process and create a dump.
Open the dump in an editor capable of displaying its contents as hex, such as SlickEdit.
Search for "Pa$$0Rd" and "Pa%24%24w0Rd" in the hex dump. You should be able to find several copies of it stored as ASCII, Unicode, or encoded.
Note that it doesn't matter whether you use HTTPS because it only encrypts the communication. ASP.NET stores that data in the clear in memory or disk.
The problem
Common wisdom has it to encrypt sensitive data and not to store it in the clear. However an employee may receive a dump of an IIS/ASP.NET application and discover passwords and other confidential data of users because this information is neither encrypted, nor is memory used by ASP.NET cleared after usage.
This puts them at risk simply because they have access to it. Dump are sometimes shared with partners (such as Microsoft) to help them diagnose issues in their code. It is a necessary part of diagnosing some really complex problems in one's application.
Things I looked at
Use SecureString for passwords and other sensitive data. However, the ASP.NET Membership provider, along with other frameworks like WCF, often accepts passwords as System.String, which means that those copies will still be in the dump.
Looked to see if there is anything in the framework to clear out a copy of System.String when it is no longer being used. I couldn't find anything.
Investigated whether one can zero out the memory used for requests and responses once IIS is done with it, but I was unable to find anything.
I investigated wether one can encrypt files IIS receives (as HttpPostFile) so that they are not stored in the clear. We may receive documents that are extremely confidential and every step is made to encrypt and protect them on the server. However, someone can extract them in the clear from an IIS dump.
What I was hoping for is to tell IIS/ASP.NET that a specific request/response contains sensitive data and that IIS/ASP.NET will clear out the memory when it is done using it.
A dump file by definition dumps all the memory the application uses at the moment it is dumped, If you were to create a filter so that certain things were excluded then you could never be sure that you had enough data to zero in on a problem.
Would you be comfortable handing over your databases / configuration settings to a third party? if not then you probably shouldn't be handing over dumpfiles either. (imho)
I know this doesn't answer the question directly but why not look at this problem differently.
You could easily put together some javascript to do the hashing client side. I would combine the password with something random such as a guid that is sent down by the server and is valid only for a single use. The data exchange would no longer contain the password and the hash could easily be compared server side. It would only be valid for the session so someone looking at the dump data couldn't use the hash to "authenticate" themselves in future.
On the file side, how are these files being uploaded? directly from a web page? There are quite a few javascript libraries that do encryption (blowfish) and I would definitely use this option when sending a sensitive file. It does have a speed penalty but you can be sure that the data is secure.
I wonder which class is the class that I use to encrypt data (first time string data) and the best method of encryption (among those supported by caché). Must generate a strong encryption for data in my project.
Any help is welcome.
If someone can show me some example, I'll be even more grateful.
Please state what exactly do you want to encrypt. To encrypt the whole database, there is a setting in System Management Portal, this encryption is certified in US. To encrypt data transfers, you may use SSH (see %Net.SSH.*), HTTPS (see %Net.HttpRequest with Https property), and Web Services with WS-Security (see documentation). To encrypt just any string internally, see $system.Encryption.Help().
We use ensemble web services to serve up Base64 encrypted XML payloads to web portals and mobile apps in the healthcare field. The code we've implemented looks something like the below snippet, in addition to some other security features related to the web service.
Set sc = ..xmlData.XMLExportToString(.xml)
Set xmlReturn = ##class(%System.Encryption).Base64Encode(xml)
Quit xmlReturn