SITUATION: I need to make encryption happen between my remote database and my C# application. I don't know what I'm doing (never done any encryption before) and all the stuff I found on the web was for ASP.NET and dealt with the web.config file.

SOME RELEVANT DATA: My connection string contains password info for SQL server authentication, there is a select, and a delete statement. Those three things will need to be encrypted.

I am using SQL Server 2008, Visual Studio 2008, and C#.

I doubt this is relevant but this is taking place inside a windows service. So far, anything SQL related that works in winForms has worked for me in services, so any help that is winForms related is appreciated, too.

WHAT I NEED HELP ON:

  1. Any references on encryption that aren't restricted to ASP.NET would be greatly appreciated. :)

  2. I see the MSDN page, and it seems like a decent place to start, but I am a little confused. It seems like this is the way 2 applications would send a file to each other, rather than sending something encrypted to SQL Server? Using this, I don't see how SQL Server would know how to decrypt it?

  3. Am I way out in left field looking in System.Security.Cryptography? Is there some way to specify encryption within System.Data.SqlClient or am I going to have to resort to messing around making stored procedures on the remote server?

Thank you in advance!!! :)

SUMMARY:

Thank you all for setting me on the right path, it was difficult to choose just one answer! :)

I've concluded that I need to use SSL, and while I yet have a lot of confusion about the how-tos, I know that this requires a certificate, and that once the certificate is set up, the client can request encryption by asking for "Encrypt=yes" in the connection string. Luckily I believe I already have one I can use.

Another thing to note - TDE is the consensus on what is good for encrypting data that is just sitting in the database, while SSL is what to use for transmitting encrypted data.

Here were a couple links I found the most helpful:

http://blogs.msdn.com/b/sql_protocols/archive/2005/10/04/476705.aspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;316898

+5  A: 

For the encryption between the app and the DB, your best bet is to use an SSL certificate at the SQL Server level. Here is a Microsoft KB article on it (for an older version of SQL Server). http://support.microsoft.com/kb/316898 This will protect against sniffers.

We did this with our credit card application form, and it was very straightforward.

This Microsoft.com search will help you with newer versions of SQL Server.

And this article will help with SQL Server 2008. http://msdn.microsoft.com/en-us/library/cc278098.aspx

David Stratton
That was a bing search, you liar :)
VoodooChild
Oops. Caught me.
David Stratton
Thanks for the answer. :) The search pointed me fairly quickly to something called TDE, is this what you used, too?
Brandi
No, TDE is different than encrypting the data while it is moving across the network. TDE is for encrypting data in the DB. If I understand correctly, it needs to be decrypted by the DB before sending it to your application. You need to use SSL if you want to protect the data from sniffers as it moves across the network.
David Stratton
Ahh, thank you. In that case TDE is something I will look into at a later time.
Brandi
+1  A: 

I'm a little bit confused about your request. Do you need to encrypt the data locally, or do you want to encrypt the connection between your app and the server? Or the data stored in the database tables? Or a combination of those?

Anyways, for the encryption of the connection (which includes authentication), you may want to have a look at the channel encryption feature of SQL Server. http://blogs.msdn.com/b/sql_protocols/archive/2005/10/04/476705.aspx

For local files or connection strings as well as binary data encryption (which may also be stored in its encrypted form in the DB), looking into the System.Security.Cryptography namespace is the way to go.

Lucero
+2  A: 

What you need is to protect the traffic between your application and the SQL Server. For this, simply follow the steps described in Encrypting Connections to SQL Server.

Next thing is that if you do store sensitive data, you want to store it encrypted in the database to protect against accidental media loss. The best solution, by far, is to use Transparent Database Encryption.

Neither of these solutions requires any single line of code change in your application. They are both deployment time, administrator controlled settings. Trying to roll your own solution for cryptography will get you nowhere fast. It is extremely easy to screw up royally in cryptography, and you won't even know it. It is much easier and far better to satisfy the requirements without changing your application, by simply leveraging encryption features provided by SQL (connection TLS, storage TDE).

Remus Rusanu
I am assuming specifying "Encrypt=yes" in the connection string is what article 1 means when it says "client requests encryption"? So, just to clarify, having a connection string that specifies "Encrypt=yes" will fail then if I don't have a certificate that I install directly on the server machine? But if I do have this certificate, then just using that in the connection string should make it okay for encrypted transmissions?
Brandi
`Encrypt=yes` means the client requests encryption, true. The server will use the current certificate it uses for client connections. Whether this certificate will or will not be trusted by the client is a more complicated issue. If the client app connects from hosts that are outside your administrative control, then the server *must* use a certificate signed by a trusted root authority (e.g. VeriSign). If the client host is under your control, then other (cheaper) options exist, as you can deploy additional trust roots on the client hosts (i.e. a corporate PKI).
Remus Rusanu
See http://support.microsoft.com/kb/318605
Remus Rusanu
Thank you so very much. :) So then, just to be sure, there is no way to use encryption without certificates?
Brandi
Certificates and SSL is your best option.
Remus Rusanu
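
The client side of the setup discussed in this thread, as an added example that is not part of any of the posts: it requests encryption in the connection string, keeps certificate validation on, and then asks the server whether the session really is encrypted. The host, database, login and the `EXAMPLE_SQL_PASSWORD` environment variable are placeholders, and reading `sys.dm_exec_connections` assumes the login has VIEW SERVER STATE permission.

```csharp
using System;
using System.Data.SqlClient;

class EncryptedConnectionCheck
{
    // Builds a connection string that requests TLS and validates the server certificate.
    static string BuildConnectionString(string server, string database, string user, string password)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = server;             // must match the name in the server certificate
        b.InitialCatalog = database;
        b.UserID = user;
        b.Password = password;
        b.Encrypt = true;                  // client requests encryption ("Encrypt=True")
        b.TrustServerCertificate = false;  // do not skip chain and host name validation
        return b.ConnectionString;
    }

    static void Main()
    {
        // Placeholder values; the password is read from a hypothetical environment variable.
        string password = Environment.GetEnvironmentVariable("EXAMPLE_SQL_PASSWORD") ?? "";
        string cs = BuildConnectionString("sqlhost.example.internal", "ExampleDb", "svc_example", password);

        try
        {
            using (SqlConnection conn = new SqlConnection(cs))
            {
                conn.Open(); // fails here if the certificate is missing or not trusted by this host

                // Ask the server how it sees this session (assumes VIEW SERVER STATE permission).
                using (SqlCommand cmd = new SqlCommand(
                    "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
                {
                    string encrypted = Convert.ToString(cmd.ExecuteScalar());
                    Console.WriteLine("encrypt_option = " + encrypted);
                    if (!String.Equals(encrypted, "TRUE", StringComparison.OrdinalIgnoreCase))
                        Console.Error.WriteLine("Connection is NOT encrypted.");
                }
            }
        }
        catch (SqlException ex)
        {
            // Certificate trust failures are reported as a SqlException when the connection opens.
            Console.Error.WriteLine("Connection failed: " + ex.Message);
        }
    }
}
```

Setting `TrustServerCertificate` to true would still encrypt the channel but skips certificate validation, so the client no longer verifies which server it is talking to.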