views:

184

answers:

5

What is a secure way of storing a username and password (not ASP.NET membership details) within a database table that needs to be pulled out and decrypted to use for passing to a web service.

Each way I think about the problem I find security holes as the username and password need to be in plain text before being passed to the webservice.

A: 

Can't you use the webservice method to unencrypt them and pass in the encrypted string from the database?

Fermin
The web service is provided by a third party which I have no control over, and on each function call you pass the username and password in plain text (the web service is over SSL).
monkeylee
You didn't explain that in your initial post.
Fermin
+3  A: 

Some suggestions:

For storing the data

  1. Encrypt the data (CryptoAPI calls are best) when you insert it
  2. Make sure you have encryption enabled between the client and SQL Server
  3. If you are using SQL 2008, enable encryption of the MDF/LDF files

Passing to the web service

  1. If you are using .NET, there is SecureString to keep it secure in memory in your app.
  2. Make sure the web service uses SSL to secure it over the wire
Robert MacLean
+1  A: 

As Fermin says, do you have access to / control over the web service on the other end?

If so, you should send the details encrypted. However, even if you send a username and password pair encrypted, someone could still sniff them and have a valid pair of UN and PW.

HTTPS would help in this situation.

There is no 100% secure way of sending sensitive data over the wire. It's a case of doing the best you can.

Greg B
So, understanding that, as the web service expects the UN and PW as clear text, there will be a security hole at some point: what is the best way to secure the data in the DB, and where/how do I store the key that decrypts the encrypted values?
monkeylee
I think it would be useful if you could expand your original question with a bit more background, as you are now edging into where in your application the encryption/decryption should be done. Who owns the web service you are sending to, a 3rd party? Might there be someone sniffing at your server? More background would be really useful.
Greg B
The web service is a paid subscription service provided by an external company (that's all I can say). The web service is ASP.NET SOAP (ASMX), called over HTTPS, and restricted on their side by IP. When you call a function you pass the function parameters and the username and password in plain text. I think it's a case of how to secure the details within my system as best as possible. So I need to encrypt the data when it is entered on my site, save it to the DB encrypted, and when I need it, decrypt it and pass it to the web service. How do I therefore securely store my encryption keys, and what method should I use?
monkeylee
A: 

T-SQL supports a number of cryptographic functions that could be used to encrypt the data (e.g. via INSTEAD OF triggers, if the client is not already using stored procs).

Doing the encryption in the database engine should be a last resort; it is far better done earlier in the chain.

There was an article a few years back in MSDN magazine that covered the usage of these functions.

Richard
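The "encrypt when you insert, decrypt only when the web service call needs it" pattern from Robert MacLean's answer, done with the T-SQL cryptographic functions Richard mentions. This is an added example, not code from the thread or from either poster, and it answers the "where do I store the key" comment above in the way SQL Server 2008 provides: the AES key is protected by a certificate, which is protected by the database master key, so no key material sits in web.config or application code. Object names (VendorCredCert, VendorCredKey, dbo.VendorCredential, the AppLogin user) and the master-key passphrase are placeholders I have assumed.

```sql
-- Added example (not from the thread): SQL Server 2008 key hierarchy plus
-- ENCRYPTBYKEY/DECRYPTBYKEY wrapped in stored procedures.
-- Names (VendorCredCert, VendorCredKey, dbo.VendorCredential, AppLogin)
-- and the passphrase are assumed placeholders, not from the original post.

-- 1. Key hierarchy, run once per database: the database master key protects
--    the certificate, the certificate protects the symmetric AES key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Long-Random-Passphrase-1!';
GO
CREATE CERTIFICATE VendorCredCert WITH SUBJECT = 'Protects VendorCredKey';
GO
CREATE SYMMETRIC KEY VendorCredKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE VendorCredCert;
GO

-- 2. The table holds ciphertext only. ENCRYPTBYKEY output carries the key
--    GUID and a random IV, so it is longer than the plaintext: size generously.
CREATE TABLE dbo.VendorCredential (
    CredentialId int IDENTITY(1,1) PRIMARY KEY,
    VendorName   nvarchar(100)   NOT NULL UNIQUE,
    UserNameEnc  varbinary(8000) NOT NULL,
    PasswordEnc  varbinary(8000) NOT NULL
);
GO

-- 3. Encrypt on insert. WITH EXECUTE AS OWNER lets the procedure open the
--    key; the application login needs no rights on the key or certificate.
--    The VendorName is used as an authenticator so a ciphertext copied from
--    one row into another will no longer decrypt.
CREATE PROCEDURE dbo.VendorCredential_Insert
    @VendorName nvarchar(100),
    @UserName   nvarchar(100),
    @Password   nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY VendorCredKey DECRYPTION BY CERTIFICATE VendorCredCert;
    INSERT dbo.VendorCredential (VendorName, UserNameEnc, PasswordEnc)
    VALUES (@VendorName,
            ENCRYPTBYKEY(KEY_GUID('VendorCredKey'), @UserName, 1, @VendorName),
            ENCRYPTBYKEY(KEY_GUID('VendorCredKey'), @Password, 1, @VendorName));
    CLOSE SYMMETRIC KEY VendorCredKey;
END
GO

-- 4. Decrypt only at the moment the web-service call needs the plaintext.
--    DECRYPTBYKEY returns NULL (not an error) when the key is not open, does
--    not match, or the authenticator differs, so the caller must check for NULL.
CREATE PROCEDURE dbo.VendorCredential_Get
    @VendorName nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY VendorCredKey DECRYPTION BY CERTIFICATE VendorCredCert;
    SELECT CONVERT(nvarchar(100), DECRYPTBYKEY(UserNameEnc, 1, VendorName)) AS UserName,
           CONVERT(nvarchar(100), DECRYPTBYKEY(PasswordEnc, 1, VendorName)) AS Password
    FROM   dbo.VendorCredential
    WHERE  VendorName = @VendorName;
    CLOSE SYMMETRIC KEY VendorCredKey;
END
GO

-- 5. Least privilege: the web application's database user (assumed name
--    AppLogin) can only run the two procedures; it has no SELECT on the
--    table and no permission on the key or certificate.
GRANT EXECUTE ON dbo.VendorCredential_Insert TO AppLogin;
GRANT EXECUTE ON dbo.VendorCredential_Get    TO AppLogin;
GO

-- Usage:
-- EXEC dbo.VendorCredential_Insert N'ExampleVendor', N'svc-user', N'svc-pass';
-- EXEC dbo.VendorCredential_Get    N'ExampleVendor';
```

Two caveats a practitioner will want. First, this protects against a stolen backup or a low-privilege database reader, not against anyone with CONTROL on the database (a DBA or a SQL injection running as a high-privilege login can open the key and decrypt), which is why Richard calls engine-side encryption a last resort. Second, the master key is by default also protected by the instance's service master key, so a backup restored onto another server cannot open it without the passphrase; keep that passphrase and a BACKUP CERTIFICATE ... WITH PRIVATE KEY copy somewhere safer than the database, or the credentials are unrecoverable after a server loss.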
+1  A: 

IMHO you never unencrypt data...

Use a one-way encryption to encrypt the data before you first save it; use this on the password and user name.

When the user logs on you encrypt the username and password and then check that the encrypted values match those on the DB, i.e. you do not need to unencrypt.

Because it's one-way encryption it is very hard to decrypt (some say it just takes too long to make it worth hacking); that's why it's one way...

The MS crypto class offers one-way encryption.

hope this helps

Jules

Yes, this is definitely the way I would do it. Passing around hashes is far safer.
Chris Simpson
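The one-way ("hash and compare") scheme Jules and Chris Simpson describe, as an added example that is not code from the thread, written in T-SQL so it sits alongside the other SQL Server material on this page. It uses HASHBYTES and CRYPT_GEN_RANDOM (SQL Server 2008+) with a per-user random salt. Note the scope: this verifies a login against your own site without ever reversing the stored value; it cannot serve the credential the original poster has to forward, because, as stated above, the third-party service needs the actual plaintext on every call. Table and procedure names are assumed placeholders.

```sql
-- Added example (not from the thread): salted one-way hash for verifying a
-- login against your own site. dbo.SiteUser and the procedure names are
-- assumed placeholders.
CREATE TABLE dbo.SiteUser (
    UserId       int IDENTITY(1,1) PRIMARY KEY,
    UserName     nvarchar(100) NOT NULL UNIQUE,
    PasswordSalt varbinary(16) NOT NULL,
    PasswordHash varbinary(32) NOT NULL   -- SHA-256 output is 32 bytes
);
GO

-- Store salt + hash; the plaintext password is never written to the table.
CREATE PROCEDURE dbo.SiteUser_Register
    @UserName nvarchar(100),
    @Password nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    -- A fresh random salt per user, so two users with the same password
    -- get different hashes and a precomputed table is useless.
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    INSERT dbo.SiteUser (UserName, PasswordSalt, PasswordHash)
    VALUES (@UserName, @Salt,
            HASHBYTES('SHA2_256', @Salt + CONVERT(varbinary(200), @Password)));
END
GO

-- Returns @IsValid = 1 when the password matches, 0 otherwise. The stored
-- hash is never reversed; the candidate is hashed with the stored salt and
-- the two hashes are compared, which is the "check the encrypted values
-- match" step from the answer above.
CREATE PROCEDURE dbo.SiteUser_Verify
    @UserName nvarchar(100),
    @Password nvarchar(100),
    @IsValid  bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsValid = 0;
    IF EXISTS (
        SELECT 1
        FROM   dbo.SiteUser
        WHERE  UserName = @UserName
        AND    PasswordHash = HASHBYTES('SHA2_256',
                   PasswordSalt + CONVERT(varbinary(200), @Password)))
        SET @IsValid = 1;
END
GO

-- Usage:
-- EXEC dbo.SiteUser_Register N'alice', N'correct horse battery staple';
-- DECLARE @ok bit;
-- EXEC dbo.SiteUser_Verify N'alice', N'wrong password', @ok OUTPUT;  -- @ok = 0
-- EXEC dbo.SiteUser_Verify N'alice', N'correct horse battery staple', @ok OUTPUT;  -- @ok = 1
```

A single SHA-256 pass is fast to brute-force once the table leaks, so where the application can do the hashing itself, a deliberately slow, iterated scheme (PBKDF2, which .NET exposes as Rfc2898DeriveBytes, or bcrypt) is the better choice; the salt-and-compare structure stays the same.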