Encrypting Salary value in ASP .NET 2.0 and SQL Server 2005

Question

Hi,

I have an ASP .NET 2.0 website connected to a SQL Server 2005 database. The site is pretty simple and stores information about staff, including salary.

What is the best way to encrypt the salary value so no-one (including myself) can ever see what it is, except for the authorised staff using the web-app?

I don't want to encrypt / decrypt on the SQL Server because I could just run SQL Profiler to view the information, so I assume the encrypt/decrypt happens in the BLL on the web server?

Also, do I need SSL to stop someone sniffing HTTP responses between the browser and the web server?

Many thanks!

Anthony

Answer 1

SSL is probably your best bet to keep someone from sniffing, but be aware that it is still possible.

As for the other bit, SQL Server 2005 supports table-level encryption out of the box. Here's an article on it. You could create a SALARY table that is linked to an employee and keep that table encrypted.

Answer 2

There are many encryption methods you could use here in your code. Make sure you choose one that takes a key and a "salt" (as opposed to just using the same key each time). If you use the same key (without a salt) each time you encrypt a salary, then two employees with the same salary will display the same encrypted value in the database, compromising the security of the salary info.

You could use each employee's unique ID as the salt.

Answer 3

You definitely need SSL to prevent sniffing of the sensitive web traffic (not to mention logins), but that doesn't solve your server-side encryption problem.

To make it impossible for you as the developer to access the data is a tough nut to crack. In order for it to really work, all the encryption/decryption needs to be done only on machines that you have no access to. Theoretically you would have to make some sort of browser extension that decrypts the salary data on the client machines. Your employer would have to trust you enough to not put a backdoor into the client-side code (or at least hold the possibility of a code audit over your head).

In most cases, it is easier to trust the developer to not disclose the data. It's a good idea to keep it on a need-to-know basis, but ultimately some people need to know. (For instance, accounting people see salary data all the time.)

Answer 4

You definitely want to use SSL for the transportation security. You could also setup IPSec for the transportation between the web server and database server.

As for securing in the database, SQL Server 2005 has several encryption functions:

1) EncryptByAsymKey - http://msdn.microsoft.com/en-us/library/ms186950.aspx
2) EncryptByKey - http://msdn.microsoft.com/en-us/library/ms174361.aspx
3) EncryptByPassPhrase - http://msdn.microsoft.com/en-us/library/ms190357.aspx
4) EncryptByCert - http://msdn.microsoft.com/en-us/library/ms188061.aspx

Obviously, all of these have an associated decrypt function.

You can store the key or whatever you choose on the web server (in the machine.config or web.config or somewhere) and then pass it to your stored procedures (or along with your sql somehow) for the encryption.

Answer 5

Developers of the webapp could still access the salary figures -- it's all a matter of trust. To counter that, you could switch to the model where the encryption/decryption happens on the client-side, but this is more cumbersome and still not 100% secure. Security is always a trade-off with convenience.

You should use TLS/SSL (i.e., HTTPS) so that eavesdropping on the HTTP traffic is harder to perform.

An attack you may consider, is replacing your own encrypted salary figure with that of the person you are interested in, then calling up the accounting department and asking what your current salary figure is. One way to negate the attack is to have the contents of the encrypted salary field reference the person it belongs to.