We are designing a .NET web application that has an external and internal site.

Both sites need to encrypt data; only the internal site needs to decrypt data.

We are wondering what are the best practices for:

  • Which encryption method to choose?
  • Where to store the encryption / decryption key?
+2  A: 

A secure asymmetric encryption algorithm is what you need. Such an algorithm has two keys: A public key, that can be used to encrypt, but not decrypt, and a private key, which can be used to decrypt.

Choose an algorithm, making sure to research its characteristics (RSA is the common choice in .NET I think); generate a private/public key pair, store the private key somewhere on the internal site where it cannot be accessed from outside, and put the public key somewhere both the internal and the external site can find it.

tdammers
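The split described in the answer above, as an added C# example that is not part of the original answer. It goes one step beyond raw RSA: RSA-OAEP can only encrypt inputs smaller than the key, so each record is encrypted with a fresh AES-GCM key and only that key is wrapped with the public key. It assumes .NET 8 or later; the `Envelope` class, the blob layout and the sample record are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class Envelope   // hypothetical helper, not a framework type
{
    // Runs on either site: needs only the public key (SubjectPublicKeyInfo bytes).
    public static byte[] Encrypt(byte[] publicKeySpki, byte[] plaintext)
    {
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(publicKeySpki, out _);
        byte[] aesKey = RandomNumberGenerator.GetBytes(32);  // fresh key per message
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] tag = new byte[16];
        byte[] ct = new byte[plaintext.Length];
        using (var aes = new AesGcm(aesKey, 16))
            aes.Encrypt(nonce, plaintext, ct, tag);
        byte[] wrapped = rsa.Encrypt(aesKey, RSAEncryptionPadding.OaepSHA256);
        // Layout: wrapped key (modulus size) | nonce (12) | tag (16) | ciphertext
        return wrapped.Concat(nonce).Concat(tag).Concat(ct).ToArray();
    }

    // Runs on the internal site only: requires the private key.
    public static byte[] Decrypt(RSA privateKey, byte[] blob)
    {
        int k = privateKey.KeySize / 8;          // length of the wrapped key
        if (blob.Length < k + 28)
            throw new CryptographicException("Truncated envelope.");
        byte[] aesKey = privateKey.Decrypt(blob[..k], RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[blob.Length - k - 28];
        using (var aes = new AesGcm(aesKey, 16))   // throws if the blob was modified
            aes.Decrypt(blob.AsSpan(k, 12), blob.AsSpan(k + 28), blob.AsSpan(k + 12, 16), plaintext);
        return plaintext;
    }
}

static class Demo
{
    static void Main()
    {
        // Internal site: generate the pair once; the private key never leaves it.
        using RSA internalKey = RSA.Create(3072);
        byte[] publicSpki = internalKey.ExportSubjectPublicKeyInfo();  // shared with both sites
        byte[] blob = Envelope.Encrypt(publicSpki, Encoding.UTF8.GetBytes("constructed sample record"));
        Console.WriteLine(Encoding.UTF8.GetString(Envelope.Decrypt(internalKey, blob)));
    }
}
```

In a real deployment the internal site would load its private key from a protected store instead of generating it at startup as this demo does.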
+1  A: 

There are some good MSDN articles which I'd like to recommend, under the "Security Briefs" banner.

The first is Encrypting without secrets, which discusses the sort of split you'd want to implement, where the external site can only encrypt (no chance of a broken site revealing previously encrypted info).

The second is Cryptographic agility, which discusses planning from the outset to replace your encryption methods as, or when, they are no longer considered strong.

Damien_The_Unbeliever