I need to encrypt / decrypt passwords for a new application. The spec requires me to use AES; can anyone suggest a good reason to either
- do all my encryption in the database layer using CLR functions, or
- do it at the .Net app layer, or
- use a mixture of db and server?
I am going to be validating passwords; the app is n-tiered using Telerik ORM. The only real functions are going to be create/update password and check the entered value.
In my gut I think
- the database is better for validating the user's entered password against an existing record; and
- the front end is better for creating/updating passwords (so the plain text password is never transmitted).
I am interested in other thoughts and suggestions as to why I might do an alternative. If you are suggesting I do it in the front end, what are your thoughts around encryption keys? One per user in XML or one per app in a config file?
Thanks for any suggestions :)