News:

Support the VirtueMart project and become a member

Main Menu

Data Encryption

Started by mrtrung, October 30, 2012, 05:15:59 AM

Previous topic - Next topic

mrtrung

Hi All,
according to the tutorial it is possible to set the encryption function of data stored in the db.
would it be possible to get a listing of fields that would be encrypted in the database?

We are looking to create an e-commerce site and would like all information stored in the database, such as: customer name, order information, shipping address and billing address, to be encrypted.
We are not planning on storing credit card data, but considering storing a truncated version of the credit card data? for example 4321********1234
Thank you,

Manson

#1
To encrypt any information,you can use  Rohos Disk or  Rohos Mini drive.
Encrypts data, Skype, ICQ, browsers and more

Click SSL

Implementing this carries a few challenges, questions, and concerns:

1. What is the schema of our database? If we were just storing the CreditCardNumber and CreditCardExpiration fields as plain-text, they'd likely be just varchar fields. But now that we want to encrypt them, what data type should these fields be?
2. How do we enrcypt the data before inserting it into the database? Likewise, once we read back the database data how can we decrypt it so that we can see it's plain-text value?
3. What encryption algorithm should be used, and how does the choice of the encryption routine affect the overall security of this approach? More bluntly, if a hacker gets his hands on this encrypted payment information, will he be able to decrypt it?
4. What consequences, if any, does encrypting the data stored in a table carry? Does it impede performance? Usability? Maintainability? Does it limit what queries I can run against the underlying data?

These are all great questions that we'll tackle throughout this article, some now, some later.

In order to store the encrypted data we'll use a field of type varbinary. That is, the encrypted data will be saved as a series of bytes. This means that from our ASP.NET application, when inserting or updating encrypted data, we'll need to:

1. Take the user's plain-text input,
2. Encrypt it,
3. Convert it from a string into a byte array, and, finally,
4. Issue the INSERT/UPDATE statement

Conversely, when reading the encrypted data from the database we'll need to do, essentially, the inverse:

1. Read the encrypted data from the database using a SELECT statement,
2. Convert it from a byte array into a string,
3. Decrypt it, and, finally
4. Work with the plain-text data

Get more from this link: http://www.4guysfromrolla.com/articles/081705-1.aspx