Encryption in custom features

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

9/10/2010 8:47:09 AM
Total Posts 8

Encryption in custom features

Joe,

Do you have wrapper methods for encrypting and decrypting data? I have a couple of tables where I'd like to encrypt the data in a few fields.

Thanks,

Bruce Browning

9/10/2010 9:00:19 AM
Total Posts 18439

Re: Encryption in custom features

using mojoPortal.Web.Framework;

string clearText = "mySecretValue";

// Encrypt returns the ciphertext as a string; this is the value to persist in the database field.
string encrypted = CryptoHelper.Encrypt(clearText);

// Decrypt reverses it, giving back the original clear text.
string decrypted = CryptoHelper.Decrypt(encrypted);

Note that it will throw an exception if you try to decrypt a string that is not encrypted.

9/10/2010 9:08:43 AM
Total Posts 8

Re: Encryption in custom features

Thanks, Joe.

9/11/2010 8:35:53 AM
Total Posts 9

Re: Encryption in custom features

Joe,

Could you go into a little more detail about the encryption methods that you use? I see that you have both an Encrypt() as well as an EncryptRijndaelManaged() method. Which encoding method does Encrypt() use? Are either of these secure enough to store credit card info in a custom module?

Thanks for any info you can provide,

Jim

9/11/2010 10:13:58 AM
Total Posts 18439

Re: Encryption in custom features

Hi,

You could look at the source code and see that the Encrypt and Decrypt methods are using RSACryptoProvider which uses RSA. It is a decent encryption algorithm but not necessarily the strongest possible. .NET 3.5 introduced a newer AesCryptoProvider which is probably stronger and what I would have used except I implemented this method long before .NET 3.5 came out. Of course the stronger encryption you use requires a larger field in the database.

I don't recommend using the EncryptRijndaelManaged method because it has a hard-coded key in source code. It was something I was experimenting with a long time ago for encrypting cookies, but it is only used in one place currently in mojoPortal and is not really storing anything sensitive in the cookie where I am using it.

Encryption is a complex topic and I don't claim to be a cryptography guru.

What I can tell you is I would never ever ever persist credit card information in the database. Keeping the credit card data around for easy future purchases is exposing the customer to risks for which you may be liable if the data is stolen. Maybe the Amazons of the world can mitigate the risks or handle the liability of doing such things in the name of customer convenience but I would never recommend it unless you have full time security engineer(s) designing and managing your application. For normal people storing credit card data is asking for trouble.

Encrypted data can be decrypted and it is very difficult to truly secure the keys, so just because you encrypt something should not lead to a sense of security. It is not required to store credit card data at all; it can be posted to the card processor using SSL, and the auth code returned is all you need to keep.

What you need to understand about the CryptoHelper.Encrypt method is that the RSA key is located on disk in the root of the web in the mojoEncryption.config file. That means unless you put a different key there that you generate yourself, anyone using mojoPortal can get the key. If you do generate your own key you should put it there before you use CryptoHelper on any data, because if you change the key it won't be able to decrypt data encrypted with the previous key.

http://stackoverflow.com/questions/41220/is-there-a-best-net-algorithm-for-credit-card-encryption

You should probably read up on the Visa guidelines that discuss prohibited data retention; there are a number of PDF downloads here:

http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Hope it helps,

Joe
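A constructed illustration of the key handling Joe describes above, added here and not mojoPortal's CryptoHelper code: a hypothetical RsaFieldCrypto helper (the names GenerateKeyXml, Encrypt, Decrypt, Rotate and Main are assumptions) that keeps one RSA key pair as XML the way mojoEncryption.config does, shows why the ciphertext column needs a fixed width, why decrypting under a different key throws, and how stored values have to be re-encrypted when the key is replaced.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not mojoPortal's CryptoHelper): one RSA key pair, persisted as
// XML like mojoEncryption.config, used to encrypt individual database fields.
public static class RsaFieldCrypto
{
    // Generate a key pair. Persist this XML BEFORE encrypting any rows: ciphertext
    // produced under one key cannot be read with another.
    public static string GenerateKeyXml(int keySizeBits)
    {
        using (var rsa = new RSACryptoServiceProvider(keySizeBits))
            return rsa.ToXmlString(true); // true = include the private key
    }

    public static string Encrypt(string keyXml, string clearText)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(keyXml);
            // OAEP padding. Output is always keySize/8 bytes (256 for a 2048-bit key), so the
            // column must be sized for that, and input longer than about 214 bytes is rejected.
            byte[] cipher = rsa.Encrypt(Encoding.UTF8.GetBytes(clearText), true);
            return Convert.ToBase64String(cipher);
        }
    }

    public static string Decrypt(string keyXml, string cipherBase64)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(keyXml);
            byte[] clear = rsa.Decrypt(Convert.FromBase64String(cipherBase64), true);
            return Encoding.UTF8.GetString(clear);
        }
    }

    // Key rotation: decrypt every stored value under the old key, re-encrypt under the new one.
    public static string Rotate(string oldKeyXml, string newKeyXml, string cipherBase64)
    {
        return Encrypt(newKeyXml, Decrypt(oldKeyXml, cipherBase64));
    }

    public static void Main()
    {
        string oldKey = GenerateKeyXml(2048), newKey = GenerateKeyXml(2048);
        string stored = Encrypt(oldKey, "mySecretValue"); // constructed sample field value
        try { Decrypt(newKey, stored); }                  // wrong key: the padding check fails
        catch (CryptographicException e) { Console.WriteLine("wrong key: " + e.Message); }
        string migrated = Rotate(oldKey, newKey, stored); // what a key change requires per row
        Console.WriteLine(Decrypt(newKey, migrated));     // readable again under the new key
    }
}
```

The same CryptographicException is what a caller sees when handing Decrypt a value that was never encrypted, so code reading these fields should treat a failed decrypt as a data or key problem, not a parsing one.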
