Encryption

[Guest]

Lets say there are values in the database that are encrypted but need to be
decrypted to display to an authenticated user on a web site.

Now the problem is that somewhere along the way during a request by an
authenticated user that data must be decrypted and displayed to the user.

Now, lets say we also want to prevent anyone packet sniffing from being able
to decipher the data.

It would seem to me that the data must remain encrypted all the way to the
client and then decrypted via javascript so that the data is never in its
true form through a wire.

But then the question becomes how does one leverage the wonderful
cryptography namespace in the framework on the client...well obviously you
can't since it is a SERVER side component.

If anyone can shed some light on this please do.

Thanks

 

[Mark Fitzpatrick]

The javascript won't do much good either because whoever wants to look at it
would have your entire decryption algorithm at their disposal. That's where
SSL comes in. To really secure it, get an SSL certificate and use the app
through an https connection instead to mitigate this issue. You can then
decrypt the data server-side after it comes out of SQL server, then display
it to the user over a secure SSL connection.

 

[Mark Rae]

It would seem to me that the data must remain encrypted all the way to the
client and then decrypted via javascript so that the data is never in its
true form through a wire.

This is without doubt the worst possible thing you could do in this
situation - JavaScript is client-side, so the entire decryption routine /
algorithm would need to be downloaded to the client machine, where it would
run.

UNDER NO CIRCUMSTANCES DO THIS!!!

But then the question becomes how does one leverage

AAARRRGGGHHH!!! The *L* word...

If anyone can shed some light on this please do.

Extremely simple - get an SSL certificate from a known and trusted
certification authority.