Encrypt / decrypt data into database
I need to create a .NET application that will store some sensitive information in a database (like passwords, etc.). I could use symmetric encryption to encrypt them before I save them to the database, but if someone compiles the source, then the symmetric password can be compromised.
Since this will be a service application, I cannot ask the user for a symmetric password. I also cannot use the password associated with the machine, as this data will be read from different computers.
What would be the best way to do this?
Update: Hashes don't work for this case ... because someone needs to enter the correct password in order to check for a hash and it doesn't. The information should be in the database, but it will be retrieved by Windows service applications (no users here). No one can enter the password and check it for the hash, so I need to recover the original password ...
source to share
So you have an application that needs to encrypt / decrypt data, but doesn't require users to enter passwords to use it? First, it sounds like a security hole right there - the hacker doesn't need to get a key or password - they just need to get the app.
To do this safely, without storing the key in your application code, you will have to have some kind of password that came from the user that you could use to encrypt / decrypt the "real key" that is used to encrypt and decrypt the actual data.
If you are using a service to access data and no password is entered, you can create a unique string from the machine information and use it as a password to encrypt your key.
To do this on multiple machines, each machine will have its own "password" generated from the machine's information. This password will be used to create a key (unique to this computer), which will then be used to encrypt the public key (which is used to encrypt actual data). This information will be stored in the database in a simple table with two columns: MachineID and EncryptedSharedKey.
At startup, the service will check the machine information, generate its password, use it to generate its key, and use that key to decrypt the public key from the database table. He will then be able to use that shared key to encrypt / decrypt data.
When setting up a new machine with the service, you will have a separate program that will read the shared key from a text file, generate the machine key, create a row in the table with the machine ID and the encrypted shared key, then delete the program and text file using the unencrypted shared key.
It would be reasonably safe if someone was copying your program to another machine, but really just relied on obscurity. If someone figures out how you create a machine key and has access to one of the machines with the service on it, they can generate the machine key themselves using information from the compromised machine.
source to share
You can use Database-Level Encryption (assuming Sql Server as you said .net) and use Encrypted connections on Sql Server. This ensures data protection during storage and transfer to the application server.
This provides security without any special passwords - based on this, authentication to the database server can be based. Same as you, no encryption.
source to share
Save the password as a one-way hash. When the user enters a password for verification, hash their attempts in the same way as the password, and make sure the hash results match.
Here is an example in Php, but the concept is the same regardless of the language: How to store passwords in databases
Edit
You might want to look into database-level encryption. I am assuming you are using SQLServer: http://msdn.microsoft.com/en-us/library/cc278098.aspx
Oracle has similar encryption methods where the application using the table is unaware of the encryption. If you bind this to encrypted connections from your service and from the database, you should accomplish what appears to be yours after.
source to share