For the past two days I have been working on encrypting data using ASP.NET’s built-in cryptography classes. I experimented with TripleDES and Rijndael, the cipher standardized as the Advanced Encryption Standard (AES). Rijndael is accepted as a government standard for data security, so I’ve used it instead of 3DES. ASP.NET mostly uses encryption for cookie data and the viewstate data, which can be seen in a web page’s source code. However, you can also use these same encryption classes to secure the data stored in your database.
As a developer, I would prefer that my data be viewable in ad hoc database queries and error reporting, but for certain data, like credit card numbers and social security numbers, it is best that you don’t store the actual values in the database. Data can be stolen from a database. There are many media reports about companies that allowed customer data to be stolen from laptops, database backups, or insecure web applications. Companies can be held liable for data theft. As long as the sensitive data is encrypted in the database, it is not going to matter if it is stolen. Even a SQL injection attack will be ineffective if the cleverly crafted SQL statements bypass the application logic but merely retrieve encrypted data.
I’m not going to show any source code on this topic because WordPress is giving me too much trouble with source code formatting and I don’t want this particular code to be publicly available (not that it is unique or anything special).
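The approach the post describes, as an added example that is not the author's code: encrypting a single sensitive field with .NET's built-in AES (Rijndael) classes before it goes into a database column. It assumes the key is supplied from outside the database (configuration or a key store) and uses the `Aes` class rather than the older `RijndaelManaged`; the class name `FieldCrypto` and the sample card number are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example, not the post's own code: AES (Rijndael) encryption of one
// sensitive field before it is stored. Assumes a 256-bit key supplied from
// outside the database (config or key store) and a fresh random IV per value.
public static class FieldCrypto
{
    // Returns base64(IV || ciphertext), suitable for a varchar column.
    public static string Encrypt(string plaintext, byte[] key)
    {
        using (Aes aes = Aes.Create())   // RijndaelManaged in older .NET
        {
            aes.Key = key;
            aes.GenerateIV();            // never reuse an IV under one key
            byte[] plain = Encoding.UTF8.GetBytes(plaintext);
            using (ICryptoTransform enc = aes.CreateEncryptor()) // CBC/PKCS7 by default: confidentiality only, no integrity check
            {
                byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] stored = new byte[aes.IV.Length + cipher.Length];
                Buffer.BlockCopy(aes.IV, 0, stored, 0, aes.IV.Length);
                Buffer.BlockCopy(cipher, 0, stored, aes.IV.Length, cipher.Length);
                return Convert.ToBase64String(stored);
            }
        }
    }
    public static string Decrypt(string stored, byte[] key)
    {
        byte[] data = Convert.FromBase64String(stored);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];   // 16 bytes for AES
            Buffer.BlockCopy(data, 0, iv, 0, iv.Length); // IV was stored in front
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(data, iv.Length, data.Length - iv.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }
    public static void Main()
    {
        byte[] key = new byte[32]; using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key); // demo key only
        string stored = Encrypt("4111111111111111", key);     // constructed sample value
        Console.WriteLine(stored);                            // what the column would hold
        Console.WriteLine(Decrypt(stored, key) == "4111111111111111"); // round-trip check
    }
}
```

Keeping the key out of the database is what makes the post's point hold: a stolen backup or an injected query that returns these column values yields only ciphertext.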