What is a simple and effective means of encrypting data?

Asked by LostInParadise (17945 points) July 21st, 2012

I know the theory behind symmetric and asymmetric encryption keys but I do not know how to use them for a Web application. This is not a theoretical question. I work for a company that does Web programming for a government agency. It seems to me that the current encryption method is insecure for the following reasons:

1. It is done on the server side, which would seem to be completely useless.

2. Only the password is encrypted. If this were done on the client side, the encryption would at least prevent someone intercepting the data from stealing the password, but it would still allow someone to read the information and to inject information by using the encrypted password.

3. The encryption is done using a rather unsophisticated substitution cipher.

Our programming is done in .NET. I have heard about TLS encryption, but I don’t know how it works. There are some Web articles that make it seem as if it is just necessary to configure a computer and it will then automatically use TLS. It can’t be that easy. I don’t need to know the specifics. I just need to know the general strategy.

7 Answers

Can you “salt” the encryption of the password?
some basic info
some comments pro and con
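The salted approach anartist is pointing at, as an added example that is not part of the thread: passwords are not encrypted with a reversible cipher at all, but run through a slow, salted key-derivation function (PBKDF2 here) and only the salt and the derived hash are stored. The scheme is language-agnostic; in .NET the same PBKDF2 derivation is available through the `Rfc2898DeriveBytes` class.

```python
# Added example (not from the thread): salted PBKDF2 password storage,
# in place of a substitution cipher. Stored record format is constructed
# for this example: "iterations$salt_hex$hash_hex".
import hashlib
import hmac
import os
from typing import Optional

# Work factor. OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256;
# kept lower here only so the example runs quickly.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record from a password.

    A fresh random salt per user means two users with the same password
    get different records, so one precomputed dictionary cannot be run
    against a whole stolen table.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iter_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_str)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: a failed login, never an exception to the user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(digest, expected)


def salting_makes_records_differ(password: str) -> bool:
    """Same password hashed twice must yield two different stored records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
    print(salting_makes_records_differ("hunter2"))                    # True
```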

To my knowledge, SSL and TLS both encrypt data based on a key based on your certificate. Some are self-signed, some are verified by a third party, but all rely on a key encrypted by a certain certification… one that may or may not be shared like an STD. One of the forums I frequent uses a self-signed cert that is automatically given to anybody who has a username; not very secure.

Having server-side encryption is essential, but even more important is controlling access to the decryption key. Also, substitution ciphers suck; you need rolling encryption like the Enigma cipher to be even remotely secure. Don’t use something nearly as simple as the Enigma logarithm though; while complex to the human mind, it’s utterly simple to a decrypting computer. I can decrypt Enigma on my phone. Encryption is an arms race, and stuff that was impregnable ten years ago can be broken in less than a week now, and stuff that used to take weeks now takes seconds.

Research Bruce Schneier. If you want/need to know anything about encryption/decryption and you don’t know Schneier, you fail. Schneier == cryptography.

@jerv, What is the benefit of server side encryption? What can possibly happen once the data makes it from the client to our local servers? Isn’t the problem about what happens en route from client to server? Are you familiar with PGP?

I was under the assumption that the data was stored on the server and accessed remotely by the client. Then again, “client” and “server” are relative terms anyways. I’ve been dealing with peer-to-peer networks for too long for “server” to have much meaning to me. Either way, whichever end has the data needs to encrypt it and encrypt it well before it ever sees a data line.

I am aware of PGP. I am unhappy that it is now a Symantec product, but so long as OpenPGP is around, I am not miserable. I also like that PGP is on many governments’ shit lists for refusing to introduce a government-accessible back door (something Symantec may decide to do, hence my preference for OpenPGP) and is uncrackable by current cryptographic techniques; any successful attacks against it have been the result of obtaining the passkey by other means (key logger, intimidating a key-holder, throwing them in prison for nine months…) rather than actually breaking the code.

Is there a way of incorporating OpenPGP into a .NET environment? What I want is a way for a client to be able to enter data, then have the data be encrypted and sent to the server, and then finally have the server decrypt the data and send it to a local database. The government will have no objections in this case, because the work is being done for a government agency. I know that sites like PayPal use encryption and the process is fully automated. That is what I would like to have, but I have no idea where to begin.

I am sure there is, but I personally am not familiar enough with .NET to even begin to tell you how to go about it. I will have to ask my web-dev buddy. (I’m more of a hardware person; I let him handle the software end.)