My organization has decided to encrypt certain data in our database, and I’ve been given the task of implementing the encryption. I need to be able to encrypt the data, store the encrypted version in a VARCHAR field in our database, and later retrieve it and decrypt it back to its usual state.
On the surface it seems like a simple task. There are a number of ways to implement encryption. One I’ve used before is based on the AES encryption code found in this StackOverflow question.
What makes it harder in this case, is I need to write code to encrypt/decrypt the data in various applications that access our database, some of which are developed using different technologies. We have applications written in Coldfusion 5, in Classic ASP, and in ASP.NET 2.0. I need to be able to encrypt data and store it in the database with Coldfusion code, and then read and decrypt it back to its original form in ASP.NET. Or encrypt it in Classic ASP and decrypt it in Coldfusion. Or any other combination of these platforms.
This has proven to be harder than I expected. Different classes/objects/functions/libraries that claim to use the same algorithms seem to generate different results even when given the same data and the same shared secret. In the past, we’ve used CAPICOM to provide encryption interoperability between Coldfusion and Classic ASP. But I’ve run into trouble trying to get that to work in ASP.NET. I’ve read this article about how to get CAPICOM to work in .NET, but the suggestions haven’t been working for me. I can’t even seem to generate an interop class or import a reference to the COM object without getting an error. Also some of our production servers have operating systems that don’t appear to be compatible with CAPICOM, so that may be a dead end anyway.
Does anyone have any suggestions as to how I can implement encryption in such a way that any of the 3 platforms can decrypt what the others have encrypted, while still using a reasonably-strong algorithm?
Edit 2011-12-29:
As noted in the comments below, I am currently hoping to find an ASP.NET solution that is compatible with some of our existing Coldfusion/ASP Classic code that uses CAPICOM. The reason for this is that our team lead doesn’t want me to introduce a new encryption method into our code for our current purpose unless I also revise our older apps using encryption for a different purpose to use the same method. He wants to use the same encryption method for both purposes. Since revising our old apps to use a new encryption method means not just changing the code, but also tracking down all the data encrypted by the older apps, decrypting it, and re-encrypting it using the new method, I’m hesitant to go that route unless I have to. Hopefully, I’ll find a way to get ASP.NET to read the existing encrypted data.
The encrypted data from our other Coldfusion and ASP Classic applications was encoded using the CAPICOM COM object. As far as I can tell, the settings have universally been AES encryption, maximum key size (which I believe is 256-bit in AES).
At @Leigh’s request, here is a simplified example of how our existing CF apps use CAPICOM:
<cfscript>
encryptObject = CreateObject("com","CAPICOM.EncryptedData");
encryptObject.Algorithm.Name = 4; // 4 is AES
encryptObject.Algorithm.KeyLength = 0; // 0 is MAX, I believe 256-bit in the case of AES
encryptObject.SetSecret(sharedSecret);
encryptObject.Content = stringToEncrypt;
encryptedData = localScope.encryptObject.Encrypt();
</cfscript>
Since you have the common database platform between all of the systems, I would leave your encryption/decryption there. Here’s an article about column-specific encryption within SQL 2005:
http://msdn.microsoft.com/en-us/library/ms179331(v=sql.90).aspx