Q

How should I encrypt my Web site data?

I am developing an e-commerce site that will use SQL Server 2000 accessible via ASP. I am using a public hosting company to host this Web site (and their SQL server).

I want the Web site users to enter their proprietary information via the usual form-based interface, and then I want to save that information in the SQL database in a safely encrypted form (so that I can decrypt it, if needed).

What publicly available tools would you suggest I use for encrypting the data, so that the data would be safe, even if both the database AND the Web site are hacked? Also at what point should I encrypt the data? In SQL? In ASP?

All of that is certainly possible if you store the authentication information using one-way hashes. Microsoft has a good article about doing that in .NET (I hope you're using ASP.NET and not ASP 3.0).

Of course, if someone hacks your ASP box, they could replace your login mechanism with their own and collect the usernames and passwords that are submitted from that point forward. Also, one-way hashes aren't foolproof, and may be compromised using brute-force attacks. Once your box is hacked, it's not yours anymore. It depends on what the site is used for. If you're with the government, you're likely to attract the attention of very sophisticated hackers. If you run a small Web site, most of your attacks will come from worms and viruses, with an occasional script-kiddie. Even the simplest encryption will be more than enough to keep these simpler attackers from misusing the stored credentials.

This was first published in December 2002