14 June 2009

Encrypt Sensitive Data in SQL Server 2005

SQL Server 2005 provides easier functions for encrypting and decrypting user sensitive information such as credit card numbers or bank account details, so as to deter any hacking attempts.

Data encryption in SQL Server 2005 can be done either by using password mechanism or by making use of keys and certificates. These methods are as follows:

1.Encryption by PassPhrase
This is a simple method in which we use the SQL method EncryptByPassPhrase('password','original_value') with our insert,update,select queries.

For an example suppose we have a table named user_info with the column named credit_card_no (varchar) in which we have to stored the encrypted credit card no then the query would be as follows:

Update user_info set credit_card_no=EncryptByPassPhrase('password',@credit_card_no);

where password is the key used to generate the encrypted value.
The same key is used to decrypt the credit_card_no as follows:

Select DecryptByPassPhrase('password',credit_card_no) as decrypted_no from user_info.

Note:The password has to be protected and remembered by the programmer. Hence can be vulnerable.


2.Encryption by Keys

The limitation of encryption by passphrase method is that we have to supply the password each time the data has to be accessed. But if we encrypt our symmetric key with a certificate then we won't have to pass the passphrase each time. To create a key or its certificate, we must first create or open the master key for the database.
The following command creates a master key:

create master key encryption by password='password';

Now we can create a certificate and then a symmetric key that is attached to that certificate. The following SQL script creates the certificate 'DemoCert' and a key 'DemoKey' associated with that certificate:

create certificate DemoCert with subject='Demo Certificate;

create symmetric key DemoKey with algorithm=AES_256 encryption by certificate DemoCert;

Now that we possess a key we can do encryption using the EncryptByKey() method and considering the previous table user_info as follows:

open symmetric key DemoKey decryption by certificate DemoCert;
update user_info set credit_card_no=EncryptByKey(Key_GUID('DemoKey'),@credit_card_no);

Similarly we can decrypt it as follows:

open symmetric key DemoKey decryption by certificate DemoCert;
select cast(DecryptByKey(credit_card_no) as varchar(16)) as decrypted_no from user_info;

This is a lenghty method but is very secure as we do not have to pass the password for the process of encryption/decryption.


So this is one advance features of SQL Server 2005 that not many of us use. But it can surely come in handy when dealing with large user database that requires some security features!!

03 June 2009

Directory, Files Listing using GridView

Web Hosting Control Panel Type Directory Listing!!
Have you ever seen a Control Panel provided for a web hosting account? Notice the way they use, to show all the files and folders inside your sites folders? Well just in case you were wondering how to do the same using ASP.NET 2.0 then let me tell you that i have achieved the same using quiet a simple technique that i found Googling around!

The following piece of code demonstrated how by using the System.IO namespace and the ASP.NET 2.0 GridView, we can achieve the task of folder/files listing very easily........

ASPX Page:

<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="true" />

<asp:GridView ID="GridView2" runat="server" AutoGenerateColumns="true" />


Code Behind:

protected void page_load()
{
ListFolder();
}

protected void ListFolder()
{
string basepath="~/myfolder";
DirectoryInfo dirInfo = new DirectoryInfo(Server.MapPath(basepath));

//For All Files
FileInfo[] fileInfo = dirInfo.GetFiles("*.*",SearchOptions.AllDirectories);

//For All Subdirectories
DirectoryInfo[] subDirInfo = dirInfo.GetDirectories("*.*",AllDirectories);

GridView1.DataSource = fileInfo;
GridView1.DataBind();

GridView2.DataSource = subDirInfo;
GridView2.DataBind();
}

As you can see this method takes very little code and you can even customize it to provide delete functionality. Furthermore by combining the files and folders dataset we can achieve a complete directory listing.