My organization decided to encrypt certain data in our database, and I was entrusted with the implementation of encryption. I need to be able to encrypt data, store the encrypted version in the VARCHAR field in our database, and then retrieve it and decrypt it back to its normal state.
On the surface it seems to be a simple task. There are many ways to implement encryption. The one I used earlier is based on the AES encryption code found in https://stackoverflow.com/a/167958/.
What complicates this is that I need to write code to encrypt / decrypt data in various applications that access our database, some of which are developed using different technologies. We have applications written in Coldfusion 5, in classic ASP and in ASP.NET 2.0. I need to be able to encrypt data and store it in a database using Coldfusion code, and then read and decrypt it back to its original form in ASP.NET. Or encrypt it in classic ASP and decrypt it in Coldfusion. Or any other combination of these platforms.
It turned out to be harder than I expected. Different classes / objects / functions / libraries that claim to use the same algorithms seem to generate different results, even if they are given the same data and the same shared secret. We used to use CAPICOM to provide encryption compatibility between Coldfusion and classic ASP. But I ran into difficulties trying to get this to work in ASP.NET. I read this article on how to get CAPICOM to work in .NET, but the suggestions do not work for me. I can't even create an interop class or import a reference to a COM object without getting an error. In addition, some of our production servers have operating systems that do not appear to be compatible with CAPICOM, so it could be a dead end anyway.
Does anyone have any suggestions on how I can implement encryption so that any of the three platforms can decrypt what others have encrypted while using a reasonably robust algorithm?
Edit 2011-12-29:
As noted in the comments below, I am currently hoping to find an ASP.NET solution compatible with some of our existing Coldfusion / ASP Classic applications that use CAPICOM. The reason for this is that our team does not want me to introduce a new encryption method in our code for our current purpose, unless I also revise our old applications that use encryption for another purpose to use the same method. He wants to use the same encryption method for both purposes. Since revising old applications to use the new encryption method means not just changing the code, but also tracking down all the data encrypted by the older applications, decrypting it and re-encrypting it using the new method, I hesitate to go this route if I don't have to. I hope I can find a way to get ASP.NET to read the existing encrypted data.
The encrypted data from our other Coldfusion and ASP Classic applications has been encoded using the CAPICOM COM object. As far as I can tell, the settings were universally AES encryption with the maximum key size (which, in my opinion, is 256-bit in the case of AES).
@Leigh's comment here provides a simplified example of how our existing CF applications use CAPICOM:
<cfscript>
    encryptObject = CreateObject("com", "CAPICOM.EncryptedData");
    encryptObject.Algorithm.Name = 4;      // 4 is AES
    encryptObject.Algorithm.KeyLength = 0; // 0 is MAX, I believe 256-bit in the case of AES
    encryptObject.SetSecret(sharedSecret);
    encryptObject.Content = stringToEncrypt;
    encryptedData = encryptObject.Encrypt(); // returns the encrypted blob as a Base64 string
</cfscript>
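The mismatches described in the question usually come from parameters a library fills in silently (how the key is derived from the shared secret, the IV, the cipher mode, the padding, the text encoding). As an added example that is not the question's code and does not reproduce CAPICOM's blob format (so it will not read existing CAPICOM data), here is a .NET 2.0-compatible AES-256-CBC routine in which every one of those parameters is explicit so the ColdFusion and classic ASP sides can mirror them exactly; the salt, iteration count and "IV || ciphertext" layout are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PortableAes
{
    // Every value below is part of the cross-platform contract: the ColdFusion
    // and classic ASP implementations must make exactly the same choices.
    const int KeyBytes = 32;       // AES-256 (CAPICOM's "maximum key length" for AES)
    const int IvBytes = 16;        // AES block size
    const int Iterations = 10000;  // PBKDF2-HMAC-SHA1 rounds (assumed value)
    // Constructed salt for this example; use a random, stored value in practice.
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("example-salt-16b");

    // RijndaelManaged with a 128-bit block is AES; Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 (both in .NET 2.0).
    static RijndaelManaged NewCipher(string sharedSecret)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.Key = new Rfc2898DeriveBytes(sharedSecret, Salt, Iterations).GetBytes(KeyBytes);
        return aes;
    }

    // Output layout: Base64( IV || ciphertext ), fresh random IV per message.
    public static string Encrypt(string plaintext, string sharedSecret)
    {
        using (RijndaelManaged aes = NewCipher(sharedSecret))
        {
            aes.GenerateIV();
            byte[] data = Encoding.UTF8.GetBytes(plaintext); // UTF-8 is part of the contract
            byte[] ct = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length);
            byte[] output = new byte[IvBytes + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, IvBytes);
            Buffer.BlockCopy(ct, 0, output, IvBytes, ct.Length);
            return Convert.ToBase64String(output);
        }
    }

    public static string Decrypt(string encoded, string sharedSecret)
    {
        byte[] input = Convert.FromBase64String(encoded);
        if (input.Length < IvBytes + 16 || (input.Length - IvBytes) % 16 != 0)
            throw new CryptographicException("malformed ciphertext");
        using (RijndaelManaged aes = NewCipher(sharedSecret))
        {
            byte[] iv = new byte[IvBytes];
            Buffer.BlockCopy(input, 0, iv, 0, IvBytes);
            aes.IV = iv;
            byte[] pt = aes.CreateDecryptor().TransformFinalBlock(input, IvBytes, input.Length - IvBytes);
            return Encoding.UTF8.GetString(pt); // CBC alone gives no integrity; add an HMAC over IV||ciphertext if tampering matters
        }
    }
}
```

A wrong shared secret or a modified ciphertext surfaces as a CryptographicException from the PKCS7 padding check, which is a weak signal; an HMAC checked before decryption is the reliable one.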