encrpyt salary data

Re: encrpyt salary data

On Mon, 17 Nov 2003 10:26:15 -0600, "ljb" <.> wrote:
[color=blue]
>The majority here are Civil Engineers as are all the managers.[/color]

Around here we'd prefer that neither engineers nor managers be allowed
to procreate... :)
[color=blue]
>"Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
>news:uw5sDLSrD HA.2772@TK2MSFT NGP12.phx.gbl.. .[color=green][color=darkred]
>> > then send them back to their desk with instructions
>> > to procreate.[/color]
>>
>> Geez, we can get fired around here for that. :-)[/color][/color]

Re: encrpyt salary data

Here's what I did with that particular problem at a gov't site with
international users. (This may sound complex, but it really isn't, and
worked out very nicely. It also got us blessed in a stringent security
review.)

Let me note that the problem in encryption is the problem of key management.
Therefore, I built the solution around the use of public key crypto.

1. In this approach, the user's password is the private key. We don't
store that, but rather its hash, for login authentication.
2. At login, that private key is carried in a form field to the script
doing the lookup, decrypt, and display.
3. The public key, calculated from the password/private key, is used by the
data load script for encryption. It's perfectly secure to retain this
public key in the database, since the private key, the user's password,
can't be derived from it.

What's stored in the database? Only the public key, which is universally
considered safe for publication, and an MD5 hash of the public key, also
safe. Secondly, the salary info is secure from what's widely known to be
the bigtime risk, the insider. And thirdly, even if one password is broken,
all the others remain secure.

I used a very nice COM product for this: see it at www.dyncrypto.com Quite
inexpensive, good sample scripts, and easy to use.

AS

Re: encrpyt salary data

Correction: That " ...MD5 hash of the public key ... " should be "MD5 hash
of the PRIVATE key", the user's password.

AS

Re: encrpyt salary data

Send Me an email and I pass a function onto you, .
support@assoft. com.au

"ljb" <.> wrote in message news:urvnLcRrDH A.360@TK2MSFTNG P12.phx.gbl...[color=blue]
> Anyone have a good idea for encrypting salary data in US $? I have an[/color]
Access[color=blue]
> database with some salary info connected to ASP on our intranet. My[/color]
manager[color=blue]
> is somewhat apprehensive about the level of security currently provided.[/color]
I'm[color=blue]
> using basic authentication (I think that's what it is called). It relies[/color]
on[color=blue]
> NT directory permissions and code to query "AUTH_USER" . Does anyone have a
> simple encryption idea that can take US$, 5 digit employee ID, encrypt it
> and store it in Access' Currency data type? The database will store the
> salary encrypted. When an authorized user hits the ASP it will display
> decrypted values. All data maintenance is done with various ASP which must
> be able to do the encryption/decryption by vbscript.
>
> thanks
> LJB
>
>[/color]

Re: encrpyt salary data

Thanks, but I have already found and implemented something based on RC4
encryption. The function I used came from


"Don Grover" <spamfree@assof t.com.au> wrote in message
news:OrLwdTlrDH A.1876@TK2MSFTN GP09.phx.gbl...[color=blue]
> Send Me an email and I pass a function onto you, .
> support@assoft. com.au[/color]