encrpyt salary data

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • ljb

    encrpyt salary data

    Anyone have a good idea for encrypting salary data in US $? I have an Access
    database with some salary info connected to ASP on our intranet. My manager
    is somewhat apprehensive about the level of security currently provided. I'm
    using basic authentication (I think that's what it is called). It relies on
    NT directory permissions and code to query "AUTH_USER" . Does anyone have a
    simple encryption idea that can take US$, 5 digit employee ID, encrypt it
    and store it in Access' Currency data type? The database will store the
    salary encrypted. When an authorized user hits the ASP it will display
    decrypted values. All data maintenance is done with various ASP which must
    be able to do the encryption/decryption by vbscript.

    thanks
    LJB


  • Aaron Bertrand - MVP

    #2
    Re: encrpyt salary data

    Where are you going to display this "encrypted" data in a meaningful form?
    Once you've encrypted the information, great, now what you need to protect
    is the decryption algorithm.


    [color=blue]
    > Anyone have a good idea for encrypting salary data in US $? I have an[/color]
    Access[color=blue]
    > database with some salary info connected to ASP on our intranet. My[/color]
    manager[color=blue]
    > is somewhat apprehensive about the level of security currently provided.[/color]
    I'm[color=blue]
    > using basic authentication (I think that's what it is called). It relies[/color]
    on[color=blue]
    > NT directory permissions and code to query "AUTH_USER" . Does anyone have a
    > simple encryption idea that can take US$, 5 digit employee ID, encrypt it
    > and store it in Access' Currency data type? The database will store the
    > salary encrypted. When an authorized user hits the ASP it will display
    > decrypted values. All data maintenance is done with various ASP which must
    > be able to do the encryption/decryption by vbscript.
    >
    > thanks
    > LJB
    >
    >[/color]


    Comment

    • Chopper

      #3
      Re: encrpyt salary data


      "ljb" <.> wrote in message news:urvnLcRrDH A.360@TK2MSFTNG P12.phx.gbl...[color=blue]
      > Anyone have a good idea for encrypting salary data in US $? I have an[/color]
      Access[color=blue]
      > database with some salary info connected to ASP on our intranet. My[/color]
      manager[color=blue]
      > is somewhat apprehensive about the level of security currently provided.[/color]
      I'm[color=blue]
      > using basic authentication (I think that's what it is called). It relies[/color]
      on[color=blue]
      > NT directory permissions and code to query "AUTH_USER" . Does anyone have a
      > simple encryption idea that can take US$, 5 digit employee ID, encrypt it
      > and store it in Access' Currency data type? The database will store the
      > salary encrypted. When an authorized user hits the ASP it will display
      > decrypted values. All data maintenance is done with various ASP which must
      > be able to do the encryption/decryption by vbscript.
      >
      > thanks
      > LJB
      >
      >[/color]

      There are a number of encryption scripts here:

      To improve security there are a number of things you can do, including:
      1.If the users accessing this application are using IE then it's better to
      use 'Integrated authentication' set under 'directory security' in the
      website properties. This will prevent the login details being sent
      unencrypted across the network. If they are not running IE then you could
      still use basic authentication but do it over SSL.
      2.Make sure the server is patched with all the latest security updates.
      3.Password protect the database.
      4.If those using the application have static IPs then you could restrict
      access to the application by IP (in directory security under website
      preference).

      chopper




      Comment

      • ljb

        #4
        Re: encrpyt salary data

        Only when an authorized user views the single employee record by ASP will
        the data be meaningful.

        I realize that protection of the algorithm becomes critical. Since the NT
        directories don't allow Anonymous browsing I'm counting on that to protect
        the algorithm. I'm not expecting high security just something to hinder
        accidental release of the info.

        My original request was to store the encrypted data in Access' Currency data
        type. Is that easily possible? My goal was to not require a change to the
        table. Perhaps storing the data in a string is easier to accomplish.

        "Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
        news:%23beZghRr DHA.2536@tk2msf tngp13.phx.gbl. ..[color=blue]
        > Where are you going to display this "encrypted" data in a meaningful form?
        > Once you've encrypted the information, great, now what you need to protect
        > is the decryption algorithm.[/color]


        Comment

        • Aaron Bertrand - MVP

          #5
          Re: encrpyt salary data

          > I realize that protection of the algorithm becomes critical. Since the NT[color=blue]
          > directories don't allow Anonymous browsing I'm counting on that to protect
          > the algorithm.[/color]

          Wow, you have a lot of faith. The problem here is that you have an ASP page
          which is responsible for decrypting things. So, whether you put that
          algorithm right in the ASP page, or in a DLL, there is going to be a vector
          for at least using, if not reverse engineering, the algorithm... and trust
          me, a determined person within your company is going to get to it. Also,
          Access is not the most secure place for this kind of sensitive
          information!!!
          [color=blue]
          > My original request was to store the encrypted data in Access' Currency[/color]
          data[color=blue]
          > type. Is that easily possible?[/color]

          Access doesn't support encryption natively, so what you are going to have to
          do is encrypt or encode the data OUTSIDE of the database, and store it in a
          VARCHAR column rather than a CURRENCY column. Alternatively, you could use
          some other numbering system which is NOT incremental, e.g. $60,000 = 45,
          $50,000 = 72, etc. etc. More like a code than encryption. Then, at least,
          you could continue to use a numeric-based column.


          Comment

          • ljb

            #6
            Re: encrpyt salary data

            Thanks for the pointer to some algorithms. Certainly enough there for me to
            pick one and get going. Looks like I will probably need to store the
            encrypted values as a string.


            Comment

            • Chopper

              #7
              Re: encrpyt salary data


              "ljb" <.> wrote in message news:ec4Mb7RrDH A.3504@TK2MSFTN GP11.phx.gbl...[color=blue]
              > Thanks for the pointer to some algorithms. Certainly enough there for me[/color]
              to[color=blue]
              > pick one and get going. Looks like I will probably need to store the
              > encrypted values as a string.
              >[/color]

              Yes, you'll have to store them as strings as the output from all the
              encryption functions are strings.


              Comment

              • ljb

                #8
                Re: encrpyt salary data

                I agree with every point. This application is not well thought out. I'm new
                to this work group and was immediately assigned the task of extending what a
                former secretary had developed. Around here they give anyone who wants one a
                day long class in Access then send them back to their desk with instructions
                to procreate. Soon after they get promoted because they have become "expert"
                and someone else is expected to complete and extend the application.


                "Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
                news:ex1X52RrDH A.964@TK2MSFTNG P10.phx.gbl...[color=blue][color=green]
                > > I realize that protection of the algorithm becomes critical. Since the[/color][/color]
                NT[color=blue][color=green]
                > > directories don't allow Anonymous browsing I'm counting on that to[/color][/color]
                protect[color=blue][color=green]
                > > the algorithm.[/color]
                >
                > Wow, you have a lot of faith. The problem here is that you have an ASP[/color]
                page[color=blue]
                > which is responsible for decrypting things. So, whether you put that
                > algorithm right in the ASP page, or in a DLL, there is going to be a[/color]
                vector[color=blue]
                > for at least using, if not reverse engineering, the algorithm... and trust
                > me, a determined person within your company is going to get to it. Also,
                > Access is not the most secure place for this kind of sensitive
                > information!!!
                >[color=green]
                > > My original request was to store the encrypted data in Access' Currency[/color]
                > data[color=green]
                > > type. Is that easily possible?[/color]
                >
                > Access doesn't support encryption natively, so what you are going to have[/color]
                to[color=blue]
                > do is encrypt or encode the data OUTSIDE of the database, and store it in[/color]
                a[color=blue]
                > VARCHAR column rather than a CURRENCY column. Alternatively, you could[/color]
                use[color=blue]
                > some other numbering system which is NOT incremental, e.g. $60,000 = 45,
                > $50,000 = 72, etc. etc. More like a code than encryption. Then, at[/color]
                least,[color=blue]
                > you could continue to use a numeric-based column.
                >
                >[/color]


                Comment

                • Aaron Bertrand - MVP

                  #9
                  Re: encrpyt salary data

                  > then send them back to their desk with instructions[color=blue]
                  > to procreate.[/color]

                  Geez, we can get fired around here for that. :-)


                  Comment

                  • TomB

                    #10
                    Re: encrpyt salary data

                    They must have an in-house daycare

                    "Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
                    news:uw5sDLSrDH A.2772@TK2MSFTN GP12.phx.gbl...[color=blue][color=green]
                    > > then send them back to their desk with instructions
                    > > to procreate.[/color]
                    >
                    > Geez, we can get fired around here for that. :-)
                    >
                    >[/color]


                    Comment

                    • ljb

                      #11
                      Re: encrpyt salary data

                      The majority here are Civil Engineers as are all the managers. They are
                      quite confident in whatever they do. In their opinion end user development
                      is just fine. They also believe IS projects are always late, over budget and
                      short on promised functionality.

                      "Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
                      news:uw5sDLSrDH A.2772@TK2MSFTN GP12.phx.gbl...[color=blue][color=green]
                      > > then send them back to their desk with instructions
                      > > to procreate.[/color]
                      >
                      > Geez, we can get fired around here for that. :-)
                      >
                      >[/color]


                      Comment

                      • ljb

                        #12
                        Re: encrpyt salary data

                        I picked the RC4 algorithm. Do you know if the encrypted string generated by
                        RC4 can be stored in an Access string type field? Not all characters in the
                        encrypted string are printable. Do Select and Insert handle these properly?

                        thanks
                        LJB


                        Comment

                        • Aaron Bertrand - MVP

                          #13
                          Re: encrpyt salary data

                          I think we have a different perception of the term "procreate" :-)


                          "ljb" <.> wrote in message news:uDiWqdSrDH A.3180@TK2MSFTN GP11.phx.gbl...[color=blue]
                          > The majority here are Civil Engineers as are all the managers. They are
                          > quite confident in whatever they do. In their opinion end user development
                          > is just fine. They also believe IS projects are always late, over budget[/color]
                          and[color=blue]
                          > short on promised functionality.
                          >
                          > "Aaron Bertrand - MVP" <aaron@TRASHasp faq.com> wrote in message
                          > news:uw5sDLSrDH A.2772@TK2MSFTN GP12.phx.gbl...[color=green][color=darkred]
                          > > > then send them back to their desk with instructions
                          > > > to procreate.[/color]
                          > >
                          > > Geez, we can get fired around here for that. :-)
                          > >
                          > >[/color]
                          >
                          >[/color]


                          Comment

                          • Aaron Bertrand - MVP

                            #14
                            Re: encrpyt salary data

                            > I picked the RC4 algorithm. Do you know if the encrypted string generated
                            by[color=blue]
                            > RC4 can be stored in an Access string type field? Not all characters in[/color]
                            the[color=blue]
                            > encrypted string are printable. Do Select and Insert handle these[/color]
                            properly?

                            Well, you could always try it.


                            Comment

                            • Chopper

                              #15
                              Re: encrpyt salary data

                              "ljb" <.> wrote in message news:%23Qj0%23m SrDHA.2620@TK2M SFTNGP09.phx.gb l...[color=blue]
                              > I picked the RC4 algorithm. Do you know if the encrypted string generated[/color]
                              by[color=blue]
                              > RC4 can be stored in an Access string type field? Not all characters in[/color]
                              the[color=blue]
                              > encrypted string are printable. Do Select and Insert handle these[/color]
                              properly?[color=blue]
                              >
                              > thanks
                              > LJB
                              >
                              >[/color]

                              You shouldn't have a problem storing it in a field of type 'text' providing
                              the ciphertext doesn't exceed 255 characters.
                              The only character you will have problems with is the apostrophe. Here's
                              some info:


                              chopper


                              Comment

                              Working...