Let me start by saying... yes, I have read tons of posts on here in the last two days. No, I don't know anything about encryption, so don't bother with the "you shouldn't be playing with fire" comments.

I have an ASP.NET MVC3 application and want to encrypt the photos that users upload using a key for each user. I want to save this key and use it for any further uploads by the same user and for the decryption. (Although, I suppose I could store a key for each photo instead; not really relevant to this problem but...)

I started with the code from here: http://www.codeproject.com/Articles/33344/Photo-Video-Viewer-with-Encryption-Capability

It works fine. It encrypts the photos and decrypts them to a new file and all is well. The "on the fly" version also works and returns a MemoryStream that I can use for my WebImage. However, as you can see, the example is encrypting and decrypting in one pass and the key is a global variable (I don't know what it was, I just used the autogenerated key when I tested).

So, I need someone to tell me how to store the generated key (and IV I guess??? Told you I know nothing about enc...) in the database for each user and then pull that (those) value(s) back out to use for on the fly decryption. I am not going to bother to post all my code yet, as it is almost identical to what is on the above site.

I read another post on here and it said to use:

string x = Convert.ToBase64String(RMCrypto.Key);

Then when I wanted to decrypt I used:

RMCrypto.Key = Convert.FromBase64String(x);

I stored both the key and IV in this manner in my SQL DB, but when I pull the values and try to decrypt I get an error that the data is not the expected length.

Maybe I'm totally off base or maybe it's three lines of code... Please let me know if more information is needed.

Thanks!

Shog9
KMW_Denver

2 Answers


You should store the actual byte arrays (yes; both key and IV) in the database.
You don't need strings at all.

SLaks
  • If you could please tell me how to add that to the encrypt and decrypt methods from the link above (codeproject link) I will gladly send you the $100. – KMW_Denver Jul 20 '12 at 04:04

You can store them as binary column values. That being said, the protection of encrypted data is only as safe as the key protecting it. In other words, storing the key with the data you're protecting is sort of a fox-guarding-the-hen-house kind of thing. But if you're not worried about it for things like PCI compliance then it's probably not too bad a deal.

How you might convert it to binary (table name is a placeholder, since the original omits it; [key] is bracketed because KEY is a reserved word in T-SQL):

using System.Data;
using System.Data.SqlClient;

private void UpdateDb(byte[] key, byte[] iv)
{
    // connectionString is assumed to be defined elsewhere in the class.
    using (SqlConnection db = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("insert into YourKeyTable ([key], iv) values (@key, @iv)", db))
    {
        db.Open();
        // Pass the raw byte[] values as varbinary parameters; no string conversion is needed.
        cmd.Parameters.Add("@key", SqlDbType.VarBinary, key.Length).Value = key;
        cmd.Parameters.Add("@iv", SqlDbType.VarBinary, iv.Length).Value = iv;
        cmd.ExecuteNonQuery();
    }
}

To make it a little harder you could generate a new key and IV for each record (image) you're protecting and then store that, so that if someone were to get one key at least they wouldn't have all your data wide open. Good luck!

likestoski
  • I did store the generated values in a binary column in my DB using Convert.ToBase64String. But I was unable to use them when I pulled them back out to use in the decrypt method. That is what I want help with. If you could please tell me how to add that to the encrypt and decrypt methods from the link above (codeproject link) I will gladly send you the $100. Thank you. K – KMW_Denver Jul 20 '12 at 04:03
  • Also, just one note: the database and file are on separate servers and so I don't think there is anything wrong w/ storing the keys in the db. And since I will have different keys for every user's files, even if someone breaks one they will only have access to that one file, not any others; they would have to start all over. In some bizarro case where they got all the files from one server and hacked SQL on another server they would have to match the files to the keys. Is it perfect? No... Is it safe enough for me... yes. – KMW_Denver Jul 20 '12 at 04:03
  • You can convert it back to byte[] using System.Security.Cryptography.RijndaelManaged mng = new System.Security.Cryptography.RijndaelManaged(); mng.Key = System.Convert.FromBase64String(stringInBase64); I certainly don't want payment :) just up vote and mark as an answer and that will be plenty thanks! – likestoski Jul 20 '12 at 09:17
  • So.....your answer was what I already had BUT it made me think...well if that's what you're supposed to do maybe it's something else. And this is one of those AWWWW F*** moments. Since I was just testing I wasn't changing the name of the file to the encrypted name in my db automatically, I was changing it manually, and I CHANGED THE WRONG DAMN record. It was trying to decrypt an unencrypted file. DUH DUH DUH! But thanks for your response. Don't you love days like that? :) – KMW_Denver Jul 20 '12 at 15:41
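The store-and-reload cycle that both answers describe, as an added example that is not code from the question, either answer, or the codeproject article. It assumes modern C# (Aes.Create() in place of RijndaelManaged, C# 9 syntax) and uses an in-memory dictionary as a stand-in for the varbinary columns; the user id and photo bytes are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class KeyStoreDemo
{
    // Stand-in for a table with varbinary Key and IV columns (assumed schema).
    static readonly Dictionary<int, (byte[] Key, byte[] IV)> UserKeys = new();

    static byte[] Encrypt(byte[] plain, byte[] key, byte[] iv)
    {
        using var aes = Aes.Create();
        aes.Key = key; aes.IV = iv;
        using var ms = new MemoryStream();
        using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            cs.Write(plain, 0, plain.Length);   // disposing the CryptoStream flushes the final block
        return ms.ToArray();
    }

    static byte[] Decrypt(byte[] cipher, byte[] key, byte[] iv)
    {
        // Validate lengths before assigning: a truncated, re-encoded or wrongly
        // typed column value is what surfaces as "not the expected length".
        bool keyOk = key.Length == 16 || key.Length == 24 || key.Length == 32;
        if (!keyOk || iv.Length != 16)
            throw new ArgumentException($"unexpected key/IV length {key.Length}/{iv.Length}");
        using var aes = Aes.Create();
        aes.Key = key; aes.IV = iv;
        using var cs = new CryptoStream(new MemoryStream(cipher), aes.CreateDecryptor(), CryptoStreamMode.Read);
        using var output = new MemoryStream();
        cs.CopyTo(output);
        return output.ToArray();
    }

    static void Main()
    {
        using var aes = Aes.Create();           // random 256-bit key and 128-bit IV
        UserKeys[42] = (aes.Key, aes.IV);       // persist raw bytes for user id 42 (constructed)
        byte[] photo = Encoding.UTF8.GetBytes("constructed sample photo bytes");
        byte[] stored = Encrypt(photo, aes.Key, aes.IV);

        // A later request reloads the same bytes and decrypts on the fly.
        var (key, iv) = UserKeys[42];
        byte[] back = Decrypt(stored, key, iv);
        Console.WriteLine(Encoding.UTF8.GetString(back) == "constructed sample photo bytes"
            ? "round-trip OK" : "MISMATCH");
    }
}
```

With a real SqlClient column, pass the same byte[] as a varbinary parameter and read it back with a byte[] cast; Base64 text is only needed if the column is a string type, in which case it must be decoded with Convert.FromBase64String before the length check.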