Regarding Storing Public Keys used for encryption


M_Dec
January 26th, 2009, 07:59 PM
Hi,

I would like to get some information on Encryption using Public/Private Key. Appreciate if someone could help me with the following:


1. When a client sends me the Public/Private Key Certificate, how can I store this in my SQL Server database for later use in encrypting sensitive data?

2. If my client has got a certificate, is it possible for them to send only the public key to me so that I could save it in my database instead of the certificate? Also, can I store the Public Key as “varchar” in my database?

3. How can I encrypt, for example, a client’s credit card number with the public key for the above scenarios? Appreciate it if someone could provide a code snippet.

4. Can you please let me know the best way to manage encryption? Is it better to have them send the public key only or to store the certificate?

I’m using SQL Server and C#.


Thanks & Regards!

cjard
January 27th, 2009, 04:38 AM
Hi,

I would like to get some information on Encryption using Public/Private Key. Appreciate if someone could help me with the following:


1. When a client sends me the Public/Private Key Certificate, how can I store this in my SQL Server database for later use in encrypting sensitive data?
It will probably be a text file.
A client will never send you their private certificate, as doing so would allow you to impersonate them.


2. If my client has got a certificate, is it possible for them to send only the public key to me so that I could save it in my database instead of the certificate?
If they have any brains at all, that is what they will do. If they have no brains, get them to generate a new private/public key pair and only send you the public one.

Also, can I store the Public Key as “varchar” in my database?
If it's a text file, yes.


3. How can I encrypt, for example, a client’s credit card number with the public key for the above scenarios? Appreciate it if someone could provide a code snippet.
This is not the correct forum section. Additionally, if you are incapable of finding such a sample of code on the net (it's a simple thing to do), then perhaps you shouldn't be handling this task; you're dealing with other people's credit card details and have PCI DSS compliance to adhere to. If you're a newbie at programming and asking questions such as these, I'd think it highly likely that you'll not comply with the standard and, to be honest, that isn't fair on all the people whose financial security you're putting at risk. For example, I don't think you'd be able to convince me that you've coded your processes such that, at no time in any part of the process, a credit card number is persisted on disk in unencrypted form. Remember, computers store information in lots of ways and places, and to be PCI DSS compliant you have to know every way and ensure that no credit card number ever makes it onto disk in plain text. Can someone who is asking how encryption works possibly do that?


4. Can you please let me know the best way to manage encryption? Is it better to have them send the public key only or to store the certificate?

I think you're really confused as to what public/private key encryption is. Spend some time reading Wikipedia.

M_Dec
January 27th, 2009, 07:46 PM
Hi,

Thanks for the reply.

I'm very new to the subject of encryption and C#. I have been searching the net for more than 2 days and couldn't get much information on the best way to achieve my requirement.

My requirement is as follows and would appreciate if anyone could help me with it:

Say, for example, I have a customer who sends me transactions online, and they have a requirement to process transactions on a later day with the same credit card numbers. They don't want to enter the credit card numbers again, but they want us to send them the encrypted credit card number, and when processing Transaction2 they want to decrypt it and send it to me.

I was thinking of letting the customer generate the private/public key pair and send us only the public key. In that case, I will need to save the public key of my customer in my database. There can be several customers who will need this requirement.

As far as I understand, a public key is a bit string. So I believe I can convert it to a string and store it in the database, and then retrieve it and encrypt the credit card numbers of that customer at any time. But I don't know if there is a problem with converting it into a string and then converting it back to a byte[] for encryption.

1. I just wanted to know whether it is possible to save it as a varchar in the database? Or do I have to use blobs?

2. Is there any other method that you would think would be the best way to handle this?

3. What if the customer wants us to handle both encryption and decryption? I searched on the net and found that you can hide the private key in a key container, registry, etc. Is this secure?

Please let me know the best way of handling this requirement. Appreciate any help given.


Thanks & Regards!
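As an added example (not code from the thread, and not written by either poster), here is the flow that the first post's questions 1 to 3 and the follow-up describe, in C#: the customer generates the key pair and keeps the private half, sends only the public key as PEM text (or a certificate, from which just the public key is kept), the merchant stores that text in an NVARCHAR column and encrypts the card number with RSA-OAEP, and the customer decrypts it at the later transaction. It assumes .NET 5 or later (RSA.ImportFromPem and PemEncoding). The class, method and column names (CustomerKeyStore, CardVault, CustomerKeys.PublicKeyPem) and the card number are constructed for the example; the in-memory dictionary stands in for the SQL Server table so the program runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the thread. Assumes .NET 5 or later.
// The dictionary stands in for a SQL Server table such as (assumed schema):
//   CREATE TABLE CustomerKeys (CustomerId   NVARCHAR(64) PRIMARY KEY,
//                              PublicKeyPem NVARCHAR(MAX) NOT NULL);
static class CustomerKeyStore
{
    // PEM text is plain ASCII, so a VARCHAR/NVARCHAR column holds it unchanged;
    // no byte[] <-> string conversion is needed beyond the PEM encoding itself.
    private static readonly Dictionary<string, string> table = new();

    public static void Save(string customerId, string publicKeyPem) => table[customerId] = publicKeyPem;
    public static string Load(string customerId) => table[customerId];
}

static class CardVault
{
    // What the customer should send: only the SubjectPublicKeyInfo, as PEM text.
    public static string ExportPublicKeyPem(RSA key) =>
        new string(PemEncoding.Write("PUBLIC KEY", key.ExportSubjectPublicKeyInfo()));

    // If the customer sends an X.509 certificate instead, keep only the public key from it.
    public static string PublicKeyPemFromCertificate(byte[] certificateDer)
    {
        using var cert = new X509Certificate2(certificateDer);
        using RSA key = cert.GetRSAPublicKey()
            ?? throw new CryptographicException("certificate does not carry an RSA key");
        return ExportPublicKeyPem(key);
    }

    // Merchant side: encrypt with the stored public key. Returns Base64 text, which can
    // also be stored in a VARCHAR column or sent back to the customer as-is.
    public static string EncryptCardNumber(string customerId, string cardNumber)
    {
        using RSA key = RSA.Create();
        key.ImportFromPem(CustomerKeyStore.Load(customerId));
        // OAEP with SHA-256, not PKCS#1 v1.5 padding. With a 2048-bit key the payload
        // limit is 190 bytes, plenty for a card number but not for bulk data.
        byte[] ciphertext = key.Encrypt(Encoding.UTF8.GetBytes(cardNumber), RSAEncryptionPadding.OaepSHA256);
        return Convert.ToBase64String(ciphertext);
    }

    // Customer side: only the holder of the private key can run this.
    public static string DecryptCardNumber(RSA privateKey, string ciphertextBase64)
    {
        byte[] plaintext = privateKey.Decrypt(Convert.FromBase64String(ciphertextBase64), RSAEncryptionPadding.OaepSHA256);
        return Encoding.UTF8.GetString(plaintext);
    }
}

static class Program
{
    static void Main()
    {
        // --- customer side: generate the key pair; the private half never leaves here ---
        using RSA customerKey = RSA.Create(2048);
        string publicKeyPem = CardVault.ExportPublicKeyPem(customerKey);

        // A customer who only has a certificate: a self-signed one is built here to stand in
        // for it, to show that just the public key is extracted and nothing else is stored.
        var request = new CertificateRequest("CN=Customer-42", customerKey,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
        string pemFromCert = CardVault.PublicKeyPemFromCertificate(cert.Export(X509ContentType.Cert));
        Console.WriteLine(pemFromCert == publicKeyPem ? "same public key either way" : "mismatch");

        // --- merchant side: store the text, encrypt a constructed test card number ---
        CustomerKeyStore.Save("customer-42", publicKeyPem);
        string token = CardVault.EncryptCardNumber("customer-42", "4111111111111111");
        Console.WriteLine($"ciphertext returned to the customer: {token[..24]}...");

        // The merchant holds no private key and cannot decrypt; the customer can at Transaction2.
        Console.WriteLine(CardVault.DecryptCardNumber(customerKey, token));

        // OAEP is randomised: the same card number gives a different ciphertext every time,
        // so the stored text cannot be used to match cards across transactions.
        Console.WriteLine(token != CardVault.EncryptCardNumber("customer-42", "4111111111111111"));
    }
}
```

Two things worth checking before using this pattern for real: the private key must be generated and kept on the customer's side, since the whole point of the design is that the merchant cannot decrypt what it stored; and because raw RSA-OAEP is limited to a short payload, anything larger than a card number needs a hybrid scheme (random AES key encrypted with RSA, data encrypted with AES). On .NET 9 the X509Certificate2(byte[]) constructor is marked obsolete in favour of X509CertificateLoader.LoadCertificate; the call still compiles with a warning.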