Is There A Best .NET Algorithm For Credit Card Encryption?
System.Security.Cryptography namespace has a rather bewildering collection of algorithms that I could use for encryption of credit card details. Which is the best?
It clearly needs to be secure for a relatively short string.
EDIT: I'm in the UK, where I understand we're OK storing encrypted credit card details so long as the three-digit CVV number is never stored. And thanks all for the great responses.
No offense, but the question is a little "misguided". There is no "silver bullet" solution. I would recommend to read up on cryptography in general and then do some threat modeling. Some questions (by no means a comprehensive list) you should ask yourself:
- Is the module doing the encryption the one which needs to decrypt it (in this case use symmetric crypto) or will it send data to an other module (on an other machine) which will use it (in which case you should consider public-key crypto)
- What do you want to protect against? Someone accessing the database but not having the sourcecode (in which case you can hardcode the encryption key directly into the source)? Someone sniffing your local network (you should consider transparent solutions like IPSec)? Someone stealing your server (it can happen even in data centers - in which case full disk encryption should be considered)?
- Do you really need to keep the data? Can't you directly pass it to the credit card processor and erase it after you get the confirmation? Can't you store it locally at the client in a cookie or Flash LSO? If you store it at the client, make sure that you encrypt it at the server side before putting it in a cookie. Also, if you are using cookies, make sure that you make them http only.
- Is it enough to compare the equality of the data (ie the data that the client has given me is the same data that I have)? If so, consider storing a hash of it. Because credit card numbers are relatively short and use a reduced set of symbols, a unique salt should be generated for each before hashing.
Later edit: note that standard encryption algorithms from the same category (for example 3DES and AES - both being symmetric block cyphers) are of comparable strength. Most (commercial) systems are not broken because somebody bruteforced their encryption, but because their threat modelling was not detailed enough (or flat out they didn't have any). For example you can encrypt all the data, but if you happen to have a public facing web interface which is vulnerable to SQL injection, it won't help you much.
- → Function Undefined in Axios promise
- → React formatting dates with momentjs server side
- → Using ReactJs, How do I update my form fields when my parent object sent in from props changes?
- → Visual Studio 2012 Express: Browser returning 500 status trying to download jsx file
- → AngularJS directive: "templateUrl" doesn't work while "template" works
- → how to add cannonical tag for ASPX .NET page
- → Selecting an element by its attribute when it has a colon in its name
- → Function works for NON dynamically loaded images
- → URL routing requires /Home/Page?page=1 instead of /Home/Page/1
- → There are "gaps" between rows in my masonry cards
- → creating sef links and changing plus sign (+) with dash (-)