The encryption technique discussed in this section is perfect for securing short text strings, such as credit card numbers stored in a database. The idea behind this technique is to use a random, rather than password-derived, 128-bit symmetric key. For the sake of simplicity, the encryption key itself will be stored unencrypted. We will store it in a "secret" location of the system registry, which provides a reasonable degree of security to the entire system.
There are three code components in our system:
- Key generation and storage.
- Credit card encryption.
- Credit card decryption.
The following code snippet creates a 128-bit RC2 encryption key and stores it in the registry unencrypted. Notice that we use the "Exponent 1" public key (see previous section) to obtain the unencrypted key blob.
To use the Exponent 1 key without any concurrency problems, you must use Version 2.1 or higher of AspEncrypt, which supports the "containerless" mode of operation. This mode is invoked by passing an empty string to the OpenContext method.
Notice also that we create a backup copy of our key in a file. Take this precaution in case your server crashes and the registry information is lost; otherwise you will never be able to decrypt your secure data.
You must use the Enhanced Cryptographic Provider for this code to work, as we are generating a 128-bit key. If you only have the Base Provider, change the key length from 128 to 40.
<!--METADATA TYPE="TypeLib" UUID="{B72DF063-28A4-11D3-BF19-009027438003}"-->
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True) ' we must use containerless mode
Set key = Context.GenerateKey(calgRC2, 128)
Set Exp1Key = Context.CreateExponentOneKey
' Wrapping with the Exponent 1 key yields the key blob in plain (unencrypted) form
Set Blob = key.ExportToBlob( Exp1Key, cbtSimpleBlob )
' to avoid the Access Denied error
CM.LogonUser "domain", "administrator", "xxxx"
' key HKEY_LOCAL_MACHINE\Software\XYZ\AspEncrypt, value "MySecretLocation"
Blob.DumpToRegistry &H80000002, "Software\XYZ\AspEncrypt", "MySecretLocation"
' Create a file backup
Blob.DumpToFile "d:\path\creditcard.key"
%>
Once a random key has been generated and placed in the registry and a backup file, we can proceed to the encryption phase. The code below retrieves the key from the registry, uses it to encrypt a text string and saves the encrypted value in the database.
Here we use the Base64 format to store the encrypted blob in a text field of the database table. We could also use the Hex or Binary formats.
<!--METADATA TYPE="TypeLib" UUID="{B72DF063-28A4-11D3-BF19-009027438003}"-->
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True) ' we must use containerless mode
Set Exp1Key = Context.CreateExponentOneKey
Set Blob = CM.CreateBlob
' to avoid the Access Denied error
CM.LogonUser "domain", "administrator", "xxxx"
' Retrieve key from registry
Blob.LoadFromRegistry &H80000002, "Software\XYZ\AspEncrypt", "MySecretLocation"
Set Key = Context.ImportKeyFromBlob( Exp1Key, Blob, cbtSimpleBlob )
' Encrypt text data
Set EncryptedBlob = Key.EncryptText("1245-4354-3242-8654")
' Save it in the database in Base64 format
Set rs = Server.CreateObject("adodb.recordset")
rs.Open "BlobTest", "dsn=crypto;uID=sa;PWD=;", 2, 3
rs.AddNew
rs("CCNumber").Value = EncryptedBlob.Base64
rs.Update
%>
The corresponding decryption code is very similar to the encryption code. Here, again, we retrieve the key from the registry, apply it to every encrypted value in the database and print out the decrypted results.
<!--METADATA TYPE="TypeLib" UUID="{B72DF063-28A4-11D3-BF19-009027438003}"-->
<%
Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True) ' we must use containerless mode
Set Exp1Key = Context.CreateExponentOneKey
Set Blob = CM.CreateBlob
' to avoid the Access Denied error
CM.LogonUser "domain", "administrator", "xxxx"
Blob.LoadFromRegistry &H80000002, "Software\XYZ\AspEncrypt", "MySecretLocation"
Set Key = Context.ImportKeyFromBlob( Exp1Key, Blob, cbtSimpleBlob )
' Decrypt all values
Set EncryptedBlob = CM.CreateBlob
Set rs = Server.CreateObject("adodb.recordset")
rs.Open "BlobTest", "dsn=crypto;uID=sa;PWD=;", 2, 3
While Not rs.EOF
EncryptedBlob.Base64 = rs("CCNumber").Value
CCNumber = Key.DecryptText( EncryptedBlob )
Response.Write CCNumber & "<BR>"
rs.MoveNext
Wend
%>
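As an added example (not AspEncrypt's own sample code), here is the decryption script reworked so that the key load falls back to the file backup made above, and so that one bad database row does not stop the loop. It assumes the registry location, backup path, placeholder logon and DSN from the scripts above, and that CryptoBlob has a LoadFromFile method that is the counterpart of the DumpToFile method used above.

```asp
<!--METADATA TYPE="TypeLib" UUID="{B72DF063-28A4-11D3-BF19-009027438003}"-->
<%
Const HKLM = &H80000002
Const KEY_PATH = "Software\XYZ\AspEncrypt"
Const KEY_VALUE = "MySecretLocation"
Const KEY_BACKUP = "d:\path\creditcard.key"   ' assumed: the backup written by the key-generation script
' Load the card-encryption key: registry first, file backup if the registry copy is gone.
' LoadFromFile is assumed to be the counterpart of DumpToFile.
Function LoadCardKey(CM, Context)
    Dim Exp1Key, Blob, Failed
    Set Exp1Key = Context.CreateExponentOneKey
    Set Blob = CM.CreateBlob
    On Error Resume Next
    Blob.LoadFromRegistry HKLM, KEY_PATH, KEY_VALUE
    If Err.Number <> 0 Then
        Err.Clear
        Blob.LoadFromFile KEY_BACKUP   ' second chance: the file backup
    End If
    Failed = (Err.Number <> 0)
    On Error GoTo 0
    If Failed Then Err.Raise vbObjectError + 1, "LoadCardKey", "key found neither in registry nor in backup file"
    Set LoadCardKey = Context.ImportKeyFromBlob(Exp1Key, Blob, cbtSimpleBlob)
End Function

Set CM = Server.CreateObject("Persits.CryptoManager")
Set Context = CM.OpenContext("", True) ' containerless mode
CM.LogonUser "domain", "administrator", "xxxx"
Set Key = LoadCardKey(CM, Context)

Set EncryptedBlob = CM.CreateBlob
Set rs = Server.CreateObject("adodb.recordset")
rs.Open "BlobTest", "dsn=crypto;uID=sa;PWD=;", 2, 3
Row = 0
While Not rs.EOF
    Row = Row + 1
    On Error Resume Next
    EncryptedBlob.Base64 = rs("CCNumber").Value
    CCNumber = Key.DecryptText(EncryptedBlob)
    If Err.Number <> 0 Then
        ' A corrupt or empty cell must not abort the whole run; report it and go on
        Response.Write "row " & Row & ": decryption failed (" & Err.Description & ")<BR>"
        Err.Clear
    Else
        ' Show only the last four digits; the full number should stay out of page output
        Response.Write "row " & Row & ": ****-****-****-" & Right(CCNumber, 4) & "<BR>"
    End If
    On Error GoTo 0
    rs.MoveNext
Wend
%>
```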