In this article Brian Patterson will cover some of the encryption classes provided in the .NET Framework. Once you have got a grasp on how to use these algorithms, he will wrap things up with a sample order application that will encrypt credit card information before saving it to either a SQL Server or Oracle database server.
String Encryption With Visual Basic .NET - Encryption and Byte Arrays (Page 3 of 7)
When you encrypt information, and in our case we will be encrypting text, each encrypted byte can take any of 256 possible values. Not all of these values map to printable characters, so showing the encrypted text on the screen becomes a bit of a chore. To ease the process of passing encrypted information around, the encryption algorithms used here rely on byte arrays. String information is passed into the functions and a byte array of encrypted information is returned. The same holds for decryption: we pass in the encrypted information as a byte array and we are returned a byte array. If we then want to save or display the information to the user, we must convert the byte array to the actual characters it represents.
Byte arrays also affect the way we must save our data within a database. Defining an NVARCHAR column in SQL Server just won't do, because it was meant to handle string information, not binary data. Let's take a look at the two databases we will use and how we will store the information.
Storing Encrypted Data in SQL Server
To store byte arrays in SQL Server we must use one of two data types. The binary data type can hold from 1 to 8000 bytes of information and is fixed in size. This means that if you define a column of binary type with a size of 10, you are still using the full 10 bytes even if you are only storing 2 bytes in the column. This is a waste of space and, therefore, the binary type should only be used when all your data is constant in size. In our case we will be encrypting credit card numbers that vary in size, so using a binary data type wouldn't make much sense.
The next option we have is the varbinary data type, which can hold 1-8000 bytes of binary data. As you may have guessed, the varbinary data type is variable sized and is much better suited to our application, since we aren't wasting any space when storing the credit card numbers in encrypted format.
If you need to store binary data larger than 8000 bytes, such as a large document or even a picture, you are left with one option: the image data type. The image data type is variable length and can hold 2,147,483,647 bytes of data!
Storing Encrypted Data in Oracle
Oracle contains two data types that would serve our purposes when it comes to storing binary data. There is the RAW type, which is variable sized and can hold up to 2000 bytes of information. There is also the BLOB (Binary Large OBject), which can hold up to 4 GB of data. For our purpose, we will only be storing approximately 20 bytes of information, so the RAW data type is sufficient.
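As an added example (not code from the original article), the VB.NET module below illustrates both the byte-array handling and the column-sizing points above: TripleDES output is raw bytes that do not survive a text conversion, Base64 gives a reversible printable form, and padding determines how many bytes the varbinary or RAW column must hold. It assumes the .NET defaults of CBC mode and PKCS7 padding, a randomly generated key and IV, and constructed sample card numbers; the module and function names are illustrative.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module CipherBytesDemo
    ' TripleDES with the .NET defaults (CBC mode, PKCS7 padding); returns raw ciphertext bytes.
    Function EncryptText(plain As String, key As Byte(), iv As Byte()) As Byte()
        Using tdes As TripleDES = TripleDES.Create()
            Using enc As ICryptoTransform = tdes.CreateEncryptor(key, iv)
                Dim plainBytes As Byte() = Encoding.UTF8.GetBytes(plain)
                Return enc.TransformFinalBlock(plainBytes, 0, plainBytes.Length)
            End Using
        End Using
    End Function

    Function DecryptText(cipher As Byte(), key As Byte(), iv As Byte()) As String
        Using tdes As TripleDES = TripleDES.Create()
            Using dec As ICryptoTransform = tdes.CreateDecryptor(key, iv)
                Return Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length))
            End Using
        End Using
    End Function

    Sub Main()
        Dim key As Byte(), iv As Byte()
        Using tdes As TripleDES = TripleDES.Create()
            key = tdes.Key   ' random key generated on first access
            iv = tdes.IV     ' random IV; needed again at decryption time
        End Using

        Dim card As String = "4111111111111111"   ' constructed sample value
        Dim cipher As Byte() = EncryptText(card, key, iv)

        ' Treating ciphertext as text is lossy: ASCII decoding turns every byte above 127 into "?".
        Dim viaText As Byte() = Encoding.ASCII.GetBytes(Encoding.ASCII.GetString(cipher))
        Console.WriteLine("Survives ASCII round trip: {0}",
                          Convert.ToBase64String(viaText) = Convert.ToBase64String(cipher))

        ' Base64 is a reversible, printable form for display.
        Dim shown As String = Convert.ToBase64String(cipher)
        Console.WriteLine("Base64: {0}", shown)
        Console.WriteLine("Decrypted: {0}", DecryptText(Convert.FromBase64String(shown), key, iv))

        ' Padding rounds the output up to a multiple of the 8-byte block; size the column for the longest input.
        For Each digits As Integer In New Integer() {13, 15, 16, 19}
            Dim size As Integer = EncryptText(New String("9"c, digits), key, iv).Length
            Console.WriteLine("{0} digits -> {1} ciphertext bytes", digits, size)
        Next
    End Sub
End Module
```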
Example: An Order Entry Application
Now we will begin to build an order entry application. This application will take typical name and address information as well as credit card information for billing purposes. Once the information has been entered, you may click a button to save the order and then click a button to view all orders in the database. There are things missing from this application, such as a billing amount, so it isn't meant to be a framework for order entry design, merely an application that uses TripleDES encryption for a distinct purpose.
Designing the Main Interface
The main interface for our application consists of 8 text boxes, 1 combo box and 2 buttons. Create a new Windows application project and place the controls on the form. Arrange your controls similar to those shown here in Figure 1:
The form shown above also contains a graphic across the top, but that is merely for aesthetic purposes and is not needed for this demonstration. Once you have placed all the controls in their appropriate locations, set the appropriate properties on the controls as shown here in Table 1.
The labels on the main form serve no practical purpose except to identify each control, so naming the labels is not strictly necessary. Once you have added the ComboBox, you must use the Properties explorer and edit the Items property of this control. Within the Items property, you can type in the names of several credit cards. For the purposes of this demonstration I have used American Express, Discover, MasterCard, and Visa.
Aside from the main interface, we are going to need another form in this application that allows us to see all of the orders we have saved, unencrypted. Add a new Windows Form to the project and name it AllOrders.vb. This form, seen below, needs only a button and a ListView control. You may leave the default name for the ListView control. Set the Name property of the button to btnOK. I have set the anchor properties for both controls to expand and contract as the window is resized, but this isn't a necessary step.