Commerce Server Encryption

  • msdn So Commerce Server provides two encryption methods. First is a one-way hash for password-type storage and the second is asymmetric RSA (public/private key) for credit card data. Why was asymmetric chosen? Is it to allow for interoperability between varying systems that might be outside of your network? This is where asymmetric is needed, because I can provide a third party my public key to encrypt messages to my system. Second, when and where is the encryption happening? I know you can go into Commerce Server Manager and set a property to be encrypted, but then I assume using either the Business Manager web services or a local agent API is the only way to ensure a property marked as encrypted actually does get encrypted. As an example, if I just opened a connection to the profile database and inserted a credit card row into the creditcards table, would the number get encrypted? Thirdly, if I just want to encrypt data and do not want to exchange that encrypted data with another system, should I just use symmetric AES? The extensibility kit has an encryption helper object that uses AES. Thanks, John
  • 2 Answers


  • msdn1 John, you are correct – you can start encrypting (using asymmetric) the data which can be shared with the third party or other applications within LOB. The encryption code is totally abstracted from the developer. The runtime takes the keys from web.config and applies them while getting or pushing data into the database. If you are inserting data directly into the database (which we should avoid doing) then the data is not encrypted. Check the link below for more details.

    http://msdn.microsoft.com/en-us/library/aa544648(CS.70).aspx

    Symmetric is much faster than asymmetric, but the only disadvantage is that both parties have keys and they are able to decrypt the data. Unfortunately, Commerce Server supports (OOB) hash key and asymmetric encryption. You can manually inject symmetric encryption before the API call. Hope this helps. Regards,

    -Ravi Kanth Koppala


  • msdn2 The EncryptionHelper in the extensibility kit pulls the keys from the web.config (Encryption.IV, Encryption.Key). These two entries would have to be the same on all servers within a farm, similar to how the RSA public and private keys need to be duplicated across all servers in a farm? Thanks for the help. I think I will use symmetric, aka EncryptionHelper, as the data being stored is only temporary and there's only one party involved in accessing the encrypting and decrypting of the data.
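The thread contrasts three mechanisms: a one-way hash for passwords, RSA for card data that another party may need to encrypt for you, and symmetric AES (the extensibility kit's EncryptionHelper, keyed from web.config) for data only your own system reads back. The following C# is an added illustration of those three choices side by side; it is not Commerce Server, extensibility-kit or EncryptionHelper code. It assumes .NET 6 or later, stands in a dictionary for the web.config appSettings, and uses constructed demo values for `Encryption.Key`; the key name is the one quoted in the answer above, but the helper's real behaviour is not shown here. One deliberate difference from a config-stored `Encryption.IV`: this version draws a fresh random IV per record and stores it with the ciphertext, because reusing one IV for every record under CBC makes identical card numbers produce identical ciphertexts.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Stand-in for web.config <appSettings>; values are constructed for the demo.
static class Config
{
    public static readonly Dictionary<string, string> AppSettings = new()
    {
        // 32-byte key -> AES-256. Demo value only; a real key is generated
        // randomly and kept out of source control.
        ["Encryption.Key"] = Convert.ToBase64String(
            Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef")),
    };
}

static class ProfileCrypto
{
    // 1. One-way hash for passwords: salted PBKDF2, nothing to decrypt later.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        using var kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        using var kdf = new Rfc2898DeriveBytes(password, salt, 100_000, HashAlgorithmName.SHA256);
        return CryptographicOperations.FixedTimeEquals(kdf.GetBytes(32), expected);
    }

    // 2. Symmetric AES-CBC for data only this system reads back.
    //    Key from config; a random IV per record is prepended to the ciphertext.
    public static string EncryptSymmetric(string plaintext)
    {
        using Aes aes = Aes.Create();
        aes.Key = Convert.FromBase64String(Config.AppSettings["Encryption.Key"]);
        aes.GenerateIV();
        byte[] cipher = aes.CreateEncryptor().TransformFinalBlock(
            Encoding.UTF8.GetBytes(plaintext), 0, plaintext.Length);
        byte[] blob = new byte[aes.IV.Length + cipher.Length];
        Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
        Buffer.BlockCopy(cipher, 0, blob, aes.IV.Length, cipher.Length);
        return Convert.ToBase64String(blob);
    }

    public static string DecryptSymmetric(string blobB64)
    {
        byte[] blob = Convert.FromBase64String(blobB64);
        using Aes aes = Aes.Create();
        aes.Key = Convert.FromBase64String(Config.AppSettings["Encryption.Key"]);
        byte[] iv = new byte[aes.BlockSize / 8];
        Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
        aes.IV = iv;
        byte[] plain = aes.CreateDecryptor().TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
        return Encoding.UTF8.GetString(plain);
    }

    // 3. Asymmetric RSA: anyone holding the public key can encrypt for us;
    //    only the holder of the private key can decrypt.
    public static byte[] EncryptForRecipient(byte[] recipientPublicKey, string plaintext)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportRSAPublicKey(recipientPublicKey, out _);
        return rsa.Encrypt(Encoding.UTF8.GetBytes(plaintext), RSAEncryptionPadding.OaepSHA256);
    }

    public static string DecryptWithPrivateKey(RSA privateKey, byte[] cipher)
    {
        return Encoding.UTF8.GetString(privateKey.Decrypt(cipher, RSAEncryptionPadding.OaepSHA256));
    }
}

static class Demo
{
    static void Main()
    {
        string stored = ProfileCrypto.HashPassword("correct horse");
        Console.WriteLine(ProfileCrypto.VerifyPassword("correct horse", stored)); // True
        Console.WriteLine(ProfileCrypto.VerifyPassword("wrong", stored));         // False

        const string card = "4111111111111111"; // constructed test number
        string c1 = ProfileCrypto.EncryptSymmetric(card);
        string c2 = ProfileCrypto.EncryptSymmetric(card);
        Console.WriteLine(c1 != c2);                               // True: fresh IV each time
        Console.WriteLine(ProfileCrypto.DecryptSymmetric(c1) == card); // True

        using RSA ours = RSA.Create(2048);                       // private key stays here
        byte[] pub = ours.ExportRSAPublicKey();                  // this is what a partner receives
        byte[] fromPartner = ProfileCrypto.EncryptForRecipient(pub, card);
        Console.WriteLine(ProfileCrypto.DecryptWithPrivateKey(ours, fromPartner) == card); // True
    }
}
```

Two points follow from the answers. First, these helpers only protect data that passes through them: a row written straight to the profile database bypasses them, exactly as Ravi notes for the runtime's own encryption. Second, the symmetric key, like the RSA key pair, has to be identical on every server in the farm, which is why both end up in web.config; the per-record IV does not, since it travels with each ciphertext.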

Tagged: commerce-server-forums, commerce-server-2009