0

After scouring the web to find countless similar questions, I still find it important enough to ask based on my client's specific requirements. Now I know most if not all are not a lawyer, but if you've had experience in this field, please share.

  1. Environment - ASP.net c#, SQL Server
  2. It's my server on AWS, with multiple client sites on it.
  3. Site is protected with SSL certificate

My client has requested that I create an onboarding process for their hiring managers, that of which is accessed via private website (username, password) and controlled by security roles as to who can access these specific pages.

This onboarding process can take as little as a day, and as long as a month. They need to store the employee's social security number and other personal identification information during this time, in their website's database. The flow works like this:

  1. Manager role fills out an initial hire request with basic information
  2. When approved, manager is notified and completes the rest of the documentation (including SSN)
  3. Then another manager is notified and goes through the process of background checks and various other enrollments that all require the SSN.

Aside from me being paranoid about any legal requirements of this, the following is what I'm thinking:

  1. I store a symmetric key in web.config
  2. Also, instead of storing this key broken up in a few places, take a hybrid approach and when initially encrypting, use the key in web.config and a few other items (i.e. created date, guid, last name) to encrypt. I was thinking of this approach (https://www.aspsnippets.com/Articles/AES-Encryption-Decryption-Cryptography-Tutorial-with-example-in-ASPNet-using-C-and-VBNet.aspx)
  3. When client loads the detail view to access this information, in order to see this SSN they enter in one of those partials that I previously mentioned, like created in the form of mmddyyyyhhmm and then that pieces the key back together: web.config key + mmddyyyyhhmm user input + guid

So I'm trying to eliminate the possibility of access to this information if a manager's user account on the website was breached. An attacker would have no immediate notion that the created date needs to be entered. At this point it seems the remaining danger is if someone somehow gets access to the sever itself and decompiles the assembly to see how the unique encryption key for each employee is being generated in order to decrypt what's in the database.

Then when the process is complete for that employee the associated record in the database would be removed.

Is there anything blatantly wrong with this approach?

user1447679
  • 246
  • 1
  • 5
  • What does "Site is protected with SSL certificate" mean? SSL (TLS) is a secure connection, not site protection. – zaph Feb 11 '19 at 20:55
  • @zaph As in https. – user1447679 Feb 11 '19 at 20:57
  • 1. https does not protest the site, it provided secure communications and site validation. 1. Assume the attacker will gain admin access to the server. 3. Hiding the process/method is not security, security by obscurity does not work. 4. Hire a seasoned security professional to design and validate the final implementation. – zaph Feb 11 '19 at 21:01
  • 2
    Side note: you usually don't want to put any keys into `web.config`, because that's normally going to be in source control. You want to use some sort of merge-on-deploy, or other mechanism for any such keys (Azure, for example, has a way to provide secured keys for this sort of thing). Besides any issues with bumping up against [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle), you have another problem with your idea - why do you assume your managers will remember what to "add" for the decryption? – Clockwork-Muse Feb 12 '19 at 00:36
  • @Clockwork-Muse I've been reading all afternoon and looking into Azure Key Vault and AWS KMS, but bottom line is it seems that if a user account is breached that has the proper security role to access the data, there's no way to get around that (The reason I wanted to include user input, even at a greater level where they internally have policies for creating a security key and that key is never-ever store anywhere on my server). Thank you for a far more helpful comment. I'm reading your link. – user1447679 Feb 12 '19 at 00:42

0 Answers0