>>(a) To handle the encryption in a tier that will make it back-end agnostic.
Not sure what you mean by this. Please explain.
>>I'm putting together some tables to manage users, roles, and rights.
>>
>>Anyone see any problems with encrypting all the data in all three tables?
>
>I'm working on a similar thing at the moment. Your needs are probably different but I decided:
>(a) To handle the encryption in a tier that will make it back-end agnostic.
>(b) To only secure the password - and then by hash value rather than encryption.
>
>FWIW, here's the class I use for hashing/comparing.
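> using System.Security.Cryptography;
> using System.Text;
>
> public static class HashFunctions
> {
>     // Returns the MD5 digest of the string's bytes.
>     public static byte[] GetHashValue(string s)
>     {
>         // UTF-8 rather than ASCII: the ASCII encoder turns every non-ASCII
>         // character into '?', so distinct strings would hash the same.
>         byte[] source = Encoding.UTF8.GetBytes(s);
>         using (MD5 md5 = MD5.Create())
>         {
>             return md5.ComputeHash(source);
>         }
>     }
>
>     // True when both arrays have the same length and the same contents.
>     public static bool CompareHash(byte[] first, byte[] second)
>     {
>         bool equal = false;
>         if (first.Length == second.Length)
>         {
>             int i = 0;
>             while (i < first.Length && (first[i] == second[i]))
>                 i++;
>             equal = i == first.Length;
>         }
>         return equal;
>     }
>
>     // Hashes s and compares the result with the stored hash b.
>     public static bool CompareHash(byte[] b, string s)
>     {
>         return CompareHash(b, GetHashValue(s));
>     }
> }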
The password is stored as a byte array (varbinary() in MSSQL)
Everything makes sense in someone's mind
public class SystemCrasher :ICrashable
In addition, an integer field is not for irrational people
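
Added example, not part of the original thread: the quoted class hashes with one unsalted MD5 pass and compares with an early-exit loop, so this sketch shows the same hash-and-compare interface with a per-user salt, an iterated key derivation (PBKDF2) and a constant-time comparison. It assumes .NET 6 or later; the class name, sizes, iteration count and the salt-plus-key storage layout are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example (hypothetical class, not from the thread).
public static class SaltedHashFunctions
{
    private const int SaltSize = 16;        // bytes; assumed
    private const int KeySize = 32;         // bytes of derived key; assumed
    private const int Iterations = 600_000; // assumed work factor; tune per hardware

    // Returns salt || derived key, which fits one varbinary(48) column.
    public static byte[] GetHashValue(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);

        byte[] stored = new byte[SaltSize + KeySize];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
        Buffer.BlockCopy(key, 0, stored, SaltSize, KeySize);
        return stored;
    }

    // Re-derives the key with the stored salt and compares in constant time.
    public static bool CompareHash(byte[] stored, string password)
    {
        if (stored == null || stored.Length != SaltSize + KeySize)
            return false; // malformed record or one written by an older scheme

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);

        return CryptographicOperations.FixedTimeEquals(
            actual, stored.AsSpan(SaltSize, KeySize));
    }

    public static void Main()
    {
        byte[] stored = GetHashValue("correct horse"); // constructed sample password
        Console.WriteLine(CompareHash(stored, "correct horse"));
        Console.WriteLine(CompareHash(stored, "wrong horse"));
        // Same password hashed again gets a fresh salt, so the records differ.
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(
            stored, GetHashValue("correct horse")));
    }
}
```

Because the salt is random per record, two users with the same password no longer share a stored value, and the stored bytes cannot be looked up in a precomputed MD5 table.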