Share via


How Does the Profiles System Encrypt Data?

By using Commerce Server 2009, you can store your data in either clear text or in an encrypted format. If you opt to have your data encrypted, Commerce Server 2009 stores the data in one of two formats:

  • One-way

  • Asymmetric

One-way encryption uses a hashing algorithm that does not require a public/private key pair, so it is easier to implement than asymmetric encryption. One-way encryption stores data in an encrypted format, but it cannot be decrypted. Instead, when Commerce Server 2009 needs to read data from the database, you must compare it with clear-text data that you must first hash in your code. An example of one-way encryption is storing passwords. You would use one-way encryption because being able to read password values would cause security vulnerabilities in Commerce Server 2009. For more information about hashing, see How to Hash Passwords.

Commerce Server 2009 supports the following one-way hashing encryption algorithms, in order of preference:

  • SHA256. You use this algorithm to hash data in all editions of Commerce Server 2009. The Commerce Server Membership Provider uses SHA256 to verify one-way hashed passwords in all editions of Commerce Server 2009.

  • MD5. Commerce Server 2009 supports this algorithm for backward-compatibility only with Commerce Server 2002.

Asymmetric encryption, sometimes known as two-way encryption, uses a public/private key pair to encrypt and decrypt data in the database. You use asymmetric encryption whenever you need to decrypt the encrypted data from the database. For example, you may have credit cards or social security numbers that are encrypted in the database, but need to be decrypted.

See Also

Other Resources

Profiles Encryption and Decryption

How to Use Asymmetric Encryption with Profiles

How to Validate Passwords

How to Hash Passwords

Profile Key Manager

What Is the Commerce Server Membership Provider?