1. Encrypt the PAN Value on the Client Side (in JavaScript)
You are already encrypting the PAN input on the client side using the CryptoJS library. The next step is to ensure that the encrypted PAN value is sent to the server via a hidden field (hdnPANEnc), which can be safely used in the backend.
Here's the code you already have for encrypting the PAN:
<input type="text" id="Panid" placeholder="Enter PAN" autocomplete="off" onkeyup="return capitalize(this);" />
<asp:HiddenField ID="hdnPANEnc" runat="server" />
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js" integrity="sha512-a+SUDuwNzXDvz4XrIcXHuCf089/iJAoN4lmrXJg18XnduKK6YlDHNRalv4yd1N40OKI80tFidF+rqTFKGPoWFQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
<script>
    // Wrapped in a function so it runs at submit time (when the field actually has a
    // value) instead of once at page load, and so that "return true" is legal JavaScript.
    // Call it from the submit button, e.g. OnClientClick="return encryptPan();".
    function encryptPan() {
        var txtPlain = document.getElementById("Panid").value.trim();
        if (txtPlain !== "") {
            // The key is passed as raw bytes (a WordArray), so CryptoJS emits plain Base64
            // ciphertext with no "Salted__" header; 24 bytes selects AES-192.
            // Anyone who loads the page can read this key from the script.
            var secretKey = "$ASPcAwSNIgcPPEoTSa0ODw#";
            var secretBytes = CryptoJS.enc.Utf8.parse(secretKey);
            var encrypted = CryptoJS.AES.encrypt(txtPlain, secretBytes, {
                mode: CryptoJS.mode.ECB,
                padding: CryptoJS.pad.Pkcs7
            }).toString();
            document.getElementById("<%= hdnPANEnc.ClientID %>").value = encrypted;
        }
        return true;
    }
</script>
2. Decrypt the PAN Value on the Server Side (in C#)
When the form is submitted, the encrypted PAN value will be sent to the server. On the server side, you will decrypt this value before performing any operations like querying the database.
Here is the decryption method in C#:
using System;
using System.Security.Cryptography;
using System.Text;

// Reverses the client-side CryptoJS call: Base64 -> AES-192-ECB -> strip PKCS#7 -> UTF-8.
// The key must be byte-for-byte identical to the one in the JavaScript.
private string Decrypt(string encryptedText)
{
    string secretKey = "$ASPcAwSNIgcPPEoTSa0ODw#";
    byte[] secretBytes = Encoding.UTF8.GetBytes(secretKey); // 24 bytes -> AES-192
    byte[] encryptedBytes = Convert.FromBase64String(encryptedText);
    using (Aes aes = Aes.Create())
    {
        aes.Key = secretBytes;
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.PKCS7;
        using (ICryptoTransform decryptor = aes.CreateDecryptor())
        {
            byte[] decryptedBytes = decryptor.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
            return Encoding.UTF8.GetString(decryptedBytes);
        }
    }
}
3. Get the Encrypted PAN and Decrypt it in C#
In the server-side code, retrieve the encrypted PAN from the hdnPANEnc hidden field, decrypt it, and use it in your SQL query:
using System.Data.SqlClient;

// Read the hidden field from the posted form (hdnPANEnc.Value works as well), decrypt it,
// and bind the result as a parameter rather than concatenating it into the SQL text.
string encryptedText = Request.Form[hdnPANEnc.UniqueID];
string decryptedText = this.Decrypt(encryptedText);
SqlParameter[] param = {
    new SqlParameter("@Panid", decryptedText)
};
string sqlGenerate = "SELECT DISTINCT PhoneNO, email, NAME FROM client_table WHERE PAN = @Panid";
4. Ensure PAN is Not Stored in __VIEWSTATE
Avoid binding the PAN value to ViewState: make sure the value of the PAN field is never added to the ViewState.
5. Avoid Exposing Sensitive Data in Request.Form or Network Payload
By encrypting the PAN on the client side and only sending the encrypted value to the server, you ensure that the sensitive data is not exposed in the Request.Form or network payload as plain text. On the server side, use the decryption logic to retrieve the PAN.