
Friday, March 9, 2012

Encrypt

Hi
What is the best method to encrypt data in tables?
Let's say if special program or user calls select * from names
then all data is visible and normal, but all others get "crap" with select * from names
;)
Best Regards;
Mex
Hello,
Take a look into Symmetric or Asymmetric encryptions in SQL 2005. The below
URL details various encryption methods and algorithms
which are available in SQL Server.
http://www.microsoft.com/technet/itshowcase/content/sqldatsec.mspx
Thanks
Hari
"Meelis Lilbok" <meelis.lilbok@.deltmar.ee> wrote in message
news:uNYS7XSdHHA.4344@.TK2MSFTNGP02.phx.gbl...
> Hi
> What is the best method to encrypt data in tables?
> Let's say if special program or user calls select * from names
> then all data is visible and normal, but all others get "crap" with select
> * from names
>
> ;)
> Best Regards;
> Mex
>
let me explain what i want
this "encrypt" function is needed for web application.
let's say, we have a bad/lazy programmer in our company ;). he writes bad code
and hackers can use sql injection attack
to get data from database.
when data is encrypted even with sql injection hackers can't get sensitive
data.
sry my english is not very good
Mex
"David Portas" <REMOVE_BEFORE_REPLYING_dportas@.acm.org> wrote in message
news:1175523112.383268.101970@.b75g2000hsg.googlegroups.com...
> On 2 Apr, 13:53, "Meelis Lilbok" <meelis.lil...@.deltmar.ee> wrote:
> Do you really want to return "crap" to some users? I suspect not. I
> think your real requirement is to deny user access to certain
> data. You can do that using GRANT / DENY and no encryption is
> required.
> Encryption is not a substitute for data access control.
> --
> David Portas, SQL Server MVP
> Whenever possible please post enough code to reproduce your problem.
> Including CREATE TABLE and INSERT statements usually helps.
> State what version of SQL Server you are using and specify the content
> of any error messages.
> SQL Server Books Online:
> http://msdn2.microsoft.com/library/ms130214(en-US,SQL.90).aspx
> --
>
Hi
"Redivivus" wrote:

> let me explain what i want
> this "encrypt" function is needed for web application.
> let's say, we have a bad/lazy programmer in our company ;). he writes bad code
> and hackers can use sql injection attack
> to get data from database.
> when data is encrypted even with sql injection hackers can't get sensitive
> data.
> sry my english is not very good
> Mex
>
Hari has suggested using SQL 2005 encryption features, but you have not said
if you are using SQL 2005!
If you have left yourself vulnerable to SQL Injection attacks then the
hacker may be able to find out what encryption keys are being used or in a
worse case if the victim procedure has opened the keys he may still be able
to see the data through the injection anyhow. This could apply to any method
of server based encryption, you may want to read
http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx
Part of your solution should be to make sure that all code is reviewed and
coding standards implemented and maybe justification should be required when
it is necessary to use dynamic SQL. You may want to read the following
http://www.sommarskog.se/dynamic_sql.html#good_practices
HTH
John
On 2 Apr, 17:01, "Redivivus" <meelis.lil...@.deltmar.ee> wrote:
> let me explain what i want
> this "encrypt" function is needed for web application.
> let's say, we have a bad/lazy programmer in our company ;). he writes bad code
> and hackers can use sql injection attack
> to get data from database.
> when data is encrypted even with sql injection hackers can't get sensitive
> data.
>
You are mistaken. If you allow arbitrary code execution through SQL
injection then anything could be possible within the security context
of the connection. If the authentication layer for your encryption
(password, certificate or some other method) is compromised as a
result then your encryption is worthless. Encryption is no substitute
for controlling data access.
David Portas, SQL Server MVP
Whenever possible please post enough code to reproduce your problem.
Including CREATE TABLE and INSERT statements usually helps.
State what version of SQL Server you are using and specify the content
of any error messages.
SQL Server Books Online:
http://msdn2.microsoft.com/library/ms130214(en-US,SQL.90).aspx
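
The point made in the replies above (control access first; server-side encryption only keeps data from principals that cannot use the key), as an added T-SQL example that is not part of the original thread. The table columns, the users web_user and hr_user, the key and certificate names and the sample row are all constructed for illustration.

```sql
-- Added example; every object name and value here is constructed for illustration.
CREATE TABLE dbo.names (
    id      INT IDENTITY PRIMARY KEY,
    name    NVARCHAR(100) NOT NULL,
    ssn_enc VARBINARY(256) NULL          -- ciphertext written by EncryptByKey
);
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE NamesCert WITH SUBJECT = 'Protects NamesKey';
CREATE SYMMETRIC KEY NamesKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE NamesCert;
GO

-- Two database principals: the web application and a trusted reader.
CREATE USER web_user WITHOUT LOGIN;
CREATE USER hr_user  WITHOUT LOGIN;

-- Access control first: the web principal may read only the non-sensitive columns.
GRANT SELECT ON dbo.names (id, name) TO web_user;
GRANT SELECT ON dbo.names TO hr_user;

-- Key access only for the trusted reader; web_user gets nothing on key or certificate.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::NamesKey TO hr_user;
GRANT CONTROL ON CERTIFICATE::NamesCert TO hr_user;
GO

-- Load one constructed row as the owner.
OPEN SYMMETRIC KEY NamesKey DECRYPTION BY CERTIFICATE NamesCert;
INSERT INTO dbo.names (name, ssn_enc)
VALUES (N'Constructed Person', EncryptByKey(Key_GUID('NamesKey'), N'000-00-0000'));
CLOSE SYMMETRIC KEY NamesKey;
GO

-- Any statement reaching the server on the web connection runs as web_user.
EXECUTE AS USER = 'web_user';
SELECT id, name FROM dbo.names;                      -- allowed
-- SELECT * FROM dbo.names;                          -- fails: no SELECT on ssn_enc
-- OPEN SYMMETRIC KEY NamesKey DECRYPTION BY CERTIFICATE NamesCert;  -- fails: no key permission
REVERT;
GO

-- The trusted reader can decrypt, and so can anything else run in this session
-- while the key is open, which is the caveat raised in the thread.
EXECUTE AS USER = 'hr_user';
SELECT name, CONVERT(NVARCHAR(20), DecryptByKey(ssn_enc)) AS ssn FROM dbo.names;  -- NULL: key not open
OPEN SYMMETRIC KEY NamesKey DECRYPTION BY CERTIFICATE NamesCert;
SELECT name, CONVERT(NVARCHAR(20), DecryptByKey(ssn_enc)) AS ssn FROM dbo.names;  -- plaintext
CLOSE SYMMETRIC KEY NamesKey;
REVERT;
```

If the web application's own connection is given the hr_user permissions so that it can display the column, the column and key grants no longer separate it from the data, which is why the replies treat encryption as a complement to GRANT / DENY rather than a replacement.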
"Redivivus" <meelis.lilbok@.deltmar.ee> wrote in message
news:ew3rnAUdHHA.1080@.TK2MSFTNGP02.phx.gbl...
> let me explain what i want
> this "encrypt" function is needed for web application.
> let's say, we have a bad/lazy programmer in our company ;). he writes bad
> code and hackers can use sql injection attack
> to get data from database.
> when data is encrypted even with sql injection hackers can't get sensitive
> data.
Sure they can. Because if you have programmers that bad, you'll also do
encryption that poorly.
Ok, granted, I do agree that some encryption is a good idea, but I'd spend
more time with better hiring. :-)
Note, regardless, you still do NOT want to encrypt every column. You really
can't get performance that way. (as in you'll get NONE).

> sry my english is not very good
> Mex
>
> "David Portas" <REMOVE_BEFORE_REPLYING_dportas@.acm.org> wrote in message
> news:1175523112.383268.101970@.b75g2000hsg.googlegroups.com...
>
Greg Moore
SQL Server DBA Consulting Remote and Onsite available!
Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html
