Hello Everybody,
I have a Encryption - Decription Question.
In my project we are getting an XML File from a vendor which has a credit
card number in clear text. We use XML bulk load process to load table from
xml file.
How can i encrypt credit card number while storing into table.
Also i will have to decrypt CC number while i create comma separated file
for another vendor ?
Pls let me know.
thxA credit card number is typically not the type of attribute used for
indexing, sorting, grouping, or composing a primary key, so I see no reason
why it would not be a good candidate for encryption. It would be reasonable
and fairly simple to store it encrypted and decrypt it at the application
level only when needed for display on a customer information form or to
complete a business transaction.
However, a social security number is a different issue.
"mvp" <mvp@.discussions.microsoft.com> wrote in message
news:81898E3B-37E1-4B90-9F83-2E522A29D064@.microsoft.com...
> Hello Everybody,
> I have a Encryption - Decription Question.
> In my project we are getting an XML File from a vendor which has a credit
> card number in clear text. We use XML bulk load process to load table from
> xml file.
> How can i encrypt credit card number while storing into table.
> Also i will have to decrypt CC number while i create comma separated file
> for another vendor ?
> Pls let me know.
> thx|||I have a few line sof VB.Net code that Encrypts or Decrypts a string passed
to it; If interested then let me know and I will post the code for you.
"mvp" wrote:
> Hello Everybody,
> I have a Encryption - Decription Question.
> In my project we are getting an XML File from a vendor which has a credit
> card number in clear text. We use XML bulk load process to load table from
> xml file.
> How can i encrypt credit card number while storing into table.
> Also i will have to decrypt CC number while i create comma separated file
> for another vendor ?
> Pls let me know.
> thx|||Thanks for the reply
But can i know how can i do this encryption-decryption..
thanks
"JT" wrote:
> A credit card number is typically not the type of attribute used for
> indexing, sorting, grouping, or composing a primary key, so I see no reaso
n
> why it would not be a good candidate for encryption. It would be reasonabl
e
> and fairly simple to store it encrypted and decrypt it at the application
> level only when needed for display on a customer information form or to
> complete a business transaction.
> However, a social security number is a different issue.
> "mvp" <mvp@.discussions.microsoft.com> wrote in message
> news:81898E3B-37E1-4B90-9F83-2E522A29D064@.microsoft.com...
>
>|||I want to read from XML file (which has CC number in clear text, i use sql
bulk load to load xml into table) and load into sql server table in encrypt
form and then decrypt again when i create comma seperated file from table
again to provide feed to another vendor ?
Let me know, do u have similar thing ?
"Shariq" wrote:
> I have a few line sof VB.Net code that Encrypts or Decrypts a string passe
d
> to it; If interested then let me know and I will post the code for you.
> "mvp" wrote:
>|||If your entire input and output processing is done with SQL server then I
haven't done similar thing but you could possibly use ActiveX script to
Encrypt/Decrypt.
In a similiar type of situation when I had to encrypt/decrypt for input and
output; I use VB.Net application to re-process XML file as input, encrypted
the Credit Card numbers and output to an XML file. Then I executed a DTS
package to upload the XML formatted output file to a SQL Server.
When sending data to a client with decrypted CC numbers; I also used the VB
application to rad data from the SQL Server and during the data read,
decrypted the CC numbers and produced XML file.
"mvp" wrote:
> I want to read from XML file (which has CC number in clear text, i use sq
l
> bulk load to load xml into table) and load into sql server table in encry
pt
> form and then decrypt again when i create comma seperated file from table
> again to provide feed to another vendor ?
> Let me know, do u have similar thing ?
> "Shariq" wrote:
>|||Hello Shariq,
I'm Interesting about the encryption/decryption code that you wrote in VB.NE
T.
Would you like to post it me?
Thank you!
"Shariq" wrote:
> If your entire input and output processing is done with SQL server then I
> haven't done similar thing but you could possibly use ActiveX script to
> Encrypt/Decrypt.
> In a similiar type of situation when I had to encrypt/decrypt for input an
d
> output; I use VB.Net application to re-process XML file as input, encrypte
d
> the Credit Card numbers and output to an XML file. Then I executed a DTS
> package to upload the XML formatted output file to a SQL Server.
> When sending data to a client with decrypted CC numbers; I also used the V
B
> application to rad data from the SQL Server and during the data read,
> decrypted the CC numbers and produced XML file.
> "mvp" wrote:
>|||If you are taking about decrypting data coming in from the source data or
encrypting data as it extract to another format, then this would be
implemented at the application level not the database level. It depends on
what application programming tool your are using.
"mvp" <mvp@.discussions.microsoft.com> wrote in message
news:8470213F-47A3-417A-B920-BB7759AC0738@.microsoft.com...
> Thanks for the reply
> But can i know how can i do this encryption-decryption..
> thanks
> "JT" wrote:
>|||x-rays,
You might be able to better technique but the technique I use works great
for me.
This function will either encrypt or decrypt depanding on what is passed to
it.
Public Function MyCryption(ByVal strInput As String) As String
' Encrypts/decrypts the passed string using
' a simple ASCII value-swapping algorithm
Dim strTempChar As String, i As Integer
For i = 1 To Len(strInput)
If Asc(Mid$(strInput, i, 1)) < 128 Then
strTempChar = CType(Asc(Mid$(strInput, i, 1)) + 128, String)
ElseIf Asc(Mid$(strInput, i, 1)) > 128 Then
strTempChar = CType(Asc(Mid$(strInput, i, 1)) - 128, String)
End If
Mid$(strInput, i, 1) = Chr(CType(strTempChar, Integer))
Next i
Return strInput
End Function
"x-rays" wrote:
> Hello Shariq,
> I'm Interesting about the encryption/decryption code that you wrote in VB.
NET.
> Would you like to post it me?
> Thank you!
> "Shariq" wrote:
>|||Keep in mind that whatever encryption you end up using, the encrypted data
is only as secure as the code you use for the encryption. If your
encryption code and key are stored in a source control system, everyone with
access to that system will be able to decrypt the data, provided they have
access to the table where the data is stored.
If your programmers do not have access to the production database, and your
DBAs do not have access to your application code, then you should be ok.
"mvp" <mvp@.discussions.microsoft.com> wrote in message
news:81898E3B-37E1-4B90-9F83-2E522A29D064@.microsoft.com...
> Hello Everybody,
> I have a Encryption - Decription Question.
> In my project we are getting an XML File from a vendor which has a credit
> card number in clear text. We use XML bulk load process to load table from
> xml file.
> How can i encrypt credit card number while storing into table.
> Also i will have to decrypt CC number while i create comma separated file
> for another vendor ?
> Pls let me know.
> thx
Showing posts with label project. Show all posts
Showing posts with label project. Show all posts
Tuesday, March 27, 2012
Encryption problem
Hi All,
Currently for a project for the company I work for, we are looking to migrate from SQL Server 2000 to 2005. As part of the investigation I am looking at the some of the new features in 2005.
Looking at the encryption facilities which we are looking to use I have come across a problem (or perceived problem)
I have the following test table (where in production we will replace CardNo with the CustomerID)
//--
USE [Encryption2]
GO
/****** Object: Table [dbo].[Cards] Script Date: 11/13/2006 11:42:44 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
SET ANSI_PADDING ON
GO
CREATE TABLE [dbo].[Cards](
[CardNo] [nvarchar](50) COLLATE Latin1_General_CI_AI NULL,
[Encrypted] [varbinary](max) NULL
) ON [PRIMARY]
GO
SET ANSI_PADDING OFF
//--
I'm creating test records using an INSERT as follows
insert into cards (cardno, encrypted) values ('1111-2222-3333-4444', ENCRYPTBYPASSPHRASE('adminpw', '1111-2222-3333-4444'))
in trying to replicate how we may send data to the db.
On retrieving the data using
select CardNo, Encrypted, convert(nvarchar(50), DECRYPTBYPASSPHRASE('adminpw', Encrypted)) as decrypted from cards
The 'decrypted' column is not returning the expected '1111-2222-3333-4444' but a corrupted value.
Update the data using
update Cards set encrypted = ENCRYPTBYPASSPHRASE('adminpw', CardNo) where CardNo = '1111-2222-3333-4444'
and the decrypted value returned is '1111-2222-3333-4444'.
Update using
update Cards set encrypted = ENCRYPTBYPASSPHRASE('adminpw', '1111-2222-3333-4444') where CardNo = '1111-2222-3333-4444'
and the value is once again invalid.
Am I doing anything wrong? Any ideas and help would be welcome.
Thanks
So I did a quick test. It looks like this is happening because you are encrypting a non-unicode string, then decrypting it and converting it to unicode, which results in garbled text. If you replace:
'1111-2222-3333-4444'
with
N'1111-2222-3333-4444'
On your insert, I believe this should work. Please let me know if it does not.
Thanks,
Sung
|||Note, this works on the update where you select from the column because you are explicitly selecting from a unicode column. Thus in that one case you are using a unicode string whereas in the other cases you are using a non-unicode string.
Thanks,
Sung
|||Works a treat, thanks for the help. :)Thursday, March 22, 2012
Encryption and "WHERE encrypted_column LIKE"
I am starting an encryption project for my database and I'm performing
some tests on decryption speed. A lot of my application queries use a
LIKE parameter in the WHERE clause. To keep from changing my
application I am performing all the work on the back-end; creating
views, triggers and UDFs to encrypt/decrypt the data. A problem has
arisen around the LIKE parameter, though.
some tests on decryption speed. A lot of my application queries use a
LIKE parameter in the WHERE clause. To keep from changing my
application I am performing all the work on the back-end; creating
views, triggers and UDFs to encrypt/decrypt the data. A problem has
arisen around the LIKE parameter, though.
Currently:
SELECT SSN, FNAME, LNAME FROM USERS WHERE LNAME LIKE 'BON%'
will become:
SET @.NEWVALUE = dbo.decrypt_hash('BON%')
SELECT SSN, FNAME, LNAME FROM USERS_VIEW WHERE LNAME_HASH LIKE
@.NEWVALUE
This will not work. A hash can only compare a string value to a string
value. Has anyone else worked with this type of encryption and how did
you get around using LIKE?
Thanks,
JoshUsing TSQL to encrypt in a UDF is a non-starter. It's always going to
destroy performance because any non-trivial encryption algorithm is likely
to be unfeasibly slow implemented in TSQL.
Firstly, what is the goal of encrypting the data? Understand that encryption
is not a good way to control access to a database. There are legitimate uses
of encryption in a database but encrypting user's names seems a little
unusual. Since your example code doesn't even seem to include a key for the
decryption function I don't quite understand what you are trying to
implement here.
If you really need encryption then Google for some of the third-party
solutions available. You'll also find previous posts on this topic in the
microsoft.public.sqlserver.* hierarchy.
--
David Portas
SQL Server MVP
--|||David Portas (REMOVE_BEFORE_REPLYING_dportas@.acm.org) writes:
> Using TSQL to encrypt in a UDF is a non-starter. It's always going to
> destroy performance because any non-trivial encryption algorithm is likely
> to be unfeasibly slow implemented in TSQL.
You could call an extended stored procedure from the UDF to perform
the actual encryption. Of course, it will still be slow since the UDF
and XP calls are expensive in themselves. Then again, Encryption
and high performance do not really go well together.
As for the problem posted, I would suggest that what is needed is:
SELECT SSN, FNAME, LNAME FROM USERS_VIEW
WHERE dbo.decrypt(LNAME_HASH) LIKE 'BON%'
Which is not going to perform well at all.
--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp|||"joshsackett" <joshsackett@.gmail.com> wrote in message
news:1117212160.020006.275040@.z14g2000cwz.googlegr oups.com...
> I am starting an encryption project for my database and I'm performing
> some tests on decryption speed. A lot of my application queries use a
> LIKE parameter in the WHERE clause. To keep from changing my
> application I am performing all the work on the back-end; creating
> views, triggers and UDFs to encrypt/decrypt the data. A problem has
> arisen around the LIKE parameter, though.
I was just reading an article on this I think in this month's SQL Server
magazine.
I'll agree that encrypting last name is a bit "different".
One thing they suggested for things like credit card numbers is a) being
able to index on a column OTHER than the ccn so you can get the row(s) in
question and only decrypt that absolute minimum needed and if you DO need to
use the ccn, b) store the last 4 digits unencrypted to use that to help
narrow your search.
> Currently:
> SELECT SSN, FNAME, LNAME FROM USERS WHERE LNAME LIKE 'BON%'
> will become:
> SET @.NEWVALUE = dbo.decrypt_hash('BON%')
> SELECT SSN, FNAME, LNAME FROM USERS_VIEW WHERE LNAME_HASH LIKE
> @.NEWVALUE
> This will not work. A hash can only compare a string value to a string
> value. Has anyone else worked with this type of encryption and how did
> you get around using LIKE?
> Thanks,
> Josh|||Josh,
Hashing is not encryption, and hashing something like a last name
is useless, except for obfuscation. Only the 1,000,000 most common
last names in the world (if not 10,000) account for virtually everyone,
so if someone has a hash (say SHA1) of a last name, they basically
have the last name and can look up the hash in a small dictionary of
hashed last names. When hashing is appropriate, such as for creating
a message digest, it is not reversible. The sum of this is that
something based on the idea of "decrypting a hash" is flawed.
That said, the more you want to do efficiently with the encrypted
value, the less useful the encryption. If you can use LIKE or
other comparisons efficiently in predicates with the encrypted value,
you're letting your users play "Twenty Questions" with your data:
1. Does Secret start with the letter 'L' (LIKE 'L%')?
2. It does? Good. Does it satisfy WHERE Secret >= 'LN'?
3. No? Ok, does it satisfy WHERE Secret > 'LG'?
...
If you're just obfuscating the data with a reversible obfuscator,
you might just as well do this when someone needs a LIKE result:
select ...
from users_view
where dbo.deobfuscate(LNAME) like ' BON%'
If that's too slow, maybe you can manage to add dbo.deobfuscate(LNAME)
to the underlying table and index that computed column, hoping the
index will be used by the query. I'm not sure whether you can make
this work, but as Erland said, encryption and performance don't
go well together. Security and availability are Heisenbergian: you
can't have both, and the more of one you have, the less you have of
the other. This is as unavoidable as any law of physics.
Steve Kass
Drew University
joshsackett wrote:
> I am starting an encryption project for my database and I'm performing
> some tests on decryption speed. A lot of my application queries use a
> LIKE parameter in the WHERE clause. To keep from changing my
> application I am performing all the work on the back-end; creating
> views, triggers and UDFs to encrypt/decrypt the data. A problem has
> arisen around the LIKE parameter, though.
> Currently:
> SELECT SSN, FNAME, LNAME FROM USERS WHERE LNAME LIKE 'BON%'
> will become:
> SET @.NEWVALUE = dbo.decrypt_hash('BON%')
> SELECT SSN, FNAME, LNAME FROM USERS_VIEW WHERE LNAME_HASH LIKE
> @.NEWVALUE
> This will not work. A hash can only compare a string value to a string
> value. Has anyone else worked with this type of encryption and how did
> you get around using LIKE?
> Thanks,
> Josh|||First off, thanks to everyone who has provided their input. Secondly,
let me continue down the path I started:
My client performs searches on SSN, FNAME & LNAME. Any of these columns
can currently be included in a "LIKE" search. I am researching
encryption methods for the database that have minimal impact on the
application. The only way to accomplish this is to change the table
names, encrypt the data and create views to access the tables. The
problem (as you know) is that in order to perform a comparison on an
encrypted column is to completely decrypt the column and then compare.
This is not acceptable performance wise.
The next option is to not change the DB but the application. So to have
the application perform a search against an indexed, encrypted column I
would write (in essence)
SELECT dbo.decrypt(ENC_SSN), dbo.decrypt(ENC_FNAME),
dbo.decrypt(ENC_LNAME), ADDRESS FROM UserTable WHERE ENC_LNAME =
dbo.encrypt(SMITH) .
This is MUCH faster. The problem now is how to perform a LIKE search?
dbo.encrypt(SMITH) will look nothing like dbo.encrypt(SMI). The only
thing I can think of is to create another column containing the first 2
(or so) characters of the last name and perform a straight comparison
on that column using a SUBSTRING of the original LastNameString and
then decrypt all the matching columns and perform a like search on
those. Example:
@.LastNameString = 'WILLI%'
@.ShortLNS = SUBSTRING(@.LastNameString,1,2)
SELECT dbo.decrypt(ENC_SSN), dbo.decrypt(ENC_FNAME),
dbo.decrypt(ENC_LNAME), ADDRESS
FROM UserTable
WHERE dbo.decrypt(ENC_LNAME) LIKE @.LastNameString
AND
-- This next section limits the search result but only by
26^ShortColumnLength.
-- So in this case 26^2 = 676 unique rows (max.. assuming someone's
last name starts with "ZZ" :)
dbo.decrypt(ENC_LNAME) IN
(
SELECT dbo.decrypt(ENC_LNAME) from UserTable
WHERE SHORT_LNAME = @.ShortLNS
)|||I got it! This can be performed for every searchable column. Wrap the
entire thing in a stored procedure (expand as needed) and viola!
@.LastNameString = 'WILLI%'
@.ShortLNS = SUBSTRING(@.LastNameString,1,2)
DECLARE @.tbl_enc_lname TABLE
(enc_lname varchar(30))
INSERT INTO @.tbl_enc_lname
SELECT enc_lname FROM users WHERE short_lname = @.ShortLNS
SELECT
dbo.decrypt(enc_ssn),dbo.decrypt(enc_fname),dbo.de crypt(enc_lname),
address from users
WHERE
dbo.decrypt(enc_lname) LIKE @.LastNameString
AND
enc_lname IN
(
SELECT enc_lname from @.enc_lname_holder
)
SQL Statistics:
44 unique last names out of 100,000 rows
2,301 rows returned
SQL Server Execution Times:
CPU time = 5428 ms, elapsed time = 7118 ms.
SQL Server IOSTATS:
Table '#21D600EE'. Scan count 0, logical reads 4494, physical reads 0,
read-ahead reads 0.
Table 'users'. Scan count 2, logical reads 497, physical reads 0,
read-ahead reads 0.
Table 'users'. Scan count 2, logical reads 7234, physical reads 0,
read-ahead reads 0.
Table '#21D600EE'. Scan count 1, logical reads 22, physical reads 0,
read-ahead reads 0.
Hardware:
Single Pentium 4 - 1.7GHz
384MB RAM
Dell Inspiron 8200 Notebook
SQL Server Desktop Edition|||SELECT enc_lname from @.enc_lname_holder
should read
SELECT enc_lname from @.tbl_enc_lname|||> The only way to accomplish this is to change the table
> names, encrypt the data and create views to access the tables.
This makes no sense at all. You would be better off creating SPs to access
the data unencrypted and then denying all permissions on the base tables. As
I said before, encryption is not the way to control access to data.
--
David Portas
SQL Server MVP
--|||I agree.. what good does it do to encrypt the DB data when the method
for decrypting it exists in the database? If anyone gets the database
(which is I assume what you are worried about) they can simply use the
routine that already exists in the DB to get the data. I assume this is
some sort of privacy feature...
I will say though, that we had a product where people kept asking us if
the usernames and passwords were encrypted in the database. We got sick
of repeatedly explaining why not, so we did a simple encryption on them
so that we could say, "yes, they are" and move on to the next topic.|||David: If someone steals my physical database files or the backups then
they have access to the data, so it must be encrypted. I am not merely
trying to keep people out, I am trying ot make sure that if someone
gets the data they cannot read it.
pb: The routine to decrypt the data exists in the database but you must
run a stored procedure with the routine alias and password before your
run a query if you wish to pull unencrypted data. Check out the program
XP_CRYPT (search Google) and you'll see where I am going with this.
Wednesday, March 21, 2012
Encrypting confidential data including foreign keys
Hi,
I am currently working on a project for a client. The project is to create
an intranet site to maintain confidential employee data. There is a master
employee table, containing name, date of birth etc. However, the table also
links to some look-up tables, such as grades, ethnicity, citizenship etc.
I was wondering what was the best solution for encrypting the data in SQL
Server 2000, so that someone with database access cannot read the
confidential data. Encrypting the free text data is fairly simple, but I am
not sure how to encrypt the foreign keys while preserving referential
integrity.
For example, if an employee has citizenship = 5, it is quite easy to workout
the citizenship from the look-up table. Even if 5 is encrypted to ABC, it is
quite easy to see the pattern on the table.
Also, the client wants to do some reporting on the tables, so run queries
with filters (such as Citizenship=UK) on encrypted data.
We looked at xpcrypt, but it appears to create automatically a view
containing the decrypted data for the duration of the SQL session, so I am
not sure how appropriate it is for a web application, maintaining pretty
much a constant connection/session to the DB.
Any advice welcome!
Thanks,
TomOn Fri, 28 Oct 2005 21:29:31 +0100, "Tom" <Tom@.nospam.com> wrote:
> but I am
>not sure how to encrypt the foreign keys while preserving referential
>integrity.
>
Hmm, I doubt you'll find any encryption product that can encrypt a
foreign key column.
Scott
http://www.OdeToCode.com/blogs/scott/|||Hi,
well try our software for SQL server side encryption for that , visit and
refer :
http://database-encryption.com/ it will serve your purpose
Regards
--
Andy Davis
Activecrypt Team
---SQL Server Encryption Software
http://www.activecrypt.com
"Tom" wrote:
> Hi,
> I am currently working on a project for a client. The project is to create
> an intranet site to maintain confidential employee data. There is a master
> employee table, containing name, date of birth etc. However, the table als
o
> links to some look-up tables, such as grades, ethnicity, citizenship etc.
> I was wondering what was the best solution for encrypting the data in SQL
> Server 2000, so that someone with database access cannot read the
> confidential data. Encrypting the free text data is fairly simple, but I a
m
> not sure how to encrypt the foreign keys while preserving referential
> integrity.
> For example, if an employee has citizenship = 5, it is quite easy to worko
ut
> the citizenship from the look-up table. Even if 5 is encrypted to ABC, it
is
> quite easy to see the pattern on the table.
> Also, the client wants to do some reporting on the tables, so run queries
> with filters (such as Citizenship=UK) on encrypted data.
> We looked at xpcrypt, but it appears to create automatically a view
> containing the decrypted data for the duration of the SQL session, so I am
> not sure how appropriate it is for a web application, maintaining pretty
> much a constant connection/session to the DB.
> Any advice welcome!
> Thanks,
> Tom
>
>|||http://www.sqlservercentral.com/col...oolkitpart1.asp
You can't really encrypt foreign key columns to any useful degree, since
they'll have to be encrypted on the referenced table as well and once again
you've got an easily visible link... What you can do is encrypt the
descripition data in the referenced table to make it unreadable. So instead
of storing "NATIVE AMERICAN" in plain text on the ethnicity table, you could
encrypt that description and store it.
"Tom" <Tom@.nospam.com> wrote in message
news:raydnZJ8BOyXF__eRVnyjw@.pipex.net...
> Hi,
> I am currently working on a project for a client. The project is to create
> an intranet site to maintain confidential employee data. There is a master
> employee table, containing name, date of birth etc. However, the table
> also links to some look-up tables, such as grades, ethnicity, citizenship
> etc.
> I was wondering what was the best solution for encrypting the data in SQL
> Server 2000, so that someone with database access cannot read the
> confidential data. Encrypting the free text data is fairly simple, but I
> am not sure how to encrypt the foreign keys while preserving referential
> integrity.
> For example, if an employee has citizenship = 5, it is quite easy to
> workout the citizenship from the look-up table. Even if 5 is encrypted to
> ABC, it is quite easy to see the pattern on the table.
> Also, the client wants to do some reporting on the tables, so run queries
> with filters (such as Citizenship=UK) on encrypted data.
> We looked at xpcrypt, but it appears to create automatically a view
> containing the decrypted data for the duration of the SQL session, so I am
> not sure how appropriate it is for a web application, maintaining pretty
> much a constant connection/session to the DB.
> Any advice welcome!
> Thanks,
> Tom
>|||you can use built in database security to accomplish your goal|||What SQL 2000 function is that?
"Alexander Kuznetsov" <AK_TIREDOFSPAM@.hotmail.COM> wrote in message
news:1147967032.280063.193550@.u72g2000cwu.googlegroups.com...
> you can use built in database security to accomplish your goal
>
I am currently working on a project for a client. The project is to create
an intranet site to maintain confidential employee data. There is a master
employee table, containing name, date of birth etc. However, the table also
links to some look-up tables, such as grades, ethnicity, citizenship etc.
I was wondering what was the best solution for encrypting the data in SQL
Server 2000, so that someone with database access cannot read the
confidential data. Encrypting the free text data is fairly simple, but I am
not sure how to encrypt the foreign keys while preserving referential
integrity.
For example, if an employee has citizenship = 5, it is quite easy to workout
the citizenship from the look-up table. Even if 5 is encrypted to ABC, it is
quite easy to see the pattern on the table.
Also, the client wants to do some reporting on the tables, so run queries
with filters (such as Citizenship=UK) on encrypted data.
We looked at xpcrypt, but it appears to create automatically a view
containing the decrypted data for the duration of the SQL session, so I am
not sure how appropriate it is for a web application, maintaining pretty
much a constant connection/session to the DB.
Any advice welcome!
Thanks,
TomOn Fri, 28 Oct 2005 21:29:31 +0100, "Tom" <Tom@.nospam.com> wrote:
> but I am
>not sure how to encrypt the foreign keys while preserving referential
>integrity.
>
Hmm, I doubt you'll find any encryption product that can encrypt a
foreign key column.
Scott
http://www.OdeToCode.com/blogs/scott/|||Hi,
well try our software for SQL server side encryption for that , visit and
refer :
http://database-encryption.com/ it will serve your purpose
Regards
--
Andy Davis
Activecrypt Team
---SQL Server Encryption Software
http://www.activecrypt.com
"Tom" wrote:
> Hi,
> I am currently working on a project for a client. The project is to create
> an intranet site to maintain confidential employee data. There is a master
> employee table, containing name, date of birth etc. However, the table als
o
> links to some look-up tables, such as grades, ethnicity, citizenship etc.
> I was wondering what was the best solution for encrypting the data in SQL
> Server 2000, so that someone with database access cannot read the
> confidential data. Encrypting the free text data is fairly simple, but I a
m
> not sure how to encrypt the foreign keys while preserving referential
> integrity.
> For example, if an employee has citizenship = 5, it is quite easy to worko
ut
> the citizenship from the look-up table. Even if 5 is encrypted to ABC, it
is
> quite easy to see the pattern on the table.
> Also, the client wants to do some reporting on the tables, so run queries
> with filters (such as Citizenship=UK) on encrypted data.
> We looked at xpcrypt, but it appears to create automatically a view
> containing the decrypted data for the duration of the SQL session, so I am
> not sure how appropriate it is for a web application, maintaining pretty
> much a constant connection/session to the DB.
> Any advice welcome!
> Thanks,
> Tom
>
>|||http://www.sqlservercentral.com/col...oolkitpart1.asp
You can't really encrypt foreign key columns to any useful degree, since
they'll have to be encrypted on the referenced table as well and once again
you've got an easily visible link... What you can do is encrypt the
descripition data in the referenced table to make it unreadable. So instead
of storing "NATIVE AMERICAN" in plain text on the ethnicity table, you could
encrypt that description and store it.
"Tom" <Tom@.nospam.com> wrote in message
news:raydnZJ8BOyXF__eRVnyjw@.pipex.net...
> Hi,
> I am currently working on a project for a client. The project is to create
> an intranet site to maintain confidential employee data. There is a master
> employee table, containing name, date of birth etc. However, the table
> also links to some look-up tables, such as grades, ethnicity, citizenship
> etc.
> I was wondering what was the best solution for encrypting the data in SQL
> Server 2000, so that someone with database access cannot read the
> confidential data. Encrypting the free text data is fairly simple, but I
> am not sure how to encrypt the foreign keys while preserving referential
> integrity.
> For example, if an employee has citizenship = 5, it is quite easy to
> workout the citizenship from the look-up table. Even if 5 is encrypted to
> ABC, it is quite easy to see the pattern on the table.
> Also, the client wants to do some reporting on the tables, so run queries
> with filters (such as Citizenship=UK) on encrypted data.
> We looked at xpcrypt, but it appears to create automatically a view
> containing the decrypted data for the duration of the SQL session, so I am
> not sure how appropriate it is for a web application, maintaining pretty
> much a constant connection/session to the DB.
> Any advice welcome!
> Thanks,
> Tom
>|||you can use built in database security to accomplish your goal|||What SQL 2000 function is that?
"Alexander Kuznetsov" <AK_TIREDOFSPAM@.hotmail.COM> wrote in message
news:1147967032.280063.193550@.u72g2000cwu.googlegroups.com...
> you can use built in database security to accomplish your goal
>
Wednesday, March 7, 2012
Enabling SQL audit Logging for SELECT queries
Hi all,
We have a requirement in our project where we need to audit log any query
(SELECT queries inclusive) that are fired on a specific set of objects (Tabl
e
and views) in our database. We need to capture information like Who fired th
e
query, When and the actual query itself.
The approach we have thought of is:
Run SQL Profiler and log the output of the trace into a SQL table
Create an INSERT trigger on the SQL table.
Trigger should write data into a custom Audit table with limited information
.
However the di
vantages we see here are performance issues due to profiler
being run continuously, maintenance overhead to clear the SQL table where th
e
trace is written etc.
Can anyone suggest any other better alternative for this requirement?
Thanks
GSNot sure if it ius an option for you, but SQL 2005 contains DML
triggers which allow you to audit Select statements.
Markus|||How about using any of the 3:rd party tools put there? Check the log reader
tools, they tend to have
this support (possibly in special versions): http://www.karaszi.com/SQLServer/link
s.asp
These tools does use the transaction log to audit modifications and Profiler
to audit SELECT.
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
Blog: http://solidqualitylearning.com/blogs/tibor/
"GS" <GS@.discussions.microsoft.com> wrote in message
news:6A359D6A-CCD1-4EC5-AEA2-C74C7F551971@.microsoft.com...
> Hi all,
> We have a requirement in our project where we need to audit log any query
> (SELECT queries inclusive) that are fired on a specific set of objects (Ta
ble
> and views) in our database. We need to capture information like Who fired
the
> query, When and the actual query itself.
> The approach we have thought of is:
> Run SQL Profiler and log the output of the trace into a SQL table
> Create an INSERT trigger on the SQL table.
> Trigger should write data into a custom Audit table with limited informati
on.
> However the divantages we see here are performance issues due to profil
er
> being run continuously, maintenance overhead to clear the SQL table where
the
> trace is written etc.
> Can anyone suggest any other better alternative for this requirement?
> Thanks
> GS
>
We have a requirement in our project where we need to audit log any query
(SELECT queries inclusive) that are fired on a specific set of objects (Tabl
e
and views) in our database. We need to capture information like Who fired th
e
query, When and the actual query itself.
The approach we have thought of is:
Run SQL Profiler and log the output of the trace into a SQL table
Create an INSERT trigger on the SQL table.
Trigger should write data into a custom Audit table with limited information
.
However the di
vantages we see here are performance issues due to profilerbeing run continuously, maintenance overhead to clear the SQL table where th
e
trace is written etc.
Can anyone suggest any other better alternative for this requirement?
Thanks
GSNot sure if it ius an option for you, but SQL 2005 contains DML
triggers which allow you to audit Select statements.
Markus|||How about using any of the 3:rd party tools put there? Check the log reader
tools, they tend to have
this support (possibly in special versions): http://www.karaszi.com/SQLServer/link
s.asp
These tools does use the transaction log to audit modifications and Profiler
to audit SELECT.
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
Blog: http://solidqualitylearning.com/blogs/tibor/
"GS" <GS@.discussions.microsoft.com> wrote in message
news:6A359D6A-CCD1-4EC5-AEA2-C74C7F551971@.microsoft.com...
> Hi all,
> We have a requirement in our project where we need to audit log any query
> (SELECT queries inclusive) that are fired on a specific set of objects (Ta
ble
> and views) in our database. We need to capture information like Who fired
the
> query, When and the actual query itself.
> The approach we have thought of is:
> Run SQL Profiler and log the output of the trace into a SQL table
> Create an INSERT trigger on the SQL table.
> Trigger should write data into a custom Audit table with limited informati
on.
> However the di
vantages we see here are performance issues due to profiler
> being run continuously, maintenance overhead to clear the SQL table where
the
> trace is written etc.
> Can anyone suggest any other better alternative for this requirement?
> Thanks
> GS
>
Wednesday, February 15, 2012
Empty Lines in the Report Title Lines
Hi,
When I open a report from my aspx page I get empty lines in the Title,
but when I choose preview from the report Service Project I dont see these
empty lines.
What do I need to do to see the report exactlly as I see it in the report
Service Project.
Thanks,
LimorIn most cases, while designg, you saw this issue and corrected it. But, the
problem is that IE sometimes caches webpages. Closing and reopening IE should
do the trick. If that doesn't work, remove the report from the server and
deploy it again.
hope it helps
Kind regards
"Limor Bellison" wrote:
> Hi,
> When I open a report from my aspx page I get empty lines in the Title,
> but when I choose preview from the report Service Project I dont see these
> empty lines.
> What do I need to do to see the report exactlly as I see it in the report
> Service Project.
> Thanks,
> Limor
When I open a report from my aspx page I get empty lines in the Title,
but when I choose preview from the report Service Project I dont see these
empty lines.
What do I need to do to see the report exactlly as I see it in the report
Service Project.
Thanks,
LimorIn most cases, while designg, you saw this issue and corrected it. But, the
problem is that IE sometimes caches webpages. Closing and reopening IE should
do the trick. If that doesn't work, remove the report from the server and
deploy it again.
hope it helps
Kind regards
"Limor Bellison" wrote:
> Hi,
> When I open a report from my aspx page I get empty lines in the Title,
> but when I choose preview from the report Service Project I dont see these
> empty lines.
> What do I need to do to see the report exactlly as I see it in the report
> Service Project.
> Thanks,
> Limor
Subscribe to:
Posts (Atom)