I've got a problem scenario w.r.t data cyphering or encryption/decryption in SQL Server 2005.
Scenario:
There is a specific table in the database
The table has a column, let's say "Credit Card"
The requirements is that the content or data in this column should be encrypted
Required (plausible) solution:
Data that is inserted in this table's column should be encrypted, i.e., is unreadable to people running direct queries on the database and/or table; or only by using a specific decryption logic, which requires a KEY of some sort
While reading the data in any application, the method-of-decryption should be easy, maybe KEY based
The process or methodology should be easy to use
But difficult to break
Please give me some suggestions or solution in this regards.
Thank you.
you encrypt data with a symmetric key
you encrypt the symmetric key with a certificate
you encrypt the certificate with a password
periodically you generate a new symmetric key to encrypt new data
priodically you rotate the certificate and re-encrypt the symmetric keys with the new certifictae, dropping the old certificate
Application requests password from the user and opens the certificate in the session. It then uses DECRYPTKEYBYAUTOCERT to encrypt the data. This is the general industry standard. It protects data rest and guards against accidental media loss as well as access from a person not knowing the password.
You will find a lot of bad advise ont his topic. Any scheme that is 'automated' and does not requests the user for a a decryption password is wrong. If you want 'automated' encryption or decryption you should look into Transparent Data Encryption which protects agains accidental media loss. TDE does not protect against other users browsing the data, if they have access priviledges.
Try looking into the DecryptByKey function.
Related
This looks a very nice feature, but what I understood its that only the app can see the unencrypted text of the columns, right?
Is it possible that the admin with a SQL query can see the unencrypted data? or does it have to be always from the app?
If yes, can you post a small query to show this
The answer is NO you cannot see encrypted data even if you are the data admin. The admin should not have access to Column Master Key (certificate). You can access it from a client machine that has certificate installed using SSMS or .Net application. Please check the MSDN blog
The new security layer addresses that vulnerability by keeping the
data encrypted even during transactions and computations, and by only
giving the client keys to decrypt it. That means that if anyone else,
including a database or system administrator, tries to access that
client’s database, the credit card information or other sensitive data
would just look like gibberish.
If you are an admin/DBA you can access plaintext data, if you have access to the column master key. To select and decrypt data, you can use any version of SSMS that supports Always Encrypted. Starting with SSMS 17.0, you can also insert, update, and filter by encrypted columns. For more details, please see:
https://msdn.microsoft.com/en-us/library/mt757096.aspx#Anchor_1
https://blogs.msdn.microsoft.com/sqlsecurity/2016/12/13/parameterization-for-always-encrypted-using-ssms-to-insert-into-update-and-filter-by-encrypted-columns/
We have a process where data is sent from one database to another for distribution. The process chosen at the time was to encrypt the data because of all the people that could access the database. However, de-crypting the data is a slow process.
What are the alternatives to securing the data on the servers to prevent access?
It all depends on your requirements.
If you really need to keep the data private from people whom have access to the database then you pretty much have no option but to encrypt.
If you are sending the data to other locations and it is the transfer itself that needs to be secure you can use encyption for just the communication, ie webservices over https or custom encryption over tcp/ip, or saving to flat files and encrypting it as a whole..
If the data itself needs to be hidden from the people whom have access to it then there is a question of how secure the data needs to be.. If you are just wanting to avoid clear text there are some pretty fast encryption algorithms that can be used, here is a List of different encryption algorithms.
But if you are storing things like medical history or banking information then you have no option but to either upgrade your hardware to improve performance or take the processing time like a man ;).
If we are talking about passwords, where you only need to know if the user entered the correct password or not, then you could hash the passwords with a salt, and compare with the database hash, read more about that here: Link.
Easy answer: none. The only way to prevent people with physical access to the database table (note: the database TABLE - most DBMS can set access rights for indivifual tables) from reading it, is encrypting the data. It really is that simple.
Couple of recommendations
Work with DBA to create roles and restrict access to sensitive columns. In this case you don't have to encrypt.
Few columns you have to encrypt due to regulatory requirements. Selectively encrypt only the columns having sensitive data.
Also use relatively faster algorithms like AES. You can also cache the crypto object if not already done.
I've been looking for finding the best solution to store highly sensitive information like an Amount or a balance in a banking application. Can I store that just as a numeric field or Do I need any encryption to encrypt that data? Am a bit worried about encryptions since these fields are frequently being accessed by the users. So when ever it gets accessed there needs to be some decryption mecahnism and to store back the new balance amount that again needs some encryption.
Or is there is a better solution for that.
Database is SQL Server 2008 R2 and the platform is .NET 4.0
This is an important topic to think about, there are lots of ways to do it.
However encryption in the best possible way when we have confidential data and to save things from Hackers you should surely encrypt it.
Take a look at this
http://msdn.microsoft.com/en-us/library/ms179331.aspx
and this
http://msdn.microsoft.com/en-us/library/ms174361.aspx
You should not need to store the data in an encrypted manner.
When it comes to security of data you should always work on preventing access via firewalls and correct login protocols.
Also only allows users to access data for which they have clearance.
When it comes to encryption - you could encrypt the disk but encrypting columns is not really worth the access time it will take in decrypting the data and if someone has access to the database invariably they will have access to the decryption routines.
This is one for all you security gurus out there.
I have a SQL Server 2005 database with a database master key, which is encrypted with a very strong password using the server key, which in turn is encrypted using the service account credentials in the Windows Data Protection layer.
I have a certificate which is encrypted using the database master key.
I have a symmetric key using AES256 which is encrypted using the certificate, and I am using the symmetric key to encrypt and decrypt confidential fields in the database.
What does someone need to crack the encrypted fields in the database? My only assumption is that brute force can't be employed due to the strength of the symmetric encryption algorithm, and the symmetric key itself is protected by 4 additional layers of encryption:
Windows DPAPI -> Server -> Database -> Certificate -> Symmetric Key
which seems pretty tight to me.
Let's not include the obvious answer of "get the system administrator's username and password by drugging and sleeping with him", which is definitely relevant but not what I'm after.
Here is a potential attack. It assumes you already have a way to run arbitrary code as the service account. For example, you might exercise a remote code execution bug to get. Having done so, it is relatively trivial to use DPAPI to get the server key. Having done that, you can get the master database key, although you'd need some brute force method to break the password.
It sounds like it would be pretty difficult to do, depending on the strength of the password maybe impossible. Is the service account low or high privileged? If it is an admin account, you could maybe use that (assuming it was broken) to install a keylogger to get the password.
K. Brian Kelley specializes in SQL Server security, and he's written several good articles about how encryption gets bypassed in SQL Server environments, like these:
http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/02/20/you-must-trust-someone.aspx
http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/02/27/a-security-control-inconsistently-applied-is-not-a-control.aspx
http://www.sqlservercentral.com/blogs/brian_kelley/archive/2009/02/20/you-must-trust-your-dbas.aspx
If you're really into security, I'd highly recommend subscribing to his blog. He's also available on Twitter at http://twitter.com/kbriankelley.
Somewhere in memory this un-encrypted key is stored to be able to encrypt against it, is there a way for an attacker to gain access to SYSTEM level to then be able to basically scan memory, or attach an extra thread to MSSQL.
Also, these encrypted fields, are they used in any front-end applications? Are they visible when you SELECT * FROM table? For example, you can have as much security on your database and fields as you want but if someone is able to use an SQL injection to write their own SQL queries and thus view the value of the fields you are still back at square one.
Assuming no human-engineering attacks are possible I would try to attach a debugger to the program reading it, obtain a snapshot of it's memory and try every set of bytes in a brute-force attack.
Even if I couldn't obtain the memory image I would try the same thing with the source file in case the key is in there.
Realistically, you have to ensure the key never appears intact anywhere to defeat such attacks.
I have some data in my user database that I would prefer to be encrypted. Most of the data will need to be decrypted when requested, but there are also passwords that can stay encrypted (in the old days we would use pwdcompare but I believe this is obsolete now).
I have followed the steps here, so I have now successfully encrypted my data.
What I don't understand is the correct way to open the master key at runtime, in order to encrypt/decrypt data. If I want to use stored procedures to retrieve encrypted data, how do I go about opening the master key? Do I pass in the master key's password using a stored proc parameter?
As I have understood, you should create master key once (you can do this during installation process) and this is the first and last time password is needed. After that, using master key create encryption key (symmetric or asymmetric) without a password and use it to encrypt/decrypt your data. You don't have to give a password for it, all you need is use your encryption key and have CONTROL permission on it. The only issue is that your DBA can have it too :)
See this article: Using Asymmetric Encryption and Digital Signatures in a SQL Server 2005 Database