RE: Encrypt data - SQL Server 2000

From: Kevin E. Casey (kcasey_at_nanoweb.com)
Date: 01/16/04

  • Next message: Rich Logan: "RE: About MS-Networking security."
    Date: Fri, 16 Jan 2004 12:00:52 -0500
    To: <focus-ms@securityfocus.com>
    
    

    If you need to encrypt data in 3 columns and 3 columns only, your best
    bet is to do the encryption at the application (in its data tier) level.
    Using .NET (or other tools), gives you a good range/assortment of tools
    and sencryption schemes to encrypt that confidential data. This keeps
    your DBAs from snooping around. Keeps backup copies safe from prying
    eyes and it also keeps the performance hit for en/decryption at the
    client (or web server level).

     

    -----Original Message-----
    From: Nero, Nick [mailto:Nick.Nero@disney.com]
    Sent: Thursday, January 15, 2004 5:09 PM
    To: Eduardo.Ortiz@alderwoods.com; focus-ms@securityfocus.com
    Subject: RE: Encrypt data - SQL Server 2000

    Encrypting data on a database is tricky. If you must have table/row
    level encryption, then it is really tough to find a decent product and
    performance is abyssmal. I recently authored a document that proposes
    using Microsoft's own EFS to encrypt the whole volume where the Database
    is. This solution was easy, performed great (about 5-25% hit on
    performance compared to 400% on DBCrypt) and best of all it is free. I
    would strongly recommend using Windows 2003 server for your SQL2k since
    its version of EFS uses AES at 256bit. Otherwise you need to hack the
    reg on Win2k to enable 3DES encryption. Either is not gonna get cracked
    by someone anytime soon. The beauty of this solution is that you
    encrypt the database with the SQL Service account so that only that
    account can read the data. That way even an local admin on the box
    cannot access the data. You could even boot to a NTFS boot disk and the
    data would be encrypted. This depends on proper key management (as all
    crytpo plans do) so you have to ensure you use a domain account or
    roaming profile so the encryption key can not be exploited locally (see
    http://www.elcomsoft.com/aefsdr.html for more on this exploit) and
    domain recovery agent policy. Still we feel it delivers extremely
    secure databases, acceptable performance and zero cost.

    We tested several products and I believe DBEncrypt (or maybe DbCrypt)
    was one of them. They all were several thousand dollars per server (and
    that was for a license of over 100 servers), and would require massive
    hardware investments to compensate for the performance penalty. Like I
    said, If you must have row/table level encryption to protect against
    other DBA's then you are stuck. At that point I would say you should
    either limit who has SA access, or more strongly background check those
    that do cause that level of encryption will cost you far more. A DB on
    an encrypted drive with strong application level security (ie, custom
    views), would only be breakable at the app or by getting SA credentials.
    There are far easier targets out there.

    -----Original Message-----
    From: Eduardo.Ortiz@alderwoods.com [mailto:Eduardo.Ortiz@alderwoods.com]

    Sent: Thursday, January 15, 2004 1:02 PM
    To: focus-ms@securityfocus.com
    Subject: Encrypt data - SQL Server 2000

    Hello,

    We are implementing an Enterprise Data Warehouse. We already have data
    regarding different business process. Now we need to include Payroll
    data in our SQL Server (2000) database. Business users have specific
    security requirements about this sensitive data. They want to secure the
    following
    information:
    * Annual employee salaries
    * Commissions
    * Wages
    This information is stored in two tables and are three different
    columns.
    We have already implemented a tight security schema for the server,
    database and user groups (active directory), but business users want
    more security. Now we are planning to encrypt the data (just these three
    columns) in the database. I did not find any function in SQL Server to
    encrypt data. I found a tool provided by Application Security Inc
    (http://www.appsecinc.com) called DbEncrypt. Have you guys heard or
    worked with tool? Do you any suggestion or recommendation to encrypt the
    data?

    Thanks,
    Eduardo Ortiz

    ------------------------------------------------------------------------

    ---
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Rich Logan: "RE: About MS-Networking security."

    Relevant Pages

    • Re: Application security question
      ... you want to implement security. ... So you are protecting the database from direct querying and altering ... login credentials for the database from the application. ... Why encrypt the password? ...
      (comp.lang.java.programmer)
    • Re: Password encryption
      ... I have source code to the database including ODBC server and ... can encrypt the password before passing it to us so we can remain ignorant ... support for AD integration so that customers can logon to our database ... i.e. they enter it into the ODBC/JDBC client. ...
      (microsoft.public.windows.server.active_directory)
    • Re: Can web site data be protected from access by the webmasters?
      ... create a development database with junk data. ... the changes to a staging server that uses the junk data. ... > I have advised the client to be wary of security. ... > But I don't see that there could be any way to completely encrypt that ...
      (microsoft.public.sqlserver.security)
    • Re: Password encryption
      ... support for AD integration so that customers can logon to our database ... i.e. they enter it into the ODBC/JDBC client. ... our ODBC/JDBC client and server code has access to this password in clear ... encrypt their password so the encrypted password could be passed through ...
      (microsoft.public.windows.server.active_directory)
    • Re: subtext search in encrypted text
      ... > that would mean that all clients would need to possess all the ... > keys that are used to encrypt the database. ... > server, but it does not seem to help when the clients are the most ...
      (sci.crypt)