RE: Encrypt data - SQL Server 2000
From: Michael Silk (silkm_at_hushmail.com)
Date: 01/20/04
- Previous message: Matthew Wagenknecht: "RE: Local Account Vs Domain Account"
- Maybe in reply to: Eduardo.Ortiz_at_alderwoods.com: "Encrypt data - SQL Server 2000"
- Next in thread: silkm_at_hushmail.com: "RE: Encrypt data - SQL Server 2000"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 Jan 2004 14:52:39 -0800 To: kcasey@nanoweb.com, focus-ms@securityfocus.com, andreas@san-andreas.com
Yes, but as DBAs they don't need to know anything about encryption;
it's all done on the code side, you just happen to be storing it in
a database.
I don't know about "Best Practices", but my system for approaching
this has been to (once an algorithm is selected) append some random
bytes onto the data, encrypt, store. Then upon decrypting, simply
remove the random bytes.
A quick search on "asp rijndael encryption" turns up:
http://www.freevbcode.com/ShowCode.Asp?ID=2389, and there would be
many many more resources for .Net and Java.
hope that helps ...
-- Michael
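The scheme Michael describes (prepend random bytes, encrypt, store; strip them again after decrypting), as an added example in Go that is not from the post or the VB code it links. It uses AES-GCM, which authenticates as well as encrypts, in place of raw Rijndael, and assumes the key lives in the application and never reaches the database; the key and salary values in the comments are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
const saltLen = 16 // random bytes prepended to each value (the post's scheme)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key, held by the app
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn seals salt||value with AES-GCM and returns nonce||ciphertext for a
// varbinary column. Fresh salt and nonce per row: equal salaries never share a ciphertext.
func EncryptColumn(key []byte, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	buf := make([]byte, n+saltLen)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	nonce, salt := buf[:n:n], buf[n:] // cap nonce so Seal cannot clobber salt
	return gcm.Seal(nonce, nonce, append(salt, value...), nil), nil
}

// DecryptColumn reverses EncryptColumn and strips the salt; a value edited in the table fails the tag check.
func DecryptColumn(key, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	plain, err := gcm.Open(nil, stored[:n], stored[n:], nil)
	if err != nil || len(plain) < saltLen {
		return "", errors.New("wrong key or tampered value")
	}
	return string(plain[saltLen:]), nil
}
```

Because the salt and nonce are fresh per row, a DBA comparing the encrypted column cannot tell which employees earn the same amount, which a plain deterministic encryption of the value alone would reveal.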
On Tue, 20 Jan 2004 13:39:05 -0800 andreas <andreas@san-andreas.com> wrote:
>True, but my SQL guys are my ASP programmers. While correct application of DB encryption would preclude the DBAs from mucking about in the data, they very well may be the ones implementing the technology.
>
>There are plenty of resources, Microsoft being one of them, but as to it being applicable, understandable or available that is a different story. Technet is of little help when trying to figure out how to employ EFS for database protection or even get an idea of the best practices for having a single encrypted table.
>
>Andreas
>
>-----Original Message-----
>From: silkm@hushmail.com [mailto:silkm@hushmail.com]
>Sent: Tuesday, January 20, 2004 4:27 PM
>To: kcasey@nanoweb.com; focus-ms@securityfocus.com; andreas@san-andreas.com
>Subject: RE: Encrypt data - SQL Server 2000
>
>Well the point here is the DBAs don't need to know anything about the encrypted data ... just have them create tables to hold it.
>
>You need to educate your programmers on how to encrypt it, and there are plenty of resources for that no matter what language you choose.
>
>
>-----Original Message-----
>From: andreas [mailto:andreas@san-andreas.com]
>Sent: Wednesday, 21 January 2004 1:19 AM
>To: 'Kevin E. Casey'; focus-ms@securityfocus.com
>Subject: RE: Encrypt data - SQL Server 2000
>
>
>Any good resources for researching/educating my DBAs? I have not had luck finding specific enough information on the subjects. My DB skills here are not as strong as I would like them to be, and not as strong as they will need to be in the future.
>
>Thanks!
>
>Andreas Barbiero
>CTO ETS/Financialcampus
>
>-----Original Message-----
>From: Kevin E. Casey [mailto:kcasey@nanoweb.com]
>Sent: Friday, January 16, 2004 12:01 PM
>To: focus-ms@securityfocus.com
>Subject: RE: Encrypt data - SQL Server 2000
>
>If you need to encrypt data in 3 columns and 3 columns only, your best bet is to do the encryption at the application (in its data tier) level. Using .NET (or other tools) gives you a good range/assortment of tools and encryption schemes to encrypt that confidential data. This keeps your DBAs from snooping around. Keeps backup copies safe from prying eyes and it also keeps the performance hit for en/decryption at the client (or web server level).
>
>
>
>
>-----Original Message-----
>From: Nero, Nick [mailto:Nick.Nero@disney.com]
>Sent: Thursday, January 15, 2004 5:09 PM
>To: Eduardo.Ortiz@alderwoods.com; focus-ms@securityfocus.com
>Subject: RE: Encrypt data - SQL Server 2000
>
>Encrypting data on a database is tricky. If you must have table/row level encryption, then it is really tough to find a decent product and performance is abysmal. I recently authored a document that proposes using Microsoft's own EFS to encrypt the whole volume where the Database is. This solution was easy, performed great (about 5-25% hit on performance compared to 400% on DBCrypt) and best of all it is free. I would strongly recommend using Windows 2003 server for your SQL2k since its version of EFS uses AES at 256bit. Otherwise you need to hack the reg on Win2k to enable 3DES encryption. Either is not gonna get cracked by someone anytime soon. The beauty of this solution is that you encrypt the database with the SQL Service account so that only that account can read the data. That way even a local admin on the box cannot access the data. You could even boot to a NTFS boot disk and the data would be encrypted. This depends on proper key management (as all crypto plans do) so you have to ensure you use a domain account or roaming profile so the encryption key can not be exploited locally (see http://www.elcomsoft.com/aefsdr.html for more on this exploit) and domain recovery agent policy. Still we feel it delivers extremely secure databases, acceptable performance and zero cost.
>
>We tested several products and I believe DBEncrypt (or maybe DbCrypt) was one of them. They all were several thousand dollars per server (and that was for a license of over 100 servers), and would require massive hardware investments to compensate for the performance penalty. Like I said, if you must have row/table level encryption to protect against other DBAs then you are stuck. At that point I would say you should either limit who has SA access, or more strongly background check those that do cause that level of encryption will cost you far more. A DB on an encrypted drive with strong application level security (ie, custom views), would only be breakable at the app or by getting SA credentials.
>There are far easier targets out there.
>
>-----Original Message-----
>From: Eduardo.Ortiz@alderwoods.com [mailto:Eduardo.Ortiz@alderwoods.com]
>Sent: Thursday, January 15, 2004 1:02 PM
>To: focus-ms@securityfocus.com
>Subject: Encrypt data - SQL Server 2000
>
>Hello,
>
>We are implementing an Enterprise Data Warehouse. We already have data regarding different business processes. Now we need to include Payroll data in our SQL Server (2000) database. Business users have specific security requirements about this sensitive data. They want to secure the following information:
>* Annual employee salaries
>* Commissions
>* Wages
>This information is stored in two tables, in three different columns. We have already implemented a tight security schema for the server, database and user groups (active directory), but business users want more security. Now we are planning to encrypt the data (just these three columns) in the database. I did not find any function in SQL Server to encrypt data. I found a tool provided by Application Security Inc (http://www.appsecinc.com) called DbEncrypt. Have you guys heard of or worked with this tool? Do you have any suggestion or recommendation to encrypt the data?
>
>Thanks,
>Eduardo Ortiz