Re: database password and encryption
From: Pavel Lebedinsky (m_pll)
Date: 12/23/04
- Next message: Frank Hickman [MVP]: "Re: Password filters"
- Previous message: Joseph Womack: "Password filters"
- In reply to: Zachovich: "Re: database password and encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 22 Dec 2004 22:24:10 -0800
You can always encrypt sensitive data yourself - what's the point
of encrypting the entire database?
SQL Server 2005 does have some built in data encryption support
by the way - just Google for "sql server 2005 encryption" and
you'll find lots of info.
"Zachovich" wrote:
> OK, Let me break it down for you....
>
> BTW, i do not intend any offense with this message.
>
> First off, I understand what you are getting at - what you are trying to
> get
> across. You have a good point and I accept the theory behind what you are
> saying.
>
> I have read dozens, maybe hundreds of documents relating to protecting
> data,
> it's not new to me
> I have seen people use it in stupid ways
> I have seen people use it in smart ways
> I have seen people miss the whole objective when trying to implement it.
> I know the basic concepts about encryption.
> I know when and where to use it.
> I know when and where not to use it.
> I know when there is no point in using it.
> I take all that in consideration when I design applications.
>
>
> (a) I plan on install an application that also copies a database to a
> harddrive on a computer.
>
> (b) This database should be encrypted with a strong, proven encryption
> alogorithm; so anybody who doesn't have the key can *NOT* access the
> database
> ... follow?
>
> remember....NOT....database is a pile of garbled bits with no meaning.
> AES 256, my favorite!
>
> (c) in msde and sqlserver, if you are the admin, you can acess the
> database
> either way, which tells me the database is either not encrypted at all or
> the
> actual key is stored somewhere. Both are very, very bad and very, very,
> very,
> extremely stupid to say the least.
>
> As it is for those two, msde and sqlserver, you lose before you even
> start,
> because there is no, (NO) way you can protect the database AT ALL. You
> could
> perform a file encryption on the database and decrypt it with each use,
> but
> then you would have to write it to the disk in unencrypted form before
> using
> it, (back to the drawing board). If the database engine would allow
> passing a
> data stream instead of a filename, that would actually be solved.
>
> but the way things stand....give it up!
>
> See? if I had the database protected, that would at least be a start.
> I could encrypt the key several times and hide the new, resulting, keys on
> different places, obfuscate, etc.
>
> Like I said before, the applet won't see enough users to get much
> attention
> from software hackers. Also, it will be sold for a price comparable to
> freeware only, that will reduce the hackers' incentive.
>
> Thanks Valery, happy holidays!
>
> foreward....
>
> I asked a question about sql server 2005, does anyone know the answer?
- Next message: Frank Hickman [MVP]: "Re: Password filters"
- Previous message: Joseph Womack: "Password filters"
- In reply to: Zachovich: "Re: database password and encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
