Re: Field Encryption

From: Fernando G. Guerrero (fernan@guerrerog.org)
Date: 09/17/02 

From: "Fernando G. Guerrero" <fernan@guerrerog.org>
Date: Mon, 16 Sep 2002 22:58:41 -0400

Although using the CryptoAPI from a middle layer object could give you some
extra flexibility, you could use the following example, which creates a
table with encrypted passwords:

-- Table to store addresses and
-- encrypted passwords

CREATE TABLE UserAccounts (
 LoginAddress varchar(100)
 PRIMARY KEY,
 LoginPassword varbinary(100)
)
GO

-- Procedure to store
-- encrypted passwords

CREATE PROCEDURE CreateAccount
 @Address varchar(100),
 @Password varchar(100)
WITH ENCRYPTION
AS
 INSERT UserAccounts
 SELECT @Address, ENCRYPT(@Password)
 WHERE NOT EXISTS (
  SELECT *
  FROM UserAccounts
  WHERE LoginAddress = @Address
 )

 IF @@ROWCOUNT = 0
  RAISERROR('Impossible to create repeated account', 16, 1)
GO

-- Procedure to test
-- encrypted passwords

CREATE FUNCTION TestAccount (
 @Address varchar(100),
 @Password varchar(100))
RETURNS bit
WITH ENCRYPTION
AS
BEGIN
 RETURN CASE
  WHEN (
  SELECT ENCRYPT(LoginPassword)
  FROM UserAccounts
  WHERE LoginAddress = @Address
  ) = ENCRYPT(@Password) THEN 1
 ELSE 0 END
END
GO

-- Example

EXEC CreateAccount 'myname@mydomain.com', 'mypassword'

-- This account is correct
-- therefore it returns 1

SELECT dbo.TestAccount( 'myname@mydomain.com', 'mypassword') AS
'Correct'

-- This password is not correct
-- therefore it returns 0

SELECT dbo.TestAccount( 'myname@mydomain.com', 'MypassworD') AS 'Bad
password'

I would recommend using encryption at the network protocol level as well to
avoid passing passwords through the network as clear text.

You could something similar for SQL Server 7.0 by replacing the UDF by a
stored procedure.

I hope this helps 

--
Fernando G. Guerrero
SQL Server MVP
QA plc., UK
PASS Spanish Group
www.sqlserverbyexample.com
www.callsql.com
www.qa.com
"Share what you know, learn what you don't"
"Widi" <widi711@hotmail.com> wrote in message
news:OoP#90jWCHA.1660@tkmsftngp09...
> Dear All,
>
> I have a table contain users accounts and passwords
>
> how to encrypt password fields
>
> Regards
> Mohamed Talaat
>
>

Relevant Pages

  • Re: X.509 and ssh
    ... encryption which may be illegal in some jurisdictions, ... supposedly hiding an account number. ... authorty industry embellishing the role of digital certificate as the ... the issue with LDAP isn't so much that real-time, ...
    (comp.security.ssh)
  • Re: How to securely store a password on a PC
    ... password - so locking the data to ONE account will not solve that problem. ... Full disk encryption can protect against EXTERNAL attackers (who ... full encryption - not only Vista's BitLocker but any 3rd party solution. ... Security is not about the secrecy of the algorithm. ...
    (microsoft.public.platformsdk.security)
  • Re: decrypt help...
    ... > i've tried re-establishing a user account with the same name as when i ... then importing the cert/key combo into that account ... You would need a backup of the user profile and machine system state as well ... >> a slippery slope that most stay as far away from encryption as possible. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: EFS Certificates and Keys when Changing Password
    ... What that meant is that changing the password of the account only ... this case that the system will upon an encryption attempt generate a new ... Then I exported the certificate/key pfx file to a floppy disk. ... Then I encrypted more data files. ...
    (microsoft.public.windowsxp.security_admin)
  • File Encryption
    ... I wasn't logged into Administrator ... account appears to be the only account whose security ... my certificate and security information is intact (the ... related files, encryption keys, etc). ...
    (microsoft.public.windowsxp.security_admin)