Re: Search encrypted column in SQL 2005http://msdn.microsoft.com/w

Yes it is slow, that is the nature of the encryption

On Jan 28, 12:16 pm, Brian <B...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
We are required to encrypt SSN and customer credit card number. The user
will need to perform an exact or partial search on the encrypted SSN or
credit card number. Below select statement can do the job but very slow...
I am still searching the net to see if I can find a solution.

Is there any sample that you can share how the Hashbytes() function work?
Can we do like search on Hashbytes function?



"Erland Sommarskog" wrote:
Brian (B...@xxxxxxxxxxxxxxxxxxxxxxxxx) writes:
Can someone provide me a sample of how to search encrypted column? Using
below method seems pretty slow.

select FirstName, LastName,
convert(varchar,decryptbykey(SSN)) as SSN
from PatientTable
WHERE convert(varchar,decryptbykey(SSN)) = '123-45-6789'

Yes, if you encrypt key columns it will be very very slow. There is no
way an index can be used, and the decryption is expensive too.

Take a look at the HashBytes() function. This gives a deterministic
hash of the key value, which is good for quick key lookups. It's of
course less good for security, since an intruder who is looking for a
person with a known SSN easily will find what he is looking for. But
security and performance don't go hand in hand.

The alternative is to use application-specific keys like customer numbers.
Then you can encrypt the SSN fully. But this also means that if the
customer calls in, and don't know his customer number, but only the SSN,
the helpdesk will not be able to find his data.

--
Erland Sommarskog, SQL Server MVP, esq...@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books...
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx- Hide quoted text -- Show quoted text -

.

Relevant Pages

  • Re: SSN encryption
    ... > state of issuance of SSN. ... You're overestimating the ability of encryption to solve the problem. ... > the database, that may be much harder. ... hole will break your security. ...
    (sci.crypt)
  • Re: SSN encryption
    ... Andrew Swallow wrote: ... > Assuming the researches are using their own computers and that they will ... > Use AES encryption to encrypt all zeros to produce 128 random bits; ... > using the secret key variable and an IV equal to the SSN. ...
    (sci.crypt)
  • Re: Search encrypted column in SQL 2005http://msdn.microsoft.com/w
    ... As HashBytesdefeats the purpose of the Random IV generated during ... encryption process, I'll look at Raul Garcia's proposed MAC indexing method. ... For a full string exact match (like a full CC# or full SSN) you can do as ... Erland suggested and use HashBytes() to store hashes of the encrypted data ...
    (microsoft.public.sqlserver.security)
  • Re: SSN encryption
    ... Assuming the researches are using their own computers and that they will ... Copy the database a record at a time. ... Use AES encryption to encrypt all zeros to produce 128 random bits; ... using the secret key variable and an IV equal to the SSN. ...
    (sci.crypt)
  • Re: SQL 2005 - Searching Encrypted SSN
    ... SQL Server Engine ... specify their own salt/IV values for encryption in the future? ... probably hash the SSN and forget about encryption altogether. ... for and compare that to the already-encrypted columns. ...
    (microsoft.public.sqlserver.security)