Re: Why use encryption at all?



What if the cracker has not actually gained access to your database, but merely to your data files? Encryption will keep him or her from getting your data via a hex editor. Or, what if you have multiple keys for different security principals, and the cracker only gains access to one principal? The other principal's keys will help protect some of the data so that the cracker can't get everything. Yes, if the cracker gets SA you're pretty much screwed, and that's why it's your job to lock down admin access much more thoroughly than non-admin principals...


--

Adam Machanic
SQL Server MVP - http://sqlblog.com

Author, "Expert SQL Server 2005 Development"
http://www.apress.com/book/bookDisplay.html?bID=10220



"Jason" <Jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A6CBA42C-E707-4A69-8737-029009C73E13@xxxxxxxxxxxxxxxx
I've recently spent a bit of time reviewing data encryption in SQL Server
2005 and understand all the how's and what's and when's. But I still don't
understand why. Many of my readings point to it as being the last layer of
security in case an intruder has gained access to your database. However, I
cannot see how it actually helps. For example, once hAckErKiD has gained
access to my db, what prevents him from doing the following:

OPEN SYMMETRIC KEY keyICanFindInSymmetricKeysCatalogView
DECRYPTION BY CERTIFICATE certICanFindInCertificatesCatalogView

SELECT fname, lname, Convert(varchar, DecryptByKey(SSN))
FROM HR.Employees

Am I missing something? Even if there were several keys and several
certificates/asym keys, it would seem encryption is a lot easier to get
through than hacking the sa account. So, why even use it? If your security
principals and securables are all well set up, and someone does get through,
it seems the final gate (encryption) is actually more like a screen door.



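A T-SQL sketch of the layout Adam describes, added here as an illustration (it is not code from either post): one symmetric key per principal, each protected by a certificate whose private key is encrypted by a password rather than by the database master key, so that a principal who can read the key names out of the catalog views still cannot open them. The schema, table, role, user, passwords and sample row are all assumed.

```sql
-- Added example, not from the thread. Names and passwords are made up;
-- run in a scratch database where you are db_owner.
CREATE SCHEMA HR;
GO
CREATE TABLE HR.Employees (fname varchar(50), lname varchar(50), SSN varbinary(128));

-- Each certificate's private key is encrypted by a password, not by the
-- database master key: OPEN SYMMETRIC KEY then needs the password as well as
-- CONTROL on the certificate, so reading the key names out of
-- sys.symmetric_keys and sys.certificates is not enough to use them.
CREATE CERTIFICATE certHR ENCRYPTION BY PASSWORD = 'HR-cert-pw-example-1!'
    WITH SUBJECT = 'HR payroll data';
CREATE SYMMETRIC KEY keyHR WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE certHR;
-- A second key for a different principal (Adam's point): a compromise of
-- Finance's certificate and password does not expose HR's data.
CREATE CERTIFICATE certFinance ENCRYPTION BY PASSWORD = 'Fin-cert-pw-example-2!'
    WITH SUBJECT = 'Finance data';
CREATE SYMMETRIC KEY keyFinance WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE certFinance;
GO

-- Only HRRole may see and use the HR key; FinanceUser can read the table
-- but holds no permission on keyHR or certHR.
CREATE ROLE HRRole;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::keyHR TO HRRole;
GRANT CONTROL ON CERTIFICATE::certHR TO HRRole;
CREATE USER FinanceUser WITHOUT LOGIN;
GRANT SELECT ON HR.Employees TO FinanceUser;
GO

-- An HR writer who has the password: encrypt an SSN under keyHR.
OPEN SYMMETRIC KEY keyHR DECRYPTION BY CERTIFICATE certHR
    WITH PASSWORD = 'HR-cert-pw-example-1!';
INSERT INTO HR.Employees (fname, lname, SSN)
VALUES ('Ada', 'Example', EncryptByKey(Key_GUID('keyHR'), '123-45-6789'));
CLOSE SYMMETRIC KEY keyHR;
GO

-- Jason's scenario: a principal with database access but not in HRRole.
-- OPEN SYMMETRIC KEY keyHR would fail here with a permission error, and
-- DecryptByKey on a key that is not open returns NULL, not the plaintext.
EXECUTE AS USER = 'FinanceUser';
SELECT fname, lname, CONVERT(varchar(11), DecryptByKey(SSN)) AS SSN
FROM HR.Employees;   -- SSN comes back NULL
REVERT;
```

The password-protected private key is what turns Jason's "screen door" into a real gate for db-level access; keeping that password out of the database (and out of stored procedures) is the part that has to be done outside T-SQL.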
