SSC Rookie (General Forum Members), last login Sunday, April 21, 2013 8:02 PM:
Hi,
In one of my projects I am using the HashBytes('SHA1') encryption method to store user passwords.
As per my understanding, this password cannot be decrypted. Can anyone tell me whether this is the best method of encryption or not?
If not, what other alternatives do I have?
I am using MS SQL Server 2005.
Thanks,
Keerthy
Old Hand (General Forum Members), last login Monday, April 23, 2012 7:35 AM:
It depends on your needs. There are various encryption methods that can be used both internal and external to SQL. Usually it's a trade-off between performance and the quality of encryption.
From what I have read, the use of asymmetric keys is the most secure method, but it's the slowest. So you could use that with the function EncryptByAsmKey(). Microsoft documentation indicates to use a symmetric key for better performance. And finally, encrypt by password is the weakest.
For general passwords I have always used external code like .NET to hash and store passwords as they are stored in / retrieved from the database. I always placed it there because until recent versions it was never very robust to store using SQL code.
If you don't want to be able to retrieve the password, I think HashBytes is a sufficient method to use inside the database for general security.
SSC Rookie (General Forum Members), last login Sunday, April 21, 2013 8:02 PM:
Thanks for your inputs.
Is there any method to encrypt the stored procedure other than the "with encryption" (RC4 method) method?
As I need to send all my procedures to my client, I want to secure this data so that he cannot access the procedure logic.
I can use "With Encryption" but it can be easily decrypted.
Thanks in advance,
Keerthy
SSC-Dedicated (General Forum Members), last login Today @ 1:43 PM:
Not really. The thing is, the SQL engine needs to be able to decrypt the procedure in order to compile and run it, so you can't use some third party form of encryption unless you can modify the SQL engine itself.
Does the SQL server that the procedures are going on to belong to your client?
Gail Shaw, Microsoft Certified Master: SQL Server 2008, MVP. SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability.
We walk in the dark places no others will enter. We stand on the bridge and no one may pass.
Old Hand (General Forum Members), last login Monday, April 23, 2012 7:35 AM:
The "with encryption" option is the only way I know. If you are concerned about providing it, maybe creating a CLR stored procedure is a better option. Compile a DLL and obfuscate it or otherwise protect it.
SSC-Enthusiastic (General Forum Members), last login Tuesday, April 03, 2012 7:36 AM:
Remember to put some salt on that hash, in case someone gets hold of your DB somehow. SHA1 should be plenty for storing someone's password. Hashes work great any time you only need to compare two inputs without ever knowing what they originally were. You don't need to know a user's password, just that they're the same.
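A per-user salted HashBytes scheme along the lines of this advice, as an added example that is not code from the thread, written for SQL Server 2005 (which has no CRYPT_GEN_RANDOM, so a NEWID() cast to 16 bytes supplies the salt); the table, column and procedure names are assumptions.

```sql
-- Added example (not from the thread): per-user salted SHA-1 with HashBytes on SQL Server 2005.
-- Table, column and procedure names are assumptions.
CREATE TABLE dbo.AppUser (
    UserName     nvarchar(64)  NOT NULL PRIMARY KEY,
    PasswordSalt varbinary(16) NOT NULL,  -- random salt, one per user
    PasswordHash varbinary(20) NOT NULL   -- SHA-1 of (salt || password), 20 bytes
);
GO

-- Store a password: draw a fresh salt, hash salt || password, keep both, never the password.
CREATE PROCEDURE dbo.SetPassword
    @UserName nvarchar(64),
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    -- SQL Server 2005 has no CRYPT_GEN_RANDOM; a NEWID() cast to 16 bytes is the usual stand-in.
    DECLARE @Salt varbinary(16);
    SET @Salt = CAST(NEWID() AS varbinary(16));
    DECLARE @Hash varbinary(20);
    SET @Hash = HashBytes('SHA1', @Salt + CAST(@Password AS varbinary(256)));

    IF EXISTS (SELECT 1 FROM dbo.AppUser WHERE UserName = @UserName)
        UPDATE dbo.AppUser
           SET PasswordSalt = @Salt, PasswordHash = @Hash
         WHERE UserName = @UserName;
    ELSE
        INSERT INTO dbo.AppUser (UserName, PasswordSalt, PasswordHash)
        VALUES (@UserName, @Salt, @Hash);
END
GO

-- Verify a login: recompute with the stored salt and compare hashes; the password is never stored.
CREATE PROCEDURE dbo.CheckPassword
    @UserName nvarchar(64),
    @Password nvarchar(128),
    @IsValid  bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @IsValid = 0;
    IF EXISTS (SELECT 1 FROM dbo.AppUser
                WHERE UserName = @UserName
                  AND PasswordHash = HashBytes('SHA1', PasswordSalt + CAST(@Password AS varbinary(256))))
        SET @IsValid = 1;
END
GO
```

Because the salt differs per user, two users with the same password get different stored hashes, so a leaked table cannot be matched row-by-row against a single precomputed list of SHA-1 values.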
SSC Rookie (General Forum Members), last login Sunday, April 21, 2013 8:02 PM:
Thanks a lot for your inputs.
Gail Shaw: Yes, we need to deploy all procedures in the client environment (database server).
Old Hand (General Forum Members), last login Today @ 11:35 AM:
Does it really matter if the client sees the logic? With a one-way hash/encryption routine, the logic is going to be pretty standard. PGP Corporation will send you their source code for testing, so they aren't afraid of you knowing how the process works.
SSC-Dedicated (Administrators), last login Today @ 1:48 PM:
Hiding your logic from clients is overrated. If that's all you're selling them with the software, you're not providing much service. Don't forget that your schema, the code you use, etc. is subject to copyright. Clients can't just copy it and use it.
Most clients will never decrypt the procedures; heck, most of them don't care. That's why they're buying your software. They don't have the time or inclination to write it themselves.
Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help