Asymmetric Key with Certificate

Question

Post reply

Asymmetric Key with Certificate

katjacurtis

SSC Rookie

Points: 38
More actions
October 13, 2011 at 3:54 am

#245203

I have a requirement to encrypt data using RSA, and to be able to make the public key available. I have read the following:
[font="Courier New"]"SQL Server provides three different paths to encrypting data:
Using an asymmetric key directly – the danger here is the password is exposed in the T-SQL
Using a certificate with a symmetric key – the issue here is performance. It is not well suited for internet facing applications
Using a certificate with an asymmetric key – this is highly secure and fine for internet facing applications."[/font]
[/url]
The third option seems to be what I need (and the application for this IS an internet application) but I cannot find any example of how this is implemented. I can see how to use Asymmetric keys with a password but do not won't to expose this password in the T-SQL. I also know how to use a symmetric key with a certificate but this does not meet my requirements. The logic and syntax for using a Symmetric Key with a Certificate does not seem to extend to Asymmetric Keys.
I also understand that SQL's encryption by Certificate is similar to using an asymmetric key, but in this case I cannot see how I can specify the algorithm or obtain the public key.
Please could someone clarify how this should be achieved.

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic. Login to reply

Ignacio A. Salom Rangel SSC-Insane Points: 20443 More actions · Answer 1

Check this link http://msdn.microsoft.com/en-us/library/bb895327.aspx.

My blog

katjacurtis SSC Rookie Points: 38 More actions · Answer 2

Hi

Thanks for the link; unfortunately I've already seen that one and didn't get the information I need from it.

Ideally I'm looking for an example, or an outline of how the implementations of the first and third encryption methods in my original post differ.

I know when creating a Symmetric key one can specify ENCRYPTION BY CERTIFICATE [certificate], but this does not seem to be the case when creating an Asymmetric key.

Ignacio A. Salom Rangel SSC-Insane Points: 20443 More actions · Answer 3

katjacurtis (10/13/2011)
Hi
Thanks for the link; unfortunately I've already seen that one and didn't get the information I need from it.
Ideally I'm looking for an example, or an outline of how the implementations of the first and third encryption methods in my original post differ.
I know when creating a Symmetric key one can specify ENCRYPTION BY CERTIFICATE [certificate], but this does not seem to be the case when creating an Asymmetric key.

Forgive me for not replying before, but I have been very busy. I found another link that may help you

http://www.sqlservercentral.com/Forums/Topic524120-146-1.aspx. I hope the link helps you!

My blog

katjacurtis SSC Rookie Points: 38 More actions · Answer 4

Hi Ignacio

Thanks for your help. I've discovered I won't be able to use SQL directly for the encryption anyway due to size limits:

See "Limitations of Asymmetric Encryption" on page 225

The maximum that can be encrypted according to the reference above is 58 Unicode, or 117 ASCII, characters.

I am planning to use a C# class to calculate the encrypted value and write it back to the SQL table.

Thanks again

Katja

Ignacio A. Salom Rangel SSC-Insane Points: 20443 More actions · Answer 5

You are welcome Katje. I think it would be nice if you share the information on how you did the encryption. Maybe others may use it as well.

My blog

katjacurtis SSC Rookie Points: 38 More actions · Answer 6

I am trying to implement it as described in the following resource:

The encryption is being calculated for DGCI taxation requirements for Portuguese companies.

Ignacio A. Salom Rangel SSC-Insane Points: 20443 More actions · Answer 7

katjacurtis (10/20/2011)
I am trying to implement it as described in the following resource:
The encryption is being calculated for DGCI taxation requirements for Portuguese companies.

Thanks for sharing the information 🙂

My blog

Nadrek SSC-Insane Points: 20039 More actions · Answer 8

katjacurtis (10/13/2011)
I have a requirement to encrypt data using RSA, and to be able to make the public key available. I have read the following:

Check your requirement more carefully; almost all RSA encryption is actually performed by RSA encryption of a randomly generated symmetric cipher key, and then use of some mode of a symmetric cipher (Camellia, AES) for encryption of the data.

Can you simply use existing programs like GPG or PGP? Do you need to follow federal standards? Do you need to use products certified by federal agencies?

Check key length requirements carefully; go long rather than short. Remember that at least the U.S. government assesses two-key 3DES as equivalent to 80 bits of strength, and three-key 3DES is equivalent to 112 bits, not 168 bits (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf).

If you are going to roll your own, have an outside consultant review your code, and try not to roll your own; there are many many pitfalls which are common, even in .NET examples; such as using a non-random IV or a fixed salt/nonce (both very common). It'll look like it works, but is much more vulnerable than a correct implementation.

Use cryptographic random number generators, not the normal random number generators.

Protect your private keys carefully.