Encryption In SQL Server


Published on

From DevLink 2010:

Learn to protect data in your application by leveraging the built in encryption functionality in SQL Server 2005/2008 by taking a brownfield application and bringing it up to modern standards. Topics covered will include column level data encryption, providing lookups of encrypted data, basics of key management and the transparent data encryption capabilities of SQL Server 2008.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Encryption In SQL Server

  1. 1. Encryption in SQL Server<br />By: Joe Kuemerle / @jkuemerle<br />www.preemptive.com / @PreEmptive<br />
  2. 2. Background of Joe Kuemerle<br />Lead Developer at PreEmptive Solutions<br />Over 15 years of development experience with a broad range of technologies<br />Focused on application and data security, coding best practices and regulatory compliance<br />Presenter at community, regional and national events.<br />
  3. 3. What is encryption<br />Encryption is the process of mathematically altering data in a consistent, reversible fashion. It should be used to store sensitive information that will need to be retrieved later. Encryption relies on a secret that is the only viable way to reverse the mathematical process<br />Encryption can be Symmetric where a single value (the encryption key) is used to both encrypt and decrypt the data<br />Or Encryption can be Asymmetric where there are two values in that data encrypted with Value 1 can only be decrypted with Value 2 and vice versa. This is also know as Public Key Encryption<br />
  4. 4. What is encryption<br />“Encryption is the process of substituting a small secret in place of a large secret”<br />
  5. 5. Symmetric Encryption<br />Asymmetric Encryption<br />
  6. 6. Certificates<br />Certificates are used to store asymmetric keys and consist of a private key and public key.<br />SQL Server provides built in management of certificates<br />Do not use use certificates to encrypt data, it is slow and can be vulnerable when storing lengthy values. Use a symmetric key to encrypt the data and a certificate to encrypt the symmetric key.<br />
  7. 7. Hashes<br />
  8. 8. Hashes<br />Hashes are not an encryption method. A hash takes an input value and transforms it to a unique value that is infeasible to convert back to the original value.<br />Hashes are not for storing data that needs to be re-read but are for proving knowledge of a secret without the actual secret being revealed.<br />Hashes are ideal for storing passwords as the password is not important but that the user prove that they know the password.<br />
  9. 9. Hashes<br />The .NET Framework includes built in support for a number of hash functions<br />Best practices call for the use of SHA256, SHA384 or SHA512 functions<br />Do not use MD5 <br /> or SHA1as there are <br />proven methods for <br />undermining the <br />hash results.<br />
  10. 10.
  11. 11. Transparent Data Encryption<br />
  12. 12. Demos<br />Yay! No more bullet points.<br />
  13. 13. Questions<br />
  14. 14. References<br />LaurentiuChristofor: http://blogs.msdn.com/lcris/<br />Raul Garcia: http://blogs.msdn.com/raulga<br />Bruce Schneier: http://www.schneier.com/<br />http://blogs.msdn.com/b/sqlsecurity/archive/2010/06/14/database-encryption-key-dek-management.aspx<br />Demo source:<br />http://sqlcrypto.codeplex.com<br />
  15. 15. Photo Credits<br />http://www.flickr.com/photos/wwworks/4612188594<br />http://www.flickr.com/photos/joyosity/3358614462<br />http://www.flickr.com/photos/jmrosenfeld/315825815<br />
  16. 16. Feedback<br />Please fill out your evaluation form. Thanks!<br />http://speakerrate.com/jkuemerle<br /> @jkuemerle / joe@kuemerle.com<br />