A few days ago, there were several news that someone could access the database from the outside-usually a commercial solution that should be protected-to find sensitive information in the database, for example, the user's name, password, credit card number, or address are all stored in plain text, which is too much. Therefore, the first design decision for a database-driven solution is
A few days ago, there were several news that someone could access the database from the outside-usually a commercial solution that should be protected-to find sensitive information in the database, for example, the user's name, password, credit card number, or address are all stored in plain text, which is too much. Therefore, the first design decision for a database-driven solution is
A few days ago, there were several news that someone could access from the outside-usually a commercial solution that should be protected-sensitive information found, for example, the user's name, password, credit card number, or address are all stored in plain text, which is too much. Therefore, the first design decision for a database-driven solution created by most people is how to encrypt and store data so as to ensure its security and avoid spying.
Which of the following SQL Server support can be used to encrypt objects and data? It is wise to discuss from the very beginning what SQL Server lacks, or what you should not do for the encryption part of SQL Server.
First, SQL Server has two built-in cryptographic functions: pwdencrypt () and pwdcompare (). At the same time, there are two functions that SQL Server does not officially record to manage the password hash: pwdencrypt () stores the password after hash; pwdcompare () compare the provided string with the hash string. Unfortunately, this hash function is not very secure and can be cracked through dictionary attack algorithms (similar to command line applications !).
These functions are constantly modified with the development of the SQL Server version, which is another reason for not using them. The hash of passwords in earlier versions of SQL Server cannot be decrypted in later versions. Therefore, if you depend on functions in a previous version, all your encrypted data is useless unless you can decrypt it first-This violates the original purpose of encryption.
Second, you may try to create a self-made encryption solution for your database, but there are three reasons for this:
Unless you are an encryption expert, a random encryption system will only provide very low-level protection with low value. What's new is that one-way password hashing or "ROTx" encryption can be easily defeated without any effort.
If encryption is cracked due to your lack of capabilities, your data will be ruined. You need to back up everything without encryption, right? (Is there a security vulnerability even if you encrypt it ?)
When there is a professional-level, industrial-intensive encryption solution available on the market, it is not worth the time to do it on your own. Use your time to build a good, strong database, instead of re-inventing the wheel.
So what is a good way to encrypt data?
For beginners, Microsoft provides its own encryption solution, CryptoAPI. For lightweight encryption, military-Level Security is beyond consideration. It has the advantage of relatively easy implementation: the administrator can install an ActiveX control named CAPICOM, it provides CryptoAPI functionality in T-SQL stored procedures. CAPICOM supports various types of bidirectional encryption and one-way hash algorithms. Therefore, administrators can select the most suitable part for application problems.
If you are not interested in using Microsoft's solutions, there are some good third-party solutions available. A software company named ActiveCrypt has created XP_CRYPT, a plug-in for SQL Server, encryption can be completed in views, programs, and triggers by extending stored procedures and user-defined functions (in SQL Server 2000. You can use a free version of the application that Supports Wireless MD5, DES, and SHA1 hashing. Other encryption models are implemented in BIT depth. (The full version is infinite .) In your own code, you can use XP_CRYPT, which is the same as ActiveX control (in restricted free versions ). For ASP programmers, a component named AspEncrypt provides a simple way to integrate advanced encryption into your code.
How about encrypting database files or providing security protection on the transport layer? For the former, you can continue to use the encrypted file system in Windows. However, you must save the backup of the encryption key. In case of any problems, this data may be lost. For the latter, both IPSec and SQL Server SSL encryption are provided by SQL Server and Windows. You should focus on avoiding storing sensitive data in plain text, because extracting unencrypted data from the database is also the most vulnerable to attacks.
