An Encryption Primer Steve Jones Editor in Chief SQLServerCentral.

Presentation transcript:

An Encryption Primer Steve Jones Editor in Chief SQLServerCentral

Agenda
- What is encryption?
- Encryption in SQL Server
- Transparent Data Encryption
- Hashing
- Symmetric Keys
- Asymmetric Keys
- Communications

What is Encryption?

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). - Wikipedia

Simple Ciphers
Plain alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC
Ciphertext: WKLV LV HQFUBSWHG
Plaintext:  THIS IS ENCRYPTED

Complex Encryption Results: x00E2A26D824E DE6F450DA DE09EF3AD8D7C989E393BF 9FE1368D04C1B9BEE086EFFDF6F77AF9E3A3B8142F23723D536C72C216D6F9B 104A5E44A

Encryption in SQL Server
- Client
- SQL Server Instance
- Client file system
- Communication Link (the wire)
- SQL Server memory
- SQL Server data files
- Backup files


Encryption Hierarchy

Transparent Data Encryption
- TDE was introduced in SQL Server 2008.
- Protects the data at rest by encrypting the data on disk.
  - The transaction log is encrypted.
  - Backups are encrypted (this can eliminate compression advantages).
  - Tempdb is encrypted for all operations.
  - Replication data is not encrypted.
  - Filestream data is not encrypted.

Transparent Data Encryption
- Implemented with a simple ALTER DATABASE command:
    ALTER DATABASE AdventureWorks2008R2 SET ENCRYPTION ON;
    GO
- Encryption is handled by the Database Encryption Key (DEK).
- Requires a Database Master Key (DMK) and a certificate to protect the DEK.
- Backups of the DEK are necessary to restore a backup of a TDE encrypted database (and the certificate protecting the key).

Transparent Data Encryption

For more information, see session SQL228: Transparent Data Encryption Inside and Out In SQL Server 2012

Hashing
“A hash function is any algorithm or subroutine that maps large data sets, called keys, to smaller data sets.” - Wikipedia

Hashing
- SQL Server uses the HASHBYTES function; there are other implementations using .NET/CLR that you can include (Expert SQL Server Encryption, Michael Coles).
- CHECKSUM() or BINARY_CHECKSUM() can also be used.

Hashing In security applications, hashing is used to mask the actual data, but provide a way to still use the data. DEMO

Hashing or Encryption
- Hashing is not really encryption
  - Decryption is not supported (usually)
- Hashing is deterministic, encryption is not
- Hashing is quicker
- In general, a hash of searchable data can be used to allow indexing of encrypted data.
  - Caveat: only hash the portion of the encrypted data needed for searching, e.g. last four digits of a credit card number.
- Choose the strongest algorithm available in your version.
  - SQL Server 2008 – SHA1
  - SQL Server SHA2_512
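The searchable-hash pattern from this slide, as an added T-SQL example (not from the original deck). The table, the salt value and the passphrase are constructed for illustration, and ENCRYPTBYPASSPHRASE stands in for whatever key the real column would use.

```sql
-- Added example: encrypted column plus an indexed hash of the last four digits.
-- dbo.CustomerCard, the salt and the passphrase are constructed placeholders.
CREATE TABLE dbo.CustomerCard (
    CardId        INT IDENTITY(1,1) PRIMARY KEY,
    CardNumberEnc VARBINARY(256) NOT NULL,  -- ciphertext: differs on every encryption
    Last4Hash     VARBINARY(64)  NOT NULL   -- SHA2_512 digest is 64 bytes
);
CREATE INDEX IX_CustomerCard_Last4Hash ON dbo.CustomerCard (Last4Hash);
GO

DECLARE @passphrase NVARCHAR(128) = N'<passphrase placeholder>';
-- Secret salt kept by the application, not stored beside the data.
-- Four digits have only 10,000 possible values, so an unsalted hash of them
-- can be reversed by hashing every candidate.
DECLARE @salt VARBINARY(16) = 0x00112233445566778899AABBCCDDEEFF;
DECLARE @card VARCHAR(19)   = '4111111111111111';  -- constructed test number

-- Insert the same card twice to compare the two columns' behaviour.
-- On SQL Server 2008 use 'SHA1' instead, as the slide notes.
INSERT INTO dbo.CustomerCard (CardNumberEnc, Last4Hash)
VALUES (ENCRYPTBYPASSPHRASE(@passphrase, @card),
        HASHBYTES('SHA2_512', @salt + CAST(RIGHT(@card, 4) AS VARBINARY(4)))),
       (ENCRYPTBYPASSPHRASE(@passphrase, @card),
        HASHBYTES('SHA2_512', @salt + CAST(RIGHT(@card, 4) AS VARBINARY(4))));

-- Encryption is not deterministic: the two CardNumberEnc values differ.
-- Hashing is deterministic: the two Last4Hash values are identical.
SELECT CardId, CardNumberEnc, Last4Hash
FROM dbo.CustomerCard;

-- Search by last four digits: the index on Last4Hash narrows the rows,
-- and only the matching rows are decrypted.
SELECT CardId,
       CAST(DECRYPTBYPASSPHRASE(@passphrase, CardNumberEnc) AS VARCHAR(19)) AS CardNumber
FROM dbo.CustomerCard
WHERE Last4Hash = HASHBYTES('SHA2_512', @salt + CAST('1111' AS VARBINARY(4)));
GO
```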

Keys
Multiple Keys in SQL Server
- Service Master Key
- Database Master Key
- Database Encryption Key
- Symmetric Keys
- Asymmetric Keys
- Certificates

The Encryption Hierarchy

Service Master Key
- Service Master Key = SMK
- The Service Master Key is created when it is first needed. No CREATE DDL.
- Secured by Windows DPAPI (default)
- Accessed by the service account for the database engine, or a principal with access to the service account name and password

Service Master Key
- Must be manually backed up: BACKUP SERVICE MASTER KEY
- Must be restored in a DR situation to open other keys secured by this key (Database Master Keys)
- Can be regenerated if necessary.
  - This can cause data loss

Service Master Key
- A restore or regenerate requires a decryption and re-encryption of all keys protected by this key
  - VERY RESOURCE INTENSIVE
- The FORCE option in restores bypasses errors.

Database Master Key
- Database Master Key = DMK
- The Database Master Key is created by an administrator (CREATE/ALTER DDL)
- This is secured by the SMK and a password (TripleDES encryption)
- This can be secured by password only (DROP ENCRYPTION BY SERVICE MASTER KEY option)

Database Master Key
- Backup and restore using DDL commands: BACKUP MASTER KEY, RESTORE MASTER KEY
- OPEN/CLOSE manually if not protected by the SMK
- Attach/restore of an encrypted database requires the password for the DMK
- You can alter the DMK to add SMK encryption after attach/restore

Symmetric Encryption Like a normal key lock The key that encrypts the data also decrypts the data

Symmetric Keys
- Symmetric keys are created in a database and are always in that database (they cannot be backed up/restored).
- Symmetric keys are deterministic, and can be duplicated with the same creation parameters.
- Symmetric keys require fewer resources than asymmetric keys, but there is still an additional CPU load from their use.

Symmetric Keys DEMO

Symmetric Keys
- The identity value always generates the same GUID for the key. These must be unique in a session.
- The KEY_SOURCE and IDENTITY can be used to recreate a key. If you choose the same ones, and the same algorithm, you’ll get the same key.
- You can, and should, secure these keys with asymmetric keys.

Symmetric Keys
- The algorithm used is stored in the header of the encrypted data.
- You can generate temporary keys for encryption/decryption:
    CREATE SYMMETRIC KEY #MyTempKey
- Encryption with passphrases uses symmetric keys (TripleDES)

Asymmetric Encryption
- Asymmetric keys are unlike keys and locks in the real world.
- Based on factoring very large prime numbers.
- More secure than symmetric keys
- Require more resources for encryption/decryption than symmetric keys

Asymmetric Encryption
Now is the time for all good men to come to the aid of their country
  -> Asymmetric Algorithm (Key 1) ->
0x26CD66B61E50369 CBBDB42F E02238EEAE588E0 6D00F8D0C6FAB5C 48F68639ABB CFB48A41BA373CF A411E99D3AB31A1 B7CE40CB35
  -> Asymmetric Algorithm (Key 1) ->
0xE7A518047A8D38 36B76006D9CE04DA 2F803607A57CD7F9 EE855FC3451EB02A 076F28DD614BA841 AC756E52CFEC C8204D C4AD0D627CAD24

Asymmetric Encryption
Now is the time for all good men to come to the aid of their country
  -> Asymmetric Algorithm (Key 1) ->
0x26CD66B61E50369 CBBDB42F E02238EEAE588E0 6D00F8D0C6FAB5C 48F68639ABB CFB48A41BA373CF A411E99D3AB31A1 B7CE40CB35
  -> Asymmetric Algorithm (Key 2) ->
Now is the time for all good men to come to the aid of their country

Asymmetric Encryption
- Key 1 – Private Key
- Key 2 – Public Key
- Keys 1 and 2 are paired and generated together. One is referred to as a private key and the other a public key.
- Only the user has the private key, but the public key is distributed to everyone.

Asymmetric Encryption
Now is the time for all good men to come to the aid of their country
  -> Asymmetric Algorithm (anyone encrypts with Steve’s public key) ->
0x26CD66B61E50369 CBBDB42F E02238EEAE588E0 6D00F8D0C6FAB5C 48F68639ABB CFB48A41BA373CF A411E99D3AB31A1 B7CE40CB35
  -> Asymmetric Algorithm (only Steve can decrypt with his private key) ->
Now is the time for all good men to come to the aid of their country

Asymmetric Encryption
Now is the time for all good men to come to the aid of their country
  -> Asymmetric Algorithm (Steve can encrypt with his private key) ->
0x26CD66B61E50369 CBBDB42F E02238EEAE588E0 6D00F8D0C6FAB5C 48F68639ABB CFB48A41BA373CF A411E99D3AB31A1 B7CE40CB35
  -> Asymmetric Algorithm (anyone can decrypt with Steve’s public key) ->
Now is the time for all good men to come to the aid of their country

Asymmetric Encryption
Now is the time
  -> Steve can encrypt with his private key ->
0x26CD66B61E50369 CBBDB42F
  -> Steve encrypts again with Andy’s public key ->
0x48385D8A87BD329 FF328E476BC234 (outer message, containing 0x26CD66B61E50369 CBBDB42F)

Asymmetric Encryption
0x48385D8A87 BD329FF328E 476BC234
  -> Andy decrypts the outer message with his private key ->
0x26CD66B61E50369 CBBDB42F
  -> Andy then decrypts with Steve’s public key to verify the message is from Steve ->
Now is the time

Asymmetric Encryption
- Use DDL to create asymmetric keys (CREATE/DROP/ALTER)
- Can be created outside the server (FROM FILE option)
  - SN.exe (Visual Studio SDK)
  - Makecert (Windows SDK)

Asymmetric Encryption
1. Create parent key: CREATE SYMMETRIC KEY, CREATE ASYMMETRIC KEY, CREATE CERTIFICATE
2. Create child key protected by parent key: CREATE SYMMETRIC KEY
3. Encrypt data with child key: ENCRYPTBYKEY, ENCRYPTBYASYMKEY
4. Open parent key: OPEN SYMMETRIC KEY, OPEN ASYMMETRIC KEY, OPEN CERTIFICATE
5. Open child key, decryption by parent key: OPEN SYMMETRIC KEY DECRYPTION BY XXX
6. Decrypt data with child key: DECRYPTBYKEY, DECRYPTBYASYMKEY

Asymmetric Encryption Demo

Asymmetric Encryption
- You can encrypt an asymmetric key with a password.
  - This will be required for decryption
  - Not required for encryption (strange)
- Asymmetric keys are usually used to encrypt symmetric keys, which encrypt the data. This balances security with resources.
- You can remove the private key (prevents decryption in that db).
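The parent/child procedure above, together with the KEY_SOURCE and identity behaviour from the Symmetric Keys slides, as one added T-SQL example (not from the original deck). ParentAsymKey, ChildDataKey and every password or phrase are placeholders; run it in a scratch database.

```sql
-- Added example: asymmetric parent key protecting a symmetric data key.
-- All object names, passwords and phrases are placeholders.

-- The asymmetric key's private key is protected by the Database Master Key,
-- so the database needs one.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
-- 1. Parent key.
CREATE ASYMMETRIC KEY ParentAsymKey WITH ALGORITHM = RSA_2048;
GO
-- 2. Child key protected by the parent. KEY_SOURCE and IDENTITY_VALUE make the
--    key reproducible: the same values and algorithm on another database give
--    the same key and the same key GUID, so treat both phrases as secrets.
CREATE SYMMETRIC KEY ChildDataKey
    WITH ALGORITHM      = AES_256,
         KEY_SOURCE     = '<long secret key source phrase placeholder>',
         IDENTITY_VALUE = '<identity phrase placeholder>'
    ENCRYPTION BY ASYMMETRIC KEY ParentAsymKey;
GO
-- The GUID derived from IDENTITY_VALUE.
SELECT name, key_guid, algorithm_desc
FROM sys.symmetric_keys
WHERE name = 'ChildDataKey';
GO
-- 3-6. Open the child through the parent, encrypt, decrypt, close.
OPEN SYMMETRIC KEY ChildDataKey
    DECRYPTION BY ASYMMETRIC KEY ParentAsymKey;

DECLARE @cipher VARBINARY(8000) =
    ENCRYPTBYKEY(KEY_GUID('ChildDataKey'), N'Now is the time');

SELECT @cipher AS ciphertext,
       CAST(DECRYPTBYKEY(@cipher) AS NVARCHAR(100)) AS plaintext;

CLOSE SYMMETRIC KEY ChildDataKey;

-- With the key closed, DECRYPTBYKEY returns NULL instead of raising an error,
-- so callers have to check for NULL explicitly.
SELECT CAST(DECRYPTBYKEY(@cipher) AS NVARCHAR(100)) AS plaintext_after_close;
GO
```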

Certificates
- Certificates have additional metadata with the public/private keys.
- Expiration dates are not enforced by SQL Server for encryption purposes.
  - Administrators must decrypt/re-encrypt the data and remove the old certificates
  - Useful for marking the key rotation dates (query sys.certificates)
- To restore certificates, use CREATE CERTIFICATE.
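Because SQL Server does not enforce expiry for encryption, rotation has to be driven from sys.certificates. This added T-SQL example (not from the original deck) builds a constructed expired certificate, lists certificates with the symmetric keys they protect, and re-protects one key under a new certificate. When a certificate protects a symmetric key, only that key needs re-protecting; data encrypted directly with a certificate still needs the decrypt/re-encrypt the slide describes. All names, dates and passwords are placeholders.

```sql
-- Added example: find ageing certificates and move a key to a new one.
-- DataCert2011, DataCert2012 and RotatedDataKey are constructed names.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
-- An already-expired certificate is created with only a warning, and it can
-- still protect a key: expiry is metadata here, not an enforced control.
CREATE CERTIFICATE DataCert2011
    WITH SUBJECT = 'Data key protector (old, example)',
         START_DATE = '20110101', EXPIRY_DATE = '20111231';
CREATE CERTIFICATE DataCert2012
    WITH SUBJECT = 'Data key protector (new, example)',
         START_DATE = '20120101', EXPIRY_DATE = '20121231';
CREATE SYMMETRIC KEY RotatedDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DataCert2011;
GO
-- Inventory: each certificate, days until expiry (negative = expired) and
-- any symmetric key it protects, matched on certificate thumbprint.
SELECT c.name                                    AS certificate_name,
       c.start_date,
       c.expiry_date,
       DATEDIFF(DAY, GETDATE(), c.expiry_date)   AS days_to_expiry,
       c.pvt_key_encryption_type_desc,
       sk.name                                   AS protected_symmetric_key
FROM sys.certificates AS c
LEFT JOIN sys.key_encryptions AS ke ON ke.thumbprint = c.thumbprint
LEFT JOIN sys.symmetric_keys  AS sk ON sk.symmetric_key_id = ke.key_id
ORDER BY c.expiry_date;
GO
-- Rotation: the key must be open to change its protection. Add the new
-- certificate first, then drop the old one, so the key is never orphaned.
OPEN SYMMETRIC KEY RotatedDataKey DECRYPTION BY CERTIFICATE DataCert2011;
ALTER SYMMETRIC KEY RotatedDataKey ADD  ENCRYPTION BY CERTIFICATE DataCert2012;
ALTER SYMMETRIC KEY RotatedDataKey DROP ENCRYPTION BY CERTIFICATE DataCert2011;
CLOSE SYMMETRIC KEY RotatedDataKey;
GO
-- DataCert2011 no longer protects anything and can be backed up and dropped.
```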

Communications
- Encrypt the connection to/from SQL Server
- Two options
  - SSL encryption from SQL Server
  - IPSec encryption at the Windows host network layer

Communications
- SSL encryption across the wire
- Install certificate on SQL Server, set the FORCE ENCRYPTION options
  - Yes = required
  - No = client option
- Certificate must be valid based on the system time
- All rules in BOL
  - Encrypting Connections to SQL Server
  - How to: Enable Encrypted Connections to the Database Engine
- DO NOT USE SELF SIGNED CERTIFICATES

The End
- Questions?
- Don’t forget to fill out your evaluations
- Resources at the end of the PPT
- Enjoy DevConnections

References
- Encryption
- Understanding TDE
- Hash Function
- Rainbow Tables
- TDE and Backup Compression
- Encrypting Connections to SQL Server
- BACKUP SERVICE MASTER KEY
- RESTORE SERVICE MASTER KEY
- ALTER SERVICE MASTER KEY
- BACKUP MASTER KEY
- RESTORE MASTER KEY
- ALTER MASTER KEY
- OPEN MASTER KEY
- CLOSE MASTER KEY
- HASHBYTES
- CHECKSUM()
- BINARY_CHECKSUM()
- Expert SQL Server Encryption
- Data Hashing in SQL Server
- CREATE ASYMMETRIC KEY
- ALTER ASYMMETRIC KEY
- CREATE CERTIFICATE
- ALTER CERTIFICATE
- BACKUP CERTIFICATE
- sys.certificates
- ENCRYPTBYPASSPHRASE
- ENCRYPTBYKEY
- ENCRYPTBYASYMKEY
- ENCRYPTBYCERT
- DECRYPTBYKEY
- DECRYPTBYASYMKEY
- DECRYPTBYCERT
- DECRYPTBYKEYAUTOASYMKEY
- DECRYPTBYKEYAUTOCERT
- Windows SDK (Makecert)
- SN.EXE
- Subway Hacked - http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars
- Install SSL Certificate
- SQL Server 2005: A look at the master keys - part

Images
- Enigma Machine
- The Encryption Hierarchy from BOL - http://msdn.microsoft.com/en-US/library/ms189586%28v=SQL.90%29.aspx
- Hashing Image
- TDE Structure