Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Published byJared Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia "— Presentation transcript:

1 Jim McLeod MyDBA Jim.mcleod@mydba.com

2  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia  MCITP:Database Administration

3  Examine the basics of encryption  Determine when to use encryption  Explore how SQL Server handles encryption technology  Examine how to structure your tables in order to encrypt information efficiently  Consider how to protect your data from the DBA

4  Plaintext  “This is a plaintext message.”  Codes  “Fred likes to eat cake.”  Fred = This, likes = is, to = a, eat = plaintext, cake = message.  Not terribly useful in computing  Ciphertext  “Guvf vf n cynvagrkg zrffntr.”  Operates on a group of letters, individual letters or bits

5  Key based encryption uses mathematical algorithms to encrypt data by use of a key  Typically non-deterministic  Symmetric Keys  The same key will encrypt and decrypt the message  Asymmetric Keys  A public key is used to encrypt the message  Only the private key can be used to decrypt the message  For a given key length:  Symmetric algorithms are faster to encrypt/decrypt  Asymmetric algorithms are more secure  Compromise: encrypt data with a symmetric key, and encrypt the symmetric key with an asymmetric key.

6  Business Requirements  Hide sensitive data  Passwords, Credit Card numbers, etc  Hide sensitive data from the DBA  Protect against unauthorised changes

7  On disk encryption  Encrypted file system  Transparent Data Encryption – SQL Server 2008  Backup encryption – 3 rd Party  Client Connections (SSL)  Network Traffic  Individual Columns  Stored Procedures, Triggers, Functions, Views, etc

8  Data can be encrypted at one of two points  Before it gets to the database engine (Application)  After it gets to the database engine (Database)  Application encryption:  Key must be stored in the application/another tier  Prevents Profiler from sniffing unencrypted data passed into stored procedures  Database cannot search efficiently  Database Encryption  Unencrypted data accessible inside the database  Unencrypted data passed to the database engine  Key may be held in an Hardware Security Module  via Extensible Key Management (2008)  via Extended Stored Procedures/SQLCLR (2005)

9  A deterministic, one-way method of obfuscating data  Original source data cannot be retrieved  Easy to compute  Extremely difficult to construct a string with a given hash  A single bit changed in the source string will radically alter the result  Extremely unlikely that two source strings will produce the same hash  Deterministic means dictionary attacks are possible

10  SUM() is a hashing function  SELECT SUM(1 + 50 + 20 + 25) = 96  HashBytes() function  128 bit - MD2, MD4, MD5  160 bit - SHA, SHA1

11  Passwords and authentication  Salting  Data integrity  Protect your data from changes via Management Studio  Detecting changes in a table  Creating indexes for types that cannot be indexed  Images, varchar(max)  Demonstration – enforcing row integrity

12  EncryptByPassphrase()  DecryptByPassphrase()  Uses a Triple-DES symmetric key  AES128, AES192, AES256 are stronger  No Database Master key, or certificate management required  If the passphrase is lost, the data is lost  Demonstration

13  Profiler can expose data that should be encrypted  Stored Procedures  Passphrase or unencrypted data can be passed through as a parameter in plaintext  Passphrase can be hardcoded into the stored procedure  Ad Hoc Queries  Passphrase may be visible over the network  Profiler will hide the event details  Application must supply the passphrase

14

15  Service Master Key  Instance scope  Is created the first time it is required to encrypt something  Can be regenerated.  Database Master Key  Database scope  Created by the DBA when the database needs to use encryption

16  Asymmetric Keys  If VIEW DEFINITION is granted, the user can encrypt data  If CONTROL is granted, the user can encrypt and decrypt data  Public Key Certificates  Expiry Dates  Self Signed X.509 Standard (1024 bit)  Signed by a Certification Authority (384-3456 bit)  Used for encryption and authentication  Demonstrations  Asymmetric Key Encryption  Certificate Encryption

17  A symmetric key is similar to Passphrase  Not restricted to Triple-DES  Fast to encrypt, but if you know how to encrypt, you can also decrypt  Symmetric Key with Certificate Demonstration

18  Encrypted data cannot be searched on without decrypting the data, resulting in a table scan  Need some way of narrowing the search  Reduce the number of rows requiring decryption from 1 million to 100.  AdventureWorks comes with an index on Email, indicating that they search for customers based on an Email Address  Non-deterministic encryption means we can’t index the encrypted value  Create a hash of the first part of the email  Doesn’t give away any information about the Contact  Can be indexed  Demonstration

19  DBA has control over all certificates in all databases  Database Master Keys encrypted via the Service Master Key will be wide open to the DBA  Certificates/keys protected by passwords will be hidden from the DBA via Profiler  Demonstration

20  Feature of SQL Server 2008 Enterprise Edition  Encrypts data on disk, and is unencrypted when loaded into memory  Uses a symmetric key called the Database Encryption Key  Replication or memory dumps may expose unencrypted data  No application architecture changes required.  Small performance hit on every disk I/O  Recovery of an encrypted database MUST be tested on a separate server before a disaster  Backup your keys/certificates  Backups of encrypted database will not compress well, but Page Compression will still work

21  Roll your own encryption functions  Try the SQL 2000 DBA Toolkit  Uses extended stored procedures  http://www.sqlservercentral.com/articles/Sec urity/sql2000dbatoolkitpart1/2361/ http://www.sqlservercentral.com/articles/Sec urity/sql2000dbatoolkitpart1/2361/  Encrypt data at the application layer  Put database files on an encrypted partition

22  Examine the basics of encryption  Determine when to use encryption  Disk, Connection, Column, Network, Backups  Explore how SQL Server handles encryption technology  Hashing, Certificates, Symmetric Keys, Asymmetric Keys, Transparent Data Encryption, Extensible Key Management  Examine how to structure your tables in order to encrypt information efficiently  Indexes of hashes  Consider how to protect your data from the DBA

Download ppt "Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia "

Similar presentations

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
SMUCSE 5349/49 Email Security. SMUCSE 5349/7349 Threats Threats to the security of e-mail itself –Loss of confidentiality E-mails are sent in clear over.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.

DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.

1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.

Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.
Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Similar presentations

Ads by Google