Zindros asked

Framework encryption

I use SQL 2008 Express and C# for app development. What we need is to encrypt some data using Framework. In other words, we need to encrypt that data from our code, and not using sql commands. Also, we need this encrypted data to be used by sql procedures. In other words, we need to decrypt from sql the encrypted data we encrypted from our C# code.

Tags: sql-server-2008, encryption

David Wimbush answered
The only thing I can think of is to develop your encryption/decryption code as a separate DLL and add a copy to SQL using the CLR integration. Then you could encrypt in the app and decrypt in SQL.
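
A sketch of the shared-DLL approach suggested in this answer, added here as an example; it is not code from either poster. The class name, the blob layout, and the choice of AES-CBC with an HMAC-SHA256 tag are assumptions of the example, and key storage is left open.

```csharp
using System;
using System.Data.SqlTypes;
using System.Security.Cryptography;
using Microsoft.SqlServer.Server;

// Added example (hypothetical names): one assembly referenced by the C# app
// and also registered in SQL Server through CLR integration.
public sealed class SharedCrypto
{
    // Blob layout (assumed here): IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new RijndaelManaged { Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7, Key = encKey })
        {
            aes.GenerateIV();                       // fresh random IV for every value
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] blob = new byte[16 + ct.Length + 32];
            Buffer.BlockCopy(aes.IV, 0, blob, 0, 16);
            Buffer.BlockCopy(ct, 0, blob, 16, ct.Length);
            using (var hmac = new HMACSHA256(macKey))   // tag covers IV and ciphertext
                Buffer.BlockCopy(hmac.ComputeHash(blob, 0, 16 + ct.Length), 0, blob, 16 + ct.Length, 32);
            return blob;
        }
    }
    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob == null || blob.Length < 16 + 16 + 32) throw new CryptographicException("Truncated input");
        int bodyLen = blob.Length - 32;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, bodyLen);
            int diff = 0;                           // compare without early exit
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("Authentication failed");
        }
        using (var aes = new RijndaelManaged { Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7, Key = encKey })
        {
            byte[] iv = new byte[16];
            Buffer.BlockCopy(blob, 0, iv, 0, 16);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, 16, bodyLen - 16);
        }
    }
    // SQL-callable wrapper. Keys arrive as parameters only to keep the example
    // self-contained; values passed through T-SQL can be seen by tracing tools.
    [SqlFunction(IsDeterministic = true, DataAccess = DataAccessKind.None)]
    public static SqlBytes DecryptSql(SqlBytes blob, SqlBytes encKey, SqlBytes macKey)
    {
        if (blob.IsNull || encKey.IsNull || macKey.IsNull) return SqlBytes.Null;
        return new SqlBytes(Decrypt(blob.Value, encKey.Value, macKey.Value));
    }
}
```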

Zindros answered
Sounds a good idea. I will try it and let you know.

Zindros answered
Dear David, we developed what you suggested but still there is a security hole. If someone uses a profiler or other tool he can easily monitor the secret keys we use to encrypt/decrypt.

David Wimbush answered
Hmm. Cryptography is a highly specialised field and I'm not an expert. But I've read a bit so I'll have a go. I do know the weakness in symmetric encryption has always been key exchange. That's what was so great about public key / private key encryption. But as far as I know, you still need the key to be able to decrypt. Later and more expensive editions of SQL Server have all sorts of certificate and key management features. Maybe there's some crafty .NET stuff that can do this while still obscuring the key.

When I hit a hard problem like this I stop and reconsider. Is there a way to get the same result without having to solve this bit that I'm stuck on? Is there a different solution? Look back to what problem you actually need to solve here and reconsider whether this encryption approach is the right one. If it really is the only answer, and you can't get a solution here, try a programmer forum like Stack Overflow.