Encryption By Certificate and Security

Posted on 2007-10-05
Last Modified: 2010-03-19
I'm using SQL Server built in encryption security for some of my Data.  Specifically I'm going to use Certificates because they seem easier to migrate from one server to another.  Fine, no problem, I pretty much understand it all and anything I don't understand I can figure out.  

Here is something I'm not understanding.  Let's say someone breaks into my DB Server and Then breaks into one of my DB's.  They go into a table, see encrypted Credit Card data and then start fishing through my Stored Procedures.  They find the SP's i use to encrypt and decrypt the CC numbers.   Now they know exactly what Cert I use to do this with.  Since they are already in My DB, all they need to do is run my decrypt SP, and they have all those CC numbers.  WHAT AM I MISSING.  I know something in my logic is wrong or else encryption wouldn't be secure really at all.  Explain to me how I need to set this up to stop what I'm talking about from happening or explain to me why what i'm talking about won't happen.

Question by:davidcahan
    LVL 6

    Accepted Solution

    First, there is no such thing as PERFECT security. The idea of all these technologies is making it more difficult for the information to be accessed. I would first hope that no one would be able to gain SA access to your SQL server, because that is another security issue entirely. Your server should be well secured with accounts that have strong passwords and unauthenticated users should never be able to view and definitely not run your SPs. The scenario you are presenting seems like someone that gained physical access to the SQL server and found a sticky note with all the passwords. Let's just assume that isn't going to happen, because if that happens then of course it isn't going to be secured.

    Encrypting the data makes it so that no-one can just arbitrarily run queries to your database and extract meaningful information. Perhaps you have heard of SQL injection in web applications, this is where the cert would keep your data safe. Generally encryption is to keep data from being sent as plaintext to the user during standard operation of querying and presenting data.

    I don't know how else to put it, but your assuming too much by thinking that someone would be able to get that kind of access to your server, and encryption is not meant to stop someone once they have already compromised you that far.

    Author Comment

    that's all i wanted to hear.  I just wasn't sure how far the encryption was supposed to be able to secure my data.  

    Featured Post

    Enabling OSINT in Activity Based Intelligence

    Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

    Join & Write a Comment

    If you having speed problem in loading SQL Server Management Studio, try to uncheck these options in your internet browser (IE -> Internet Options / Advanced / Security):    . Check for publisher's certificate revocation    . Check for server ce…
    In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
    This video is in connection to the article "The case of a missing mobile phone (". It will help one to understand clearly the steps to track a lost android phone.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now