Solved

Is it possible to encrypt the login table (username and password) with AES or DES

Posted on 2008-10-12
9
184 Views
Last Modified: 2010-03-19
Thanks
0
Comment
Question by:turbot_yu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 60

Accepted Solution

by:
Kevin Cross earned 400 total points
ID: 22697773
I usually do this from the application that logging into.  And I have never tried with username, but in theory should work the same as password.

What the methodology is using encryption/hashing is to NOT try to decrypt the data in the database, but instead encrypt/hash the data coming in from user and compare to database.

So what application platform are you using?  Each has their own API for this.
0
 
LVL 60

Assisted Solution

by:Kevin Cross
Kevin Cross earned 400 total points
ID: 22697785
For encryption within SQL server itself, which would allow you to use the same mechanism from application to application without having to copy code or use a shared web service like I use:

http://www.example-code.com/sql/aes_stringEncryption.asp
http://aspnet.4guysfromrolla.com/articles/022107-1.aspx
0
 
LVL 22

Assisted Solution

by:dportas
dportas earned 100 total points
ID: 22697822
Encrypting passwords is bad practice. Better to generate a password hash and verify that at login. Hashing should be used in conjunction with password complexity rules to guard against dictionary-based attacks.
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 

Author Comment

by:turbot_yu
ID: 22699893
The client side will be a PDA, windows mobile 6.

The server side will be a server, windows xp or windows server 2003, not fixed yet.

They request for AES or DES.
0
 

Author Comment

by:turbot_yu
ID: 22700033
http://www.example-code.com/sql/aes_stringEncryption.asp

Is it just work on the server side, the client just call the sql-pro?
Since I am quite new, may you give more details how it works.
0
 
LVL 60

Assisted Solution

by:Kevin Cross
Kevin Cross earned 400 total points
ID: 22707390
That procedure would work on the SQL server side, that is correct.  If you made this procedure take in a password as parameter and return you the encrypted/hashed version you could then utilize this procedure to hash the password before it is stored into database and then on your login process your username and password would be sent and this same procedure could be used to hash the client supplied password and then compare hash with value stored in database.

I too do not ever decrypt the passwords for this purpose, which is why I refer to as a has even though you are encrypting.  I would basically ignore the decrypt side of this. :)

What you will find is this is just protecting exposure of that data from attacks on the backend.  If you are transmitting this data from PDA to SQL server clear text (non-SSL) connection, then exposure is in the points between PDA and server (if goal here is security just thought I would mention).

Hope that helps.

Regards,
Kevin
0
 

Author Comment

by:turbot_yu
ID: 22708137
Hi Kevin

If I want to encrypt the password transfer between the cllient and server, do it mean I need to encrypt and decrypt the password at client side. Is there any way to do it, thanks.
0
 
LVL 60

Assisted Solution

by:Kevin Cross
Kevin Cross earned 400 total points
ID: 22708201
Are you talking about SSL communication?  As for encrypt/decrypt client side it would be up to the abilities of the program created to run on PDA.  Would be based on the language used and ability to use certain API/SDK toolsets on a mobile device.
0
 

Author Comment

by:turbot_yu
ID: 22710501
I am trying to encrypt the password in client device and send it into SQL server.

Also I will try to get the password from the server and decrypt it in the client device.

Is it possible, thanks.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server 2012 r2 and SQL 2014 6 34
Need more granular date groupings 4 45
sql trace 4 29
SQL: Default Database Integrity Jobs Failing 6 27
This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question