Solved

store procedure to save secure information like dob, ssnumber, etc..

Posted on 2011-03-14
10
517 Views
Last Modified: 2012-05-11

Is there a way to store some important information so when I send the password parameter it returns the stored character string?

I am using
Microsoft SQL Server Management Studio                                    10.0.2531.0
ms sql express 8
0
Comment
Question by:goodk
  • 3
  • 3
  • 2
  • +1
10 Comments
 
LVL 19

Expert Comment

by:Bhavesh Shah
Comment Utility
Hi,

There not any option by passing password, you got that information on specific column.

What you can do is,

1. You can create one database user to control specific table.
   Only that user having access to table.

2. you can use encryption for hiding specific column value.

If you need more info on any one, let me know.


- Bhavesh
0
 
LVL 28

Assisted Solution

by:Ryan McCauley
Ryan McCauley earned 100 total points
Comment Utility
The most secure way to store these things is so normal users don't have SELECT access on the table and only a stored procedure can access it - that way, when the user calls the stored procedure with a key of some kind (like you're suggesting), and then the stored procedure returns the details for that record. DBA-level users (or at least one) would still need to be able to view the raw data in the table - though you can encrypt it if you'd like - since somebody will need to create the structure and troubleshoot any issues that arise.

You'd have to ensure a couple of things:

Your application doesn't have DBO rights on that database, and can't either view the data or grant permissions on the data
The key you're using (to call your stored procedure and pull a certain row) has to be long enough to make the possibility of guessing it highly unlikely
This goes along with the previous point, but the key CANNOT BE AN INCREMENTING INT. I've seen this before and you could view other peoples' data just by incrementing your key value - very bad

What you're describing can be done, and it can be done safely, but you'll have to ensure that you protect your data, since all the security in the world doesn't matter if there's a backdoor in to view everything and the application can gain access to it.
0
 
LVL 23

Assisted Solution

by:OP_Zaharin
OP_Zaharin earned 50 total points
Comment Utility
-here is a sample on sql server encryption on a column:
http://www.sqlsolutions.com/articles/articles/Encrypted_Columns_and_SQL_Server_Performance.htm

-here is another sample that might be useful to use hash on password field: http://blogs.msdn.com/b/sqlcat/archive/2005/09/16/469257.aspx
0
 

Author Comment

by:goodk
Comment Utility
thanks, guys -

So is it not possible to create an encrytion key and corresponding encryptic text?  I wanted to save incription key in column and encrypted text in the other column.  Is this not possible? if yes, how?

thanks
0
 
LVL 28

Expert Comment

by:Ryan McCauley
Comment Utility
Sure, it's possible to do this, but why encrypt it at all if you're just going to store the key along with the data? Anybody who compromises the data will have access to the key as well, so it defeats the purpose.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 23

Expert Comment

by:OP_Zaharin
Comment Utility
ryan have a point there.
you should use the hash or encryption feature made available by the database.
0
 

Author Comment

by:goodk
Comment Utility

thanks,

you are absolutely right that if someone gets hold of the data they have all the information.

ok, correct me on what I am thinking, if it is right?

I was going to use the password with the encrytion key as an added key.

I already know how to write a stored procedure to secure and verify the password.  I, however, do not know how to encrypt some thing and the get the original back.  That is what I am asking. thanks

0
 
LVL 28

Assisted Solution

by:Ryan McCauley
Ryan McCauley earned 100 total points
Comment Utility
Here's the Microsoft walk-through for using a server certificate to encrypt a column's data:

http://msdn.microsoft.com/en-us/library/ms179331.aspx

This is the safest way to do it, since you're letting SQL Server protect your certificate (decryption key). If you prefer to handle the password and decryption yourself, SQL also supports password-based symmetric en/decryption:

http://dotnetslackers.com/articles/sql/IntroductionToSQLServerEncryptionAndSymmetricKeyEncryptionTutorial.aspx

The second one is more what you're asking for, but I'd lean you towards the first since it lets the server handle more of the details, and I'm always a fan of not re-rolling what's already been build for me :)
0
 
LVL 19

Accepted Solution

by:
Bhavesh Shah earned 350 total points
Comment Utility
Hi,

Checkout this function too which is I'm using.

We are using "EncryptByPassphrase" for encryption.

For more info on

http://technet.microsoft.com/en-us/library/ms190357.aspx


- Bhavesh
CREATE Function [dbo].[Encrypt] (@Key VARCHAR(50), @Password VARCHAR(150)) Returns VARBINARY(MAX)
As
	
Begin

	DECLARE @EncryptedPassword VARBINARY(MAX)

	SET @EncryptedPassword = EncryptByPassphrase(@Key, @Password)

	Return @EncryptedPassword
End

Open in new window

DECLARE @Key VarChar(50)
Declare @Password Varchar(50)
Declare @EncryptedPassword Varchar(50)


SET @Key = 'bj12@*$%98rs'
SET @Password = 'patience'
SET @EncryptedPassword = DBO.encrypt(@Key,@Password)

SELECT @Password OriginalPassword,@EncryptedPassword 'EncryptedPassword',DBO.Decrypt(@Key,@EncryptedPassword)DecryptedPassword

Open in new window

CREATE Function [dbo].[Decrypt] (@Key VARCHAR(50), @EncryptedPassword varchar(MAX)) Returns VARCHAR(150)
As
	
Begin

	DECLARE @DecryptedPassword VARCHAR(150)

	SET @DecryptedPassword = CAST(DecryptByPassphrase(@Key, @EncryptedPassword) AS VARCHAR(MAX))
	
	Return @DecryptedPassword
End

Open in new window

0
 

Author Closing Comment

by:goodk
Comment Utility
thanks
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Entering a date in Microsoft Access can be tricky. A typo can cause month and day to be shuffled, entering the day only causes an error, as does entering, say, day 31 in June. This article shows how an inputmask supported by code can help the user a…
Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now