
MD5 viability in SS

Posted on 2013-06-24
Last Modified: 2013-06-24
Is it possible to implement the below in SQL Server? If so, is there any Microsoft tech paper on how to incorporate it into an R2 DB?
http://en.wikipedia.org/wiki/MD5
0
Question by:25112
 
LVL 8

Assisted Solution

by:didnthaveaname
didnthaveaname earned 1000 total points
ID: 39272519
Can I ask a probing question as to what you are looking to do?  My primary point behind this is if you read that article:


In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions

I would, personally, encourage either hardware encryption or have you looked at TDE?  It has stronger encryption algorithms than MD5.  This is a good article: http://www.sql-server-performance.com/2008/Transparent-Data-Encryption/

Also: http://msdn.microsoft.com/en-us/library/bb934049.aspx
0
 
LVL 5

Author Comment

by:25112
ID: 39272546
Hi didnthaveaname,

Actually, the real link I meant to submit was http://en.wikipedia.org/wiki/SHA-1 ... sorry.

I was checking into SHA, only because I read elsewhere it is more knock-proof than MD5 (as you pointed out).

For something sensitive like cc, it was suggested to us that in decryption, the key to unlock the data remains within the data, and hence it remains a security risk. If that is the only downside to native SQL Server encryption, what are recommendations to overcome that?
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 39272558
Here's the article for hashing with SQL Server: http://msdn.microsoft.com/en-us/library/ms174415.aspx
0

 
LVL 5

Author Comment

by:25112
ID: 39272570
Thanks.

For credit card in SS, would you see reasons to choose SHA1 over TDE or vice versa?

The key being stored within the database - is that a real concern?
0
 
LVL 8

Assisted Solution

by:didnthaveaname
didnthaveaname earned 1000 total points
ID: 39272615
I can only speak from my experience with my company.  We do not use TDE.  We use an Ingrian hardware encryption appliance to separate the two functions.  The encrypted values are persisted into SQL Server for the very security reasons you mentioned.
0
 
LVL 84

Accepted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 39272628
If you are going to be storing credit card data, you need to become familiar with PCI DSS.  https://www.pcisecuritystandards.org/security_standards/  There is a lot more than just encryption required.
0
