• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 277
  • Last Modified:

MD5 viability in SS

Is it possible to implement the below in SQL Server? If so, is there any Microsoft tech paper on how to incorporate it into an R2 DB?
http://en.wikipedia.org/wiki/MD5
0
Asked by: 25112
4 Solutions
 
didnthaveaname Commented:
Can I ask a probing question as to what you are looking to do?  My primary point behind this is if you read that article:


In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions

I would, personally, encourage either hardware encryption or have you looked at TDE?  It has stronger encryption algorithms than MD5.  This is a good article: http://www.sql-server-performance.com/2008/Transparent-Data-Encryption/

Also: http://msdn.microsoft.com/en-us/library/bb934049.aspx
0
 
25112 (Author) Commented:
Hi didnthaveaname,

Actually, the real link I meant to submit was http://en.wikipedia.org/wiki/SHA-1 ... sorry.

I was checking into SHA, only because I read elsewhere it is more knock-proof than MD5 (as you pointed out).

For something sensitive like CC, it was suggested to us that in decryption, the key to unlock the data remains within the data, and hence it remains a security risk. If that is the only downside to native SQL Server encryption, what are the recommendations to overcome that?
0
 
Dave Baldwin (Fixer of Problems) Commented:
Here's the article for hashing with SQL Server: http://msdn.microsoft.com/en-us/library/ms174415.aspx
0
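On the original question of computing MD5 or SHA-1 inside SQL Server: the built-in HASHBYTES function does both. The T-SQL below is an added example, not part of the original thread; the temp table, its columns and the sample rows are constructed for illustration. It uses the digests for change detection only, since a hash has no key and cannot be reversed the way encrypted data can.

```sql
-- Added example; #DocumentDigest and its rows are constructed sample data.
-- On SQL Server 2008 R2, HASHBYTES accepts MD2, MD4, MD5, SHA and SHA1.
-- SHA2_256 and SHA2_512 were added in SQL Server 2012.
-- Before SQL Server 2016 the input is limited to 8000 bytes.
CREATE TABLE #DocumentDigest (
    DocId    INT           NOT NULL PRIMARY KEY,
    Body     NVARCHAR(400) NOT NULL,
    Md5Hash  VARBINARY(16) NOT NULL,  -- an MD5 digest is 16 bytes
    Sha1Hash VARBINARY(20) NOT NULL   -- a SHA-1 digest is 20 bytes
);

-- Store each row together with digests of its current content.
INSERT INTO #DocumentDigest (DocId, Body, Md5Hash, Sha1Hash)
SELECT v.DocId, v.Body, HASHBYTES('MD5', v.Body), HASHBYTES('SHA1', v.Body)
FROM (VALUES (1, N'constructed sample row one'),
             (2, N'constructed sample row two')) AS v(DocId, Body);

-- Simulate a change made without refreshing the stored digests.
UPDATE #DocumentDigest
SET Body = N'constructed sample row 2'
WHERE DocId = 2;

-- Report rows whose stored digest no longer matches the current value.
SELECT DocId, Body
FROM #DocumentDigest
WHERE Sha1Hash <> HASHBYTES('SHA1', Body);

-- HASHBYTES hashes the raw bytes of its input, so the same text passed as
-- varchar and as nvarchar yields different digests. Always hash a column
-- and the value compared against it using the same data type.
SELECT HASHBYTES('SHA1', 'abc')  AS FromVarchar,
       HASHBYTES('SHA1', N'abc') AS FromNvarchar;

DROP TABLE #DocumentDigest;
```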
 
25112 (Author) Commented:
Thanks.

For credit cards in SS, would you see reasons to choose SHA1 over TDE or vice versa?

The key being stored within the database: is that a real concern?
0
 
didnthaveaname Commented:
I can only speak from my experience with my company.  We do not use TDE.  We use an Ingrian hardware encryption appliance to separate the two functions.  The encrypted values are persisted into SQL Server for the very security reasons you mentioned.
0
 
Dave Baldwin (Fixer of Problems) Commented:
If you are going to be storing credit card data, you need to become familiar with PCI DSS.  https://www.pcisecuritystandards.org/security_standards/  There is a lot more than just encryption required.
0
