Solved

MD5 viability in SS

Posted on 2013-06-24
Last Modified: 2013-06-24
Is it possible to implement the below in SQL Server? If so, is there any Microsoft tech paper on how to incorporate it into an R2 DB?
http://en.wikipedia.org/wiki/MD5
0
Question by:25112
6 Comments
 
LVL 8

Assisted Solution

by:didnthaveaname
didnthaveaname earned 250 total points
ID: 39272519
Can I ask a probing question as to what you are looking to do?  My primary point behind this is if you read that article:


In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and CMU Software Engineering Institute now says that MD5 "should be considered cryptographically broken and unsuitable for further use",[9] and most U.S. government applications now require the SHA-2 family of hash functions

I would, personally, encourage either hardware encryption or have you looked at TDE?  It has stronger encryption algorithms than MD5.  This is a good article: http://www.sql-server-performance.com/2008/Transparent-Data-Encryption/

Also: http://msdn.microsoft.com/en-us/library/bb934049.aspx
0
 
LVL 5

Author Comment

by:25112
ID: 39272546
Hi didnthaveaname,

Actually, the real link I meant to submit was http://en.wikipedia.org/wiki/SHA-1 .. sorry ..

I was checking into SHA, only because I read elsewhere it is more knock-proof than MD5 (as you pointed out).

For something sensitive like cc, we were suggested that in decryption, the key to unlock the data remains within the data, and hence it remains a security risk. If that is the only downside to native sql server encryption, what are recommendations to overcome that?
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 39272558
Here's the article for hashing with SQL Server: http://msdn.microsoft.com/en-us/library/ms174415.aspx
0
 
LVL 5

Author Comment

by:25112
ID: 39272570
Thanks.

For credit card in SS, would you see reasons to choose SHA1 over TDE or vice versa?

The key being stored within the database - is that a real concern?
0
 
LVL 8

Assisted Solution

by:didnthaveaname
didnthaveaname earned 250 total points
ID: 39272615
I can only speak from my experience with my company.  We do not use TDE.  We use an Ingrian hardware encryption appliance to separate the two functions.  The encrypted values are persisted into SQL Server for the very security reasons you mentioned.
0
 
LVL 83

Accepted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 39272628
If you are going to be storing credit card data, you need to become familiar with PCI DSS.  https://www.pcisecuritystandards.org/security_standards/  There is a lot more than just encryption required.
0

Question has a verified solution.