Solved

PGP and SQL server

Posted on 2014-08-11
891 Views
Last Modified: 2014-08-13
Dear all,

Right now I have a project that I expected to use PGP encryption with MS SQL; I hadn't heard about that before.

Can anyone suggest the relationship between PGP and MS SQL?
Question by:marrowyung
11 Comments
 
LVL 11

Assisted Solution

by:John Easton
John Easton earned 400 total points
ID: 40252830
I assume the data being used is somewhat private.  Therefore I would expect the data would be encrypted (using a PGP key) before saving to the database, and then decrypted in order to display the data.

This would prevent anyone who manages to hack the database server from being able to read the data.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40252952
It seems an odd combo.

PGP is largely associated with email traffic or encrypting files; MS SQL has its own crypto subsystem (which is even FIPS!) for encryption of column data, so using PGP for data encryption would be unusual; if nothing else, it would be massive overkill - PGP is distinguished from openssl or less formalized solutions by its support for identity verification - in this case, the "Web of Trust" - and a DB solution would be unlikely to benefit from that.
0
 
LVL 1

Author Comment

by:marrowyung
ID: 40253573
"PGP is largely associated with email traffic or encrypting files; MS SQL has its own crypto subsystem (which is even FIPS!) for encryption of column data, so using PGP for data encryption would be unusual;"

I am thinking about that too! SQL Server can use TDE, for example; PGP can be used for a web site login page, right?

Any use for ETL and data warehousing?

Please explain "Web of Trust".
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 1600 total points
ID: 40253633
No, PGP can't be used for website logins; it can't be used for very much really (it is quite good, but has a very tightly restricted problem domain).

Web of Trust is a more complex concept than X509 validation; when validating a key, the trusting application considers thresholds set by its administrator and counts up how many of the signatures on a currently untrusted key lead back to trusted keys.

While X509 has a much simpler concept (if the chain of signatures leads back to a root cert, then the current cert is considered to be valid proof of identity during its validity period), PGP will require a definable total of keys marked valid (either directly, or to a maximum depth away from a directly set keytrust) or a larger number marked partially valid (again, to a definable depth).

While X509 has the assertion "because a CA said so", PGP is more flexible in that it has the assertion "because 'n' people I trust said so".

In practice however, most of the time you assign trust yourself to PGP keys, having verified validity with its owner.
0
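The validity computation described above (count the signatures on an untrusted key that lead back to trusted keys, against administrator-set thresholds and a maximum depth) in code, as an added illustration rather than anything from this thread or from GnuPG itself. It is a simplified model of the classic PGP trust rules; the threshold names, the `Key` structure and the sample keyring are constructed for the example.

```python
from dataclasses import dataclass, field

# Owner trust the local user assigns to each key they hold (hypothetical labels,
# modelled on the classic PGP levels; not gpg's own data structures).
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


@dataclass
class Key:
    owner_trust: str = NONE
    signed_by: set = field(default_factory=set)  # ids of keys whose signatures this key carries


def compute_validity(keys, completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key_id: depth} for every key the local user may treat as valid.

    A key with ultimate owner trust is valid at depth 0.  Any other key becomes
    valid when it carries signatures from at least `completes_needed` valid keys
    with full/ultimate owner trust, or at least `marginals_needed` valid keys
    with marginal owner trust, and those signers sit within `max_depth` hops
    of a directly trusted key.  Signatures from keys that are not themselves
    valid, or that carry no owner trust, count for nothing.
    """
    valid = {kid: 0 for kid, key in keys.items() if key.owner_trust == ULTIMATE}
    for depth in range(1, max_depth + 1):
        known = dict(valid)  # only signers validated in earlier rounds count this round
        for kid, key in keys.items():
            if kid in valid:
                continue
            signers = [s for s in key.signed_by if s in known]
            full = sum(1 for s in signers if keys[s].owner_trust in (FULL, ULTIMATE))
            marginal = sum(1 for s in signers if keys[s].owner_trust == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[kid] = depth
    return valid


# Constructed sample keyring: alice is the local user; she has signed and assigned
# marginal trust to bob, carol and dave; the other keys are only known through them.
KEYRING = {
    "alice": Key(ULTIMATE),
    "bob":   Key(MARGINAL, {"alice"}),
    "carol": Key(MARGINAL, {"alice"}),
    "dave":  Key(MARGINAL, {"alice"}),
    "erin":  Key(NONE, {"bob", "carol", "dave"}),  # three marginal signers: valid
    "frank": Key(NONE, {"bob", "carol"}),          # only two marginal signers: not valid
    "grace": Key(NONE, {"erin"}),                  # erin is valid but has no owner trust
}

if __name__ == "__main__":
    print(compute_validity(KEYRING))
    print(compute_validity(KEYRING, marginals_needed=2))  # frank now qualifies
```

Lowering `marginals_needed` or raising `max_depth` widens what the local user accepts, which is exactly the administrator-set threshold trade-off the answer refers to.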
 
LVL 1

Author Comment

by:marrowyung
ID: 40254825
So really nothing to do with MS SQL!

OK, one quick thing: any real use of PGP?
0
 
LVL 1

Author Comment

by:marrowyung
ID: 40254849
Any example of how to use PGP, any PGP application?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40255092
It is worth remembering that the GOAL of pgp encryption is to securely send data to another person; you CAN use it for local storage, but it is a poor solution for that.

To play with pgp, download and install the free app GnuPG For Windows - that should get you a gui (gpg is a command line tool) so you can create your own pgp key, and an email client so you can send and receive encrypted mail. To really see the system in action though, you need to get a friend to also do this, generate a key, and send the public (not private) half of their key to you. You can then send them messages or files encrypted to their key, and signed by your key (and the reverse for them, of course) and decrypt messages encrypted to your key, plus verify data signed by their key.
0
 
LVL 1

Author Comment

by:marrowyung
ID: 40255249
"It is worth remembering that the GOAL of pgp encryption is to securely send data to another person; you CAN use it for local storage, but it is a poor solution for that."

I agree!

But should I say PGP is just a framework which even contains the web of trust, not exactly a tool?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40255335
(open)PGP is an internet standard (RFC 2440, although the bis rev.22 draft version has some important changes) and there are a number of programs that implement this standard - Pretty Good Privacy (a commercial product owned by Symantec) is the first and hence original program family; Gnu Privacy Guard is the open source code family for the same standard, and Legion of the Bouncy Castle (gotta love their name :) supply Java and C# libraries that can be used to integrate PGP support into those languages.

The WoT is the default key verification mechanism used by the PGP standard to validate keys; it would be possible to use WoT without PGP (although you would still need some sort of digital signature to do so) or PGP without WoT (by manually defining trust for each key).
0
 
LVL 1

Author Comment

by:marrowyung
ID: 40257571
Thanks, so PGP is really only a framework.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40258357
Depends on how you look at it.

PGP (1.0) was an individual cli package, limited to just RSA (<1023 bits) for the PKI component and IDEA (@128 bits) for the symmetric component. The file formats were de facto, made up by the author on the spot, and worked OK.

PGP 2.x was a more popular package, but used the same file format (and had the same key limitations) as 1.0. There was a commercial "version" of 2.x, and two different free versions (one of which, for US use, used the RSAREF library, and the other (for international use) didn't).

Versions released later (and the first gui package really was 5.x, although 4.x saw some use on unix platforms) expanded on the file format and supported key types, supported larger keys, and were produced by a commercial company founded by the original author. Other packages began to appear to interoperate with the "classic" package, and the concept of PGP as a file format and standard (rather than a package with its own de facto standard) followed naturally from there.

So now, PGP is more of a standard for non-hierarchical encryption, being a file format, a principle for key location and verification, a very specific chaining mode and a mimetype, than a package per se - the package still exists, but it's like pkzip, which originally was a package with a de facto standard file, but is now almost entirely seen as a file format standard (and people who have even SEEN the pkzip "official" package are few and far between).
0
