Block unauthorized access into an encrypted database

from the Artful SQL Server & Access Tips List


Do you fear break-ins into your SQL Server database? You should. It is a real and dangerous possibility. First, I'll cite an example from a previous job to demonstrate how easy it is to access a database.

Why a DBA might break into your database

I used to be part of a team that was responsible for an enterprise application designed to run a pulp and paper mill. The software sold for $1.2 million as the base price. As the customer selected various options, the price went up in rather large increments. A sale of the application with all features working could amount to $3 million. We didn't create separate executables for each possible configuration because that would have been a nightmare. Instead, we created an encrypted procedure that read a table and made the functionality available that the client had licensed.

The local DBA with even a little savvy and an Internet connection could crack our code wide open in five minutes, gaining full functionality of the application and thereby saving her firm at least a million dollars. This is against the law, but some DBAs will take the chance to save their companies such large sums of money.

How a DBA can decrypt your database

If you think my scenario unlikely, try it. Create one or more stored procedures, views, and triggers with encryption using the standard "with encryption" phrase. Then follow the steps in this recipe, and see how easy it is to shatter your alleged defense:

1. Install the free SQL decryption tool from http://www.derkeiler.com/Mailing-Lists/Securiteam/2001-12/0101.html.

2. Run it and choose the server and database of interest. (You must be able to log in.)

3. Select the procedures, views, and triggers you wish to decrypt.

4. Choose a directory in which to save the decrypted files and click Save.
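To see for yourself what the "with encryption" phrase does and does not do, here is an added T-SQL example (not from the original article): a license-gating procedure of the kind described above, created WITH ENCRYPTION, followed by catalog queries that show the option only hides the module text from ordinary metadata views. It assumes SQL Server 2005 or later; the table and procedure names are hypothetical.

```sql
-- Constructed example: a feature-licensing table and the procedure that gates on it.
CREATE TABLE dbo.LicensedFeatures (
    FeatureName sysname NOT NULL PRIMARY KEY,
    IsLicensed  bit     NOT NULL
);
GO
INSERT INTO dbo.LicensedFeatures (FeatureName, IsLicensed)
VALUES ('Scheduling', 1), ('QualityLab', 0);
GO

-- WITH ENCRYPTION obfuscates the stored text of the module; it is not key-based encryption.
CREATE PROCEDURE dbo.CheckFeature
    @FeatureName sysname,
    @Allowed     bit OUTPUT
WITH ENCRYPTION
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @Allowed = ISNULL(
        (SELECT IsLicensed FROM dbo.LicensedFeatures WHERE FeatureName = @FeatureName), 0);
END;
GO

-- What a normal user sees: the definition column is NULL for an encrypted module,
-- which is the whole extent of the protection.
SELECT OBJECT_NAME(object_id) AS ObjectName,
       definition
FROM sys.sql_modules
WHERE object_id = OBJECT_ID('dbo.CheckFeature');

-- Defender inventory: list every procedure, view, trigger and function that relies on
-- obfuscation alone, so you know which objects need a stronger protection scheme.
SELECT o.type_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS ObjectName
FROM sys.objects AS o
WHERE OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
ORDER BY o.type_desc, ObjectName;
```

Note that the licensing decision still rests on a plain table in the same database, so anyone with administrative rights on the server is inside the trust boundary regardless of how the procedure text is stored.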

Protect your database with these resources

The safest assumption is that a DBA will try to break into your database. If the DBA succeeds, the vendor of the application may be out a significant amount of money.

Simply adding encryption to your database will only protect you from entry-level or inexperienced DBAs. If encrypted procedures, views, and triggers are important to you and your firm (and they should be), then you have no choice but to spend some money and license real encryption, or to download one of the following alternatives (both commercial and free) and beef up your encryption efforts:

ActiveCrypt

SQL Encryption Toolkit: This free toolkit from Michael Coles is in the form of stored procedures.

NetLibEncryptionizer for SQL Server: You might want to consider this product if you want to encrypt your data as well as your database objects.
