2 Core Concepts: Execution Contexts, Module Signing, Cryptography, Auditing
Core Concepts
Execution Contexts
Module Signing
Cryptography
Auditing
Endpoints: an endpoint exposes SQL Server services on the network.
• Exposed services: TSQL, SOAP (Web Services), Service Broker, Database Mirroring
• Works over TCP and HTTP transports; the service must be compatible with the transport (TSQL works with TCP only)
• TSQL endpoints are created by default; HTTP endpoints are deprecated in SQL Server 2008
Permissions needed to connect:
• CONNECT SQL permission on SERVER
  • Applies to all types of services (TSQL, SOAP, …)
  • Implicitly granted when a login is created
• CONNECT permission on ENDPOINT
  • CONNECT on the TSQL ENDPOINT is granted to PUBLIC by default
• Login enabled or disabled
  • A login attribute, not a real permission
  • Allows disabling SA and sysadmin logins
Authentication:
• Authenticates identity within SQL Server
• Endpoint based
• Verifies access rights to the server
• Establishes the primary security context
SQL Authentication
• In-built authentication protocol
• Login/password based
• Independent of Windows OS authentication
Windows Authentication
• Works with passwords, smartcards, thumb readers, etc.
• Recommended in most cases
Authentication modes:
• Windows only: SQL logins cannot connect
• Mixed: SQL logins and Windows logins allowed
• The mode can be changed after installation
SQL authentication:
• Requires SQL logins
• The login handshake is encrypted using SSL; the certificate to be used is determined at connection time
• Validates the password and enforces account policy (account locked out, must change password)
• Supports password change on login
CREATE LOGIN Alice WITH PASSWORD = '…'
SQL authentication is not insecure. It is used when:
• There are no rights to create Windows users
• Avoiding delegation double-hop issues
• Clients are non-Windows
• Application logins live outside of Windows
Notes:
• Encrypted when using SNAC
• No SID from the operating system
• The principal is not guaranteed to be unique
Diagram (SQL authentication): Alice's box connects over TCP/IP to the TSQL TCP endpoint on the SQL Server box; {Alice, pwd} is sent over SSL using the SQL Server SSL certificate, and the server answers {OK}.
Password policy (designed to deter brute force attacks):
• The password must not contain all or part of the account name; part of an account name is defined as three or more consecutive alphanumeric characters delimited on both ends by whitespace or some special characters
• Min 8 characters, max 128 characters
• Contains characters from three of the following four categories: Latin uppercase letters (A through Z), Latin lowercase letters (a through z), base 10 digits (0 through 9), non-alphanumeric characters
• Leave CHECK_POLICY on
• Set CHECK_EXPIRATION on to avoid old passwords
• Set MUST_CHANGE for new logins
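The three settings above applied at login creation, followed by a review query that finds SQL logins where they have been switched off. This is an added example, not code from the slides; the login name and the placeholder password are constructed.

```sql
-- Added example (not from the slides): create a SQL login with the policy
-- options the slide recommends, then list existing logins that lack them.
-- "Alice" and the placeholder password are constructed values.

-- CHECK_POLICY enforces the Windows password policy (complexity, lockout),
-- CHECK_EXPIRATION enforces password age, and MUST_CHANGE forces a new
-- password at first connection (MUST_CHANGE needs both checks ON).
CREATE LOGIN Alice
    WITH PASSWORD = 'Placeholder-Initial-P@ssw0rd' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Review: SQL logins with policy or expiration checks off, locked-out
-- accounts, and sysadmin members (the accounts worth a second look).
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       l.is_disabled,
       LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
       IS_SRVROLEMEMBER('sysadmin', l.name)         AS is_sysadmin
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR l.is_expiration_checked = 0
   OR IS_SRVROLEMEMBER('sysadmin', l.name) = 1
ORDER BY l.name;
```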
Windows authentication:
• Uses Windows OS users
CREATE LOGIN [REDMOND\SQLTest1] FROM WINDOWS
• Secured using Kerberos or NTLM
• Windows creates the client security token on the server
• The Windows token contains: user identity, group memberships, Windows privileges
Diagram (Windows authentication): Alice's box connects over TCP/IP to the TSQL TCP endpoint on the SQL Server box sending {Alice, NULL} (no password); the LSA on Alice's box and the LSA on the SQL Server box authenticate against the Domain Controller, and SQL Server obtains Alice's token from the local LSA.
• Uses the standard Kerberos / NTLM protocol
• No need to manage logins in SQL Server
• Works with smartcards and other non-password based authentication devices
Windows group logins (only possible for Windows logins):
• The login is not provisioned in SQL Server: CREATE LOGIN has not been called for it
• The login is a member of a Windows group that is provisioned in SQL Server
CREATE LOGIN [Bob\SQLUsers] FROM WINDOWS
• Have distinct owners for databases: not all owned by "SA"; minimize owners for each database
• Confer trust selectively: leave the CDOC (cross-database ownership chaining) setting off and migrate usage to selective trust instead
User tokens outside the database:
• A token authenticator vouches for the token
• If the authenticator is trusted, the token is honored
• If the authenticator is not trusted, the token is not honored (default behaviour)
Two alternatives for setting authenticators:
• Use the TRUSTWORTHY setting to have the DBO as an authenticator
• Use certificates as authenticators (recommended)
TRUSTWORTHY:
• Per-database setting
• Indicates that a context set in this DB can have the DBO as an authenticator
• Only a sysadmin can change the TRUSTWORTHY state for a database
ALTER DATABASE database_name SET TRUSTWORTHY {ON | OFF}
• Don't turn TRUSTWORTHY ON unless the DB and all its administrators are truly trustworthy
• Monitor TRUSTWORTHY bit changes
• Avoid turning TRUSTWORTHY ON for a database owned by sysadmin members
• For cross-DB scenarios assign a low-privileged dbo
• For cross-database and cross-server access impersonation consider using signatures
TRUSTWORTHY ON + dbo is a member of the sysadmin role. Result: privileged users in this DB can become sysadmin themselves.
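A review query for the escalation case described above, with the remediation the earlier slides recommend (low-privileged owner, bit off). This is an added example, not from the slides; the database and login names in the remediation are constructed.

```sql
-- Added example (not from the slides): find databases with TRUSTWORTHY ON
-- and flag those whose owner is a sysadmin member, the combination that lets
-- db_owner members reach sysadmin.  SalesDb and LowPrivDbOwner are constructed.

SELECT d.name AS database_name,
       d.is_trustworthy_on,
       d.is_db_chaining_on,                               -- cross-DB ownership chaining bit
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       CASE
           WHEN d.is_trustworthy_on = 1
            AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
                THEN 'HIGH: db_owner members can become sysadmin'
           WHEN d.is_trustworthy_on = 1
                THEN 'REVIEW: trustworthy, owner not sysadmin'
           ELSE 'ok'
       END AS assessment
FROM sys.databases AS d
WHERE d.name <> 'msdb'            -- msdb is TRUSTWORTHY ON by design
ORDER BY d.is_trustworthy_on DESC, d.name;

-- Remediation for a flagged database: give it a low-privileged owner and
-- turn the bit off unless the DB and all its administrators are trusted.
ALTER AUTHORIZATION ON DATABASE::SalesDb TO LowPrivDbOwner;
ALTER DATABASE SalesDb SET TRUSTWORTHY OFF;
```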
Application roles:
• Password based
• Completely contained in the DB; no presence outside the DB
• By default cannot revert; SQL Server 2005 added sp_unset_approle
• Application roles are DB scoped; the token is not trusted in server scope
Application roles do not access cross-database resources as "guest" and have no access to server-scoped metadata.
• Password: do not hardcode it; subject to the password policy check (complexity)
• Use flag 1416 for backwards compatibility only: "guest" access cross database, limited "guest" access
Execution context:
• Permission based
• Scoped: user vs. login; context impersonation bound to a module
• Stack based: REVERT; NO REVERT and REVERT WITH COOKIE
EXECUTE AS LOGIN = 'login_name': server-level impersonation; requires IMPERSONATE ON LOGIN::<login_name>
EXECUTE AS USER = 'user_name': database-level impersonation; requires IMPERSONATE ON USER::<user_name>
Stackable, so the previous context can be returned to:
• EXECUTE AS pushes a new execution context frame
• REVERT pops the top execution context frame
• The active context is determined exclusively by the top context frame
Default behavior (EXECUTE AS CALLER): uses the caller's context, the same as SQL Server 2000; no IMPERSONATE permission is required
EXECUTE AS a specified principal on a module: executes under the specified principal's context; requires IMPERSONATE on the principal
Original context: returns details of the non-impersonated context; very useful for auditing; allows controlling behavior based on the original login details when running under EXECUTE AS another principal
What EXECUTE AS is designed for: controlled escalation of privileges via modules; easy to use when all resources are in the same DB
What it is not designed for: sandboxing against an attack; it can be used as defence in depth
Users without login:
CREATE USER Someuser WITHOUT LOGIN
• No access to outside databases
• To switch to the user context use EXECUTE AS USER = 'Someuser'; requires IMPERSONATE permission on Someuser
• Better alternative to an application role
• Orphan users / mismatched SIDs are similar; use sp_change_users_login to map them to logins, or ALTER USER … WITH LOGIN since 2005 SP2
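The execution-context stack, a user without login, REVERT WITH COOKIE and the original-login lookup from the preceding slides, in one script. This is an added example, not from the slides; the slide describes the non-impersonated-context function without naming it, and ORIGINAL_LOGIN() is assumed here to be the function meant. All object names are constructed.

```sql
-- Added example (not from the slides): a user without login, EXECUTE AS /
-- REVERT as a stack, REVERT WITH COOKIE, and ORIGINAL_LOGIN() (assumed to be
-- the function the slide refers to).  Object names are constructed.

CREATE USER ReportReader WITHOUT LOGIN;      -- exists only in this database
GO
CREATE TABLE dbo.SensitiveReport (Id int, Body nvarchar(200));
INSERT INTO dbo.SensitiveReport VALUES (1, N'constructed row');
GRANT SELECT ON dbo.SensitiveReport TO ReportReader;
-- Only principals holding IMPERSONATE on ReportReader may switch to it.  dbo,
-- which runs this script, has it implicitly; for a constructed app user:
-- GRANT IMPERSONATE ON USER::ReportReader TO AppAccount;
GO

-- Frame 0 is the caller.  The top frame decides permissions, while
-- ORIGINAL_LOGIN() keeps reporting who actually connected.
SELECT USER_NAME() AS context_user, ORIGINAL_LOGIN() AS original_login;

EXECUTE AS USER = 'ReportReader';            -- push frame 1
SELECT USER_NAME() AS context_user, ORIGINAL_LOGIN() AS original_login;
-- context_user is now ReportReader; original_login is unchanged, and that is
-- the value an audit row should carry.
SELECT COUNT(*) AS rows_visible FROM dbo.SensitiveReport;   -- allowed via the grant
REVERT;                                      -- pop frame 1
SELECT USER_NAME() AS context_user;          -- back to the caller
GO

-- WITH COOKIE: only the holder of the cookie can pop the frame, so code that
-- runs later in the same session cannot silently REVERT to the caller's more
-- privileged context.  A bare REVERT here raises an error.
DECLARE @cookie varbinary(8000);
EXECUTE AS USER = 'ReportReader' WITH COOKIE INTO @cookie;
SELECT USER_NAME() AS context_user;          -- ReportReader
REVERT WITH COOKIE = @cookie;
SELECT USER_NAME() AS context_user;          -- caller again
GO

-- WITH NO REVERT pins the context for the rest of the session, which is the
-- slides' replacement for application roles (left commented so the script
-- can continue as the caller):
-- EXECUTE AS USER = 'ReportReader' WITH NO REVERT;
```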
Credentials:
• Store authentication information needed to access resources outside SQL Server
• Most contain a Windows username and password
• Permit access to Windows resources for SQL Server logins
• One credential can be mapped to multiple logins; one login can only be mapped to a single credential
• Mapped using CREATE/ALTER LOGIN; listed in sys.credentials
Proxies:
• Allow subsystems to make use of credentials for external access
• Specify proxy name, credential name and description
• The credential must be created first
• Assign the created proxy to the appropriate subsystems
SETUSER (deprecated, do not use; only for backwards compatibility):
• Limited to sysadmin and DBO only; DBO access is restricted; requires high privileges
• No stack on the impersonated context; revert via a SETUSER call
• NO REVERT
• Consider IMPERSONATE a privileged permission: Impersonator >= Impersonated
• AUTHENTICATE is a highly privileged permission: it can escalate to DBO
• Consider AUTHENTICATE SERVER as powerful as sysadmin!
Module encapsulation can be done using: ownership chaining, EXECUTE AS, code signing
• Always place a security check inside the module
• Don't rely on EXECUTE permission on the module
• Set the execution context on modules explicitly (don't leave the default)
• Use EXECUTE AS instead of SETUSER
• Use WITH NO REVERT/COOKIE instead of application roles
Cryptography is the science of keeping secrets. Encryption is the process of obscuring information to make it unreadable without special knowledge.
Plain text -> Cipher text -> Plain text
2000 years ago…
A famous electro-mechanical encryption device used to encrypt and decrypt messages
Every encryption method has an encryption algorithm and a decryption algorithm. When both algorithms depend on the same key, it is known as symmetric key encryption.
Diagram (symmetric key): the plain text 4428-6823-7821-2358 is encrypted with the symmetric key into 0x0088840517080E4FA2… and decrypted with the same key back to 4428-6823-7821-2358.
The biggest challenge has been the management of keys: how do I send you the key that I will use to encrypt the data that I send you? A chicken/egg problem.
Asymmetric keys: the keys are mathematically related; a key pair contains a public and a private key; it is computationally infeasible (today) to derive one from the other.
Diagram (asymmetric key): 4428-6823-7821-2358 is encrypted with the public key and decrypted with the private key.
Hashing:
• One-way function only; a fingerprint of the data
• Cannot derive the data from the hash
• Proves the integrity of the data: the recipient recalculates the hash and compares the values
Salt: a random number added to the encryption key or to a password to protect them from disclosure; also known as "Initialization Vector"
• Without salt, a value encrypted twice will have the same ciphertext
• Critical also to avoid known text in a known location
Algorithms: the magic recipe for scrambling data is the algorithm. Most algorithms are mind-numbingly complex mathematical equations; many algorithms are used, and not all are as useful as others. SQL Server uses the Microsoft CSP, limited to the algorithms available in the operating system.
Digitally signed modules. Two roles of the signing certificate:
• Secondary identity: extends the execution context
• Authenticator: vouches for the EXECUTE AS context defined in the module definition
NOTE: a signature can act as secondary identity and authenticator simultaneously
To send you encrypted data, I encrypt the data with your public key; you use your private key to decrypt; I know that only you can read it. SSL works like this.
Certificates: asymmetric keys with some metadata. Digital signatures bind together a public key with an identity, i.e. the name of a person or an organization, their address, etc. The signature can be from a certificate authority or self-signed.
Used to verify the identity of the person who has the public key. Use in real life: SSL connections to web servers, digital signatures in email.
SSL:
• Designed to authenticate the server, not the client
• Uses public key cryptography for the initial exchanges; a session key is then generated and exchanged and used for symmetric encryption
• Traffic overhead typically about 30%; must also consider CPU overhead
• Prevents "man in the middle" attacks and TCP hijacking
Execution Context
Signing a module attaches a cryptographic signature to the module:
• If the module does implicit impersonation, the certificate acts as an authenticator
• If a principal is mapped to the certificate, the certificate acts as a secondary identity
• The signature affects the execution context only if it is valid
• Changing a signed module requires re-signing it
• The signature only affects the execution context for the scope of the signed module; the executing user can still be audited/identified
CONTROL permission on the certificate is required. Syntax:
ADD SIGNATURE TO <module_name>
    BY CERTIFICATE <key_name>
    [ { WITH PASSWORD = 'password' | WITH SIGNATURE = binary_signature } ]
Signing implies trust in the group of people who have CONTROL on the signing private key, and trust in the code. If you don't trust the code or you are not comfortable with its quality, do not sign it. Signed code can move from one DB or server to another.
Certificate and asymmetric key principals:
• Exist as both logins and users
• A way to grant permissions to signers
• Cannot be used to log in; cannot be directly impersonated using EXECUTE AS
CREATE USER Cert_User FROM CERTIFICATE Cert1
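Module signing end to end, as described in the slides above: a certificate, a certificate user that holds the permission, ADD SIGNATURE, and a check of the result. This is an added example, not from the slides; all object names and the certificate password are constructed, and the procedure uses parameterised dynamic SQL because dynamic SQL is the case where ownership chaining alone does not help.

```sql
-- Added example (not from the slides): module signing within one database.
-- The procedure runs dynamic SQL, which breaks the ownership chain, so a
-- caller with only EXECUTE would need SELECT on the table.  Signing the
-- procedure with a certificate whose mapped user holds SELECT lends that
-- permission inside the module only.  Names and the password are constructed.

CREATE TABLE dbo.CardVault (CardId int PRIMARY KEY, Holder nvarchar(50));
INSERT INTO dbo.CardVault VALUES (1, N'George'), (2, N'Mike');   -- sample rows
GO
CREATE PROCEDURE dbo.LookupHolder @CardId int
AS
BEGIN
    -- Parameterised dynamic SQL: the input is bound, not concatenated.
    EXEC sp_executesql
        N'SELECT Holder FROM dbo.CardVault WHERE CardId = @Id',
        N'@Id int', @Id = @CardId;
END;
GO
-- The caller gets EXECUTE only (the slides: do not rely on that alone).
CREATE USER AppReader WITHOUT LOGIN;
GRANT EXECUTE ON dbo.LookupHolder TO AppReader;
GO

-- 1. Certificate whose private key is protected by a password.
CREATE CERTIFICATE LookupSigner
    ENCRYPTION BY PASSWORD = 'Placeholder-Cert-P@ssw0rd'
    WITH SUBJECT = 'Signs dbo.LookupHolder';
-- 2. Certificate principal: cannot log in or be impersonated; it only holds
--    the permission that signed modules gain as a secondary identity.
CREATE USER LookupSigner_User FROM CERTIFICATE LookupSigner;
GRANT SELECT ON dbo.CardVault TO LookupSigner_User;
-- 3. Sign.  CONTROL on the certificate is required, and the password unlocks
--    the private key for the signing operation.
ADD SIGNATURE TO dbo.LookupHolder
    BY CERTIFICATE LookupSigner
    WITH PASSWORD = 'Placeholder-Cert-P@ssw0rd';
GO

-- Verify as the low-privileged caller: the module works, a direct read does not.
EXECUTE AS USER = 'AppReader';
EXEC dbo.LookupHolder @CardId = 1;                 -- returns George
SELECT USER_NAME() AS ctx, ORIGINAL_LOGIN() AS original_login;   -- still attributable
-- SELECT * FROM dbo.CardVault;                    -- would fail: no SELECT for AppReader
REVERT;
GO

-- Any ALTER PROCEDURE drops the signature; check before relying on it.
SELECT OBJECT_NAME(p.major_id) AS module_name, c.name AS certificate_name
FROM sys.crypt_properties AS p
JOIN sys.certificates AS c ON c.thumbprint = p.thumbprint
WHERE p.class_desc = 'OBJECT_OR_COLUMN';
```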
Module Signing
![Page 60: 2 Core Concepts Execution Contexts Module Signing CryptographyAuditing.](https://reader035.fdocuments.in/reader035/viewer/2022062409/56649ee05503460f94bf04cd/html5/thumbnails/60.jpg)
PasswordPassword KeyKeyCertificateCertificate
Public KeyPublic Key Private KeyPrivate Key
Master KeyMaster Key PasswordPassword
Service KeyService KeyDP APIDP API
WrapsWraps AssociatedAssociatedwithwith
Secured BySecured By
Secured BySecured By
SecuredSecured ByBy
KeyKey
Secured BySecured By
![Page 61: 2 Core Concepts Execution Contexts Module Signing CryptographyAuditing.](https://reader035.fdocuments.in/reader035/viewer/2022062409/56649ee05503460f94bf04cd/html5/thumbnails/61.jpg)
• Typically requires varbinary datatype• Maximum encrypted size is 8000 bytes• Encrypted data is salted
Prevents copy/paste attacks Can’t reference encrypted columns
• Can’t index/full-text search encrypted columns Might index a hash instead Might index part of the column instead
• Encryption built-ins: EncryptByKey, DecryptByKey, DecryptByKeyAutoCert, DecryptByKeyAutoAsymKey, EncryptByCert, DecryptByCert, EncryptByAsymKey, DecryptByAsymKey
• Encrypted data is prefixed with the key GUID identifier (required for symmetric keys)
• Password protected keys vs. Database Master Key protected keys/certificates
• Decryption automatically determines the key
• Hashing: HashBytes (SHA1, MD5)
• Symmetric keys: no DDL support; these keys can be (re)generated from a passphrase (KEY_SOURCE + IDENTITY_VALUE + algorithm)
• Asymmetric keys: can import keys from .SNK strong-named files and strong-named assemblies; no option to export
• Certificates: can import/export DER-encoded X.509 certificates (.cer files); private keys only in PVK format (.pvk files)
Keys are stored with the database. After a restore, re-establish the Service Master Key encryption of the database master key:
OPEN MASTER KEY DECRYPTION BY PASSWORD = <password>
ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY
Key rotation:
• For keys that protect other keys: ALTER SERVICE MASTER KEY REGENERATE, ALTER MASTER KEY REGENERATE; add the new key encryption, remove the old key encryption
• For keys that protect data, the data needs to be decrypted and re-encrypted using the new key: inconvenient, but unavoidable
• For backups, keep track of the passwords that protect old keys
Diagram (EKM): SQL Server holds the data and a SQL EKM key (an HSM key proxy); the SQL EKM Provider DLL sits between SQL Server and the HSM.
• Key storage, management and encryption are done by the HSM module
• The SQL EKM key is a proxy to the HSM key
• The SQL EKM Provider DLL implements the SQLEKM interface and calls into the HSM module
EKM benefits. Security: data and keys are physically separated (keys are stored in HSM modules); centralized key management and storage for the enterprise; an additional authentication layer; separation of duties between db_owner and data owner. Performance: pluggable hardware encryption boards.
EKM providers are server objects:
CREATE CRYPTOGRAPHIC PROVIDER DataSafeProvider FROM FILE = 'DataSafeProvider.dll'
EKM keys are very similar to native keys and are managed using the same TSQL:
CREATE SYMMETRIC KEY SymmKeyEkm FROM PROVIDER DataSafeProvider WITH ALGORITHM = AES_256 …
• Visible in the same catalogs
• Data encryption with the standard built-ins
• Used to encrypt SQL native keys
Diagram (EKM key usage): the HSM holds an EKM symmetric key and an EKM asymmetric key; in SQL Server they appear as a symmetric key and an asymmetric key, which either encrypt data directly or protect a native symmetric key and the TDE DEK key, which in turn encrypt data.
Threats from administrators:
• Builtin\Administrators can debug the server process
• The server administrator (sysadmin) can look at server traces, mount luring attacks, and use extended procedures to dump memory
• Best lock-down for encryption: drop the service master key from the DB master key encryption
Goal: encrypting/decrypting columns without changing the application. Is this possible? Yes, by implementing a methodology of views, functions and triggers.
Diagram (abstraction layer): the application talks to SQL Server through an Encrypt/Decrypt abstraction layer with key management; the table holds Id, Name, CCno and Address with CCno stored as ciphertext (1 George 0Xjhsl…, 2 Mike 0Xkas…, 3 Dan 0Xoee…); the layer hands the application decrypted data and stores encrypted data and the keys.
Diagram (abstraction layer flow): DML passes through INSTEAD OF trigger(s) that encrypt and write the encrypted data; SELECT passes through view(s) that decrypt; the keys sit in the Encrypt/Decrypt abstraction layer.
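The abstraction layer from the two diagrams above, built with the column-encryption built-ins and key hierarchy from the earlier cryptography slides: a view that decrypts on read, an INSTEAD OF trigger that encrypts on write, and a hash column for lookups. This is an added example, not from the slides; all object names, the master key password, the pepper and the sample rows are constructed, and it assumes SQL Server 2012 or later for SHA2_256.

```sql
-- Added example (not from the slides): view/trigger abstraction layer over an
-- encrypted column.  The card number is encrypted with a symmetric key under
-- the database key hierarchy (DMK -> certificate -> symmetric key); a view
-- decrypts on read, an INSTEAD OF trigger encrypts on write, and a peppered
-- hash gives equality lookups the ciphertext cannot.  All names, the
-- password, the pepper and the sample rows are constructed.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder-DMK-P@ssw0rd';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';   -- private key secured by the DMK
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO

-- Storage table: ciphertext is varbinary and carries the key GUID prefix, so
-- it is larger than the plaintext and capped at 8000 bytes.
CREATE TABLE dbo.Customer_Enc (
    Id        int IDENTITY PRIMARY KEY,
    Name      nvarchar(50),
    CCno_Enc  varbinary(256),
    CCno_Hash binary(32)
);
GO

-- Peppered hash for lookups (SHA2_256 exists from SQL Server 2012; the slides
-- list SHA1/MD5 for older versions).  The pepper keeps the small card-number
-- space from being brute-forced from the hash alone.
CREATE FUNCTION dbo.CardLookupHash (@ccno nvarchar(32)) RETURNS binary(32)
WITH SCHEMABINDING
AS
BEGIN
    RETURN HashBytes('SHA2_256',
                     CONVERT(varbinary(64), N'Placeholder-pepper') +   -- constructed secret
                     CONVERT(varbinary(64), @ccno));
END;
GO

-- Read side: the application selects from dbo.Customer and sees plaintext.
-- DecryptByKeyAutoCert opens CardKey through the certificate (NULL: the
-- certificate has no password) and finds the key from each value's GUID
-- prefix.  NULLIF makes Id nullable in the view, so INSERTs through the view
-- need not supply a placeholder for the IDENTITY column.
CREATE VIEW dbo.Customer
AS
SELECT NULLIF(c.Id, 0) AS Id,
       c.Name,
       CONVERT(nvarchar(32),
               DecryptByKeyAutoCert(CERT_ID('CardCert'), NULL, c.CCno_Enc)) AS CCno
FROM dbo.Customer_Enc AS c;
GO

-- Write side: DML against the view is intercepted and encrypted.
CREATE TRIGGER dbo.Customer_Insert ON dbo.Customer
INSTEAD OF INSERT
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
    INSERT INTO dbo.Customer_Enc (Name, CCno_Enc, CCno_Hash)
    SELECT i.Name,
           EncryptByKey(KEY_GUID('CardKey'), i.CCno),  -- salted: same number, new ciphertext each time
           dbo.CardLookupHash(i.CCno)
    FROM inserted AS i;
    CLOSE SYMMETRIC KEY CardKey;
END;
GO

-- The hash, not the ciphertext, is what gets indexed.
CREATE INDEX IX_Customer_Enc_CCno_Hash ON dbo.Customer_Enc (CCno_Hash);
GO

-- Application-style usage with unchanged SQL (constructed sample rows).
INSERT INTO dbo.Customer (Name, CCno) VALUES (N'George', N'4428-6823-7821-2358');
INSERT INTO dbo.Customer (Name, CCno) VALUES (N'Mike',   N'4428-6823-7821-2358');
SELECT Id, Name, CCno FROM dbo.Customer;              -- two plaintext rows
SELECT Id, Name, CCno_Enc FROM dbo.Customer_Enc;      -- two different ciphertexts
SELECT Id, Name FROM dbo.Customer_Enc
WHERE CCno_Hash = dbo.CardLookupHash(N'4428-6823-7821-2358');   -- both rows, via the index
```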
Auditing: tracking and logging events.
• SQL Trace/Profiler commonly used in earlier versions
• An automated system was introduced in 2008
• Need to check government requirements or organizational standards
• The output of audit activity is often referred to as an "audit"
• An audit is at the instance level; multiple audits per instance are possible
• Implemented via the Extended Events infrastructure
Triggers have been widely used for auditing, but: no SELECT triggers; issues with nesting triggers; issues with trigger firing order; issues with performance
Extended Events: general event handling for servers.
• The intention is to provide end-to-end eventing with Event Tracing for Windows
• The engine is event agnostic
• Consumers of events are called "targets"
• Actions are distinct from the events raised
• Predicates can be used for filtering
• Server Audit Specification: one server audit specification per audit; collects server-level actions
• Database Audit Specification: one database audit specification per audit; collects database-level actions
• Audit Action Groups: predefined groups of actions
Results of an audit are sent to a target: file, Windows Security Event Log, or Windows Application Event Log.
• Must be reviewed and archived periodically
• Be cautious with the application log as any authenticated user can read it
• Writing to the security event log: the SQL Server service must be added to the "Generate Security Audits" policy
Audit catalog views and DMVs:
• sys.server_audits
• sys.server_file_audits
• sys.server_audit_specifications
• sys.server_audit_specifications_details
• sys.database_audit_specifications
• sys.database_audit_specifications_details
• sys.dm_server_audit_status
• sys.dm_audit_actions
• sys.dm_audit_class_type_map
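A complete audit built from the pieces in the preceding slides (server audit with a file target, server and database audit specifications using action groups, and the catalog views above to confirm it is running). This is an added example, not from the slides; the audit name, database name, table name and file path are constructed.

```sql
-- Added example (not from the slides): one server audit with a file target,
-- a server audit specification for login, principal, database and audit
-- changes, a database audit specification for DML on a sensitive table, and
-- the catalog views that show whether it is running.  The audit name, the
-- database, the table and the file path are constructed.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE ( FILEPATH = N'C:\AuditLogs\',
              MAXSIZE = 256 MB,
              MAX_ROLLOVER_FILES = 20 )
    WITH ( QUEUE_DELAY = 1000,
           ON_FAILURE = SHUTDOWN );   -- fail closed: no audit record, no server
    -- TO SECURITY_LOG needs the service account in the "Generate Security
    -- Audits" policy; TO APPLICATION_LOG is readable by any authenticated user.
GO

CREATE SERVER AUDIT SPECIFICATION SecurityAudit_ServerSpec
    FOR SERVER AUDIT SecurityAudit
    ADD ( FAILED_LOGIN_GROUP ),
    ADD ( SERVER_PRINCIPAL_CHANGE_GROUP ),
    ADD ( SERVER_ROLE_MEMBER_CHANGE_GROUP ),   -- new sysadmin members
    ADD ( DATABASE_CHANGE_GROUP ),             -- ALTER DATABASE, including SET TRUSTWORTHY
    ADD ( AUDIT_CHANGE_GROUP )                 -- someone altering or stopping the audit
    WITH ( STATE = ON );
GO

USE SalesDb;   -- constructed database holding the constructed dbo.CardVault table
GO
CREATE DATABASE AUDIT SPECIFICATION SalesDb_AuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD ( DATABASE_ROLE_MEMBER_CHANGE_GROUP ),
    ADD ( SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.CardVault BY public )
    WITH ( STATE = ON );
GO

USE master;
GO
ALTER SERVER AUDIT SecurityAudit WITH ( STATE = ON );
GO

-- Health check: a STARTED status and a current file path.
SELECT a.name, s.status_desc, s.audit_file_path, a.on_failure_desc, a.queue_delay
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;

-- Review the file target.  server_principal_name is the effective login and
-- session_server_principal_name the original login, so actions taken under
-- EXECUTE AS remain attributable to whoever connected.
SELECT event_time, action_id, succeeded,
       session_server_principal_name AS original_login,
       server_principal_name         AS effective_login,
       database_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\AuditLogs\*', DEFAULT, DEFAULT)
WHERE succeeded = 0            -- denied actions and failed logins
   OR action_id = 'LGIF'       -- login failed
ORDER BY event_time DESC;
```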
Auditing