tags:

views:

58

answers:

2
Q: 

Querystring encryption in sql server

I need to create a token to appear on a querystring that can be passed to a web page and decoded in order to find a record in a database view.

The token should not be vulnerable to brute force incrementing value type attacks.

View records in the database are uniquely defined as a combination of two keys.

The generation of this token needs to happen in the database and on demand. The database is accessed directly by another system that generates emails utilising the data in the view.

I have tried generating a sha1 hash based on the two keys and then url safe base64 encoding the result, but since it is a one way operation the lookup at the web end is unacceptably slow.

I think symmetric key encryption would be suitable, as long as the encryption occurred in the database, and the decryption occurred in the website, before the lookup.

At this stage I'm leaning towards building a CLR function to populate a generated column in the view.

A: 

So you want the database to generate a "token", pass that value out to the application (web/internet), and later a user will return that token and the database will use it essentially as a lookup/primary key value? And you want the values generated to be such that a hacker [our friend Mallory] cannot (a) guess the token for a specific account and/or (b) guess any valid token for an account?

Why not just make it a random number? A 4 byte value gets you 4 billion values, 8 bytes gets you 4 petabytes of values (2^64), and it keeps going up. Admittedly you have the age-old issue of generating a truly random number (Maybe try these guys?), and you need to gauge the ratio of possible tokens to valid tokens against how long a brute force attack would require to guess them, but you'll get that with any kind of security.

My question is, why bother with hashes and encryption if the data you're passing out is just a lookup key?

Philip Kelley  2010-01-13 04:22:38
A random number is a good idea, as long as it's big enough to avoid collisions, but since the data is in a view rather than a table it doesn't actually exist as such. In order to use a random number I would need to have a real table based on the view data. Since the view contains a cross join this would lead to a bit of a data explosion.
aboy021  2010-01-13 21:18:58
+1  A: 

I've ended up writing a CLR function that uses triple DES to encrypt a salted concatenated string containing the keys I need. This function is used for a computed column on the view.

I used this page as a basis for the triple DES code: http://www.dotnetspark.com/kb/1279-triple-des-encryption-and-decryption-using.aspx

It's performant and secure, though a bit more work than I think is necessary in most situations.

aboy021  2010-01-15 01:46:27

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?