ansaurus

Question

How would I encrypt string data in SQL server 2008 while keeping the ability to query over it?

Answer 1

A:

You could generate a hash (such as Md5 ) and store the hash value in the db. When you query you can select * from [my table] where value = {md5 hash}

Mikos 2010-01-20 13:15:26

remember though if you md5 hash it you'll not be able to read the data back out of the database, good for passwords, less good for customer details etc...http://stackoverflow.com/questions/330207/how-come-md5-hash-values-are-not-reversible

runrunraygun 2010-01-20 13:22:12

md5 is not an encryption algorithm it is a message digest. Also md5 should NEVER be used for security, it is very broken.

Rook 2010-01-20 17:15:38

yup, you can reverse an md5hash far enough to return a portion of the original string.

runrunraygun 2010-01-20 19:23:54

Answer 2

+1 A:

if you use the same encryption key you could encrypt your search query string and match against that. Say my password is runrun i encrypt it to ZAXCXCATXCATXCA then when i want to search for a user with password runrun encrypt it first and it will match the table entry.

runrunraygun 2010-01-20 13:17:30

You will not be able to search for *parts of* your data, though, only for complete string matches.

Tomalak 2010-01-20 13:31:56

You are correct. I didn't realise this was an explicit requirement of the OP?

runrunraygun 2010-01-20 13:41:30

The thread may be helpful for this answer: http://itknowledgeexchange.techtarget.com/itanswers/sql-joins-on-encrypted-data/

doug_w 2010-01-20 14:52:54

Answer 3

+1 A:

I like using SQL Server's key management: http://technet.microsoft.com/en-us/library/bb895340.aspx . After you have a key setup then its really easy to use:

To insert records you do this:

insert into PatientTable values ('Pamela','Doc1',
encryptByKey(Key_GUID('secret'),'111-11-1111'),
encryptByKey(Key_GUID('secret'),'Migraine'))

To select the record back out its really simple:

select Id, name, Docname
from PatientTable where SSN=encryptByKey(Key_GUID('secret'),SSN)

The cipher text will always be the same so it is much more efficient to compare the cipher text's instead of going though and decrypting each one.

Rook 2010-01-20 17:32:12

Answer 4

A:

AFAIK, Most RDBMS do not support this, what I usually see is either:

A) The DB query API encrypts the data with a key that only the local server knows before it is sent to the remote db and decrypts when it's received.

or

B) The remote database stores everything encrypted with a key that it knows (probably at run time, given physically by an admin, or it's given the key with the query).

A will let you use the database without letting the owners know what's being stored, but you wont be able to do queries on the actual encrypted data other than maybe equality. B only protects against physical server theft (server has to be off though or they can get the key from memory...).

What I assume you want is called Private Information Retrieval. It's a fairly young field, I don't think you're going to find a decent implementation at the moment.

Longpoke 2010-01-20 18:07:44

ansaurus

tags:

views:

answers:

How would I encrypt string data in SQL server 2008 while keeping the ability to query over it?

related questions