ansaurus

Question

Answer 1

+1 A:

My guess is that by encrypting the column, you are forcing a full table scan each time you query it (although check the plan to be sure). Creating an index over SSN would make the encryption pointless.

geofftnz 2010-03-22 23:10:47

SSN is in varbinary format thus cannot be indexed.

Sung Meister 2010-03-22 23:18:42

Answer 2

+3 A:

One problem that is going to be hard to overcome is using wildcard searching requires an index or table scan of some sort which requires unencrypting every row.

Optimize instead by pre-encrypting the search values(s) to allow indexing of the encrypted values.

If you were to require explicit matching you could do something like this, note the encryption is done on the input value, not the column:

select  Client_ID 
from    tblClient (nolock) 
where   SSN = convert(nvarchar(11), ENCRYPTBYKEY(@SSN))

However... for a search, you may want to look into an optimization that sort of achieves this by placing the segments of the SSN into separate indexed fields, then parsing the input string, and doing

select  Client_ID 
from    tblClient (nolock) 
where   SSNFIRST3 = convert(nvarchar(3), ENCRYPTBYKEY( <parsed prefix here> )) 
and SSNSECOND2 = convert(nvarchar(2), ENCRYPTBYKEY( <parsed middle section here> ))

You are only doing the encryption/decryption on the input values, not the rows.

The assumption is you write a bit of simple regex code to parse out the search string into separate pieces to feed the above query. The affect of the above is at least you can utilize index searches which should be drastically faster than what you have now because of the limited rows visited.

EDIT: I meant ENCRYPTBYKEY, changed above.

mrjoltcola 2010-03-22 23:16:44

Let me try this approach.

Sung Meister 2010-03-23 13:06:36

Comparisong using encrypted key did not work. For some reason, Encrypted column values and encrypted input value did not match. (As i read oleksiy.t's answer (http://stackoverflow.com/questions/2496398/optimizing-encrypted-column-search/2496490#2496490), it turns out that `DecryptByKey` is a non-deterministic (returns different value every time) therefore encrypting input SSN would not work and did not work.

Sung Meister 2010-03-23 14:42:02

Answer 3

+3 A:

The simple solution is to add an unencrypted column for first characters of SSN. And this is the hard one.

2010-03-22 23:27:03

I read the article and added a new column containing hash of orignal value and the search is done through the hash column. Thanks oleksy.t

Sung Meister 2010-03-23 14:46:34

+1 I don't like the simple solution. But the linked article is a really nice writeup of the pros and cons of different solutions. E.g. adding a hash for indexing throws away some of the advantage of using a non-deterministic encryption.

Accipitridae 2010-03-25 08:24:14

ansaurus

tags:

views:

answers:

Optimizing encrypted column search

related questions