May 9, 2005 at 5:23 pm
Hi,
Aside from creating an encryption algorithm that will handle protection of password, is there anyway that I can do the protection in SQL?
Regards.
Ann
May 9, 2005 at 7:58 pm
Best method is to handle the encryption at the client end. That way you're not passing un-encrypted data which can be intercepted before it gets to the server.
If you wan't to encrypt at the server end you can use the undocumented pwdencrypt() function. Check the sp_password procedure for details, or you can do a google search to get more details. If you do perform a google search, take note of the search results outlining cracking the passwords, which highlights another reason not to venture down this path
--------------------
Colt 45 - the original point and click interface
May 11, 2005 at 2:20 am
Phil, that is a good point, what are your experiences/ suggestions for client side encryption for WEB applications (lets exclude use of SLL for intranet applications)?
What are your recommendations for a non microsoft/active directory solution. i.e. suitable for general anonymous internet/intranet users, that have nothign to do with microsoft / domain security?
I look forward to your thoughts. thanks.
David
May 11, 2005 at 7:19 pm
What sort of WEB applications are we talking about here? ASP.NET, ASP, PHP, etc...
I'm not the most authoritive person to speak on encryption methods. I don't know about other languages, but I know that ASP.NET has inbuilt encryption methods. I'm pretty sure there are many "plug-in" modules for encryption in the languages that don't have it inbuilt.
--------------------
Colt 45 - the original point and click interface
May 16, 2005 at 7:08 am
Our office does the same...we have a vb dll for older apps and a vb.net dll for the web and winforms to use, both of which have a variety of encryption methods in them....we call the dll to receive an encrypted password at the client side, or pass it the encrypted value from the database to be decrypted, again at client side.
There are a lot of encryption decryption examples out there at the .net sites; grab one and adapt it to your needs.
Phils comment is right on...if you use a udf function on the server, a simple profile and trace would give you the command when it gets encrypted....that's potentially a security breakdown, but you gotta balance that with how probable it would be to happen on your network.
Lowell
May 17, 2005 at 4:20 am
Hi there, yes when I say web apps I mean for asp.net (for phil). From my understanding these inbuilt encryption methods still needs to pass the password field along the network unencrypted before the encryption is run on the server (runat=server). Our previous code structure (DNA vb dll's does encryption once it hits the server, so i understand this). But I am interested in your point you raised at the beginning of this thread about encrypting at the client side (certainly this is the correct way to go). Can you give a specific example that does the encryption on the client side? The specific object or method would be great. Is there anything else apart from SSL? This would be linked to the capabilities of the browser & or operating system?
Your feedback is much appreciated.
Thanks guys.
May 17, 2005 at 6:32 am
For a .NET application, you can start with some of the built in encryption methods from the framework;
http://www.codeproject.com/dotnet/SimpleEncryption.asp
has a handful of examples using it, as well as comments as to the pros and cons of each method.
from there you can determine what gets saved to the database in encrypted format, and decrypted, compared, etc.
Hope that helps.
Lowell
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply