Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
ValterBorges
Master Smack Fu Yak Hacker
1429 Posts |
 Posted - 2002-12-03 : 20:01:05
|
| Does microsoft have a fix for better encryption?Edited by - ValterBorges on 12/03/2002 21:12:06 |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-12-03 : 20:24:31
|
Valter-If you're posting a link that provides means to decrypt procedures, I'd appreciate it if you'd remove it. It would be better if SQL Team did not become a resource for people to hack or break SQL Server encryption/security, even if they are weak.If you could also edit your post so that there are no details or even generalizations on breaking encryption. We've already had people do this before, it really doesn't help to point out exactly how to go about breaking it.Soooooo, anyone else think that encryption is a good idea???  Edited by - robvolk on 12/03/2002 20:27:08 |
 |
|
|
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts |
Posted - 2002-12-03 : 20:28:37
|
| I think also it should be stated, that this Encryption is not designed as a bullet proof encryption system. It is more to stop accidental editing of your stored procedures and casual prying eyes.If someone can get close enough to your data to be able to run that sort of code, you have bigger problems than your source code being seen.Damian |
|
|
|
ValterBorges
Master Smack Fu Yak Hacker
1429 Posts |
Posted - 2002-12-03 : 21:17:42
|
| What if you're trying to create a distributable msde database or creating a db for a client and you don't want to share your code.I just wanted to know if anyone has a seen a fix.I have removed the link and I agree that we should not be going around breaking security. However, it was very easy to find and why not educate people to the fact that there is a problem with the encryption so that users don't try it believing they're code is safe.Edited by - ValterBorges on 12/03/2002 21:18:12Edited by - ValterBorges on 12/03/2002 21:19:50 |
|
|
|
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts |
Posted - 2002-12-03 : 21:41:29
|
quote:
What if you're trying to create a distributable msde database or creating a db for a client and you don't want to share your code.
I think that is just a risk you have to assume when you distribute any application. Pretty much any code can be reverse engineered given enough time. Besides, just running profiler or analyzing your transaction logs will give you a pretty good idea of what is going on.Also, SQL2000 doesn't allow anyone to see even the encrypted source via usual means, which makes you better off than with SQL 7.Damian |
|
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-12-03 : 21:47:40
|
quote:
why not educate people to the fact that there is a problem with the encryption so that users don't try it believing they're code is safe.
I totally agree with that. By the same token, the fullest details and code examples aren't necessary to prove that it's vulnerable. My only objection is providing a link to that code directly. Linking it or publishing it on SQL Team will only attract the wrong crowd. Saying it's easy to find on the internet is fine; let the script kiddies find it on their own.As far as stronger encryption, there are 3rd party products out there that work with SQL Server (for encrypting data, I don't think they work with procedure code) But if you need to keep your existing code secure, use encryption and hope your clients are too stupid to know how to search the internet.  (hmmmmm, now what if they were SQL Teamers and found the link here that decrypts the code?)I'm pretty sure the next version of SQL Server will have better encryption capabilities since it will be tightly integrated with .Net, which has at least one very comprehensive Cryptography library available. |
|
|
|
ValterBorges
Master Smack Fu Yak Hacker
1429 Posts |
Posted - 2002-12-03 : 22:32:32
|
quote:
I'm pretty sure the next version of SQL Server will have better encryption capabilities since it will be tightly integrated with .Net, which has at least one very comprehensive Cryptography library available.
I hope so.While were on the subject does anyone know if dts passwords are also easily cracked.Edited by - ValterBorges on 12/03/2002 22:32:46 |
|
|
|
|
|
|
|
|
BETTER ENCRYPTION?