WebApp Sec mailing list archives
RE: Encrypted storage
From: "Singh, Yashpal" <ysingh () ipolicynet com>
Date: Thu, 9 Sep 2004 15:12:02 +0530
Hi,

We are using a third-party encryption-decryption DLL for securing the credit card numbers.

Circumstances
1. We need to secure only 2 columns in the table, and that too with a third-party DLL.
2. No other special circumstances.

Performance Hit
1. The DLL gets loaded into SQL Server's memory. You need to take care of releasing it. (This is not a major issue.)
2. The query execution time is a bit slower, which is obvious because now you will execute a function to encrypt/decrypt the data. (This is not a major issue because we never execute such a query in bulk. I mean we execute such a query for each user as and when required.)
3. So overall there is no performance hit unless you are not releasing the DLL (see step 1). We got a major memory leakage issue in production because of step 1.

Gotchas
1. You just need to ensure that you have the right version of the DLLs installed. For example, you have Enc1.dll for encryption and Dec1.dll for decryption. Any data encryption done via Enc1.dll can be decrypted via Dec1.dll.

Encrypted Communication
SSL: You can use Secure Sockets Layer for all communication between a client machine and the SQL Server machine.

Hope this helps,
Yash

-----Original Message-----
From: Jeffrey Koniszewski [mailto:jkoniszewski () kronos com]
Sent: Thursday, September 09, 2004 2:09 AM
To: webappsec () securityfocus com
Subject: Encrypted storage

I was wondering (because customers have asked me) whether anyone is configuring their database to store all information encrypted. Databases have this capability but the overhead can be so heavy that vendors don't recommend using it generically. Also, if most of the data is not sensitive it is a lot of work to protect small amounts of data.

Is anyone aware of someone using this capability? Under what circumstances? What's the performance hit? What other gotchas? How about encrypted communication to the DB from the app server?