SQL SERVER2005加密解密数据

2024-08-31 00:49:04

字体：大中小

来源：转载

供稿：网友

讲述sql server 2005的数据加密功能和配置以及如何通过它实现对敏感数据的保护。

演示用的脚本提供给大家作为参考：

--------------------------------------------------------------------------------

/*[课程]使用数据库加密保护敏感数据demo 1了解sql2005加密层次结构[过程]过程一共分为4个部分*/--==================(i)服务主密钥=====================--1.)备份服务主密钥到文件backup service master key to file = 'c:/dbfile/smk.bak'encryption by password = '[email protected]'--2.)生成新的服务主密钥alter service master key regenerate;go--3.)从备份文件还原服务主密钥restore service master key from file = 'c:/dbfile/smk.bak' decryption by password = '[email protected]'--==================(ii)数据库主密钥=====================--1.)为northwind数据库创建数据库主密钥use northwind gocreate master key encryption by password = '[email protected]'go--2.)查看数据库加密状态select [name], is_master_key_encrypted_by_server from sys.databases where name = 'northwind';go--3.)查看数据库主密钥的信息use northwindselect * from sys.symmetric_keysgo--4.)对数据库主密钥进行备份use northwindgobackup master key to file = 'c:/dbfile/dmk.bak' encryption by password = '[email protected][email protected]'go--5.)删除服务主密钥对数据库主密钥的保护-- 创建非对称密钥成功，自动使用服务主密钥解密并使用该数据库主密钥create asymmetric key asy_testkey1 with algorithm = rsa_1024 go-- 删除服务主密钥对数据库主密钥的保护alter master key drop encryption by service master keygo-- 查看数据库的加密状态select [name], is_master_key_encrypted_by_server from sys.databases where name = 'northwind';-- 创建非对称密钥失败，数据库主密钥未打开create asymmetric key asy_testkey2 with algorithm = rsa_1024 go-- 打开数据库主密钥未open master key decryption by password = '[email protected]'select * from sys.openkeys-- 创建非对称密钥成功create asymmetric key asy_testkey2 with algorithm = rsa_1024 go-- 恢复服务主密钥对数据库主密钥的保护alter master key add encryption by service master keyclose master key--==================(iii)证书=====================--1.)让sql2005创建自签名的证书use northwindgocreate certificate cert_testcert1 encryption by password = '[email protected]' with subject = 'testcert1', start_date = '1/31/2006', expiry_date = '1/31/2008'goselect * from sys.certificates--2.)从文件导入证书use northwindgocreate certificate cert_testcert2 from file = 'c:/dbfile/mscert.cer'goselect * from sys.certificates--3.)备份导出证书和私钥backup certificate cert_testcert1 to file = 'c:/dbfile/testcert1.cer' with private key (decryption by password = '[email protected]' , file = 'c:/dbfile/testcert1_pvt' , encryption by password = 'pa$w0rd')--4.)使用证书加密、解密数据declare @cleartext varbinary(200)declare @cipher varbinary(200)set @cleartext = convert(varbinary(200), 'test text string')set @cipher = encryptbycert(cert_id('cert_testcert1'), @cleartext)select @cipherselect convert(varchar(200), decryptbycert(cert_id('cert_testcert1'), @cipher, n'[email protected]')) as [cleartext]--5.)删除证书私钥alter certificate cert_testcert1 remove private keygo-- 加密成功，解密失败declare @cleartext varbinary(200)declare @cipher varbinary(200)set @cleartext = convert(varbinary(200), 'test text string')set @cipher = encryptbycert(cert_id('cert_testcert1'), @cleartext)select @cipherselect convert(varchar(200), decryptbycert(cert_id('cert_testcert1'), @cipher, n'[email protected]')) as [cleartext]--==================(iv)非对称密钥=====================--1.)使用sn.ext生成非对成密钥文件-- sn -k c:/dbfile/asy_test.key--2.)从文件创建非对称密钥use northwindgocreate asymmetric key asy_test from file = 'c:/dbfile/asy_test.key' encryption by password = '[email protected]'goselect * from sys.asymmetric_keys

/*
[课程]使用数据库加密保护敏感数据

demo 2
使用密钥对列数据进行加密

[过程]
过程一共分为4个部分

--==================(i)准备=====================
--1.)创建示例表
use northwind
if exist dbo.empsalary drop table dbo.empsalary;

create table dbo.empsalary(
    empid int,
    title nvarchar(50),
    salary varbinary(500)
)
go

--2.)创建数据库主密钥
create master key encryption by password = '[email protected]'
go

--3.)

--4.)创建用于加密的对称密钥
create symmetric key sym_salary
with algorithm = aes_192
encryption by password = '[email protected]';

select * from sys.symmetric_keys where [name] = 'sym_salary'

--==================(ii)加密列数据=====================

--1.)打开对称密钥
open symmetric key sym_salary
decryption by password = '[email protected]'

select * from sys.openkeys --查看打开的对称密钥

--2.)向表中插入数据，并对salary列的数据进行加密
insert into empsalary values (1, 'ceo', encryptbykey(key_guid('sym_salary'), '20000'))
insert into empsalary values (2, 'manager', encryptbykey(key_guid('sym_salary'), '10000'))
insert into empsalary values (3, 'db admin', encryptbykey(key_guid('sym_salary'), '5000'))

--3.)关闭打开的对称密钥
close symmetric key sym_salary

select * from sys.openkeys --查看打开的对称密钥

--4.)查看表中存放的数据
select * from empsalary

--==================(iii)解密并访问被加密了的数据列=====================
--1.)打开对称密钥
open symmetric key sym_salary decryption by password = '[email protected]'

--2.)使用对称密钥解密并访问被加密了的数据列
select empid, title, cast(decryptbykey(salary) as varchar(20)) as salary from empsalary

--3.)关闭对称密钥
close symmetric key sym_salary

--==================(iii)绕过加密数据的攻击=====================
--1.)攻击者使用其它数据行的加密数据替换某一行的数据
select * from empsalary
update empsalary set salary =
(select salary from empsalary where empid = 1)
where empid = 3

--2.)查看被攻击后解密的数据
open symmetric key sym_salary decryption by password = '[email protected]'
select empid, title, cast(decryptbykey(salary) as varchar(20)) as salary from empsalary
close symmetric key sym_salary

--==================(iv)使用验证器防止绕过加密数据的攻击=====================
--1.)删除前面添加的数据行
delete from empsalary

--2.)向表中插入数据，并对salary列的数据使用验证器进行加密，第四个参数是加密因子
open symmetric key sym_salary decryption by password = '[email protected]'
insert into empsalary values (1, 'ceo', encryptbykey(key_guid('sym_salary'), '20000', 1, '1'))
insert into empsalary values (2, 'manager', encryptbykey(key_guid('sym_salary'), '10000', 1, '2'))
insert into empsalary values (3, 'db admin', encryptbykey(key_guid('sym_salary'), '5000', 1, '3'))
close symmetric key sym_salary

--3.)解密并访问被加密了的数据列
open symmetric key sym_salary decryption by password = '[email protected]'
select empid, title, cast(decryptbykey(salary, 1, cast(empid as varchar(3))) as varchar(20)) as salary from empsalary
close symmetric key sym_salary

--4.)攻击者使用相同的方法篡改数据
select * from empsalary
update empsalary set salary =
(select salary from empsalary where empid = 1)
where empid = 3

--5.)被篡改后的加密了的数据列变成无效
open symmetric key sym_salary decryption by password = '[email protected]'
select empid, title, cast(decryptbykey(salary, 1, cast(empid as varchar(3))) as varchar(20)) as salary from empsalary
close symmetric key sym_salary

/*
[课程]使用数据库加密保护敏感数据

demo 3
使用证书签署存储过程

[过程]
过程一共分为2个部分

--==================(i)示例准备=====================
--1.)创建数据库主密钥
use northwind
go
create master key encryption by password = '[email protected]'

--2.)创建签署存储过程所需要的证书
create certificate cert_products
    with subject = 'products sign',
    start_date = '2006/1/1',
    expiry_date = '2008/1/1'

--3.)创建spdeveloper登录帐户和用户，该用户创建访问products表的存储过程
create login [spdeveloper] with password=n'[email protected]', default_database=[northwind]
go
create user [spdeveloper] for login spdeveloper with default_schema=[spdeveloper]
go
create schema products authorization spdeveloper
go
exec sp_addrolemember @rolename = 'db_owner', @membername = 'spdeveloper'

--4.)以spdeveloper的身份创建存储过程products.usp_products
execute as user = 'spdeveloper'
go
create procedure products.usp_products
as
select top 5 * from dbo.products
go

revert
select user

--4.)创建普通用户jerry
create login jerry with password=n'[email protected]', default_database=[northwind]
create user jerry for login jerry

--==================(ii)使用证书签署存储过程=====================
--1.)授予用户jerry执行存储过程的权限
grant execute on products.usp_products to jerry

--2.)以jerry的身份执行存储过程失败，因为拥有全链是断裂的
execute as user = 'jerry'
select user
go

execute products.usp_products
go

revert

--3.)使用证书在当前数据库创建用户productsreader，
-- 并为该用户赋予读取products表的权限
create user productsreader for certificate cert_products
go
grant select on products to productsreader

--4.)使用证书签署当前存储过程
add signature to products.usp_products by certificate cert_products

--4.)以jerry的身份重新执行存储过程，成功，
-- 因为存储过程将以productsreader的权限上下文执行
execute as user = 'jerry'
select user
go
execute products.usp_products

讲师: 牛可

          时间: 2006年8月9日 10:00--11:30
          产品: sql server
          技术等级: 200

欢迎大家积极参与讨论

课后问题及答案

1. 在sql server 2005中，数据库的主密钥可以直接用来加密保护：（ab）

a. 证书的私钥

b. 非对称密钥的私钥

c. 非对称密钥的公钥

d. 服务主密钥

2. 当采用加密技术来保护数据库中的大量敏感数据时，为了兼顾性能和数据的安全性，最佳的做法是：（c）