08-Data Encryption

Uploaded by

Chamodh Dewanka

Database Encryption

Dinesh Asanka
Introduction
• Encryption is the process of obfuscating data by the use of a key or
password.
• Data is useless without the corresponding decryption key or password.
• Encryption does not solve access control problems.
• It enhances security by limiting data loss even if access controls are
bypassed.
Issues in Encryption
• Need additional resources
  • CPU – Encryption and decryption need more CPU.
  • Storage – Not a major concern.
  • Memory – As databases read from memory.
• Key Management – Maintenance
• Performance
• There are other alternatives in databases such as Authentication &
Authorization.
Standard Symmetric Algorithms

Algorithm  Type    Key (bits)  Strength    DBMS
DES        Block   56          Weak        Oracle, MS SQL
3DES       Block   128         Acceptable  Oracle, MS SQL
AES-192    Block   192         Strong      Oracle DBMS Crypto, MS SQL
AES-256    Block   256         Strong      Oracle DBMS Crypto, MS SQL
RC4        Stream  1-256       Strong      Oracle DBMS Crypto, MS SQL
RC2        Block   128         Acceptable  MS SQL
Full Database Encryption

[Diagram: Application, Clear Text, OS & File System, Database]

– Lack of Granular Access Control
– Performance Impact
– SQL Server – Transparent Data Encryption
– Limited Key Management
• Not Recommended
OS or File System Encryption

[Diagram: Application, Clear Text, OS & File System, Database]

Same problems as Full DB Encryption
– Lack of Granular Access Control
– Performance Impact
– Limited Key Management
• Not Recommended
Field Level by DB or Middleware

[Diagram: Application, Clear Text, Database; Table with columns ID and SSN, rows 1 to 4]

• Recommended
+ Granular Access Control
+ Limited Performance Impact
- Clear text communications should be encrypted
Field Level by the Application

[Diagram: Application, Cipher Text, Database; Table with columns ID and SSN, rows 1 to 4]

• Recommended
+ Granular Access Control
+ Resistant to DB attacks and DBA Insider threats
+ Less impact from other weak applications
± Each application implements key management
Keys?
Symmetric Encryption
• Symmetric encryption is the oldest and best-known technique.
• A secret key, which can be a number, a word, or just a string of
random letters, is applied to the text of a message to change the
content in a particular way.
• This might be as simple as shifting each letter by a number of places
in the alphabet.
• As long as both sender and recipient know the secret key, they can
encrypt and decrypt all messages that use this key.
Asymmetric Encryption
• The problem with secret keys is exchanging them over the Internet or a large network
while preventing them from falling into the wrong hands. Anyone who knows the
secret key can decrypt the message.
• One answer is asymmetric encryption, in which there are two related keys--a key pair.
• A public key is made freely available to anyone who might want to send you a message.
• A second, private key is kept secret, so that only you know it.
• Any message (text, binary files, or documents) that is encrypted by using the public
key can only be decrypted by applying the same algorithm, but by using the matching
private key.
• Any message that is encrypted by using the private key can only be decrypted by using
the matching public key.
Certificate
• A certificate is a package of information that identifies a user or a
server, and contains information such as the organization name, the
organization that issued the certificate, the user's e-mail address and
country, and the user's public key.
• When a server and client require a secure encrypted communication,
they send a query over the network to the other party, which sends
back a copy of the certificate. The other party's public key can be
extracted from the certificate.
• A certificate can also be used to uniquely identify the holder.
Encryption Hierarchy
Different Keys and Certificate
• Extensible Key Management (EKM)
  • Key is stored outside the database
• Service Master Key (SMK)
  • Root of the encryption hierarchy in the database
• Database Master Key (DMK)
  • Symmetric key used to encrypt AK, SK, and Certificate.
• Asymmetric Keys
  • Private and Public Keys
• Symmetric Keys
  • Faster and Less Expensive
• Certificate
  • Digitally signed keys
Cell Level Encryption
• Encrypted data cannot be compressed, but compressed data can be
encrypted.
• Stronger encryption algorithms consume more processor resources.
• SQL Server 2016 supports AES_128, AES_192, AES_256. Support for
DES is deprecated.
• If you are encrypting a lot of data it is recommended that you encrypt
the data using a symmetric key, and then encrypt the symmetric key
with an asymmetric key.
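The key chain described in the two slides above (DMK, asymmetric key, symmetric data key, encrypted cell), written out in T-SQL as an added example that is not part of the original slides. The database, table and key names, the password placeholder and the sample SSN are hypothetical.

```sql
-- Added example: all object names and the password are hypothetical.
CREATE DATABASE CellEncDemo;
GO
USE CellEncDemo;
GO
-- Database Master Key (DMK); SQL Server also protects it with the Service Master Key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
GO
-- Asymmetric key pair; its private key is protected by the DMK.
CREATE ASYMMETRIC KEY SsnKeyProtector WITH ALGORITHM = RSA_2048;
GO
-- Symmetric data key, stored encrypted by the asymmetric key.
CREATE SYMMETRIC KEY SsnDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY SsnKeyProtector;
GO
CREATE TABLE dbo.Customer (
    ID      INT            NOT NULL PRIMARY KEY,
    SSN_Enc VARBINARY(256) NOT NULL   -- holds ciphertext only
);
GO
OPEN SYMMETRIC KEY SsnDataKey DECRYPTION BY ASYMMETRIC KEY SsnKeyProtector;

-- Constructed sample value. The authenticator (here the row ID) ties the
-- ciphertext to its row, so a value copied into another row fails to decrypt.
INSERT INTO dbo.Customer (ID, SSN_Enc)
VALUES (1, ENCRYPTBYKEY(KEY_GUID('SsnDataKey'), N'000-00-0000',
                        1, CONVERT(VARBINARY(4), 1)));

SELECT ID,
       CONVERT(NVARCHAR(11),
               DECRYPTBYKEY(SSN_Enc, 1, CONVERT(VARBINARY(4), ID))) AS SSN
FROM dbo.Customer;

CLOSE SYMMETRIC KEY SsnDataKey;
GO
-- Review which symmetric keys exist and what protects each one.
SELECT sk.name, sk.algorithm_desc, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
LEFT JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id;
```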
Encryption Outside Databases
• Data Files – TDE
• Always Encrypted
• Database Backups
• Log Shipping
  • Backups are available in two places
• Mirroring
  • By default, Mirroring is Encrypted.
Always Encrypted
• Designed to protect sensitive data at column level.
• Used to protect data from high-privileged users like DBAs and System
Admins.
• Master Key & Column Key
  • The Column Key protects the data and the Master Key protects the Column Key
• Two Encryption Types
  • Deterministic encryption
  • Randomized encryption
Encryption Types
• Deterministic Encryption
  • Always generates the same value for any given plain text
  • Allows searching, lookups, joins, grouping, constraints, and indexing on
    encrypted columns.
• Randomized Encryption
  • It generates a different encrypted value for the same plaintext each time.
  • It is more secure encryption.
  • Not possible to use this type of encryption for searching, lookups, joins,
    grouping, constraints, indexing columns.
Encryption Key Type
• Column Encryption Keys
  • Used to encrypt sensitive data stored in database columns.
  • Should store column encryption keys in a secure / trusted location for backup.
• Column Master Keys
  • Column Master Keys are key-protecting keys used to encrypt column encryption
    keys.
  • Column master keys must be stored in a trusted key store.
Transparent Data Encryption
• Encryption of the database file is performed at the page level.
• TDE encrypts Data and Log files.
• Enables software developers to encrypt data by using AES and 3DES
encryption algorithms without affecting applications.
• TDE works with backup compression.
Disadvantages of TDE
• TDE consumes more CPU and storage
• Tempdb will be encrypted
• TDE feature is costly
Encrypted Backups
Dynamic Data Masking
Types of Masking
• Default Masking
• Partial Masking
• Random Masking
• Email Masking
Default Masking
• Masking according to data type
  • String -> XXXXXX
  • Numeric -> 9999999
  • Date Time -> 01.01.1900
• Partial Masking
  • Exposes the first and last characters and adds a custom padding string in the middle.
  • Dinesh -> DXXXXh
• Random Masking
  • Replaces the numeric value with a random value within a specified range.
  • 20 -> 100
• Email Masking
  • Exposes the first letter of an email address and the constant suffix “.com”
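The four masking types above applied to one table, with a check of what a low-privileged user sees. This is an added T-SQL example, not from the original slides; the table, the ReportReader user and the sample row are hypothetical.

```sql
-- Added example: table, user and sample row are hypothetical / constructed.
CREATE TABLE dbo.Employee (
    ID        INT IDENTITY PRIMARY KEY,
    FirstName VARCHAR(50)  MASKED WITH (FUNCTION = 'partial(1,"XXXX",1)') NOT NULL,
    Notes     VARCHAR(100) MASKED WITH (FUNCTION = 'default()') NULL,
    Age       INT          MASKED WITH (FUNCTION = 'random(1, 100)') NULL,
    Email     VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL
);
INSERT INTO dbo.Employee (FirstName, Notes, Age, Email)
VALUES ('Dinesh', 'constructed note', 20, 'dinesh@example.com');
GO
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO ReportReader;
GO
-- A user without the UNMASK permission gets masked values.
EXECUTE AS USER = 'ReportReader';
SELECT FirstName, Notes, Age, Email FROM dbo.Employee;
REVERT;
GO
-- Masking changes only the query result, not the stored data:
-- once UNMASK is granted, the same query returns the real values.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT FirstName, Notes, Age, Email FROM dbo.Employee;
REVERT;
GO
-- Audit which columns carry a mask and which function each one uses.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

Because the stored values stay in clear text, masking limits exposure in query results only; who holds UNMASK is worth reviewing alongside the audit query.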
