| Author |
Topic |
|
dolphin123
Yak Posting Veteran
84 Posts |
 Posted - 2012-08-29 : 09:45:16
|
Good morning everyone,My databases are encrypted using TDE with SHA1 (I think). My Manager wants all the database encryption to change to SHA2.I know the database is encrypted using AES_256. But I have no idea if the database is encrypted using SHA1 or SHA2.1. How do I find out if this is encrypted using SHA1 or SHA22. How do I change that to SHA2?3. I will be changing this in Production. Can I do this while I the database is online or should I be taking databases offline during this. If I should take it offline, can I do the followingALTER DATABASE database-name SET OFFLINE WITH ROLLBACK AFTER 120 SECONDS make the change to SHA1 to SHA2ALTER DATABASE database-name SET ONLINE |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2012-08-29 : 09:51:52
|
| SHA1 and SHA2 are hash algorithms, not encryption algorithms. Even if you "encrypted" your data with them, they are not reversible. Your manager needs to do some more research.Here's the basics of TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx |
 |
|
|
dolphin123
Yak Posting Veteran
84 Posts |
Posted - 2012-08-29 : 09:58:49
|
| Thanks robvolk. I understand SHA1/2 are hash algorithms and they are irreversible. Do you know how can I implement SHA2 on my database. Can I do this on a database/server level. Since it is irreversible, I don't think I can do that on my entire database. I can only do that on the password fields. Correct? |
|
|
|
robvolk
Most Valuable Yak
15732 Posts |
|
|
dolphin123
Yak Posting Veteran
84 Posts |
Posted - 2012-08-29 : 12:55:07
|
| Thanks Rob. I took a look at that function. So, that function should be used on the Application level for particular columns right?There is no way I can do it on the database level without effecting the Application - The way I did on the instance level with TDE.Please let me know. Thanks a lot for your time so far.- D |
|
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2012-08-29 : 14:12:59
|
| TDE is a completely different animal. If you're already using it you really don't need to use SHA hashing, unless you have people querying the database directly and they're able to see data they shouldn't.HASHBYTES() is a SQL Server function. .Net languages also have hashing functions built-in, you can hash your values on either the app or the database side. Hashing in SQL Server would entail sending the raw data to the database, so it's less secure overall. |
|
|
|
dolphin123
Yak Posting Veteran
84 Posts |
Posted - 2012-08-31 : 11:35:28
|
| Hi Rob,I am talking about SHA1 on the certificate generated by my first step in creating TDE.Signature Hash Algorithm - You can see it has been hashed with SH1.I can recreated all the keys. but I should be able to force SHA2 for that.http://screencast.com/t/JfpLoljI7How can I do that?Thank you,D |
|
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2012-08-31 : 12:14:27
|
quote:
Originally posted by dolphin123
Hi Rob,I am talking about SHA1 on the certificate generated by my first step in creating TDE.Signature Hash Algorithm - You can see it has been hashed with SH1.I can recreated all the keys. but I should be able to force SHA2 for that.http://screencast.com/t/JfpLoljI7How can I do that?Thank you,D
You can't do that when you create the certificate in SQL Server. You would have to get a certificate from some external source.FYI, this all seems like a waste of time. Virtually every ecommerce web site I have looked at uses a certificate signed with a SHA1 hash. Although there are theoretical weaknesses in the SHA1 algorithm, I do not think there has ever been an demonstrated exploit. The only people that would have access to the certificate that SQL uses would be administrators who have access to the data anyway.CODO ERGO SUM |
|
|
|
|
Changing TDE from SHA1 to SHA1