Security Basics mailing list archives

RE: SQL stored procedures encryption strength


From: "Dante Mercurio" <Dante () webcti com>
Date: Fri, 12 Nov 2004 17:15:50 -0500

I couldn't find the actual algorithm, but I do know it is not strong. A Google search for "sql script encryption algorithm" 
finds numerous recovery scripts and third-party tools for enhanced security. If security is your concern, I'd recommend 
not using the built-in functionality.

From:
http://www.databasejournal.com/features/mssql/article.php/3424921

"Be aware that SQL Server built-in encryption used for securing content of stored procedures (in the syscomments table) 
can be relatively easily broken. There are a number of tools on the Internet (such as sql2k_spcrypto script at 
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26 and dSQLSVRD from www.geocities.com/d0mn4r/dSQLSRVD.html) that 
provide this functionality."

M. Dante Mercurio, CISSP, CWNA, Security+
Consulting Group Manager

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] 
Sent: Thursday, November 11, 2004 2:04 PM
To: security-basics () securityfocus com
Subject: SQL stored procedures encryption strength


Hi list!

I was wondering how secure the encryption used for stored procedures in SQL Server 2000 is. I mean, when I create a 
procedure like this:

        create procedure dbo.aed_hd_ok_check
                @input char(64)
                ...
        with encryption
        as
        Begin
                ...
        end

the procedure then becomes encrypted, and even the sa account cannot see the source after that.

But there is no way to find in the SQL docs which algorithm is used, or whether there are ways to break it ...

Does anybody know about this?

Thanks!



