Usefulness of the SQL Server "with encryption" statement

Time: 2022-11-19 23:43:44

Recently a friend and I were talking about securing stored procedure code in a SQL server database.

From distant memory, I'm pretty certain that "with encryption" is incredibly easily broken in all versions of SQL Server, however he said it has been greatly improved in SQL 2005. As a result I have not seriously considered it as a security option in any systems I have ever worked on.

So in what scenarios could "with encryption" be used, and when should it be avoided at all costs?

3 answers

#1


6  

It can be used to hide your code from casual observers, but as you say: it's easily circumvented.

It really can't be any other way, since the server needs to decrypt the code to execute it. It's DRM, basically, and fails for the same reason as all the other DRM does - you can't simultaneously hide the data, and allow it to be accessed.

#2


2  

@Blorgbeard

Good response, the MSDN documentation on "WITH ENCRYPTION" seems to agree with your point, now calling it "obfuscated" rather than encrypted.

I've met a few developers who were completely unaware of this point however. Hopefully this question/response will inform others too.

#3


1  

Yes, it's easily broken. I had a situation this past week where I had to decrypt several sprocs that a former developer had encrypted for a client of mine. After decrypting it, which took a moderate effort, I wouldn't rely on that for any means of protecting intellectual property, passwords, user ids. Anything really.
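
For auditing where WITH ENCRYPTION is in use (an added example, not part of the original thread): the T-SQL below lists the modules in the current database that are flagged as encrypted, so their source can be checked against version control and reviewed for anything that was relying on the obfuscation, such as embedded passwords or user ids. It uses only the `sys.objects` and `sys.sql_modules` catalog views and `OBJECTPROPERTY(..., 'IsEncrypted')`; the column aliases are chosen here for illustration.

```sql
-- Added example: inventory modules created WITH ENCRYPTION in the current database.
-- Run it in the database being audited; rows appear only for objects the caller
-- is allowed to see in the catalog.
SELECT
    SCHEMA_NAME(o.schema_id) AS owning_schema,
    o.name                   AS module_name,
    o.type_desc              AS module_type,
    o.create_date,
    o.modify_date,
    -- sys.sql_modules.definition is NULL for encrypted modules, so the source
    -- text is not readable through the catalog for these rows.
    CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS definition_hidden
FROM sys.objects AS o
LEFT JOIN sys.sql_modules AS m
       ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0
  AND OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
ORDER BY module_type, owning_schema, module_name;

-- Per-type summary, useful for tracking the clean-up over time.
SELECT
    o.type_desc AS module_type,
    COUNT(*)    AS encrypted_modules
FROM sys.objects AS o
WHERE o.is_ms_shipped = 0
  AND OBJECTPROPERTY(o.object_id, 'IsEncrypted') = 1
GROUP BY o.type_desc
ORDER BY encrypted_modules DESC;
```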
