Systems Engineering and RDBMS

Encrypted Stored Procedures in SQL Server – How Secure?

Posted by decipherinfosys on February 17, 2007

Yesterday, a good friend of mine asked me whether just using the “WITH ENCRYPTION” option is good enough to secure the source code in SQL Server. Oracle has the WRAP utility to do the same thing and it is much more robust. In SQL Server, however, encrypting your source code with the “WITH ENCRYPTION” option does not mean that you are safe. One can use the dSQLSRVD utility to decrypt that code:

http://www.geocities.com/d0mn4r/dSQLSRVD.html

or even this stored procedure code (Decrypt2k) that is publicly available:

http://www.1perlscriptstreet.com/vb/scripts/ShowCode.asp?txtCodeId=505&lngWId=5

The difference between the two is that domNar’s tool requires you to be a member of the sysadmin fixed server role. The stored procedure version above does not decrypt the code correctly for procedures longer than 4K. And here is another link that talks about a couple of other options that exist for decrypting the encrypted code in SQL Server:

http://www.sql-shield.com/decrypt-stored-procedure.html

So, does that mean that there is really nothing that can be done to protect your source code in SQL Server? There are third-party utilities, like the one from SQL Shield mentioned above, that can be used for doing this. You can also control this with very tight access control using roles and permissions, but that can be done if you are the one who hosts the instance and have all the higher-privileged accounts locked up.

In a future post, we will look at encryption of the data and the options that SQL 2005 provides for it. It can be done using symmetric keys and is a very good feature.
