SQL Encrypted Columns in WHERE Clause

I am looking to apply SQL column level encryption using symmetric keys. The initial steps needed to create the Database Master Key, Certificates and Symmetric Keys seem straightforward and I have tested encrypting/decrypting data using Symmetric Keys successfully.

However, once the data is encrypted I don't know how best to query it. E.g.

SELECT PlainTextA, PlainTextB, PlainTextC 
WHERE CONVERT(varchar, DECRYPTBYKEY(EncyptedColumn)) = @SearchTerm

would surely result in a full table scan?

Another option I thought might work is encrypting the search criteria first, e.g.

SELECT PlainTextA, PlainTextB, PlainTextC 
WHERE EncyptedColumn = ENCRYPTBYKEY(KEY_GUID('KeyName'), @SearchTerm)

but this doesn't work as the encrypted value generated is always different.

Any suggestions would be greatly appreciated.

The typical way is to store both the encrypted value and a one-way hash of the value. When you seek a specific value, you would seek the hash. This way you can query efficiently, w/o having to decrypt every row in order to find the value you're interested in:

-- "Table" is a reserved word, so the name is bracketed
create table [Table] (
EncryptedColumn varbinary(max),
HashValue binary(20), -- SHA1 output is 20 bytes
PlainA int,
PlainB varchar(256),
PlainC Datetime);

create index ndxTableHash on [Table](HashValue);

select PlainA, PlainB, PlainC
from [Table]
where HashValue = HashBytes('SHA1', @searchTerm);

In theory, you can have a hash conflict once in a blue moon; to be paranoid-safe you add a double check on the decrypted column:

select PlainA, PlainB, PlainC
from [Table]
where HashValue = HashBytes('SHA1', @searchTerm)
and DecryptByKey(..., EncryptedColumn) = @searchTerm;

Also see Indexing encrypted data and SQL Server 2005: searching encrypted data.

One option you have is to add a new column to the table (or have a WITH SCHEMABINDING view with a calculated column in it, and index that) with a one-way HASH of the search value. It doesn't have to be a strong hash - something as simple as CHECKSUM will work. Then you hash the search value in your lookup and filter it by the hash, which is indexed. That way, you can expose something searchable and indexable, without actually exposing the value itself.

However, if there's another way to do this directly, I'd love to know what it is :)

Another option is to use a View which contains a column with the decrypted value and find records according to it.

SELECT PlainTextA, PlainTextB, PlainTextC from TheView 
WHERE DecryptedColumn = @SearchTerm
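
The hash-lookup pattern from the answers above, worked end to end in T-SQL as an added example (not code from the original posts). It assumes SQL Server 2012 or later and the question's symmetric key 'KeyName'; CertName, dbo.Person, dbo.LookupSecret and the sample value are constructed, and the lookup hash is keyed by prepending a stored secret to the value (not a full HMAC), so the indexed column cannot be matched against hashes of guessed values without that secret.

```sql
-- Added example. Assumes SQL Server 2012+ (SHA2_256) and that the symmetric key
-- 'KeyName' from the question exists, protected by a certificate here called
-- CertName (hypothetical). Table names and sample values are constructed.
CREATE TABLE dbo.Person (
    PersonId        int IDENTITY PRIMARY KEY,
    EncryptedColumn varbinary(256) NOT NULL,  -- ENCRYPTBYKEY output: random IV, differs per call
    LookupHash      binary(32)     NOT NULL,  -- deterministic keyed hash: safe to index and seek
    PlainTextA      int            NULL
);
CREATE INDEX IX_Person_LookupHash ON dbo.Person (LookupHash);
CREATE TABLE dbo.LookupSecret (SecretEnc varbinary(256) NOT NULL);
GO
OPEN SYMMETRIC KEY KeyName DECRYPTION BY CERTIFICATE CertName;

-- One-time setup: a random 32-byte secret, stored only in encrypted form.
INSERT dbo.LookupSecret (SecretEnc)
VALUES (ENCRYPTBYKEY(KEY_GUID('KeyName'), CRYPT_GEN_RANDOM(32)));

DECLARE @Secret varbinary(32) =
    (SELECT TOP (1) DECRYPTBYKEY(SecretEnc) FROM dbo.LookupSecret);

-- Write path: the same value goes through both the cipher and the keyed hash.
-- Always hash the same data type (nvarchar here): varchar and nvarchar inputs
-- produce different HASHBYTES results for the same visible text.
DECLARE @Value nvarchar(50) = N'123-45-6789';            -- constructed sample
DECLARE @ValueHash binary(32) =
    HASHBYTES('SHA2_256', @Secret + CONVERT(varbinary(100), @Value));
INSERT dbo.Person (EncryptedColumn, LookupHash, PlainTextA)
VALUES (ENCRYPTBYKEY(KEY_GUID('KeyName'), @Value), @ValueHash, 1);

-- Read path: index seek on the hash, then confirm on the decrypted value so a
-- hash collision can never return the wrong row.
DECLARE @SearchTerm nvarchar(50) = N'123-45-6789';
DECLARE @SearchHash binary(32) =
    HASHBYTES('SHA2_256', @Secret + CONVERT(varbinary(100), @SearchTerm));
SELECT PlainTextA
FROM dbo.Person
WHERE LookupHash = @SearchHash
  AND CONVERT(nvarchar(50), DECRYPTBYKEY(EncryptedColumn)) = @SearchTerm;

CLOSE SYMMETRIC KEY KeyName;
```

Only rows that already matched the index seek are decrypted, so the DECRYPTBYKEY cost stays proportional to the number of hash matches rather than the table size.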

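Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.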
