Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

column encryption

17 posts in Product Futures Discussion Last posting was on 2002-03-09 06:29:45.0Z
George Saylor Posted on 2002-03-07 12:36:30.0Z
From: "George Saylor" <gmsayloriii@email.msn.com>
Subject: column encryption
Date: Thu, 7 Mar 2002 07:36:30 -0500
Lines: 15
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <hvgjtSdxBHA.132@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: tow9dhcp209.towson01.md.comcast.net 68.33.9.209
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:739
Article PK: 94267

Giving the decrypt a role/group/user grantable permission, perfect for a
password table or sensitive data.

ie:

CREATE TABLE secret
(
col1 INT,
col2 VARCHAR(30) ENCRYPTED
)
go
GRANT DECRYPT ON secret(col2) TO auditors
go


Stefan Karlsson Posted on 2002-03-07 21:10:40.0Z
From: "Stefan Karlsson" <Stefan.Karlsson@Sybase.com>
References: <hvgjtSdxBHA.132@forums.sybase.com>
Subject: Re: column encryption
Date: Thu, 7 Mar 2002 16:10:40 -0500
Lines: 30
Organization: Sybase, Inc.
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
Message-ID: <2FuKoajxBHA.214@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: 10.22.90.199
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:734
Article PK: 94263

You may want to look at the partner Protegrity:
<http://ptnrweb.sybase.com/public/web.pbw/ePartner/product/display?prod_svc_id=38303&tmp_table_search=N>

Their solution includes the ability to encrypt columns and allow decryption
only to authenticated and authorized principals.

Stefan Karlsson
DSE Swat Team
Sybase, Inc.

"George Saylor" <gmsayloriii@email.msn.com> wrote in message
news:hvgjtSdxBHA.132@forums.sybase.com...
> Giving the decrypt a role/group/user grantable permission, perfect for a
> password table or sensitive data.
>
> ie:
>
> CREATE TABLE secret
> (
> col1 INT,
> col2 VARCHAR(30) ENCRYPTED
> )
> go
> GRANT DECRYPT ON secret(col2) TO auditors
> go
>
>


George Saylor Posted on 2002-03-08 12:56:42.0Z
From: "George Saylor" <gmsayloriii@email.msn.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <2FuKoajxBHA.214@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 07:56:42 -0500
Lines: 41
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <bu0fqCqxBHA.214@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: tow9dhcp209.towson01.md.comcast.net 68.33.9.209
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:730
Article PK: 94256

> =38303&tmp_table_search=N>
>
> Their solution includes the ability to encrypt columns and allow decryption
> only to authenticated and authorized principals.

Nice to know they are out there. We have already built an external mechanism
using RSA, but it stores as IMAGE to avoid occasional strings laden with
line and string terminators, which were reportedly difficult to retrieve as
VARBINARY using VB.

Protegrity appears to run on Unix, which is one of the reasons I want this in
ASE, so I will pitch it to the suits.

Thanks

>
> Stefan Karlsson
> DSE Swat Team
> Sybase, Inc.
>
> "George Saylor" <gmsayloriii@email.msn.com> wrote in message
> news:hvgjtSdxBHA.132@forums.sybase.com...
> > Giving the decrypt a role/group/user grantable permission, perfect for a
> > password table or sensitive data.
> >
> > ie:
> >
> > CREATE TABLE secret
> > (
> > col1 INT,
> > col2 VARCHAR(30) ENCRYPTED
> > )
> > go
> > GRANT DECRYPT ON secret(col2) TO auditors
> > go
> >
> >
>
>


Roger Broadbent Posted on 2002-03-07 14:57:36.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com>
Subject: Re: column encryption
Date: Thu, 7 Mar 2002 14:57:36 -0000
Lines: 27
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <DEIGMlexBHA.332@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:737
Article PK: 94264

How is that better than simply denying access to the column?

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

George Saylor <gmsayloriii@email.msn.com> wrote in message
news:hvgjtSdxBHA.132@forums.sybase.com...
> Giving the decrypt a role/group/user grantable permission, perfect for a
> password table or sensitive data.
>
> ie:
>
> CREATE TABLE secret
> (
> col1 INT,
> col2 VARCHAR(30) ENCRYPTED
> )
> go
> GRANT DECRYPT ON secret(col2) TO auditors
> go
>
>


George Saylor Posted on 2002-03-08 12:45:15.0Z
From: "George Saylor" <gmsayloriii@email.msn.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 07:45:15 -0500
Lines: 39
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <pPmsQ8pxBHA.332@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: tow9dhcp209.towson01.md.comcast.net 68.33.9.209
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:732
Article PK: 94258

Auditors want "encryption", revoke was discussed to no avail. Also we need
to let folks retrieve this data in its encrypted form and pass it to MTS/COM
components for authentication without the slightest possibility that someone
could trace or capture the plain value.

George

"Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
news:DEIGMlexBHA.332@forums.sybase.com...
> How is that better than simply denying access to the column?
>
> --
> Roger Broadbent
> Technical Consultant
> Wilco International Ltd
>
>
> George Saylor <gmsayloriii@email.msn.com> wrote in message
> news:hvgjtSdxBHA.132@forums.sybase.com...
> > Giving the decrypt a role/group/user grantable permission, perfect for a
> > password table or sensitive data.
> >
> > ie:
> >
> > CREATE TABLE secret
> > (
> > col1 INT,
> > col2 VARCHAR(30) ENCRYPTED
> > )
> > go
> > GRANT DECRYPT ON secret(col2) TO auditors
> > go
> >
> >
>
>


Roger Broadbent Posted on 2002-03-08 15:35:45.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <pPmsQ8pxBHA.332@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 15:35:45 -0000
Lines: 65
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <evgTOfrxBHA.204@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:727
Article PK: 94253

Did the auditors give a reason for rejecting revoking privileges or was it
some touching belief in the power of encryption over other security
mechanisms?

If you want to pass on the encrypted form, store it as varbinary or image
and let the client do the decryption in all cases. This actually would
increase security as the ASE wouldn't have the info on how to decrypt at
all.

I suppose you could write the encryption/decryption algorithms in Java and
put them on the server, but you'd have to pass the key from the client each
time or it would be available to our hypothetical snooper.

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

George Saylor <gmsayloriii@email.msn.com> wrote in message
news:pPmsQ8pxBHA.332@forums.sybase.com...
> Auditors want "encryption", revoke was discussed to no avail. Also we need
> to let folks retrieve this data in its encrypted form and pass it to MTS/COM
> components for authentication without the slightest possibility that someone
> could trace or capture the plain value.
>
> George
>
>
> "Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
> news:DEIGMlexBHA.332@forums.sybase.com...
> > How is that better than simply denying access to the column?
> >
> > --
> > Roger Broadbent
> > Technical Consultant
> > Wilco International Ltd
> >
> >
> > George Saylor <gmsayloriii@email.msn.com> wrote in message
> > news:hvgjtSdxBHA.132@forums.sybase.com...
> > > Giving the decrypt a role/group/user grantable permission, perfect for a
> > > password table or sensitive data.
> > >
> > > ie:
> > >
> > > CREATE TABLE secret
> > > (
> > > col1 INT,
> > > col2 VARCHAR(30) ENCRYPTED
> > > )
> > > go
> > > GRANT DECRYPT ON secret(col2) TO auditors
> > > go
> > >
> > >
> >
> >
>
>


George Saylor Posted on 2002-03-08 16:32:10.0Z
From: "George Saylor" <gmsayloriii@email.msn.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <pPmsQ8pxBHA.332@forums.sybase.com> <evgTOfrxBHA.204@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 11:32:10 -0500
Lines: 75
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <RGUnE7rxBHA.304@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: tow9dhcp209.towson01.md.comcast.net 68.33.9.209
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:724
Article PK: 94254

the "some touching belief" option, and we use IMAGE already

"Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
news:evgTOfrxBHA.204@forums.sybase.com...
> Did the auditors give a reason for rejecting revoking privileges or was it
> some touching belief in the power of encryption over other security
> mechanisms?
>
> If you want to pass on the encrypted form, store it as varbinary or image
> and let the client do the decryption in all cases. This actually would
> increase security as the ASE wouldn't have the info on how to decrypt at
> all.
>
> I suppose you could write the encryption/decryption algorithms in Java and
> put them on the server, but you'd have to pass the key from the client each
> time or it would be available to our hypothetical snooper.
>
> --
> Roger Broadbent
> Technical Consultant
> Wilco International Ltd
>
> George Saylor <gmsayloriii@email.msn.com> wrote in message
> news:pPmsQ8pxBHA.332@forums.sybase.com...
> > Auditors want "encryption", revoke was discussed to no avail. Also we need
> > to let folks retrieve this data in its encrypted form and pass it to MTS/COM
> > components for authentication without the slightest possibility that someone
> > could trace or capture the plain value.
> >
> > George
> >
> >
> > "Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
> > news:DEIGMlexBHA.332@forums.sybase.com...
> > > How is that better than simply denying access to the column?
> > >
> > > --
> > > Roger Broadbent
> > > Technical Consultant
> > > Wilco International Ltd
> > >
> > >
> > > George Saylor <gmsayloriii@email.msn.com> wrote in message
> > > news:hvgjtSdxBHA.132@forums.sybase.com...
> > > > Giving the decrypt a role/group/user grantable permission, perfect for a
> > > > password table or sensitive data.
> > > >
> > > > ie:
> > > >
> > > > CREATE TABLE secret
> > > > (
> > > > col1 INT,
> > > > col2 VARCHAR(30) ENCRYPTED
> > > > )
> > > > go
> > > > GRANT DECRYPT ON secret(col2) TO auditors
> > > > go
> > > >
> > > >
> > >
> > >
> >
> >
>
>


Roger Broadbent Posted on 2002-03-08 17:01:45.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <pPmsQ8pxBHA.332@forums.sybase.com> <evgTOfrxBHA.204@forums.sybase.com> <RGUnE7rxBHA.304@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 17:01:45 -0000
Lines: 100
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <zYJyRPsxBHA.318@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:722
Article PK: 94249

If it's a touching belief, I'm afraid I can't help. I'm used to logical
argument :-)

It sounds to me that in your case the encryption should be handled at the
client level, and Sybase need only handle the encrypted values as passed to
it.

Back to the original suggestion, it still seems to me that if the ASE can
decrypt it, anyone with access to the raw devices, and thus the Sybase
account can decrypt it. If they don't have access to the raw devices,
denying access within the ASE is enough. Ergo, the proposed "security
feature" is snake oil with no advantage over the current mechanisms, only
associated costs.

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

George Saylor <gmsayloriii@email.msn.com> wrote in message
news:RGUnE7rxBHA.304@forums.sybase.com...
> the "some touching belief" option, and we use IMAGE already
>
>
> "Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
> news:evgTOfrxBHA.204@forums.sybase.com...
> > Did the auditors give a reason for rejecting revoking privileges or was it
> > some touching belief in the power of encryption over other security
> > mechanisms?
> >
> > If you want to pass on the encrypted form, store it as varbinary or image
> > and let the client do the decryption in all cases. This actually would
> > increase security as the ASE wouldn't have the info on how to decrypt at
> > all.
> >
> > I suppose you could write the encryption/decryption algorithms in Java and
> > put them on the server, but you'd have to pass the key from the client each
> > time or it would be available to our hypothetical snooper.
> >
> > --
> > Roger Broadbent
> > Technical Consultant
> > Wilco International Ltd
> >
> > George Saylor <gmsayloriii@email.msn.com> wrote in message
> > news:pPmsQ8pxBHA.332@forums.sybase.com...
> > > Auditors want "encryption", revoke was discussed to no avail. Also we need
> > > to let folks retrieve this data in its encrypted form and pass it to MTS/COM
> > > components for authentication without the slightest possibility that someone
> > > could trace or capture the plain value.
> > >
> > > George
> > >
> > >
> > > "Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
> > > news:DEIGMlexBHA.332@forums.sybase.com...
> > > > How is that better than simply denying access to the column?
> > > >
> > > > --
> > > > Roger Broadbent
> > > > Technical Consultant
> > > > Wilco International Ltd
> > > >
> > > >
> > > > George Saylor <gmsayloriii@email.msn.com> wrote in message
> > > > news:hvgjtSdxBHA.132@forums.sybase.com...
> > > > > Giving the decrypt a role/group/user grantable permission, perfect for a
> > > > > password table or sensitive data.
> > > > >
> > > > > ie:
> > > > >
> > > > > CREATE TABLE secret
> > > > > (
> > > > > col1 INT,
> > > > > col2 VARCHAR(30) ENCRYPTED
> > > > > )
> > > > > go
> > > > > GRANT DECRYPT ON secret(col2) TO auditors
> > > > > go
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>


Mike Harrold Posted on 2002-03-08 21:00:08.0Z
Subject: Re: column encryption
References: <hvgjtSdxBHA.132@forums.sybase.com> <evgTOfrxBHA.204@forums.sybase.com> <RGUnE7rxBHA.304@forums.sybase.com> <zYJyRPsxBHA.318@forums.sybase.com>
X-Newsreader: trn 4.0-test75 (Feb 13, 2001)
From: ao@shell.core.com (Mike Harrold)
Originator: ao@shell.core.com (Mike Harrold)
Message-ID: <mNPr6QuxBHA.204@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
Date: Fri, 08 Mar 2002 16:00:08 -0500
Lines: 39
NNTP-Posting-Host: shell.core.com 169.207.1.89
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com!not-for-mail
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:719
Article PK: 94246

In article <zYJyRPsxBHA.318@forums.sybase.com>,
Roger Broadbent <RBroadbent@wilco-int.com> wrote:
>
>If it's a touching belief, I'm afraid I can't help. I'm used to logical
>argument :-)
>
>It sounds to me that in your case the encryption should be handled at the
>client level, and Sybase need only handle the encrypted values as passed to
>it.
>
>Back to the original suggestion, it still seems to me that if the ASE can
>decrypt it, anyone with access to the raw devices, and thus the Sybase
>account can decrypt it. If they don't have access to the raw devices,
>denying access within the ASE is enough. Ergo, the proposed "security
>feature" is snake oil with no advantage over the current mechanisms, only
>associated costs.

Assume there is a table with customer credit card info. For some reason,
the datafile containing that table has been left open as world readable.
No, it shouldn't happen, but in reality it *does* happen. There can be a
number of reasons why it happens.

If the data is unencrypted, anyone can grab that data from looking at
the datafile (Unix "strings" command, perhaps). At least if it were
encrypted that couldn't happen.

Now, can the same be done at the client level? Sure.

Would it be easier if it were available (no one is forcing you to use
it) in the database? Of course.

Is it necessary? No.

Would it be nice to have? Yes.

But isn't that the point of this newsgroup? So *customers* can tell
Sybase what they want?

:-)

/Mike
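The client-side scheme Roger lays out (ciphertext stored as VARBINARY or IMAGE, the key held only by the client) and Mike's world-readable datafile, worked through in Go as an added example that is not code from this thread or from Sybase. It assumes AES-256-GCM, a constructed 2 KB page layout and the hypothetical row label "secret.col2:<pk>" used as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptColumn seals plaintext on the client. The blob (12-byte nonce || ciphertext || 16-byte tag) is
// binary, meant for a VARBINARY/IMAGE column, so NUL or quote bytes inside cannot confuse a string column
// or driver; aad binds it to its row (hypothetical label "secret.col2:<pk>") so a blob copied into another row fails to open.
func EncryptColumn(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // output starts with the nonce
}

// DecryptColumn opens a blob from EncryptColumn; the key stays on the client, so the server's OS account has nothing to decrypt with.
func DecryptColumn(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// PrintableRuns mimics the Unix "strings" command: every run of at least minLen printable ASCII bytes.
func PrintableRuns(page []byte, minLen int) []string {
	var runs []string
	var cur []byte
	flush := func() {
		if len(cur) >= minLen {
			runs = append(runs, string(cur))
		}
		cur = cur[:0]
	}
	for _, b := range page {
		if b >= 0x20 && b <= 0x7e {
			cur = append(cur, b)
		} else {
			flush()
		}
	}
	flush()
	return runs
}

// LeaksCard lays one constructed row (a one-byte row key, then the card column as plaintext or
// blob) into a fake 2 KB data page and reports whether a strings-style scan recovers the card.
func LeaksCard(column []byte, card string) bool {
	page := make([]byte, 2048)
	page[0] = 1
	copy(page[1:], column)
	for _, s := range PrintableRuns(page, 8) {
		if strings.Contains(s, card) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo values; a real key lives in a client-side key store, never in the database.
	key := sha256.Sum256([]byte("demo column key"))
	card, aad := "4111111111111111", []byte("secret.col2:1")
	blob, err := EncryptColumn(key[:], []byte(card), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext page leaks card:", LeaksCard([]byte(card), card)) // true
	fmt.Println("encrypted page leaks card:", LeaksCard(blob, card))         // false
	plain, err := DecryptColumn(key[:], blob, aad)
	fmt.Println("client decrypts to:", string(plain), "err:", err)
}
```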


Bret Halford Posted on 2002-03-07 15:13:33.0Z
Message-ID: <3C87839D.FDDE559E@sybase.com>
Date: Thu, 07 Mar 2002 08:13:33 -0700
From: Bret Halford <bret@sybase.com>
Organization: Sybase, Inc.
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
Subject: Re: column encryption
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Newsgroups: sybase.public.ase.product_futures_discussion
Lines: 18
NNTP-Posting-Host: 10.22.120.72
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:736
Article PK: 94266

A user on the OS can, with appropriate permissions, look at the raw data on
disk if it isn't encrypted.

-bret

Roger Broadbent wrote:

> How is that better than simply denying access to the column?
>
> --
> Roger Broadbent
> Technical Consultant
> Wilco International Ltd
>
> George Saylor <gmsayloriii@email.msn.com> wrote in message
> news:hvgjtSdxBHA.132@forums.sybase.com...
> > Giving the decrypt a role/group/user grantable permission, perfect for a
> > password table or sensitive data.
> >
> > ie:
> >
> > CREATE TABLE secret
> > (
> > col1 INT,
> > col2 VARCHAR(30) ENCRYPTED
> > )
> > go
> > GRANT DECRYPT ON secret(col2) TO auditors
> > go
> >
> >


Roger Broadbent Posted on 2002-03-08 15:25:16.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 15:25:16 -0000
Lines: 57
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <Nq7tXZrxBHA.304@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:728
Article PK: 94257

The same user could gain sa access to the ASE and read the column that way
too. Or he could use software containing the decryption algorithm extracted
from the ASE to read the encrypted data; if you assume access to the Sybase
devices, the ASE has nowhere to "hide" the key. You can't use a user's
password as a key, as it's extremely likely that more than one user, with
unrelated passwords, will require access. And even if you did, if the
hypothetical user has UNIX access to the sybase account, he could read the
ASE memory and extract the password.

Maybe I'm missing something, but this seems like more security "snake oil"
to me...

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

Bret Halford <bret@sybase.com> wrote in message
news:3C87839D.FDDE559E@sybase.com...
> A user on the OS can, with appropriate permissions, look at the raw data on
> disk if it isn't encrypted.
>
> -bret
>
>
> Roger Broadbent wrote:
>
> > How is that better than simply denying access to the column?
> >
> > --
> > Roger Broadbent
> > Technical Consultant
> > Wilco International Ltd
> >
> > George Saylor <gmsayloriii@email.msn.com> wrote in message
> > news:hvgjtSdxBHA.132@forums.sybase.com...
> > > Giving the decrypt a role/group/user grantable permission, perfect for a
> > > password table or sensitive data.
> > >
> > > ie:
> > >
> > > CREATE TABLE secret
> > > (
> > > col1 INT,
> > > col2 VARCHAR(30) ENCRYPTED
> > > )
> > > go
> > > GRANT DECRYPT ON secret(col2) TO auditors
> > > go
> > >
> > >
>


George Saylor Posted on 2002-03-08 12:46:58.0Z
From: "George Saylor" <gmsayloriii@email.msn.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 07:46:58 -0500
Lines: 23
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <K4P2N9pxBHA.204@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: tow9dhcp209.towson01.md.comcast.net 68.33.9.209
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:731
Article PK: 94259


"Bret Halford" <bret@sybase.com> wrote in message
news:3C87839D.FDDE559E@sybase.com...
> A user on the OS can, with appropriate permissions, look at the raw data on
> disk if it isn't encrypted.
>
> -bret
>

Another nice idea would be encryption of the database files, for the above
reason


Roger Broadbent Posted on 2002-03-08 15:38:13.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com> <K4P2N9pxBHA.204@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 15:38:13 -0000
Lines: 38
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <fJXVmgrxBHA.204@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:726
Article PK: 94252

Definitely snake oil. The ASE has to be able to read the data and have
access to the raw disks. Anyone who gains this user's privileges has to have
access to all the information required to read those partitions, otherwise
the ASE couldn't do it!

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

George Saylor <gmsayloriii@email.msn.com> wrote in message
news:K4P2N9pxBHA.204@forums.sybase.com...
>
> "Bret Halford" <bret@sybase.com> wrote in message
> news:3C87839D.FDDE559E@sybase.com...
> > A user on the OS can, with appropriate permissions, look at the raw data on
> > disk if it isn't encrypted.
> >
> > -bret
> >
>
> Another nice idea would be encryption of the database files, for the above
> reason
>


Pablo Sanchez Posted on 2002-03-08 15:44:46.0Z
From: "Pablo Sanchez" <pablo@dev.null>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com> <K4P2N9pxBHA.204@forums.sybase.com> <fJXVmgrxBHA.204@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 08:44:46 -0700
Lines: 20
Organization: High-Performance Database Engineering
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <QCKKmkrxBHA.332@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: 207.225.105.222
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:725
Article PK: 94250


"Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
news:fJXVmgrxBHA.204@forums.sybase.com...
> Definitely snake oil. The ASE has to be able to read the data and have
> access to the raw disks. Anyone who gains this user's privileges has to have
> access to all the information required to read those partitions, otherwise
> the ASE couldn't do it!

If you're encrypting within a column, ASE isn't going to need to peek
in that column. If that column is indexed, it'd be indexed on the
encrypted values.
--
Pablo Sanchez, High-Performance Database Engineering
www.hpdbe.com
Available for short-term and long-term contracts


Roger Broadbent Posted on 2002-03-08 16:50:03.0Z
From: "Roger Broadbent" <RBroadbent@wilco-int.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com> <K4P2N9pxBHA.204@forums.sybase.com> <fJXVmgrxBHA.204@forums.sybase.com> <QCKKmkrxBHA.332@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 16:50:03 -0000
Lines: 39
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID: <yNzPvIsxBHA.214@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: wilcohost-180.wilco-int.com 212.36.174.180
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:723
Article PK: 94251

What you say is true Pablo, but the suggestion was "Another nice idea would
be encryption of the database files, for the above reason".

I took this to mean encryption of the data held on the Sybase devices. The
dataserver has to be able to read these to get information such as
allocation maps and the contents of system tables. Thus it must be available
to anyone else gaining access to the Sybase account, which would be required
to read the devices if unencrypted. Thus it is snake oil.

--
Roger Broadbent
Technical Consultant
Wilco International Ltd

Pablo Sanchez <pablo@dev.null> wrote in message
news:QCKKmkrxBHA.332@forums.sybase.com...
>
> "Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
> news:fJXVmgrxBHA.204@forums.sybase.com...
> > Definitely snake oil. The ASE has to be able to read the data and have
> > access to the raw disks. Anyone who gains this user's privileges has to have
> > access to all the information required to read those partitions, otherwise
> > the ASE couldn't do it!
>
> If you're encrypting within a column, ASE isn't going to need to peek
> in that column. If that column is indexed, it'd be indexed on the
> encrypted values.
> --
> Pablo Sanchez, High-Performance Database Engineering
> www.hpdbe.com
> Available for short-term and long-term contracts
>
>


Jim Egan Posted on 2002-03-09 06:29:45.0Z
From: Jim Egan <dontspam.dbaguru@eganomics.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 23:29:45 -0700
Message-ID: <MPG.16f359c4e4607a4298bba6@forums.sybase.com>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com> <K4P2N9pxBHA.204@forums.sybase.com> <fJXVmgrxBHA.204@forums.sybase.com> <QCKKmkrxBHA.332@forums.sybase.com> <yNzPvIsxBHA.214@forums.sybase.com>
Reply-To: eganjp@compuserve.com
X-Newsreader: MicroPlanet Gravity v2.50
Newsgroups: sybase.public.ase.product_futures_discussion
Lines: 20
NNTP-Posting-Host: 12-252-108-115.client.attbi.com 12.252.108.115
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:711
Article PK: 94239


RBroadbent@wilco-int.com wrote...
> What you say is true Pablo, but the suggestion was "Another nice idea would
> be encryption of the database files, for the above reason".
>
> I took this to mean encryption of the data held on the Sybase devices. The
> dataserver has to be able to read these to get information such as
> allocation maps and the contents of system tables. Thus it must be available
> to anyone else gaining access to the Sybase account, which would be required
> to read the devices if unencrypted. Thus it is snake oil.

FWIW, ASA does file level encryption. The way it works is that pages are encrypted. As a
page is required in memory it is decrypted as a whole.
--
Jim Egan [TeamSybase]
Senior Consultant
Sybase Professional Services


Pablo Sanchez Posted on 2002-03-08 21:29:09.0Z
From: "Pablo Sanchez" <pablo@dev.null>
References: <hvgjtSdxBHA.132@forums.sybase.com> <DEIGMlexBHA.332@forums.sybase.com> <3C87839D.FDDE559E@sybase.com> <K4P2N9pxBHA.204@forums.sybase.com> <fJXVmgrxBHA.204@forums.sybase.com> <QCKKmkrxBHA.332@forums.sybase.com> <yNzPvIsxBHA.214@forums.sybase.com>
Subject: Re: column encryption
Date: Fri, 8 Mar 2002 14:29:09 -0700
Lines: 23
Organization: High-Performance Database Engineering
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <nveIDluxBHA.318@forums.sybase.com>
Newsgroups: sybase.public.ase.product_futures_discussion
NNTP-Posting-Host: 207.225.105.222
Path: forums-1-dub!forums-master.sybase.com!forums.sybase.com
Xref: forums-1-dub sybase.public.ase.product_futures_discussion:718
Article PK: 94245


"Roger Broadbent" <RBroadbent@wilco-int.com> wrote in message
news:yNzPvIsxBHA.214@forums.sybase.com...
> What you say is true Pablo, but the suggestion was "Another nice idea would
> be encryption of the database files, for the above reason".

Ah right, mea culpa. :) And your points below are 100% valid.

> I took this to mean encryption of the data held on the Sybase devices. The
> dataserver has to be able to read these to get information such as
> allocation maps and the contents of system tables. Thus it must be available
> to anyone else gaining access to the Sybase account, which would be required
> to read the devices if unencrypted. Thus it is snake oil.
--
Pablo Sanchez, High-Performance Database Engineering
www.hpdbe.com
Available for short-term and long-term contracts