Re: Secure data in SQL Server 2005 Mobile Edition



It turns out that the algorithm used depends on the version of SQL Compact and also what platform it's running on as not all platforms capable of running SQLce support the same encryption. I should have a link for you in a few days.

--
Ginny


"AimlessZombie" <AimlessZombie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A3FDD5F1-5A27-4282-A607-D5D4D958AB5D@xxxxxxxxxxxxxxxx
Yes, we just copied the file over.

We tried again without checking the encrypt option and the error no longer
occurs. But we have a few burning questions:

1. Without checking the option, how can the database be encrypted with just
the password?

2. What is the difference between encryption with and without the encrypt
option?

3. As it is customer's requirement to have AES-128, it is important that we
know what the encryption algorithm is. We have tried looking up information
on this to no avail. Is there any way you could kindly help us on this (maybe
by providing us some references or contacts)? Would greatly appreciate it if
possible.

Thanks.


"Ginny Caughey [MVP]" wrote:

You just copied the sdf file from the desktop to the device, right? Does the
password have any accented characters in it or anything like that? One other
thing to try is not checking the encrypt option - the database still gets
encrypted if you provide a password.

I don't know which encryption algorithm is used for SQL Compact but I've
been told it's 128-bit.

--
Ginny


"AimlessZombie" <AimlessZombie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D9FE095C-A3F3-494C-B022-482C9254C29B@xxxxxxxxxxxxxxxx
> Hi,
>
> We have decided to go ahead with encrypting the entire database for now, thus
> I am trying to encrypt a database on SQL Server 2005 on a desktop and
> replicate this database on SQL Server Mobile Edition on a mobile device.
>
> I followed the "How to: Secure a Database (SQL Server Management Studio)"
> topic in the SQL Server 2005 Mobile Edition Books Online to set a password
> for my database connection string and checked the encrypt option. But when I
> tried to access the database on the mobile device by opening a
> sqlceconnection, I got the following error:
>
> The specified password does not match the database password.
>
> I have ensured that my connection string is correct with the correct data
> source and correct password. I have even tried changing passwords but I still
> got the same error.
>
> 1. Is this the correct way of encrypting a database? Am I doing anything wrong
> or missing anything?
>
> 2. What is the encryption algorithm used by SQL Server Management Studio
> when the encrypt option is chosen?
>
> Thanks for the help.
>
> "Ginny Caughey [MVP]" wrote:
>
>> The size is the same whether it's encrypted or not. I used the Northwind
>> database for my tests but the larger AdventureWorks one might also make an
>> interesting test.
>>
>> I think the best way to get answers for your specific case would be to build
>> encrypted and non-encrypted databases with the schema you need and run a few
>> simple tests for yourself. Frankly the reason I didn't spend more time doing
>> thorough testing was that I think if you need encryption, then you need it
>> and whatever the perf hit, well that's the price you pay. Still I was
>> pleased to find the hit was a small one in my tests.
>>
>> --
>> Ginny
>>
>>
>> "AimlessZombie" <AimlessZombie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:2B849C1A-0785-4C8B-BD52-9DFDB4359A80@xxxxxxxxxxxxxxxx
>> > What about the database size?
>> >
>> > "Ginny Caughey [MVP]" wrote:
>> >
>> >> I didn't test it with different schemas. The hit on the device was between
>> >> 8-10% for most operations. On the desktop it was barely measurable.
>> >>
>> >> --
>> >> Ginny
>> >>
>> >>
>> >> "AimlessZombie" <AimlessZombie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:428B5E6D-B41C-428A-BC94-9BF040568FDE@xxxxxxxxxxxxxxxx
>> >> > Thanks for your reply.
>> >> >
>> >> > Not exactly that I wanted a more complicated encryption, but I was worried
>> >> > about the performance hit for encrypting the whole database.
>> >> >
>> >> > Can I ask what is the size of the database you tested with? Also, would the
>> >> > performance hit be affected by the database schema?
>> >> >
>> >> > "Ginny Caughey [MVP]" wrote:
>> >> >
>> >> >> Encryption in SQL Mobile is at the database level only. In my testing the
>> >> >> performance hit for using encryption is quite low, and using an encrypted
>> >> >> database is as easy as providing a password in the connection string, so I'm
>> >> >> not sure why you'd want something more complicated than that.
>> >> >>
>> >> >> --
>> >> >> Ginny
>> >> >>
>> >> >>
>> >> >> "AimlessZombie" <AimlessZombie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:721B8943-84FA-41DF-8AFB-633C0A85F1DA@xxxxxxxxxxxxxxxx
>> >> >> > I understand that it is possible to encrypt a database in SQL Server 2005
>> >> >> > Mobile Edition. But I do not want to encrypt the entire database. Instead I
>> >> >> > just want to encrypt only selected data in the database.
>> >> >> >
>> >> >> > Can this be done in Mobile Edition? If yes, how to do it and are there any
>> >> >> > reference sites?
>> >> >> >
>> >> >> > Many thanks.
>> >> >>
>> >>
>>

