<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Who needs encryption?</title><link>http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx</link><description>For those that read my previous posts, the question in the title may be startling. I want to reassure you from the start: this post is not about encryption being a useless technique; it is just about it not being a solution for certain problems and definitely</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Who needs encryption?</title><link>http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx#1205778</link><pubDate>Mon, 04 Dec 2006 17:46:08 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1205778</guid><dc:creator>jcarlossaez</dc:creator><description>&lt;P&gt;Hi Laurentiu,&lt;/P&gt;
&lt;P&gt;I find your blog (and also this post) very useful in clarifying both simple and complex cryptography concepts.&lt;/P&gt;
&lt;P&gt;I would like to ask you about the effectiveness of double encryption for highly sensitive data in multi-layer applications. Application server will encrypt sensitive data using its own key prior to sending data to the database server. Database server will also encrypt the received data using its own key. Nothing new, but in this case, to get all the information decrypted, a hacker will need two keys which in general should mean double effort to obtain them (provided each key is under the responsibility of a different person/team).&lt;/P&gt;
&lt;P&gt;Of course, this model is far away from offering complete security: you still are exposed to a decrypted data leak in the application server, but applying “Social Engineering” to database team or application team separately would not be enough.&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;
&lt;P&gt;Juan Carlos&lt;/P&gt;</description></item><item><title>re: Who needs encryption?</title><link>http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx#1207465</link><pubDate>Mon, 04 Dec 2006 23:11:11 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1207465</guid><dc:creator>lcris</dc:creator><description>&lt;p&gt;Hello Juan,&lt;/p&gt;
&lt;p&gt;In your scenario, I expect that the data is encrypted with two keys only on the database server. When it is sent to the application server, I assume that the server encryption is removed first (otherwise the app server would need to have the db server key). I am not sure how this would work otherwise, but if I understood it right, then I don't see much point in the second encryption done by the db server. This is because, on the app server side, it has no impact, and on the db server side, it also doesn't help much - if the attack happens on this side, the app server encryption is sufficient, as its key was never sent to the db server.&lt;/p&gt;
&lt;p&gt;So, this leaves us with encryption being done on the app server and the encrypted data being stored on the db server. This is useful if you want to protect against an attack on the db server side - it would help protect against a db server administrator too - he could only see the data access patterns, but his machine would never have access to the clear data.&lt;/p&gt;
&lt;p&gt;So, to summarize, I don't see much use for multiple encryptions and encryption outside the server can be useful in some scenarios.&lt;/p&gt;
</description></item><item><title>re: Who needs encryption?</title><link>http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx#1258385</link><pubDate>Mon, 11 Dec 2006 12:50:07 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1258385</guid><dc:creator>jcarlossaez</dc:creator><description>&lt;p&gt;Hi Laurentiu,&lt;/p&gt;
&lt;p&gt;I agree with you. I was thinking of this architecture to protect against the database data files being stolen (either the data files or the backup files). A thief with those files would need “to cheat” not only the DBA but also the application server administrator to get the data decrypted. Two people to be “socially engineered” seems to be more difficult than only one.&lt;/p&gt;
&lt;p&gt;Regards&lt;/p&gt;
&lt;p&gt;Juan Carlos&lt;/p&gt;</description></item><item><title>re: Who needs encryption?</title><link>http://blogs.msdn.com/lcris/archive/2006/11/30/who-needs-encryption.aspx#1260660</link><pubDate>Mon, 11 Dec 2006 22:41:11 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:1260660</guid><dc:creator>lcris</dc:creator><description>&lt;p&gt;If someone can mount a social engineering attack against the DBA of the app server, then he'll just get the data through the app server - he's not going to go to the db server at all. A chain is only as strong as its weakest link.&lt;/p&gt;
&lt;p&gt;It might be possible to derive a benefit from using two encryption keys, but most likely, the solution won't be very practical and there would probably be better alternatives available.&lt;/p&gt;
</description></item></channel></rss>