Enforcing a unique constraint on a column encrypted with cell level encryption

I want to enforce a unique constraint on a column that must be encrypted with cell level encryption (CLE) in MSSQL 2005.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'itsaSECRET!!!3£3£3£!!!'
CREATE CERTIFICATE ERCERT WITH SUBJECT = 'A cert for use by procs'

CREATE SYMMETRIC KEY ERKEY 
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE ERCERT

-- This illustrates the point. 
-- The results differ: EncryptByKey uses a fresh random IV on every call,
-- so three encryptions of the same plaintext give three different
-- ciphertexts and the UNIQUE constraint on the ciphertext never fires.
DECLARE @TempTable TABLE
(
    [Email] [varbinary](254) UNIQUE NOT NULL
)

OPEN SYMMETRIC KEY ERKEY DECRYPTION BY CERTIFICATE ERCERT 
    insert into @TempTable(Email) VALUES(EncryptByKey(Key_GUID('ERKEY'), N'duplicate'))
    insert into @TempTable(Email) VALUES(EncryptByKey(Key_GUID('ERKEY'), N'duplicate'))
    insert into @TempTable(Email) VALUES(EncryptByKey(Key_GUID('ERKEY'), N'duplicate'))
CLOSE SYMMETRIC KEY ERKEY   

select * from @TempTable

The output clearly shows why the constraint is 'not' enforced. (Excuse my awesome ascii-art.)

    Email
   -------
1 | 0x00703529AF46D24BA863A3534260374E01000000328909B51BA44A49510F24DF31C46F2E30977626D96617E2BD13D9115EB578852EEBAE326B8F3E2D422230478A29767C
2 | 0x00703529AF46D24BA863A3534260374E01000000773E06E1B53F2C57F97C54370FECBB45BC8A154FEA5CEEB9B6BB1133305282328AAFAD65B9BDC595F0006474190F6482
3 | 0x00703529AF46D24BA863A3534260374E01000000C9EDB1C83B52E60598038D832D34D75867AB0ABB23F9044B7EBC76832F22C432A867078D10974DC3717D6086D3031BDB

But how do I get around this?

Normally you would use "deterministic encryption", for example AES in ECB mode or AES-SIV. But since you are working within the limits of SQL Server's encryption, you will have to look for another approach. Here is an old post that discusses the problem: http://blogs.msdn.com/b/raulga/archive/2006/03/11/549754.aspx. Here is a newer post that mentions that SQL Server 2016 will support deterministic encryption: http://www.brentozar.com/archive/2015/05/sql-server-2016-security-roadmap-session-notes-msignite/, which is exactly what you are looking for.
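The usual workaround on SQL Server versions without deterministic encryption is a "blind index": keep the randomized EncryptByKey ciphertext for confidentiality, and add a second column holding a keyed hash of the normalised plaintext, which is what the UNIQUE constraint (and any equality lookup) is applied to. The script below is an added example, not code from the question or the answer. It assumes the master key, certificate ERCERT and symmetric key ERKEY from the question already exist; the table dbo.Users, the procedure dbo.AddUser and the pepper value are hypothetical names and values chosen for the illustration.

```sql
-- Added example (not from the original post). Assumes ERCERT and ERKEY from
-- the question exist. dbo.Users, dbo.AddUser and the pepper are hypothetical.

CREATE TABLE dbo.Users
(
    UserId     INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    -- EncryptByKey output: random IV per call, so equal plaintexts never give
    -- equal ciphertext and a UNIQUE constraint on this column cannot work.
    Email      VARBINARY(254) NOT NULL,
    -- Keyed hash ("blind index") of the normalised plaintext. Equal addresses
    -- always hash to the same value, so uniqueness can be enforced here.
    EmailIndex BINARY(20)     NOT NULL,
    CONSTRAINT UQ_Users_EmailIndex UNIQUE (EmailIndex)
);
GO

-- Computes the blind index. SHA1 is the strongest algorithm HASHBYTES offers on
-- SQL Server 2005; on 2012 or later use 'SHA2_256' and widen EmailIndex to
-- BINARY(32). The pepper below is a placeholder: in production fetch it from a
-- protected location (e.g. a row encrypted under ERKEY) instead of embedding it,
-- otherwise anyone who can read the definition can enumerate e-mail addresses.
CREATE FUNCTION dbo.EmailBlindIndex (@Email NVARCHAR(254))
RETURNS BINARY(20)
AS
BEGIN
    DECLARE @Pepper VARBINARY(32);
    SET @Pepper = 0x0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20; -- placeholder

    -- Normalise so case and surrounding whitespace cannot smuggle a duplicate in.
    DECLARE @Normalised NVARCHAR(254);
    SET @Normalised = LOWER(LTRIM(RTRIM(@Email)));

    RETURN HASHBYTES('SHA1', @Pepper + CAST(@Normalised AS VARBINARY(508)));
END
GO

CREATE PROCEDURE dbo.AddUser
    @Email NVARCHAR(254)
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY ERKEY DECRYPTION BY CERTIFICATE ERCERT;
    INSERT INTO dbo.Users (Email, EmailIndex)
    VALUES (EncryptByKey(Key_GUID('ERKEY'), @Email), dbo.EmailBlindIndex(@Email));
    CLOSE SYMMETRIC KEY ERKEY;
END
GO

-- First call succeeds; the second is rejected with error 2627 (violation of
-- UNIQUE constraint UQ_Users_EmailIndex), which the question's @TempTable
-- could never produce because the ciphertexts always differ.
EXEC dbo.AddUser N'duplicate';
EXEC dbo.AddUser N'  DUPLICATE ';
GO

-- Equality lookup goes through the index column, so only matching rows are
-- ever decrypted; the ciphertext column itself is never compared.
OPEN SYMMETRIC KEY ERKEY DECRYPTION BY CERTIFICATE ERCERT;
SELECT UserId, CONVERT(NVARCHAR(254), DecryptByKey(Email)) AS Email
FROM dbo.Users
WHERE EmailIndex = dbo.EmailBlindIndex(N'duplicate');
CLOSE SYMMETRIC KEY ERKEY;
GO
```

Two caveats a practitioner should weigh. First, the index column reveals which rows hold the same address, exactly as deterministic encryption (ECB, AES-SIV or Always Encrypted's deterministic mode) would; it supports equality only, never LIKE or range queries. Second, SQL Server 2005 has no HMAC, so the pepper prefix is what stands between the index and a plain dictionary of hashed e-mail addresses; if the pepper leaks, the index degrades to an unsalted hash of low-entropy values, so store it with at least the protection given to ERKEY.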