Hi All,
I think I've found a fundamental weakness in the way that the encryption/decryption procedures have been created. Unfortunately I can't make a simple suggestion of how to address the issue.
The following TSQL demonstrates my point:
CREATE PROCEDURE spPM_WaitAWhile (@CanYouReadThis varchar(20))
AS WAITFOR DELAY '00:00:30'
GO
Find your SPID & run the new proc:
SELECT @@SPID
EXEC spPM_WaitAWhile 'This is a secret'
Open another query window and run this (replacing XX with your spid from above):
DBCC INPUTBUFFER(XX)
I believe that this method reduces the effective security of our encryption regime to the strength of the sa / admin users password since the decryption key can actually be viewed while the process is running by any user with sufficient DB privileges. If the period of time where decryption occurs is too small for the above method to be practical, logging could be enabled. Either way the key's there for the taking.
I'm trying to protect data within the database from users on the local network while considering the username / password authentication offered by MS SQL server weak. The only suggestion I can make to try and mitigate the above considerations is that the xp which performs the decryption could source it's key from somewhere other than a parameter (ala ssh-agent / pageant utilities used for key caching for use with ssh clients).
Any thoughts?
-Karl.