开发者

Hiding Certificate name from developers

I managed to create a certificate. And this is how I, as an sa, using it.


    create certificate CertLogin
--      authorization app_usr
        from file = 'C:\Project\Login.cer'
        with private key 
        (
            file = 'C:\Project\Login.pvk', 
            decryption by password = 'PVK_File_Password'
        )

You notice that I commented out the "authorization app_usr". app_usr is the userid for running the application.

If I uncomment it, app_usr will be able to see the sys.certificates table, and do EncryptByCert() & DecryptByCert() manually by themselves using MSSQL.

I am actually wrapping the EncryptByCert() & DecryptByCert() with encrypted stored procedures, in the hope that I can prevent developers to see the password column value in plain text.

If I comment it, the application will not be able to work with the encrypted password column.

My goal is, developers must not be able to hack the values of the password column in the user table by hiding the certificate name. Can you please help me 开发者_开发知识库to find out how I can accoplish tis please?

Thanks so much.


OK, my workaround is found in this blog, EXECUTE AS someone else – impersonation in stored procedures.

With this, I am able to put EncryptByCert() & DecryptByCert() in wrappers, and avoid the 'app_usr' to be able to see the certificate name in the sys.certificates table. Thus render the developers unable to decrypt the encrypted password column into plain text manually.

Hope my experience can be useful to others too. Thank you for spending time on this.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜