SQL Server 2005 Encryption, asp.net and stored procedures -

-

i need write web application using sql server 2005, asp.net, , ado.net. of user data stored in application must encrypted (read hipaa).

in past projects required encryption, encrypted/decrypted in application code. however, encrypting passwords or credit card information, handful of columns in couple tables. application, far more columns in several tables need encrypted, suspect pushing encryption responsibilities data layer better performing, given sql server 2005's native support several encryption types. (i convinced otherwise if has real, empirical evidence.)

i've consulted bol, , i'm adept @ using google. don't want links online articles or msdn documentation (its i've read it).

one approach i've wrapped head around far use symmetric key opened using certificate.

so 1 time setup steps (performed dba in theory):

  1. create master key
  2. backup master key file, burn cd , store off site.
  3. open master key , create certificate.
  4. backup certificate file, burn cd , store off site.
  5. create symmetric key encryption algorithm of choice using certificate.

then anytime stored procedure (or human user via management studio) needs access encrypted data have first open symmetric key, execute tsql statements or batches, , close symmetric key.

then far asp.net application concerned, , in case application code's data access layer, data encryption entirely transparent.

so questions are:

  1. do want open, execute tsql statements/batches, , close symmetric key within sproc? danger see is, if goes wrong tsql execution, , code sproc execution never reaches statement closes key. assume means key remain open until sql kills spid sproc executed on.

  2. should instead consider making 3 database calls given procedure need execute (only when encryption necessary)? 1 database call open key, second call execute sproc, , third call close key. (each call wrapped in own try catch loop in order maximize odds open key closed.)

  3. any considerations should need use client side transactions (meaning code client, , initiates transaction, executes several sprocs, , commits transaction assuming success)?

1) using try..catch in sql 2005. unfortunately there no finally, you'll have handle both success , error cases individually.

2) not necessary if (1) handles cleanup.

3) there isn't difference between client , server transactions sql server. connection.begintransaction() more or less executes "begin transaction" on server (and system.transactions/transactionscope same, until it's promoted distributed transaction). concerns open/closing key multiple times inside transaction, don't know of issues aware of.


Comments

Post a Comment

Popular posts from this blog

windows - Why does Vista not allow creation of shortcuts to "Programs" on a NonAdmin account? Not supposed to install apps from NonAdmin account? -

-
i'm working on installer (using wise installer, older version 1999). i'm creating shortcut in programs group exe. i'm creating shortcut on desktop. if install run admin account, create shortcut on common desktop , common program group (i.e., read hkey_local_machine\explorer\shellfor users). if it's installed nonadmin account, install hkey_current_user's desktop , program group. behavior install on: xp nonadmin - desktop , program shortcuts install ok. vista admin - desktop & program shortcuts install ok. vista non-admin, uac off - desktop shortcut installs, program shortcut not . however, program group folder they're supposed installed does created. at end of install, launch program group has shorcut. launches in of above. can manually drag shortcut folder , works fine. i'm bloody baffled. i've tried installing other commercial apps (opera, foxit, firefox) firefox install under nonadmin (and if select other program files,...
Read more

c++ - How do I get a multi line tooltip in MFC -

-
right now, have tool tip pops when hover on edit box. problem tool tip contains multiple error messages , in 1 long line. need have each error message on own line. error messages contained in cstring new line seperating them. my existing code below. bool ontooltiptext(uint, nmhdr* pnmhdr, lresult* presult) { assert(pnmhdr->code == ttn_needtexta || pnmhdr->code == ttn_needtextw); // need handle both ansi , unicode versions of message tooltiptexta* pttta = (tooltiptexta*)pnmhdr; tooltiptextw* ptttw = (tooltiptextw*)pnmhdr; // tchar szfulltext[256]; cstring strtiptext=_t(""); uint nid = pnmhdr->idfrom; if (pnmhdr->code == ttn_needtexta && (pttta->uflags & ttf_idishwnd) || pnmhdr->code == ttn_needtextw && (ptttw->uflags & ttf_idishwnd)) { // idfrom hwnd of tool nid = ::getdlgctrlid((hwnd)nid); } //m_errprojaccel[ch] contains 1 or more error messages each...
Read more

unit testing - How to mock PreferenceManager in Android? -

-
i've written class using context , third party library , sharedpreferences preferencemanager . it's possible mock context , third party library can mocked using mocking framework, preferencemanager ? i have 2 methods: public void savestring(thirdpartyobject obj) { sharedpreferences apppreferences = preferencemanager.getdefaultsharedpreferences(mcontext); sharedpreferences.editor editor = apppreferences.edit(); editor.putstring(mcontext.getstring( r.string.preferences_string_name), obj.getstring()); editor.commit(); } and corresponding, loads preferences. it doesn't want mock instance of preferencemanager (which used in preferencefragment or preferenceactivity ). you want either: a mock sharedpreferences , in case can mock context#getsharedpreferences (which called preferencemanager#getdefaultsharedpreferences anyhow). you'll have make mock sharedpreferences.editor if preferences edited, above. know how moc...
Read more