simple encryption question

Former Member

Can anyone provide me with a better explanation of what simple encryption means in SQL Anywhere? The manual states that simple encryption is equivalent to "obfuscation", which leaves me just as unknowing as before. In practice, how easy would it be to deobfuscate a SQL Anywhere 10 db? If it's easily done, we may need to move our databases to strong encryption.

graeme_perrow
Advisor

I can't give you any details on the algorithm other than to say that there is no external key necessary - everything that is required to decrypt the data is already there in the database, which means that it's not strong encryption. There's no way to quantify how easy it would be to deobfuscate such a database. All we generally say is that a determined hacker that has some knowledge of cryptography could probably break it if they tried. I can't tell you whether this would take them five minutes or six weeks.

If you have any security concerns at all, then you may as well switch to strong encryption. Modern computers have enough RAM and processor power that the overhead of encrypting and decrypting pages is negligible, so the only drawback to using strong encryption is key management.

VolkerBarth
Contributor
0 Likes

"Key management" - that's the point IMHO: Who's gonna enter/supply the DBKEY when the strong encrypted database is started?

Is there a part-time DBA to enter the DBKEY? Or are users to supply both a DBKEY and their credentials? (And how good will a DBKEY be that they are able to enter?)

Or will the DBKEY be supplied by the application (and how is it stored then)?

Some questions whose answers are sometimes hard to decipher, as well:(

graeme_perrow
Advisor
0 Likes

Sorry, I didn't mean to imply that key management is a simple problem. It is certainly non-trivial and there are a number of implications - if you get it wrong, it can be the equivalent of writing your safe combination on a post-it note and sticking it to the safe. I was just trying to say that if you're worried about all your queries being 20% slower because of encryption, that's likely not going to be an issue.

VolkerBarth
Contributor
0 Likes

@Graeme: No need to be sorry, I did not misunderstand you. And I fully agree with your reasoning, both w.r.t. performance and key management.

The one advantage of simple "encryption" is that it's so simple to use:)

Former Member
0 Likes

Thanks for the answer. Basically, I need to know if a Sybase db with simple encryption satisfies the requirements of the Health Insurance Portability and Accountability Act wrt health data protection, in case the db file is stolen or lost. Specifically, there is this document: NIST SP 800-66, An Introductory Resource Guide for Implementing the (HIPAA) Security Rule (http://csrc.nist.gov/publications/nistpubs/).

justin_willey
Participant

I don't think the document you mention specifies particular requirements - it seems to be about how to go about assessing whether a particular process meets the test of having taken necessary precautions - so it's a matter of opinion, which will include an assessment of the level and nature of the threat etc. However, if you look at some of the draft proposals now under consideration, they discuss very high levels of cryptographic security, which (I would have thought) are very unlikely to be met by the simple encryption method.

If I was setting out to apply security to such a project, I would certainly take the strongest approach I reasonably could at this stage, if only to avoid having to change it later.