I have a table containing some encrypted data:
select * from Test1;
produces a couple of rows of junk data I created... both rows have a name and a ciphertext, created by the following command, issued twice with slight variations:
insert into Test1 values
('travis', ENCRYPTBYKEY(key_guid('aes128'), convert(varchar, 1234567)));
The key was created on an EKM device and is aliased in SQL as follows:
create symmetric key aes128 from provider EKMProvider with provider_key_name = 'aes128', creation_disposition = open_existing;
I have two users: one (administrator) that I want to have free access by granting full SQL Server permissions, and another (restrictedsql) that I want to deny access to this encryption key.
Now, if I try to use this key as restrictedsql, I can DECRYPT but I cannot ENCRYPT:
select ENCRYPTBYKEY(key_guid('aes128'), 'Hello World');
yields NULL. However,
select name, CONVERT(varchar, DECRYPTBYKEY(number)) from Test1;
yields all of the plaintext data. I think the reason the encrypt function does not work while decrypt does is related to the ddladmin permission having been granted, which is odd but somewhat beside the point: the result I want is that this user should have no access to this key, and any attempt to decrypt or encrypt should fail. The user should retain access to the columns and the ciphertext, just not be able to view the plaintext or insert properly encrypted data.
I issued the following commands:
DENY View Definition ON SYMMETRIC KEY::aes128 TO restrictedsql;
DENY Control ON SYMMETRIC KEY::aes128 TO restrictedsql;
They succeeded but produced no different result.
Note that the key is EKM-provided, so it cannot be protected by wrapping the key in a certificate/key with UAC. I need UAC directly on the symmetric key alias.
Update: I have two scripts that demonstrate the difference in behavior of permission statements between a native SQL Server AES key and an EKM-provided SQL Server AES key. Note that this assumes the EKM provider has already been created and that a key has been created on the EKM provider.
The first script is executed by the administrator, the full-access user:
create table Test2 (
name varchar(25),
ekm128_enc varbinary(256),
local128_enc varbinary(256)
);
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'sql$server123';
CREATE CERTIFICATE localcert
WITH SUBJECT = 'TestSqlServer';
CREATE SYMMETRIC KEY local128
WITH ALGORITHM = AES_128
ENCRYPTION BY CERTIFICATE localcert;
CREATE SYMMETRIC KEY ekm128
FROM PROVIDER EKMProvider
WITH provider_key_name = 'ekm128',
creation_disposition = open_existing;
OPEN SYMMETRIC KEY local128 DECRYPTION BY CERTIFICATE localcert;
insert into Test2 values ('travisthomas', ENCRYPTBYKEY(key_guid('ekm128'), 'travisthomas_ekm'), ENCRYPTBYKEY(key_guid('local128'), 'travisthomas_local'));
select name, ekm128_enc, convert(varchar, DECRYPTBYKEY(ekm128_enc)) as ekm128_dec, local128_enc, CONVERT(varchar, DECRYPTBYKEY(local128_enc)) as local128_dec from Test2;
/* execute through this point... the select statement should work flawlessly... the ciphertext and the plaintext should all be visible and not-null */
/* execute after this point next to set the permissions on both ekm128 and local128 */
DENY View Definition ON SYMMETRIC KEY::ekm128 TO restrictedsql;
DENY Control ON SYMMETRIC KEY::ekm128 TO restrictedsql;
DENY View Definition ON SYMMETRIC KEY::local128 TO restrictedsql;
DENY Control ON SYMMETRIC KEY::local128 TO restrictedsql;
select name, ekm128_enc, convert(varchar, DECRYPTBYKEY(ekm128_enc)) as ekm128_dec, local128_enc, CONVERT(varchar, DECRYPTBYKEY(local128_enc)) as local128_dec from Test2;
/* This select statement should provide identical output as the select statement above the "DENY"s */
The second script should be executed by the restricted user, in this case restrictedsql.
OPEN SYMMETRIC KEY local128 DECRYPTION BY CERTIFICATE localcert;
/* this statement fails due to lack of permissions */
select name, ENCRYPTBYKEY(key_guid('ekm128'), 'test') as ekm128_encrypt, CONVERT(varchar, decryptbykey(ekm128_enc)) as ekm128_dec, ENCRYPTBYKEY(key_guid('local128'), 'test') as local128_encrypt, CONVERT(varchar, decryptbykey(local128_enc)) as local128_dec from Test2;
/* null for all except EKM decryption! permissions don't apply! */
Answer 0 (score: 0)
The answer I received from Microsoft: this is not possible in this architecture. The key identifier bound into the ciphertext is interpreted by the EKM provider, not by SQL Server. SQL Server does not even know which key is being used. Apply UAC at the EKM provider.
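The following verification script is an added example, not code from the question or from the answer above. It lets the administrator reproduce the second script's result from a single session and confirm that the DENYs from the first script are actually recorded, which separates "the DENY was never applied" from "the DENY is not enforced for EKM decryption". It assumes the objects from the question exist in the current database (table Test2, keys ekm128 and local128, certificate localcert, user restrictedsql) and that the caller holds IMPERSONATE on restrictedsql, which a full-access user does.

```sql
-- Added verification script (not part of the original question or answer).
-- Assumes Test2, ekm128, local128, localcert and restrictedsql from the
-- question already exist in the current database.

-- 1. Confirm the DENYs are recorded against both symmetric keys.
--    class 24 in sys.database_permissions is SYMMETRIC_KEYS.
SELECT k.name AS key_name,
       p.state_desc,
       p.permission_name,
       pr.name AS grantee
FROM sys.database_permissions AS p
JOIN sys.symmetric_keys AS k
  ON p.class = 24 AND p.major_id = k.symmetric_key_id
JOIN sys.database_principals AS pr
  ON p.grantee_principal_id = pr.principal_id
WHERE pr.name = 'restrictedsql'
ORDER BY k.name, p.permission_name;

-- 2. Reproduce the restricted user's view without logging in as that user.
EXECUTE AS USER = 'restrictedsql';

-- Effective permissions on each key as seen by restrictedsql: expect no rows.
SELECT 'ekm128' AS key_name, * FROM fn_my_permissions('ekm128', 'SYMMETRIC KEY')
UNION ALL
SELECT 'local128', * FROM fn_my_permissions('local128', 'SYMMETRIC KEY');

-- Same probe as the question's second script. Per the question's observation,
-- every column is NULL except ekm128_dec, which still yields plaintext.
SELECT name,
       ENCRYPTBYKEY(KEY_GUID('ekm128'), 'test')      AS ekm128_encrypt,
       CONVERT(varchar, DECRYPTBYKEY(ekm128_enc))    AS ekm128_dec,
       ENCRYPTBYKEY(KEY_GUID('local128'), 'test')    AS local128_encrypt,
       CONVERT(varchar, DECRYPTBYKEY(local128_enc))  AS local128_dec
FROM Test2;

REVERT;
```

Step 1 reporting a DENY row for both keys while step 2 still returns plaintext in ekm128_dec is exactly the situation the answer describes: the permission is stored, but SQL Server cannot enforce it for the EKM key because it does not resolve which key the ciphertext references. Once access control has been configured on the EKM provider side, as the answer suggests, rerunning step 2 is the check that shows whether restrictedsql can still obtain plaintext.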