Database security (crosspost)


Problem description

Sorry, the prior message was multi-posted.
Here's a cross-posted version. Please disregard the other one.

Is there a way to create an encrypted database file?

What do people do when data security is important at the file level? In
other words, you don't want anyone to be able to take the database file (or
files) and extract data from them.

Ideally, I want a file that is absolutely encrypted on disk and that is
decrypted for data access. The problem, obviously, is that this would be a
very costly (cpu time) approach as you couldn't create a decrypted image on
disk (this would expose the data).

Are all database systems then, non-secure?

Thanks,

-Martin

Recommended answer

Martin (0_******@pacbell.net) writes:
> Is there a way to create an encrypted database file?
>
> What do people do when data security is important at the file level? In
> other words, you don't want anyone to be able to take the database file
> (or files) and extract data from them.
>
> Ideally, I want a file that is absolutely encrypted on disk and that is
> decrypted for data access. The problem, obviously, is that this would
> be a very costly (cpu time) approach as you couldn't create a decrypted
> image on disk (this would expose the data).
>
> Are all database systems then, non-secure?





Everything is relative. For a small database, < 50 MB, it may be possible
to encrypt it entirely and only hold the decrypted version in main
memory. Then again, memory can be dumped.

For a 1 TB database, encryption will have to be selective. Basically,
anything you want to search on, cannot be decrypted unless you are
prepared to take very long response times.

In SQL Server 2005, there are a lot of encryption enhancements, so that
you can encrypt individual columns with asymmetric and symmetric keys.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
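
The column-level encryption and the search cost mentioned in the reply above, as an added T-SQL example that is not part of the original post. The table, certificate and key names, the password placeholder and the sample row are hypothetical; the statements and functions are those introduced in SQL Server 2005.

```sql
-- Added illustration, not from the thread. All object names and sample
-- values are hypothetical. Requires SQL Server 2005 or later.

-- 1. Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
CREATE CERTIFICATE CustomerCert WITH SUBJECT = 'Protects CustomerKey';
CREATE SYMMETRIC KEY CustomerKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;
GO

-- 2. Selective encryption: only the sensitive column holds ciphertext.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY PRIMARY KEY,
    LastName   nvarchar(50)   NOT NULL,  -- plaintext, can be indexed
    CardNumber varbinary(256) NOT NULL   -- output of EncryptByKey
);
CREATE INDEX IX_Customer_LastName ON dbo.Customer (LastName);
GO

-- 3. Write path: the key must be open in the session before encrypting.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;

INSERT INTO dbo.Customer (LastName, CardNumber)
VALUES (N'Example',
        EncryptByKey(Key_GUID('CustomerKey'), N'0000-0000-0000-0000'));

-- 4. Cheap query: filter on the plaintext column (index seek), then
--    decrypt only the rows that matched.
SELECT CustomerId,
       CONVERT(nvarchar(25), DecryptByKey(CardNumber)) AS CardNumber
FROM dbo.Customer
WHERE LastName = N'Example';

-- 5. Expensive query: EncryptByKey uses a random IV, so equal plaintexts
--    produce different ciphertexts and the column cannot be matched or
--    indexed directly. Every row is decrypted and compared (full scan).
SELECT CustomerId
FROM dbo.Customer
WHERE CONVERT(nvarchar(25), DecryptByKey(CardNumber)) = N'0000-0000-0000-0000';

CLOSE SYMMETRIC KEY CustomerKey;
GO
```

Anyone who can read the data files but cannot open the key hierarchy sees only ciphertext in `CardNumber`; `LastName` remains readable in the file.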


> Everything is relative. For a small database, < 50 MB, it may be possible
> to encrypt it entirely and only hold the decrypted version in main
> memory. Then again, memory can be dumped.







I've experimented with a small database flat-file database (non SQL, non
Access) and in-memory tables. The process is horribly onerous. In memory
tables, at least what I've been able to get to using something like VB6, are
not really set up to be full blown databases but rather a place to hold
temporary data it seems. As such, there doesn't seem to be a way to load a
small database (consisting of a number of tables) into memory and have it
act as a database.

What occurred to me is that, perhaps, one can create a RAM-disk on the fly,
tell it to be encrypted and move/copy the DB into it on application start.
Then the OS would take care of the matter? On application termination the
RAM disk would be destroyed.

My application would more than likely be single user. It made me wonder how
high-security DB's are handled. It seems to me that data is, for the most
part, fully exposed.

-Martin


Martin wrote:
> What do people do when data security is important at the file level? In
> other words, you don't want anyone to be able to take the database file (or
> files) and extract data from them.







IMHO, the only way to protect a database in this way is not to give the
database to persons whom you don't want to have it.

For example, you could put the database on a hosted site that your
clients can access using only prescribed methods. Create your own
authenticated SOAP web service on your site to give access only to data
to which the client is authorized. Then you can use technology like
firewalls and HTTPS protocol to protect the database. In other words,
features aside from the RDBMS itself.

Encrypting the database is a kind of barrier to crackers, but unless you
use one-way encryption (which precludes reading the data), you simply
can't protect the data from a brute-force attack if you give the
database to the attacker. If they are motivated enough to get into that
data, they can use unlimited computational resources to crack your
encryption.

Regards,
Bill K.

