--==================(I) Service master key (SMK)=====================
-- NOTE(review): one literal password ('P@ssw0rd') is reused for every key, login
-- and backup in this lab script; treat it as a placeholder, not a pattern to copy.
--1.) Back up the service master key to a file
--    The file contains SMK material protected only by this password, so it is as
--    sensitive as the key itself: keep the file and the password apart and restrict
--    who can read either.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\DBFile\SMK.bak'ENCRYPTION BY PASSWORD = 'P@ssw0rd'
--2.) Regenerate the service master key
--    Secrets protected by the SMK are re-encrypted under the new key; take the
--    backup above first so the previous key can still be recovered if this fails.
ALTER SERVICE MASTER KEY REGENERATE;
GO
--3.) Restore the service master key from the backup file
--    The password must be the one given at backup time.
RESTORE SERVICE MASTER KEY FROM FILE = 'C:\DBFile\SMK.bak' DECRYPTION BY PASSWORD = 'P@ssw0rd'
--==================(II) Database master key (DMK)=====================
--1.) Create a database master key for the Northwind database
USE Northwind
-- The DMK is protected by this password; by default SQL Server also protects it
-- with the SMK, which is what lets the server open it automatically (see step 5).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd'
GO
--2.) Check whether the DMK is also encrypted by the server (SMK)
-- NOTE(review): the statement has no FROM clause in this copy; the column
-- is_master_key_encrypted_by_server lives in sys.databases.
SELECT [name], is_master_key_encrypted_by_server
GO
--3.) View the database master key's metadata
USE Northwind
-- The DMK shows up alongside any user symmetric keys in this catalog view.
SELECT * FROM sys.symmetric_keys
GO
--4.) Back up the database master key
USE Northwind
GO
-- NOTE(review): the TO FILE / ENCRYPTION BY PASSWORD clause is missing in this
-- copy; the backup file deserves the same handling as the SMK backup above.
BACKUP MASTER KEY
GO
--5.) Remove the SMK's protection of the DMK
-- Before the change: the DMK is opened automatically by the server, so creating a
-- key whose private key is protected by the DMK needs no OPEN MASTER KEY.
-- NOTE(review): RSA_1024 is below current key-length recommendations; prefer a
-- longer modulus where the engine supports it.
CREATE ASYMMETRIC KEY asy_TestKey1 WITH ALGORITHM = RSA_1024
-- NOTE(review): the clause is missing in this copy; per the step heading this is
-- presumably the statement that drops the SMK encryption of the DMK.
ALTER MASTER KEY
GO
-- Re-check the flag from step 2 (expected to have changed; FROM clause missing here too).
SELECT [name], is_master_key_encrypted_by_server
-- Now the DMK is protected by password only and is not open in this session, so
-- this presumably fails (the original comment text is missing).
CREATE ASYMMETRIC KEY asy_TestKey2 WITH ALGORITHM = RSA_1024
-- Explicitly open the DMK with its password, then list the keys open in this session.
OPEN MASTER KEY DECRYPTION BY PASSWORD = 'P@ssw0rd'
SELECT * FROM sys.openkeys
-- Same statement as above; with the DMK open it is expected to succeed.
CREATE ASYMMETRIC KEY asy_TestKey2 WITH ALGORITHM = RSA_1024
-- NOTE(review): clause missing in this copy; presumably restores SMK protection of the DMK.
ALTER MASTER KEY
--==================(III) Certificates=====================
--1.) Let SQL Server 2005 create a self-signed certificate
USE Northwind
GO
-- NOTE(review): the WITH SUBJECT / ENCRYPTION BY PASSWORD clause is missing in this copy.
CREATE CERTIFICATE cert_TestCert1
GO
SELECT * FROM sys.certificates
--2.) Import a certificate from a file
USE Northwind
GO
-- NOTE(review): the FROM FILE clause is missing in this copy.
CREATE CERTIFICATE cert_TestCert2
GO
SELECT * FROM sys.certificates
--3.) Back up (export) the certificate and its private key
-- NOTE(review): TO FILE / WITH PRIVATE KEY clause missing in this copy. The exported
-- private key is the secret that decrypts everything below; store it offline.
BACKUP CERTIFICATE cert_TestCert1
--4.) Encrypt and decrypt data with the certificate
DECLARE @cleartext varbinary(200)
DECLARE @cipher varbinary(200)
SET @cleartext = CONVERT(varbinary(200), 'Test text string')
-- Encryption uses the certificate's public key.
SET @cipher = EncryptByCert(Cert_ID('cert_TestCert1'), @cleartext)
SELECT @cipher
-- Decryption uses the private key; the third argument is the private-key password,
-- which suggests the certificate was created with ENCRYPTION BY PASSWORD (clause not visible).
SELECT CONVERT(varchar(200), DecryptByCert(Cert_ID('cert_TestCert1'), @cipher, N'P@ssw0rd')) AS [ClearText]
--5.) Remove the certificate's private key
-- NOTE(review): the clause is missing in this copy; per the step heading this is
-- presumably REMOVE PRIVATE KEY.
ALTER CERTIFICATE cert_TestCert1
Go
-- Repeat step 4: encryption still works with the public key, but without the
-- private key decryption is expected to fail (presumably yielding NULL).
DECLARE @cleartext varbinary(200)
DECLARE @cipher varbinary(200)
SET @cleartext = CONVERT(varbinary(200), 'Test text string')
-- NOTE(review): three statements are fused onto one line in this copy (lost line
-- breaks before each SELECT); split them before running.
SET @cipher = EncryptByCert(Cert_ID('cert_TestCert1'), @cleartext)SELECT @cipherSELECT CONVERT(varchar(200), DecryptByCert(Cert_ID('cert_TestCert1'), @cipher, N'P@ssw0rd')) AS [ClearText]
--==================(IV) Asymmetric keys=====================
--1.) Generate an asymmetric key file with sn.exe (written "sn.ext" in the original;
--    presumably the .NET strong-name tool)
-- (command-line step performed outside SQL Server; original text missing)
--2.) Create an asymmetric key from the file
USE Northwind
GO
-- NOTE(review): the FROM FILE clause is missing in this copy.
CREATE ASYMMETRIC KEY asy_Test
GO
SELECT * FROM sys.asymmetric_keys
--==================(I) Preparation=====================
--1.) Create the sample table
USE Northwind
-- NOTE(review): `IF EXIST` is not valid T-SQL; the usual form is
-- `IF OBJECT_ID('dbo.EmpSalary') IS NOT NULL DROP TABLE dbo.EmpSalary;`
IF EXIST dbo.EmpSalary DROP TABLE dbo.EmpSalary;
-- NOTE(review): the column list is missing in this copy; later statements use
-- EmpID, Title and Salary (Salary must be varbinary to hold ciphertext).
CREATE TABLE dbo.EmpSalary(
)
GO
--2.) Create the database master key
-- The DMK protects the symmetric key's key material when no password is used.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd'
GO
--3.) (original text missing)
--4.) Create the symmetric key used for column encryption
-- NOTE(review): the WITH ALGORITHM / ENCRYPTION BY clause is missing in this copy.
-- The later `OPEN ... DECRYPTION BY PASSWORD` suggests ENCRYPTION BY PASSWORD; pick a
-- current algorithm (e.g. AES_256) rather than a legacy one.
CREATE SYMMETRIC KEY sym_Salary
SELECT * FROM sys.symmetric_keys WHERE [name] = 'sym_Salary'
--==================(II) Encrypt column data=====================
--1.) Open the symmetric key
-- NOTE(review): the DECRYPTION BY clause is missing in this copy (compare the OPEN
-- statements further down). A key stays open for the session until CLOSEd.
OPEN SYMMETRIC KEY sym_Salary
SELECT * FROM sys.openkeys
--2.) Insert rows, encrypting the Salary column
-- The salary is passed as a string, so the decrypted value is text, not a number.
-- NOTE(review): INSERT without a column list relies on the table's column order.
INSERT INTO EmpSalary VALUES (1, 'CEO', EncryptByKey(KEY_GUID('sym_Salary'), '20000'))
INSERT INTO EmpSalary VALUES (2, 'Manager', EncryptByKey(KEY_GUID('sym_Salary'), '10000'))
INSERT INTO EmpSalary VALUES (3, 'DB Admin', EncryptByKey(KEY_GUID('sym_Salary'), '5000'))
--3.) Close the open symmetric key
CLOSE SYMMETRIC KEY sym_Salary
SELECT * FROM sys.openkeys
--4.) View what is actually stored (Salary is ciphertext)
SELECT * FROM EmpSalary
--==================(III) Decrypt and read the encrypted column=====================
--1.) Open the symmetric key with its password
OPEN SYMMETRIC KEY sym_Salary DECRYPTION BY PASSWORD = 'P@ssw0rd'
--2.) Decrypt the column with the open key
-- DecryptByKey takes no key name: it locates the key from the ciphertext, which
-- only works while that key is open in this session.
SELECT EmpID, Title, CAST(DecryptBykey(Salary) AS VARCHAR(20)) AS Salary FROM EmpSalary
--3.) Close the symmetric key
CLOSE SYMMETRIC KEY sym_Salary
--==================(III) Bypassing encryption: a ciphertext-substitution attack=====================
--1.) Someone with UPDATE rights copies another row's ciphertext into a row
-- Encryption alone gives confidentiality, not integrity: the ciphertext is not
-- bound to the row, so a copied value decrypts as if it were genuine.
SELECT * FROM EmpSalary
-- NOTE(review): the statement is truncated in this copy (no value, no WHERE);
-- as written it would touch every row if completed without a filter.
UPDATE EmpSalary SET Salary =
--2.) Decrypt after the substitution: the copied value decrypts without any error
-- Mitigation is the authenticator in section IV, together with restricting
-- UPDATE rights on the column and auditing writes to it.
OPEN SYMMETRIC KEY sym_Salary DECRYPTION BY PASSWORD = 'P@ssw0rd'
SELECT EmpID, Title, CAST(DecryptBykey(Salary) AS VARCHAR(20)) AS Salary FROM EmpSalary
CLOSE SYMMETRIC KEY sym_Salary
--==================(IV) Using an authenticator to defeat ciphertext substitution=====================
--1.) Remove the rows added earlier
-- Deliberately unfiltered: the whole demo table is cleared.
DELETE FROM EmpSalary
--2.) Re-insert, encrypting Salary with an authenticator
-- Third argument (1) enables the authenticator; the fourth is the authenticator
-- value, here the row's EmpID as a string. It ties the ciphertext to that row.
-- It need not be secret, but it must be something an attacker cannot freely change.
OPEN SYMMETRIC KEY sym_Salary DECRYPTION BY PASSWORD = 'P@ssw0rd'
INSERT INTO EmpSalary VALUES (1, 'CEO', EncryptByKey(KEY_GUID('sym_Salary'), '20000', 1, '1'))
INSERT INTO EmpSalary VALUES (2, 'Manager', EncryptByKey(KEY_GUID('sym_Salary'), '10000', 1, '2'))
INSERT INTO EmpSalary VALUES (3, 'DB Admin', EncryptByKey(KEY_GUID('sym_Salary'), '5000', 1, '3'))
CLOSE SYMMETRIC KEY sym_Salary
--3.) Decrypt, supplying the same authenticator derived from the row
-- The authenticator is rebuilt from EmpID and must match byte-for-byte what was
-- used at encryption time, hence the CAST to VARCHAR(3).
OPEN SYMMETRIC KEY sym_Salary DECRYPTION BY PASSWORD = 'P@ssw0rd'
SELECT EmpID, Title, CAST(DecryptBykey(Salary, 1, CAST(EmpID AS VARCHAR(3))) AS VARCHAR(20)) AS Salary FROM EmpSalary
CLOSE SYMMETRIC KEY sym_Salary
--4.) Repeat the substitution from the previous section
SELECT * FROM EmpSalary
-- NOTE(review): truncated in this copy, as in the previous section.
UPDATE EmpSalary SET Salary =
--5.) The substituted ciphertext no longer decrypts
-- Its authenticator was built from a different EmpID, so decryption fails for
-- that row (presumably returning NULL) instead of yielding a plausible value.
OPEN SYMMETRIC KEY sym_Salary DECRYPTION BY PASSWORD = 'P@ssw0rd'
SELECT EmpID, Title, CAST(DecryptBykey(Salary, 1, CAST(EmpID AS VARCHAR(3))) AS VARCHAR(20)) AS Salary FROM EmpSalary
CLOSE SYMMETRIC KEY sym_Salary
--==================(I) Setup for module signing=====================
--1.) Create the database master key
USE Northwind
GO
-- Needed so the certificate's private key can be protected by the DMK (the
-- CREATE CERTIFICATE below shows no password clause in this copy).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@ssw0rd'
--2.) Create the certificate that will sign the stored procedure
-- NOTE(review): WITH SUBJECT clause missing in this copy.
CREATE CERTIFICATE cert_Products
--3.) Create the SPDeveloper login and user; this user will own the procedure that reads Products
-- NOTE(review): literal login password in a script; placeholder only.
CREATE LOGIN [SPDeveloper] WITH PASSWORD=N'P@ssw0rd', DEFAULT_DATABASE=[Northwind]
GO
-- NOTE(review): DEFAULT_SCHEMA is [SPDeveloper] but the schema created next is
-- `products`; presumably unintentional, though the demo does not depend on it.
CREATE USER [SPDeveloper] FOR LOGIN SPDeveloper WITH DEFAULT_SCHEMA=[SPDeveloper]
GO
-- Objects created in this schema are owned by SPDeveloper, which is what breaks
-- the ownership chain to dbo.Products later on.
CREATE SCHEMA products AUTHORIZATION SPDeveloper
GO
-- NOTE(review): db_owner is far more than this user needs to create one
-- procedure; the demo would work with CREATE PROCEDURE plus rights on the schema.
EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'SPDeveloper'
--4.) Create the stored procedure products.usp_Products while impersonating SPDeveloper
EXECUTE AS USER = 'SPDeveloper'
GO
-- NOTE(review): the procedure body is missing in this copy; per the step heading
-- it selects from the Products table.
CREATE PROCEDURE products.usp_Products
AS
GO
-- Back to the original security context; SELECT USER confirms it.
REVERT
SELECT USER
--4.) Create an ordinary user, jerry
CREATE LOGIN jerry WITH PASSWORD=N'P@ssw0rd', DEFAULT_DATABASE=[Northwind]
CREATE USER jerry FOR LOGIN jerry
--==================(II) Signing the stored procedure with a certificate=====================
--1.) Grant jerry permission to execute the procedure
GRANT EXECUTE ON products.usp_Products TO jerry
--2.) Executing as jerry fails: the ownership chain is broken
-- The procedure's owner (SPDeveloper, via schema `products`) differs from the
-- owner of Products (presumably dbo), so jerry's own permissions on the table
-- are checked, and he has none.
EXECUTE AS USER = 'jerry'
SELECT USER
GO
EXECUTE products.usp_Products
GO
REVERT
--3.) Create the user ProductsReader from the certificate
-- A certificate-mapped user cannot log in; it exists only to hold the
-- permissions the signed procedure will run with.
CREATE USER ProductsReader FOR CERTIFICATE cert_Products
GO
-- Least privilege: only SELECT on the one table the procedure needs.
GRANT SELECT ON Products TO ProductsReader
--4.) Sign the procedure with the certificate
-- Callers now get ProductsReader's SELECT right inside the procedure, without
-- any table permission being granted to them directly. Altering the procedure
-- invalidates the signature, so re-sign after changes; once signed, the
-- certificate's private key can be taken offline (cf. section III step 5).
ADD SIGNATURE TO products.usp_Products BY CERTIFICATE cert_Products
--4.) Execute again as jerry: now succeeds
-- Jerry still has no SELECT on Products; the access comes from the signature.
EXECUTE AS USER = 'jerry'
-- NOTE(review): statement truncated in this copy (presumably `SELECT USER`, as in step 2).
SELECT
GO
EXECUTE products.usp_Products
课后问题及答案
1.
A.
B.
C.
D.
2.
A.
B.
C.
D.
3.
A.
B.
C.
D.