Authenticators

New: 14 April 2006

An authenticator helps you deter whole-value substitution of encrypted fields. For example, consider the following table of payroll data.

Employee_ID Standard_Title Base_Pay

345

Copy Room Assistant

Fskj%7^edhn00

697

Chief Financial Officer

M0x8900f56543

694

Data Entry Supervisor

Cvc97824%^34f

Without breaking the encryption, a hacker can infer significant information from the context in which the ciphertext is stored. Because a Chief Financial Officer is paid more than a Copy Room Assistant, it follows that the value encrypted as M0x8900f56543 must be greater than the value encrypted as Fskj%7^edhn00. If so, any user with ALTER permission on the table can give the Copy Room Assistant a raise by replacing the data in his Base_Pay field with a copy of the data stored in the Base_Pay field of the Chief Financial Officer. This whole-value substitution attack bypasses encryption altogether. Whole-value substitution attacks can be thwarted by adding contextual information to the plaintext before encrypting it. This contextual information is used to verify that the plaintext data has not been moved.

If an authenticator parameter is specified when data is encrypted, the same authenticator is required to decrypt the data. At encryption time, a hash of the authenticator is encrypted together with the plaintext. At decryption time, the same authenticator must be passed to the decryption function. If the two do not match, the decryption will fail, indicating that the value has been moved since it was encrypted. We recommend using the primary key of the table in which the result will be stored as an authenticator.

See Also

Concepts

Choosing an Encryption Algorithm

Other Resources

EncryptByKey (Transact-SQL)
DecryptByKey (Transact-SQL)
Encryption Hierarchy
Encryption How-to Topics

Help and Information

Getting SQL Server 2005 Assistance