Query Column With Always Encryption

While recently implementing SQL Always Encrypted feature I encountered a problem.
The column that has been encrypted cannot be used with certain operators(RIGHT/LEFT/LIKE and etc).

What I did for this is created a SQL/CLR method and passed ID as parameter, this method then queries the table again and decrypts the value if there is valid certificate on the server where this method is being executed.

[SqlFunction(SystemDataAccess = SystemDataAccessKind.Read, DataAccess = DataAccessKind.Read)]
    public static string GetDecryptedValueByID(int? id)
    {
       if (id == null) return null;
       using (SqlConnection conn = new SqlConnection("context connection=true"))
        {

            conn.Open();
            SqlCommand cmd = new SqlCommand("SELECT Column from Table where ID =" + id.ToString() ", conn);
            SqlDataReader reader = cmd.ExecuteReader();
            while (reader.Read())
            {
                return reader["Column "].ToString();
            }
           
        }
        return null;

    }
Drawback:-
1) Certificate has to be provided on server which means someone with access to server will be able to see the data by this method exposing decrypted value.
2)It can be slow if not used properly because every time you need value table will be queried again.

Advantage:-
If you are implementing SQL encryption in an existing application, this allows you to adopt incremental delivery where you encrypt everything first use this method with bit of performance overhead and then correct your reports slowly to eliminate need of certificate on server and then this method becomes obsolete.

Comments

Post a Comment

Popular posts from this blog

RabbitMQ setup and cluster configuration on a windows network

Image
  Queuing has been integral part of application architecture for quite sometime and therefore there are number of frameworks available to let you manage Queue/Bus. Queue as you may know is used when you have one node to process your message and Bus (Service Bus/Topic) is used when there is more than one node that needs to process the message. RabbitMQ is one of available framework along with MSMQ, Kafka, Azure Service Bus and etc. RabbitMQ is one of the most popular framework as it can be used to create highly available and fault tolerant cluster of nodes that hold the queue's and message's for processing. In the writeup we will try to install RabbitMQ cluster on couple of windows machines which can be easily translated to containerised application using docker. 1) To install docker visit RabbitMQ official  and download required file, once downloaded execute the exe and follow the wizard. You may be asked to install Erlang in the process as that is one of the primary requireme...
Read more

Introduction to Blazor

Image
WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. Blazor is new addition to .Net arsenal which is based on WebAssembly and using that enables developers to create web apps using C# and HTML, hence removing dependency on JavaScript framework like Angular/React and etc. If we are to compare blazor with ASP.NET MVC above would be content in .cshtml file which in this case becomes .razor file, code for MVC controller is also embedded in .blazor page for blazor applications. There are 2 main flavors of Blazor:- 1) Blazor web application. In this case application is hosted in IIS and only html travels to the client application for every action on the page client communicates back to the server with information of action on client side. Server version will then send back response back to the client which ...
Read more

Component analysis for application security

Image
If you are into writing software you probably follow security practices to keep your application secure. Since most of the platforms are now open source we consume a lot of open source components in our projects. It happened sometime back when a vulnerability was found in one of the popular components(log4j) and companies were clueless about the existence of any such issue as a result many kept running their software on the vulnerable version of log4j. You may not have been impacted or attacked for that matter but never know when it's your turn, is best to have protection against scenarios where components/license used in thrid party component becomes vulnerable/outdated. I recently stumbled upon  Dependency-Track  , it works in two parts:- Identify the list of components in your project, which is also called the SBOM (Software bill of material). CycloneDX can be installed with just a few commands to generate SBOM. Upload BOM to Dependency-Track using UI/API which then scans i...
Read more

Gitflow using source tree

Image
In early 2010, Vincent Driessen wrote an article called   “A successful Git branching model”  which recommended an approach called  git-flow  to use git branches in your development cycle. The idea was to standardise branching and merging when developing features, handling releases and managing hot fixes, in order to be consistent and gain the advantages of git’s ‘branchy’ development model. Using many separate branches in Git gives you lots of flexibility, but it can get complex. Adopting a standardised approach has many advantages: ·         Keep your repository tidier ·         Keep your procedures clearer ·         Move between projects more easily with familiar branch structures ·         Get new developers up to speed more quickly SourceTree   now integrates with git-flow and presents it to you ...
Read more

Azure

Image
What is Azure Cloud:- Microsoft has been building highly scalable applications in datacenters around the world—applications that have global reach and high availability, and offer great functionality to users. Azure allows you to take advantage of the same infrastructure to deploy your own applications, with the corresponding capabilities to reduce your maintenance requirements, maximize performance and minimize costs. Though we know that cloud adds lot of value but that only happens when it is done right and hence we need have thought of  below before taking a call:- 1. Always plan for the long-term . It’s easy to be tempted by solutions that promise immediate benefit and what looks like the quickest route to the cloud.  While the PaaS (platform as a service) approach may appear more complex, the long-term benefits such as built-in elasticity, service healing, patch management, and so forth, make it a worthwhile investment that will pay dividends both on the technology...
Read more

.NET MAUI and Blazor to create windows/web and mobile application (.NET 6.0)

Image
If you are a .NET developer you would know the following frameworks are generally used for development:- I can tell you from my personal experience that this is not an easy stack to master and something that I have struggled with time. While you can solve problems with the tech stack of windows and the web by using ElectronNET with ASP.NET Core or Blazor, the problem still persists for mobile applications. Now, what if told you that you can do all of the above by just using 1 framework along with Blazor, exciting isn't it. .NET MAUI does just that and saves you from a lot of trouble learning and managing various frameworks. What is .NET MAUI:- .NET Multi-platform App UI (.NET MAUI) is a cross-platform framework for creating native mobile and desktop apps with C# and XAML or Blazor. So if you know Blazor you can write a web app and SPA but when combined with .NET MAUI you can use your skillset to create and deploy the application on web/mobile/desktop. Framework stack now would look...
Read more

Estimation techniques

Image
Estimating how long it would take to get the job done is not easy, even travelling from point A to point B takes a lot of assumption and risks into consideration. Whether it is ballpark estimation or otherwise you need to use some formal technique, different projects need different kind of estimation and we are going to look into few of them. Lets do ballpark estimation for a website with static pages but requires login. WBS(Work breakdown structure):- In this approach work is broken down to lowest level possible. What remains at the bottom nodes is lost of task which when combined achieves the final goal. In above we have broken down end result into tasks and estimated tasks at various levels, with above in place we now know how many man days are required from various people and plan accordingly. Having an estimate ready helps in better resource and release planning. Its not always possible is recommended to do collaborative estimation(from different teams involve...
Read more

WCAG Accessibility

When designing a website or web application we consider other aspects of UI/UX whereas we always forget to consider people with disability. Lets have a look at statistics of users with disability in USA. 19.9 million (8.2%) have difficulty lifting or grasping. This could, for example impact their use of a mouse or keyboard. 15.2 million (6.3%) have a cognitive, mental, or emotional impairment. 8.1 million (3.3%) have a vision impairment. These people might rely on a screen magnifier or a screen reader, or might have a form of color blindness. 7.6 million (3.1%) have a hearing impairment.  They might rely on transcripts and / or captions for audio and video media. If we look at above number large user base is having some sort of disability hence if application is designed with accessibility in mind it can bring in more user which would translate to success of the product/website. Also it is being made mandatory  by law for software applications to be designed as per accessibili...
Read more

Analyse log using plug and play FileBeat

Image
ELK-B stack is one of the powerful frameworks for log analysis which helps to draw important business decisions and helps evolve ALM. There are few ways to inject data in Elasticsearch for analysis  Writing data using REST API    Using available frameworks(Serilog, NLog, etc) that have an abstraction layer and does all the REST calls behind the scene for you. While changing code is the most popular method but it may not be always possible/viable, also sometimes you do not have access to the environment and all you have is the log files in one format or another.  Filebeat is another powerful plugin in the ELK-B stack that can help you analyze logs without changing code, all you need to do is download FileBeat  and unzip the file. Once you have extracted the content open filebeat.yml and under  filebeat.inputs: of filebeat.yml   locate  paths:          paths maintains list of folders or docker path that will contain lo...
Read more

Block Chain

Image
Hashing is key to BlockChain as it generates a unique number for the content in question. One you have know hash of any text/file you can verify whether content has changed or not, because slightest of change will change the hash and hash generated for verification will not match with hash of original content.   After stipulated time all the transaction recorded will be converted into a block which will contain transaction and hash of the transaction . Hence if someone tries to change any transaction hashkey will not match. First created block is called Genesis block which will not have address to previous block, anyblock created after first block will point to block after/before block and all blocks backward lead to genesis block.  Centralised ledger is notion for centralised database/controlling authority, in this practice if controlling authority goes out of business everyone suffers, also issuing authority can do frauds as no one verifies what they are...
Read more