In Chapter 5, you learned about the SQL Server encryption hierarchy and how data can be encrypted as part of a defense-in-depth strategy. In some situations, however, encrypted cells can become vulnerable to attack. In this chapter, you will learn about whole value substitution attacks and how to prevent them.
During a whole value substitution attack, instead of attempting to decrypt or stealing encrypted value, the attacker replaces the encrypted value with a different encrypted value, which benefits him.
Understanding Whole Value Substitution Attacks
Create the Application.Salary Table
Tip
The algorithm used is not relevant. All algorithms, even the most complex, are susceptible to whole value substitution.
Salary Manipulation Example
In order to understand a whole value substitution attack, imagine that WideWorldImporters had unknowingly employed a dishonest worker. Grant Culberston is an HR administrator and therefore has the SELECT and UPDATE permissions granted against the Application.Salary table. Consider the data in the new Application.Salary table. The plain text salary column has been left in for reference, but in a production scenario, this column would of course be dropped, so that only the encrypted salary value remains.
Viewing the Application.Salary Table
Perform a Whole Value Substitution Attack
Assessing the Impact of the Attack
Credit Card Fraud Example
Whole value substitution attacks can also be carried out by external attackers as well as internal attackers. Imagine that a WideWorldImporters customer, Valter Viiding, has gained access to the WideWorldImporters database by using an SQL injection attack.
With some exploration, Valter has managed to compile the query in Listing 14-5 in an attempt to steal the credit card details of other customers. The unencrypted credit card number has been left in for reference, but it would not exist in a production scenario.
Tip
The script to create the Application.CreditCards table can be found in Chapter 4. The script to add the encrypted card number column can be found in Chapter 5.
Returning Credit Card Details
Credit Card Whole Value Substitution Attack
Assessing the Results of the Attack
The results of this attack are bad enough when you consider the obvious option of Valter now using Agrita’s card details to buy goods on his account. The situation becomes much worse, however, when you consider the bigger picture.
Assuming that the WideWorldImporters web app has the ability to view and edit your own credit card details, Valter now has a mechanism by which he can systematically reveal each customer’s credit card details in turn. These details can then be collated and sold on the dark web.
Protecting Against Whole Value Substitution Attacks
ENCRYPTBYPASSPHRASE() Parameters
Parameter | Description |
---|---|
Passphrase | The passphrase that will be used to encrypt the data |
cleartext | The value to be encrypted |
add_authenticator | Specifies if an authenticator should be used |
authenticator | The value to be used to derive an authenticator |
The key parameters to note are the add_authenticator and the authenticator parameters. These parameters provide you with the option to add contextual information, usually the primary key of the table, to the value being encrypted. This primary key value is encrypted, along with the sensitive value. Therefore, when decrypting the value, the same authenticator value must also be passed, ensuring that the sensitive value has not been moved between rows.
Tip
The authenticator should be both unique and static.
Re-encrypt Credit Card Details Using an Authenticator
DECRYPTBYPASSPHRASE() Parameters
Parameter | Description |
---|---|
Passphrase | The passphrase that will be used to decrypt the data |
cipher text | The value to be decrypted |
add_authenticator | Specifies if an authenticator will be required to decrypt the data |
authenticator | The authenticator data |
The important parameters to note are the add_authenticator and authenticator parameters. If data has been encrypted using an authenticator, then the same authenticator must be passed when decrypting the data.
Now let’s see what happens if we try to repeat the whole value substitution attack against the credit card column by re-running the script in Listing 14-6. The attack will appear to succeed, but let’s now assess the impact of the attack by using the script in Listing 14-9.
Assess Results of Attack With Authenticator
As you can see, even though Valter has replaced his credit card number with Agrita’s, he can no longer decrypt the value, and his credit card number is replaced with a NULL value. This is because the authenticator, which in this instance was the CardID column, did not match.
Tip
Authenticators can also be used when encrypting data with a passphrase using the ENCRYPTBYKEY( ), ENCRYPTBYASYMKEY( ) and ENCRYPTBYCERT( ) functions.
Performance Considerations
Benchmarking Performance
The time statistics for the second benchmark are shown in Figure 14-7.
Caution
The performance difference shown here is meant for illustrative purposes only and should not be considered a representative benchmark against other queries or environments. The performance difference will depend on many factors, including the specification of your server and the amount of concurrent activity.
As you can see, the second benchmark took 33% longer to execute. While we are still talking about ms, if you imagine this percentage being scaled up to a table with millions of rows, or if the action is performed millions of times a day, you can see the impact that may occur. As expected, there is a trade-off between security and performance.
Of course, the performance will depend on many factors, such as the specification of the server that the query is being run on and the amount of concurrent activity on the server.
If you must encrypt data with an authenticator, you should pay specific attention to processor utilization during your capacity planning, as additional CPU time will be required to compare the authenticator.
It is important to also note, however, that the bloat (amount of space used to store the data) will increase, due to the encryption of the authenticator. Therefore, for large datasets, more data pages will need to be read in order to fulfill the query. This will, in turn, put additional pressure on memory, forcing pages out of the buffer cache quicker, meaning that more data will need to be retrieved from disc.
Summary
Whole value substitution attacks can be used by attackers to manipulate data without needing to decrypt it first, by replacing an encrypted value, with a different encrypted value, that they know to be preferential.
Whole value substitution attacks can be deferred by using an authenticator. An authenticator is contextual information from a unique, static key, which ensures that the encrypted value has not been moved at the point when it is decrypted. If it has been, then the decryption will fail, and a NULL value will be returned.
An authenticator will not stop the encrypted data being moved, but it will prevent an attacker from revealing or utilizing that data. This comes at the expense of performance degradation, however.