2016-03-02 167 views
0

我剛剛運行以下測試,我深感困惑:對稱加密密鑰通過行爲

我創建了一個表,如下所示:

CREATE TABLE [dbo].[enxtest](
    [id] [int] NOT NULL, 
    [cleara] [varchar](50) NULL, 
    [encrypta] [varbinary](2000) NULL, 
    [clearb] [varchar](50) NULL, 
CONSTRAINT [PK_enxtest] PRIMARY KEY CLUSTERED 
(
    [id] ASC 
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY] 
) ON [PRIMARY] 

GO 

我用數據填充它像這樣:

id | cleara  | encrypta | clearb 
1 | teststring!1 | NULL  | NULL 
2 | teststring!1 | NULL  | NULL 
3 | teststring!2 | NULL  | NULL 
4 | teststring!2 | NULL  | NULL 

我使用SQL Server對稱密鑰和證書對像這樣(唯一相關的代碼,SPROC內部)並插入加密值成e運行腳本以每次cleara,一個的內容進行加密ncrypta場:

OPEN SYMMETRIC KEY THIS_IS_THE_KEY 
    DECRYPTION BY CERTIFICATE THIS_IS_THE_CERT 
CONVERT(varbinary(2000), EncryptByKey(Key_GUID('THIS_IS_THE_KEY'), cleara), 1) 

然後,我們刪除了數據庫主密鑰,對稱密鑰和證書以及重建他們,給予他們收到了相同的名稱。我運行了一個腳本來解密varbinary,類似於上面的加密代碼,並將其插入到clearb中。

該查詢給我下面的結果:

SELECT id, cleara, clearb 
FROM enxtest; 

id | cleara  | encrypta | clearb 
1 | teststring!1 | NULL  | teststring!1 
2 | teststring!1 | NULL  | teststring!1 
3 | teststring!2 | NULL  | teststring!2 
4 | teststring!2 | NULL  | teststring!2 

問題:

  1. 這怎麼可能?我期待得到clearb == clearb,但是 clearb!= cleara。我希望切換出來的鍵會產生 始終不正確的varchar值。
  2. 有沒有辦法將備份恢復到另一臺服務器,同時保持表中的二進制數據不變,創建新的密鑰可以可靠地解密該數據,使其一致但不正確(與原始的明文值)值?

編輯:這是我們分批運行的完整腳本。

--Batch 1 
declare @e1 varbinary(2000); 
declare @c1 varchar(50); 
select @c1 = cleara from enxtest where id = 1; 
exec dbo.spEncryptString @cleartextString = @c1, @encryptedString = @e1 OUTPUT; 

declare @e2 varbinary(2000); 
declare @c2 varchar(50); 
select @c2 = cleara from enxtest where id = 2; 
exec dbo.spEncryptString @cleartextString = @c2, @encryptedString = @e2 OUTPUT; 

declare @e3 varbinary(2000); 
declare @c3 varchar(50); 
select @c3 = cleara from enxtest where id = 3; 
exec dbo.spEncryptString @cleartextString = @c3, @encryptedString = @e3 OUTPUT; 

declare @e4 varbinary(2000); 
declare @c4 varchar(50); 
select @c4 = cleara from enxtest where id = 4; 
exec dbo.spEncryptString @cleartextString = @c4, @encryptedString = @e4 OUTPUT; 

update enxtest 
set encrypta = @e1 
where id = 1; 

update enxtest 
set encrypta = @e2 
where id = 2; 

update enxtest 
set encrypta = @e3 
where id = 3; 

update enxtest 
set encrypta = @e4 
where id = 4; 


/* 
--Batch 2 
drop symmetric key THIS_IS_THE_KEY; 
drop certificate THIS_IS_THE_CERT; 
drop master key; 

create master key encryption by password = 'somepassword'; 
create certificate THIS_IS_THE_CERT with subject = 'subject' expiry_date = '20161231'; 
create symmetric key THIS_IS_THE_KEY with algorithm = AES_256 
    key_source = 'source' identity_value = 'identity' encryption by certificate THIS_IS_THE_CERT; 
*/ 

--Batch 3 
declare @e1 varbinary(2000); 
declare @c1 varchar(50); 
select @e1 = encrypta from enxtest where id = 1; 
exec dbo.spDecryptString @encryptedString = @e1, @cleartextString = @c1 OUTPUT; 

declare @e2 varbinary(2000); 
declare @c2 varchar(50); 
select @e2 = encrypta from enxtest where id = 2; 
exec dbo.spDecryptString @encryptedString = @e2, @cleartextString = @c2 OUTPUT; 

declare @e3 varbinary(2000); 
declare @c3 varchar(50); 
select @e3 = encrypta from enxtest where id = 3; 
exec dbo.spDecryptString @encryptedString = @e3, @cleartextString = @c3 OUTPUT; 

declare @e4 varbinary(2000); 
declare @c4 varchar(50); 
select @e4 = encrypta from enxtest where id = 4; 
exec dbo.spDecryptString @encryptedString = @e4, @cleartextString = @c4 OUTPUT; 

update enxtest 
set clearb = @c1 
where id = 1; 

update enxtest 
set clearb = @c2 
where id = 2; 

update enxtest 
set clearb = @c3 
where id = 3; 

update enxtest 
set clearb = @c4 
where id = 4; 

--Check 
select * from enxtest; 
+0

這似乎很奇怪。你有一個完整的repro腳本? –

+0

我知道了,我會在早上發佈一個修改。 – saarrrr

+0

@BenThul我已經添加了完整的腳本,我們跑分了分批。 – saarrrr

回答

1

您沒有完全生成repro腳本(例如,我沒有存儲過程的主體),但是我看到了問題。當您使用相同的KEY_SOURCE參數創建對稱密鑰時,基本上就是創建完全相同的密鑰。一旦你知道了,修復很容易 - 每次創建密鑰時爲KEY_SOURCE提供一個不同的值。