17.07.2015 Views

Download eBook (PDF) - Red Gate Software


CHAPTER 7: ONE-WAY ENCRYPTION

As a child, I often played the game of "guess what number I am thinking" with my friends. In this game, I would think of a number and only disclose the range of numbers in which the number resides. My friends would fire off a series of guesses until the secret number was guessed.

At a basic level one-way encryption is very similar. A secret value is encrypted and stored in a data table. However, unlike cell-level encryption, a key is not generated and so the cipher text that is created and stored remains in that protected state. Decryption does not occur with one-way encryption; thus the name of this method. Instead, you must hash the unencrypted value for which you are seeking and then compare it to the cipher text that is stored in the table.

A common use of one-way encryption is to protect passwords, messages, and it is sometimes used in digital signatures. However, it also can be used to protect sensitive data, such as credit card numbers, within the database. Some might argue that the suggestion to use one-way encryption to protect credit card details is near heresy, due to the vulnerabilities of one-way encryption to various forms of attack, such as dictionary or rainbow table attacks, and the potential for hash collisions.

In this chapter, we will explore these vulnerabilities in more detail and discuss how "salting" plain text will increase the complexity of the rendered hash value, and reduce the vulnerability to such attacks, along with the likelihood of hash collisions. We'll also investigate how use of other obfuscation methods, specifically truncation, can provide a solution to a real-world challenge that all encryption methods face.

In my opinion, one-way encryption is not the paper tiger that some make it out to be. Where there are weaknesses there are also ways to mitigate and strengthen, and one-way encryption should not be overlooked as a very valuable weapon in the battle to protect sensitive data.
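The hash-and-compare lookup and the effect of salting described above, as an added example that is not code from the book. It assumes Python with an in-memory SQLite table, SHA-256 for the unsalted hash, HMAC-SHA256 with a secret salt for the salted one, and constructed test card numbers; all table, column and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample values: well-known test card numbers, not real accounts.
CARDS = {"alice": "4111111111111111", "bob": "5500005555555559"}
# Assumption: the salt is secret and kept outside the table it protects.
SALT = secrets.token_bytes(32)

def plain_hash(value):
    """Unsalted SHA-256: the same input always gives the same digest."""
    return hashlib.sha256(value.encode()).hexdigest()

def salted_hash(value, salt):
    """Salted one-way hash; HMAC-SHA256 is this example's choice of construction."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

def build_table(salt):
    """Store only hashes of each card number, never the number itself.
    h_plain is the weak setting, kept beside h_salted for comparison."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (owner TEXT, h_plain TEXT, h_salted TEXT)")
    for owner, number in CARDS.items():
        db.execute("INSERT INTO cards VALUES (?, ?, ?)",
                   (owner, plain_hash(number), salted_hash(number, salt)))
    return db

def find_owner(db, candidate, salt):
    """No decryption: hash the value being sought, compare with stored text."""
    row = db.execute("SELECT owner FROM cards WHERE h_salted = ?",
                     (salted_hash(candidate, salt),)).fetchone()
    return row[0] if row else None

def precomputed_hits(db, guesses):
    """Rows matched by a precomputed table of unsalted hashes: (plain, salted)."""
    table = {plain_hash(g) for g in guesses}
    rows = db.execute("SELECT h_plain, h_salted FROM cards").fetchall()
    return (sum(p in table for p, _ in rows), sum(s in table for _, s in rows))

if __name__ == "__main__":
    db = build_table(SALT)
    print(find_owner(db, "4111111111111111", SALT))
    print(precomputed_hits(db, CARDS.values()))
```

The precomputed table matches every row in the unsalted column and none in the salted column, which is the reduction in dictionary and rainbow table exposure the chapter attributes to salting.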
