SQL Server Forum / General / Security / August 2006


EncryptByCert Problem

Mike C# - 24 Aug 2006 06:01 GMT
I posted this message to the wrong group (sqlserver.programming), so I'm
reposting here.  Sorry for the repost... it's late... so here goes:

OK, so I'm testing EncryptByCert with some code like the following:

DECLARE @v varchar(8000);
SELECT @v = REPLICATE('A', 117);   -- 117 bytes of plaintext
SELECT @v;
DECLARE @e varbinary(8000);
SELECT @e = EncryptByCert(Cert_ID(N'TestCertificate'), @v);   -- encrypt with the certificate's public key
SELECT @e;                         -- ciphertext, or NULL if the call fails

The function encrypts fine and I'm able to use DecryptByCert to get the
result.  Problem is if I change the line SELECT @v = REPLICATE('A', 117) to:

SELECT @v = REPLICATE('A', 118);

The EncryptByCert function returns NULL every time with 118 or higher.  BOL
states that the result is returned as a varbinary with a max length of
8,000.  I keep getting a varbinary with a max length of 128.  Can anyone
else reproduce this, or am I doing something wrong?

Thanks
Laurentiu Cristofor [MSFT] - 24 Aug 2006 18:52 GMT
Yes, this is a restriction of asymmetric key encryption - the actual data
that you can encrypt with one call will depend on the size of the private
key that is used.

For example: 512 bit RSA key can encrypt up to 53 bytes, 1024 bit up to 117
bytes, and 2048 bit up to 245 bytes.

See http://blogs.msdn.com/yukondoit/archive/2005/11/24/496521.aspx for a
workaround, if you really want to encrypt more.

Certificates should only be used to protect other keys, not to encrypt data
directly, so this limit does not impact the intended use of certificates.

Thanks

Signature

Laurentiu Cristofor [MSFT]
Software Design Engineer
SQL Server Engine
http://blogs.msdn.com/lcris/

This posting is provided "AS IS" with no warranties, and confers no rights.

Mike C# - 24 Aug 2006 18:59 GMT
Someone needs to tell the BOL writers to update the page on this then.  It
currently indicates that EncryptByCert can return a varbinary up to 8,000
bytes in length, which is ludicrous if the input is really limited to 421
bytes and the output is limited to 432 bytes.  I'm not advocating using
certificates and asymmetric keys to encrypt all data.  I am advocating
accurate documentation of system limitations.

Laurentiu Cristofor [MSFT] - 24 Aug 2006 21:45 GMT
I'll ask for an update of these BOL topics to mention the restrictions
related to the key lengths. If you access BOL online, you can also rate the
articles and submit feedback directly. Here are the links for the topics we
discussed:

http://msdn2.microsoft.com/en-us/library/ms188061.aspx
http://msdn2.microsoft.com/en-us/library/ms186950.aspx

Thanks
Mike C# - 24 Aug 2006 21:53 GMT
Thanks.  I wanted to get verification and make sure it wasn't a problem with
my installation or how I was using the functions before I claimed errors in
either the application or the documentation.

Laurentiu Cristofor [MSFT] - 24 Aug 2006 21:59 GMT
Also, in the meantime, you may want to use the following reference:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptencrypt.asp


The relevant paragraph extracted from above is:

The Microsoft Enhanced Cryptographic Provider supports direct encryption
with RSA public keys and decryption with RSA private keys. The encryption
uses PKCS #1 padding. On decryption, this padding is verified. The length of
plaintext data that can be encrypted with a call to CryptEncrypt with an RSA
key is the length of the key modulus minus eleven bytes. The eleven bytes is
the chosen minimum for PKCS #1 padding. The ciphertext is returned in
little-endian format.

Thanks

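The two limits quoted in this thread, the per-key-size table in Laurentiu's first reply (53 / 117 / 245 bytes for 512 / 1024 / 2048-bit RSA) and the "modulus length minus eleven bytes" rule from the CryptEncrypt documentation, are the same fact seen from two sides: PKCS#1 v1.5 type-2 padding spends 2 header bytes, at least 8 non-zero padding bytes and a 1-byte separator before the message. The following is an added example, not code from the thread and not SQL Server's implementation: a minimal pure-Python RSA with PKCS#1 v1.5 padding (keys generated inline, Python 3.8+ for the modular inverse) that reproduces the original post's experiment, 117 'A's encrypting fine under a 1024-bit key and 118 failing, and returns None where EncryptByCert returned NULL.

```python
# Added example (not from the thread, not SQL Server code): minimal RSA + PKCS#1 v1.5
# showing why a k-byte modulus carries at most k - 11 plaintext bytes per call.
# Assumptions: textbook RSA with keys generated here; Python 3.8+ for pow(e, -1, phi).
# Illustration only: no blinding, not constant-time, do not use in production.
import random
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    # Top two bits set so p*q has exactly 2*bits bits; low bit set so the candidate is odd.
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c):
            return c


def gen_rsa(bits=1024, e=65537):
    """Return ((n, e), (n, d)) with a modulus of exactly `bits` bits."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def max_plaintext_len(key_bits):
    """PKCS#1 v1.5: 2 header bytes + >= 8 padding bytes + 1 separator = 11 bytes overhead."""
    return key_bits // 8 - 11


def encrypt_pkcs1_v15(pub, msg):
    """EM = 0x00 || 0x02 || PS (non-zero, >= 8 bytes) || 0x00 || M; None if M is too long."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        return None  # the condition the thread sees as NULL from EncryptByCert
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def decrypt_pkcs1_v15(priv, ct):
    """Inverse of encrypt_pkcs1_v15; None on any padding violation."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(ct) != k:
        return None
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator before index 10 means PS had fewer than 8 bytes (or is missing)
        return None
    return em[sep + 1:]


def reproduce_thread(key_bits=1024):
    """Re-run the original post's experiment: 117 'A's encrypt, 118 return None."""
    pub, priv = gen_rsa(key_bits)
    ok_ct = encrypt_pkcs1_v15(pub, b"A" * 117)
    return {
        "limit": max_plaintext_len(key_bits),
        "ct_len_117": len(ok_ct),
        "roundtrip_117": decrypt_pkcs1_v15(priv, ok_ct) == b"A" * 117,
        "ct_118": encrypt_pkcs1_v15(pub, b"A" * 118),
    }


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(f"{bits}-bit RSA: at most {max_plaintext_len(bits)} plaintext bytes per call")
    print(reproduce_thread(1024))
```

Note that the ciphertext is always exactly the modulus length (128 bytes for a 1024-bit key), which is the 128-byte varbinary the original post observed, regardless of how short the plaintext is. The decrypt routine reports a distinguishable failure on bad padding only to make the format check visible; an implementation that leaks that distinction to a caller is a Bleichenbacher-style padding-oracle target, which is one more reason to follow the advice in the thread and use the certificate only to wrap a symmetric key rather than to encrypt data directly.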