Symmetric encryption, asymmetric encryption: a real-life model

An asymmetric key can be used to encrypt a symmetric key.

Certificates

A public key certificate, usually just called a certificate, is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificates are issued and signed by a certification authority (CA). The entity that receives a certificate from a CA is the subject of that certificate. Typically, certificates contain the following information.

  • The public key of the subject.

  • The identifier information of the subject, such as the name and e-mail address.

  • The validity period. This is the length of time that the certificate is considered valid.

    A certificate is valid only for the period of time specified within it; every certificate contains Valid From and Valid To dates. These dates set the boundaries of the validity period. When the validity period for a certificate has passed, a new certificate must be requested by the subject of the now-expired certificate.

  • Issuer identifier information.

  • The digital signature of the issuer.

    This signature attests to the validity of the binding between the public key and the identifier information of the subject. (The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature.)

    A primary benefit of certificates is that they relieve hosts of the need to maintain a set of passwords for individual subjects. Instead, the host merely establishes trust in a certificate issuer, which may then sign an unlimited number of certificates.

    When a host, such as a secure Web server, designates an issuer as a trusted root authority, the host implicitly trusts the policies that the issuer has used to establish the bindings of certificates it issues. In effect, the host trusts that the issuer has verified the identity of the certificate subject. A host designates an issuer as a trusted root authority by putting the self-signed certificate of the issuer, which contains the public key of the issuer, into the trusted root certification authority certificate store of the host computer. Intermediate or subordinate certification authorities are trusted only if they have a valid certification path from a trusted root certification authority.

    The issuer can revoke a certificate before it expires. Revocation cancels the binding of a public key to an identity that is asserted in the certificate. Each issuer maintains a certificate revocation list that can be used by programs when they are checking the validity of any given certificate.

    The self-signed certificates created by SQL Server follow the X.509 standard and support the X.509 v1 fields.

Asymmetric Keys

An asymmetric key is made up of a private key and the corresponding public key. Each key can decrypt data encrypted by the other. Asymmetric encryption and decryption are relatively resource-intensive, but they provide a higher level of security than symmetric encryption. An asymmetric key can be used to encrypt a symmetric key for storage in a database.

Symmetric Keys

A symmetric key is one key that is used for both encryption and decryption. Encryption and decryption by using a symmetric key is fast, and suitable for routine use with sensitive data in the database.

Transparent Data Encryption

Transparent Data Encryption (TDE) is a special case of encryption using a symmetric key. TDE encrypts an entire database using a symmetric key called the database encryption key. The database encryption key is protected by other keys or certificates, which are in turn protected either by the database master key or by an asymmetric key stored in an EKM module. For more information, see Transparent Data Encryption (TDE).
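As an added example (not part of the original page or of Microsoft's documentation), the TDE chain just described in T-SQL: the database master key of master protects a server certificate, the certificate protects the database encryption key, and that key encrypts the database. SalesDb, TdeServerCert, the file paths and the passwords are constructed placeholders.

```sql
USE master;
GO
-- Layer 1: the database master key of master (a symmetric key). It is encrypted
-- by the password given here and, by default, also by the Service Master Key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
-- Layer 2: a server certificate in master whose private key is protected by
-- that database master key (TdeServerCert is a constructed name).
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE protector for SalesDb';
GO
-- Back up the certificate and private key before relying on it: without this
-- pair, a backup of the encrypted database cannot be restored elsewhere.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\KeyBackup\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<backup password placeholder>');
GO
-- Layer 3: the symmetric database encryption key inside the user database,
-- encrypted by the server certificate. Layer 4 is the data itself.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- encryptor_thumbprint should match the thumbprint of TdeServerCert.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state, dek.key_algorithm, dek.key_length,
       dek.percent_complete, c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint;
```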


SQL Server encrypts data with a hierarchical encryption and key management infrastructure. Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys. Asymmetric keys and symmetric keys can be stored outside of SQL Server in an Extensible Key Management (EKM) module.

The following illustration shows that each layer of the encryption hierarchy encrypts the layer beneath it, and displays the most common encryption configurations. The access to the start of the hierarchy is usually protected by a password.


Keep in mind the following concepts:

  • For best performance, encrypt data using symmetric keys instead of certificates or asymmetric keys.

  • Database master keys are protected by the Service Master Key. The Service Master Key is created by SQL Server setup and is encrypted with the Windows Data Protection API (DPAPI).

  • Other encryption hierarchies stacking additional layers are possible.

  • An Extensible Key Management (EKM) module holds symmetric or asymmetric keys outside of SQL Server.

  • Transparent Data Encryption (TDE) must use a symmetric key called the database encryption key which is protected by either a certificate protected by the database master key of the master database, or by an asymmetric key stored in an EKM.

  • The Service Master Key and all Database Master Keys are symmetric keys.

The following illustration shows the same information in an alternative manner.
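As an added example (not from the original page or from Microsoft's documentation), the most common configuration from the list above in T-SQL: the database master key protects a certificate, the certificate protects a symmetric key, and only the symmetric key touches the data, so the slow asymmetric operation runs once per key open rather than once per row. SalesDb, CardCert, CardKey, dbo.Cards, the sample value and the password are constructed placeholders.

```sql
USE SalesDb;
GO
-- Layer 1: database master key (itself a symmetric key), encrypted by this
-- password and, by default, also by the Service Master Key so it can open
-- without the password being supplied by the session.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
-- Layer 2: a self-signed certificate (an asymmetric key pair); its private key
-- is encrypted by the database master key because no password is given.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Wraps the card-number symmetric key';
GO
-- Layer 3: the symmetric key that encrypts data, itself encrypted by the
-- certificate. This is the "asymmetric key encrypts a symmetric key" step.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Cards
(
    CardId        int IDENTITY(1, 1) PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
-- Layer 4: data. OPEN walks the chain: the master key (opened by the Service
-- Master Key) decrypts the certificate's private key, which decrypts CardKey.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Cards (CardNumberEnc)
VALUES (ENCRYPTBYKEY(KEY_GUID('CardKey'), N'4111-1111-1111-1111'));  -- constructed sample
SELECT CardId,
       CONVERT(nvarchar(32), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Cards;
CLOSE SYMMETRIC KEY CardKey;
GO
-- Audit the chain: what protects each key? Expect ENCRYPTION_BY_PASSWORD and
-- ENCRYPTION_BY_SERVICE_MASTER_KEY for the master key, ENCRYPTION_BY_CERTIFICATE
-- for CardKey, and ENCRYPTED_BY_MASTER_KEY for the certificate's private key.
SELECT k.name, ke.crypt_type_desc
FROM sys.symmetric_keys AS k
JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id
UNION ALL
SELECT c.name, c.pvt_key_encryption_type_desc
FROM sys.certificates AS c;
```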

Encryption Hierarchy | Microsoft Docs  https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/encryption-hierarchy

Encryption Hierarchy (Chinese edition)  https://msdn.microsoft.com/zh-cn/library/ms189586.aspx


Original post: https://www.cnblogs.com/rsapaper/p/6719991.html