Adam Shostack wrote:

> No.  If I get your database with SQL injection, all conditions are
> met, and I have your plaintext.  But, the data is in an encrypted
> form, and you're saved.

I'm not familiar with SQL injection vulnerabilities. Perhaps the issue is misrepresentation by the SQL provider that the database is encrypted using proper algorithms and key management. I guess that if a database access application using SQL injections has cleartext access to the data, this data is either not appropriately encrypted or the control of the encryption key escaped the legitimate user when the SQL injections were leaked to the adversary.

One issue with rulemaking/lawmaking is that consequences of a rule are sometimes unexpected because words (e.g. "properly encrypted") are sometimes corrupted by diverted usage e.g. public relations aspects of e-commerce security. So, even if your statement was technically wrong, if *you* are convinced that a database vulnerable to SQL injection tampering threat is nonetheless "encrypted", then a judge might be so convinced. Consequently, the lawmaking exercise must be more specific than above, e.g. using reference to by-laws which define acceptable encryption technology and key management techniques ... which is no longer a simple solution.

Thanks for highlighting the limits of the original post, either on a technical basis or on issues of lawmaking strategy.

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

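The point argued back and forth above (an injectable query hands the attacker plaintext whenever the application itself holds the decryption key, whereas data whose key stays under the legitimate user's control comes back as ciphertext) can be made concrete. The following is an added illustration written for this thread, not code from either correspondent. It builds an in-memory SQLite table holding two copies of each note: one encrypted under a key the application keeps for every row, one under a key derived from the owner's own password. The users, passwords, notes, schema and the stdlib HMAC-in-counter-mode cipher (a stand-in for a real AEAD such as AES-GCM) are all constructed for the example.

```python
"""Constructed example: does 'encrypted at rest' survive SQL injection?

Two copies of each note are stored: one encrypted under a key the
application holds for everyone, one encrypted under a key derived from
the row owner's own password.  Schema, users and notes are hypothetical.
"""
import hashlib
import hmac
import os
import sqlite3

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Per-user key; only someone who knows the password can rebuild it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a proper
    # AEAD such as AES-GCM.  Use a real library in production code.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered row raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed users, passwords and note bodies.
USERS = {"alice": "correct horse", "bob": "battery staple"}
NOTES = {"alice": "alice's note", "bob": "bob's note"}


def build_db():
    """In-memory SQLite table carrying both encryption designs side by side."""
    server_key = os.urandom(32)  # key the application holds for every row
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, salt BLOB, body_srv BLOB, body_usr BLOB)")
    for owner, body in NOTES.items():
        salt = os.urandom(16)
        user_key = derive_key(USERS[owner], salt)
        conn.execute(
            "INSERT INTO notes VALUES (?, ?, ?, ?)",
            (owner, salt, encrypt(server_key, body.encode()), encrypt(user_key, body.encode())),
        )
    conn.commit()
    return conn, server_key


def fetch_notes(conn, server_key, owner, password, safe):
    """Return (owner, server-keyed plaintext, user-keyed plaintext or None) per row.

    safe=False builds the WHERE clause by string concatenation (the
    injectable pattern); safe=True binds the value as a query parameter.
    """
    if safe:
        cur = conn.execute(
            "SELECT owner, salt, body_srv, body_usr FROM notes WHERE owner = ? ORDER BY owner",
            (owner,),
        )
    else:
        cur = conn.execute(
            f"SELECT owner, salt, body_srv, body_usr FROM notes WHERE owner = '{owner}' ORDER BY owner"
        )
    results = []
    for row_owner, salt, body_srv, body_usr in cur:
        # The application decrypts with the key it holds, so every row the
        # query was tricked into selecting comes back as plaintext.
        srv_plain = decrypt(server_key, body_srv).decode()
        # Only the caller's own password derives the right key; other owners'
        # rows fail the tag check and stay opaque ciphertext.
        try:
            usr_plain = decrypt(derive_key(password, salt), body_usr).decode()
        except ValueError:
            usr_plain = None
        results.append((row_owner, srv_plain, usr_plain))
    return results


if __name__ == "__main__":
    conn, server_key = build_db()
    payload = "bob' OR '1'='1"  # the textbook injected value in place of a username
    print("unsafe query:", fetch_notes(conn, server_key, payload, "battery staple", safe=False))
    print("safe query:  ", fetch_notes(conn, server_key, payload, "battery staple", safe=True))
```

Run against the concatenated query, Bob's request selects both rows: the server-keyed column yields Alice's note in clear, while the user-keyed column yields it only as an undecryptable blob. The parameterized query returns nothing for the same input, which is the fix for the injection itself; the per-user key is what keeps the "encrypted" claim meaningful if the application is breached anyway.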

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]