Reporting Services 2005 for the DBA – Reporting Services Encryption 1 of 2

 Author:Steve Chowles 

http://sqlblogcasts.com/blogs/stevechowles/archive/2007/08/14/reporting-services-2005-for-the-dba-reporting-services-encryption-1-of-2.aspx

 

If you understand how Reporting Services uses encryption then you will understand how to manage the encryption keys, recover from any encryption failure and more importantly, not to get in an unrecoverable situation. Although Books Online has some information about encryption keys, I feel the information is not laid out in an intuitive way.

如果能够理解报表服务是怎样加密的 , 那么就能够理解维护密钥 , 修复密钥是多么重要 .  而不至于陷入无法修复的情况 . 虽然联机丛书上有关于加密密钥的信息 , 但是我觉得在那些不够清楚 .

 

This is the first of two articles where I will first be explaining encryption and how Reporting Services creates the keys. The second article will explain how to maintain the keys and various recovery scenarios.

  本文是我两篇关于加密和报表服务怎样创建密钥的文章中的第一篇 . 第二篇将讨论怎样保存密钥和各种恢复情况 .

 

Overview of Encryption 

The following paragraphs explain what encryption is in general.

加密概述

如下的部分将从总体上解释什么是加密.

 

What is Encryption?

Encryption is used to turn some human readable piece of data into something which is not human readable to ensure the information is not compromised. We refer to this process by saying we encrypt the data. A good example would be your password. In order to turn a non-human readable piece of data back in to something that is readable, we decrypt the data.

什么是加密?

加密是用于将一些明文转换成密文以保证信息的安全.我们将这个过程叫做加密.密码是一个很好的例子.为了将密文的数据转换成明文数据,这个过程叫解密.

 

The process that encrypts and decrypts the data uses mathematical algorithms. The algorithm will generate a random number which becomes the Key. This key will be used by the algorithm to generate the encrypted data.

  加密和解密数据使用数学算法 . 这个算法将产生一个随机的密钥 . 算法使用这个密钥产生相应的密文 .

 

While I will be explaining encryption I will only be giving you sufficient information to understand the role it plays in Reporting Services. If you would like a better understanding of Cryptography I recommend watching the following webcast at IT’S Showtime

  我仅仅阐述加密以给出足够的信息以了解加密在报表服务中所扮演的角色 . 如果希望获得更多的关于密码学的信息 , 我建议你看看在 IT’S Showtime 的网上广播 .

 

What types of Encryption Algorithms are there?

There are numerous encryption key algorithms used today so rather than explain all the different types, I will explain what Reporting Services uses.

有多少中加密算法?

相比于阐述当今使用的各种不同类型的加密算法,我仅仅解释报表服务使用到的算法.

 

Reporting Services uses two algorithms, a Symmetric Key algorithm and an Asymmetric Key algorithm.

·          A Symmetric Key algorithm uses the same key to encrypt and decrypt the data.

·          An Asymmetric Key algorithm uses one key to encrypt the data and another key to decrypt the data.

报表服务使用两种算法 .  对称密钥算法 和非对称密钥算法 .

对称密钥 是加密和解密都使用的一个密钥 .

非对称密钥 由私钥加密数据和对应的公钥 解密数据 .

With a Symmetric Key algorithm all parties who are involved with encrypting and decrypting data have a copy of the same key. The algorithm used by Reporting Services is the 3DES or Triple DES as it is pronounced.

用于加密和解密数据的对称密钥的所有部分都有一个密钥 . 用于报表服务的算法是 3DES.

 

With Asymmetric Key algorithms firstly; each key has a name. One key is called the Public Key and the other key is called the Private key. The Private key is never shared out whilst the Public key on the other hand is given out to anyone involved with exchanging the encrypted data. Asymmetric algorithms only allow data to be encrypted with the Public key and decrypted using the Private key. Reporting Services uses the RSA algorithm.

  对于非对称密钥 , 每个密钥都有一个名称 . 一个叫公钥 , 另一个叫私钥 . 私钥不会公开 , 而公钥可以提供给任何需要交互加密数据的人 . 非对称算法仅用公钥加密数据 , 用私钥解密数据 . 报表服务使用 RSA 算法 .

 

Why are Multiple Algorithms used?

In Cryptography it is standard practise to use one key to encrypt the data and then a second key to encrypt the first key which was used to encrypt the data. The reason for this is to prevent a malicious user from getting hold of the first key which will allow them to decrypt the data.

为什么使用多种算法 ?

在密码学中,一个准则是使用一个密钥加密数据,然后使用第二个密钥加密第一个用于加密数据的密钥.这样可以防止一些获取第一个密钥的非法用户解密数据.

 

When it comes to deciding which key to use, there is a simple rule you use. You always encrypt data using a Symmetric key and you always encrypt a key using an Asymmetric key. The reason for this is because encrypting data using a Symmetric key is 100’s of times faster than encrypting the same data using an Asymmetric key however; an Asymmetric key is harder to crack than a Symmetric key.

  在决定使用何种密钥时 , 有一个比较简单的规则 . 使用对称密钥加密数据 , 使用非对称密钥加密一个密钥 . 因为对称密钥加密数据的时间要比非对称加密密钥加密数据的时间快 100 倍 , 相对于对称密钥 , 非对称密钥更难倍被破解

 

By the way, if you were wondering about Certificates, these are Asymmetric keys so whilst you could encrypt data with them, the same rules apply. Certificates are not used in the context of this article however; I will be discussing Certificates in a future article on using Reporting Services over SSL.

  顺便提一下公钥证书 , 公钥证书同非对称密钥一起使用相同的规则加密数据 . 公钥证书不再本文讨论的范围 . 我将在后续的基于 SSL 的报表服务的文章中讨论这个问题 .

 

Encryption Summary

So to summarise; Reporting Services uses two algorithms for encryption, one is the 3DES Symmetric algorithm to encrypt data and the second is an RSA Asymmetric algorithm to encrypt the Symmetric key.

加密小节

总之,报表服务使用两种算法来加密,一种是3DES对称算法加密数据,第二种是RSA非对称算法来加密对称密钥.

 

A side note here. If you are considering using encrypted columns in SQL Server, follow my advice here. Use a Symmetric key to encrypt the data and use an Asymmetric key or Certificate to encrypt the Symmetric key. That’s a quick tip just for you.

  一个贴士 , 如果决定在 SQL Server 中使用加密的栏位 , 参考我的这里建议 . 使用对称算法加密数据 , 使用非对称算法和公钥证书加密对称密钥 .

 

Generating the Encryption Keys 

The following paragraphs go into detail on how the keys are created and where they are stored in Reporting Services.

产生密钥

以下部分将讨论在报表服务中怎样创建和保存密钥.

 

In order to fully understand how keys are created I need to explain about Scale-Out Deployment because there are additional steps involving encryption that need to be followed in order to complete the installation.

  为了完全理解密钥是怎么创建的 , 我将阐述向外扩展部署方式 , 这种方式在完成加密过程中需要完成几个额外的步骤 .

 

In a basic configuration there is one Reporting Services server and one SQL Server containing the ReportServer and ReportServerTempdb database.

  在基本的配置中 , 有一个报表服务服务器和一个包含 ReportServer 和 ReportServerTempdb 的 SQL Server 数据库 .

 

In a Scale-Out configuration there are two or more Reporting Services all pointing at the same SQL Server containing the ReportServer and ReportServerTempdb database. This enables multiple reports to be run simultaneously on different machines for performance reasons.

在向外扩展部署方式配置中 , 有两个或者多个报表服务指向同一个包含 ReportServer 和 ReportServerTempdb 的 SQL Server 数据库 . 这种方式在不同的机器上同时运行多张报表时效率更高 .

 

How are the Symmetric and Asymmetric Keys Created

It is important to realise that all keys are managed by the Reporting Services windows service. Any encrypting or decrypting is done by the windows service. If the Web Service requires some data decrypted, it sends an RPC request to the windows service to do it on its behalf.

怎样创建对称密钥和非对称密钥

必须清楚的是 , 所有的密钥都是由报表服务的 window 服务管理 . 所有的加密解密都是由 windows 服务完成的 . 如果 web 服务需要解密数据 , 它将发送一个 RPC 请求给 windows 服务来完成 .

 

So this means that the windows service has to be running at all times, something which was not required on Reporting Services 2000.

这就意味这 windows 服务必须启动 , 这在报表服务 2000 中是不需要的 .

 

The Asymmetric keys are generated by the Cryptographic Services service during Reporting Services configuration based on the account name running the windows service. This means that if you change the account name, the asymmetric keys become invalid. Also a very important point to bear in mind is the account password. If you change the password of the windows service account by specifying the old password followed by the new password, the keys remain the same and everything is fine. If you have a system administrator reset your password by not specifying the old password, the keys become invalid. I will explain some recovery situations below. Every Reporting Services installation has a different Public key

  非对称密钥是在报表服务配置过程中运行 window 服务的帐号通过密码学服务创建的 . 这就意味着如果修改了帐号 , 非对称密钥将失效 . 值得提醒的一点是帐号的密码 . 如果运行 windows 服务的帐号更改了旧密码并输入新密码 , 将不会影响密钥和其它 . 如果使用系统管理员重设了密码而不是通过输入旧密码和新密码方式修改 , 那么非对称密钥将失效 . 我将在下面阐述一些修复方法 . 每个报表服务的安装都有一个不同的公钥 .

 

The symmetric key is also generated by the Cryptographic Services service during Reporting Services configuration however; the key is not based on the account running the windows service and in fact no change of any sort will cause it to become invalid. The Symmetric key is generated by the first server configured in a Scale-Out deployment; the other servers simply get a copy. This ensures each server is able to decrypt the data.

  对称密钥也是在报表服务配置过程中由密码服务产生的 . 这个密钥不是基于运行 windows 服务的帐号产生的 . 所以任何改变都不会导致该密钥失效 . 对称密钥在向外扩展部署中配置第一个服务器时产生 , 而其他服务器只是一个副本 . 这保证了每个服务器能够解密数据 .

 

Configuring the first Reporting Services Instance.

The first instance is always created regardless of whether you are deploying a standard configuration or a Scale-Out deployment.

  配置第一个报表服务实例

无论部署标准配置或者是向外扩展部署都要创建第一个实例 .

Whether you install using a Default Configuration or you are doing a Files Only installation and configuring Reporting Services using the Reporting Services Configuration Manager, the result is the same.

不管是使用默认配置安装或者说是文件安装然后通过报表服务配置管理器配置报表服务 , 其结果都是一样的 .

 

During the Database Setup part of the configuration we enter what is known as the Activation Process that consists of two phases.

  在配置数据库创建部分 , 将调用一个由两个阶段的组成的过程 .

 

The first phase is called the Announce phase which connects to the ReportServer database and runs the stored procedure AnnounceOrGetKey. This checks a table called Keys for a row specific to this Reporting Services installation and if none is found the following information is added:

  第一个阶段是通知阶段 . 连接 ReportServer 数据库并运行存储过程 AnnounceOrGetKey , 这个存储过程检查一张叫做 Keys 的表 , 查看是否有这个报表服务安装的信息 , 如果没有 , 将加入如下信息 :

Column	Description
MachineName	This is the host name of the Reporting Services machine
InstanceName	This is the Instance name of the Reporting Services installation. You can have multiple instances of Reporting Services on the same physical machine
InstallationID	Every Reporting Services installation has a unique ID stored in its rsreportserver.config file which is created in the ReportServer virtual directory.
Client	This is always 1
PublicKey	This is the public key created by the Reporting Services windows service and is unique for each service.

 

栏位	描述
机器名称	这是报表服务器的名称
实例名称	这是安装的报表服务的名称 , 在一台物理服务器上可以有多个报表实例 .
安装 ID	每个报表服务的安装都有一个唯一的 ID 存储在 rsreportserver.config 文件中 , 该文件是由 ReportServer 虚拟目录创建的 .
客户端	总是 1
公钥	这个公钥是由 windows 服务的报表服务的创建并且对于每个服务都是唯一的 .

 

The second phase is called the Activation phase. This phase gets the Symmetric key from the Reporting Services windows service which will be used to encrypt the data and encrypts the symmetric key with the Public key. A stored procedure called SetKeysForInstallation is run which updates the Keys table and adds the encrypted symmetric key into the SymmetricKey column. At no time during any of this process is the Symmetric key ever shown decrypted.

  第二个阶段是激活阶段 , 这个阶段是从 windows 服务的报表服务中取得对称密钥以加密数据 , 然后使用公钥加密对称密钥 . 运行一个叫 SetKeysForInstallation 的存储过程把加密后的对称密钥存储在 Keys 表里面的 SymmetricKey 栏位 . 在此过程中对称密钥显示为解密的 .

 

Configuring a Second Server in a Scale-Out Deployment

When you configure a second server as part of a Scale-Out deployment you will need to do a Files Only installation. This will require you to run the Reporting Services Configuration Manager to complete the installation. I am not going to explain the exact steps since I will be doing this in a future blog however; you complete the installation just like the first server until you get to the Database Setup part.

在向外扩展部署中配置第二个服务器

在向外扩展部署中配置第二台服务器市,需要做仅文件安装.这就需要使用报表服务配置管理器来完成安装.我将不再这里阐述详细的步骤因为我将在后续的文章中介绍,可以像完成第一个服务器安装时的配置除了创建数据库外的配置一样完成安装.

 

Normally at this stage you would be connecting to a SQL Server that does not have a previously created ReportServer or reportServerTempdb database created however; in a Scale-Out deployment you will be connecting to a SQL Server where the databases were created when you configured the first server instance.

  正常情况下 , 此时可以连接一个 SQL Server, 该数据库没有创建前一次创建的 ReportServer 和 reportServerTempd 数据库 . 在向外扩展部署下 , 可以连接到第一个服务器实例配置的数据库 .

 

Again during the Database Setup we enter the Activation process which contains the two phases. In phase one which is the Announce phase, the actions are completed in the same way as it was done when configuring the first server however; the difference comes when we enter the Activation phase.

  再次说明 , 在创建数据库过程中的激活过程包含两个阶段 . 一个阶段是通知 , 这个阶段是和第一个服务器完成一样的配置 , 当进入激活阶段就不同了 .

 

In order to complete the second phase we need the decrypted Symmetric key so we can encrypt it with the second instances public key and store it in the Keys table. The problem we face is that it can only be decrypted by the first instances private key so phase two has to be completed by the first server. You run the Reporting Services Configuration Manager and connect to the first server. When you run the initialization step in the Configuration Manager, the Symmetric key is decrypted using the first server’s private key and then encrypted using the second server’s public key then stored in the Keys table. This is why the Public key for each server is also stored in the Keys table.

为了完成第二个阶段,需要解密对称密钥以使用第二个实例的公钥来加密并存储于 Keys 表中.面临的问题是该对称密钥只能由第一个服务器的私钥解密,所以阶段二不得不在第一个服务器上完成.运行报表服务配置管理器并连接到第一个服务器,在配置管理器中运行 initialization 步骤,对称密钥由第一个服务器的私钥解密并由第二个服务器的公钥加密然后存储与 Keys 表中.这就是为什么每个服务器的公钥都要存储在 Keys 表中.

At this stage we have a Keys table with two rows. One row is for the first server and the other row is for the second server. Both rows contain the same symmetric key but each has been encrypted with a different public key.

此时,我们在 Keys 表中有两行 . 一行是第一个服务器的 , 而另一行是第二个服务器的 . 这两行都包含同一个对称密钥但是每个都被不同的公钥加密 .

 

So now you understand how the keys are created, the next article will explain how to maintain the keys and various recovery scenarios.

到此已经理解密钥怎样创建 , 在下一篇文章中将讨论密钥的维护和各种修复情况 .