

.NET Framework 4.6.2 client driver for Always Encrypted resulting in intermittent failures to decrypt individual rows

The SQL product team has identified an issue with the .NET Framework 4.6.2 client driver (System.Data.SqlClient) when it is used against an Always Encrypted enabled database on SQL Server 2016 or Azure SQL Database. The issue can cause intermittent failures when the driver decrypts records read from the Always Encrypted enabled database, with the following error message:

Decryption failed. The last 10 bytes of the encrypted column encryption key are: '7E-0B-E6-D3-39-CE-35-86-2F-AA'. The first 10 bytes of ciphertext are: '01-C3-D7-39-33-2F-E6-44-C3-B1'. Specified ciphertext has an invalid authentication tag.

The "invalid authentication tag" error is the driver's ciphertext integrity check failing on the client side; the driver refuses to return plaintext for that row rather than returning garbage. The failure to decrypt may nevertheless lead to incorrect query results, which in turn may trigger incorrect behavior in the application: for example, an application that treats the undecryptable values as missing may attempt to insert them or perform other updates, which will either produce further errors or leave inconsistent data in the database. Application code should therefore treat this error as a hard failure of the read, not as an absent row.

To fix this issue, install the .NET Framework security update from Microsoft Security Bulletin MS16-155.

For more details on the issue and its workaround, please refer to our KB article:
https://support.microsoft.com/en-us/help/3204545/the-.net-framework-4.6.2-client-driver-for-always-encrypted-intermittently-fails-during-row-decryption

Customers who encounter the above error during the validation scan and are unable to resolve the issue should contact sqlalwaysencrypted@microsoft.com. The team will be able to help access and recover all previously encrypted rows that were affected by this bug. This defect does not cause permanent data loss.

To determine which versions of the .NET Framework are installed on a system, see How to: Determine Which .NET Framework Versions Are Installed. Note that a security update such as MS16-155 does not change the installed version number, so a version check tells you whether the affected 4.6.2 runtime is present, not whether it has been patched.
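The following C# program is an added example; it is not code from the original post, the KB article or the SqlClient driver. It ties the three practitioner steps above together: it reads the installed .NET Framework 4.x "Release" value from the registry (the documented 4.6.2 values are 394802 on Windows 10 Anniversary Update and 394806 on other Windows versions), it applies the workaround quoted in the KB and in the comments (a zero ColumnEncryptionKeyCacheTtl disables the column encryption key cache), and it reads an Always Encrypted column so that a decryption failure aborts the read instead of being mistaken for a missing row. The table and column names (dbo.Patients, Id, SSN), the connection string and the IsDecryptionFailure helper are assumptions for illustration.

```csharp
// Added example, not the original post's or the driver's own code.
// Assumed names: dbo.Patients(Id, SSN), the connection string, IsDecryptionFailure.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using Microsoft.Win32;

static class AlwaysEncryptedReader
{
    // "Release" DWORD values Microsoft documents for .NET Framework 4.6.2:
    // 394802 on Windows 10 Anniversary Update, 394806 on all other OS versions.
    static readonly int[] Net462Releases = { 394802, 394806 };

    // Installed .NET Framework 4.x Release value, or null if 4.5 or later is absent.
    // Security updates do not change this value, so this only detects the affected
    // major version, not whether MS16-155 has been applied.
    public static int? InstalledNet4Release()
    {
        const string subkey = @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full";
        using (var baseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32))
        using (var ndpKey = baseKey.OpenSubKey(subkey))
        {
            return ndpKey?.GetValue("Release") as int?;
        }
    }

    public static bool IsNet462(int? release) =>
        release.HasValue && Array.IndexOf(Net462Releases, release.Value) >= 0;

    // Workaround from KB3204545: a zero TTL disables the column encryption key cache,
    // so the driver re-unwraps the CEK through the column master key store instead of
    // reusing a cached key. Slower (extra key-store round trips), but avoids the defect.
    public static void DisableCekCache()
    {
        SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;
    }

    // Assumed helper: walks the exception chain for the message text shown in the post.
    static bool IsDecryptionFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            if (e.Message.Contains("Decryption failed") ||
                e.Message.Contains("invalid authentication tag"))
                return true;
        }
        return false;
    }

    public enum ReadOutcome { Ok, DecryptionFailed }

    // Fills result with Id -> SSN. A row whose SSN cannot be decrypted is NOT
    // reported as missing: the whole read is marked failed so the caller never
    // "repairs" the row with an INSERT or UPDATE.
    public static ReadOutcome ReadSsns(string connectionString, IDictionary<int, string> result)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Id, SSN FROM dbo.Patients", conn))
        {
            conn.Open();
            try
            {
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        result[reader.GetInt32(0)] = reader.GetString(1);
                }
            }
            catch (Exception ex) when (IsDecryptionFailure(ex))
            {
                // The driver's integrity check rejected the ciphertext. The row exists and
                // the stored ciphertext is untouched; fail closed and let an operator decide.
                return ReadOutcome.DecryptionFailed;
            }
        }
        return ReadOutcome.Ok;
    }

    static int Main()
    {
        int? release = InstalledNet4Release();
        Console.WriteLine("Installed .NET 4.x Release: {0}; 4.6.2 present: {1}", release, IsNet462(release));

        DisableCekCache();

        // Assumed connection string; "Column Encryption Setting=Enabled" turns on client-side decryption.
        const string connStr = "Server=tcp:sqlserver.example.invalid;Database=Clinic;" +
                               "Integrated Security=true;Column Encryption Setting=Enabled";
        var ssns = new Dictionary<int, string>();
        if (ReadSsns(connStr, ssns) == ReadOutcome.DecryptionFailed)
        {
            Console.Error.WriteLine("Decryption failed; aborting without writing anything back.");
            return 1;
        }
        Console.WriteLine("Read {0} rows.", ssns.Count);
        return 0;
    }
}
```

The exception filter keys on the message text from the post because it survives whichever exception type wraps it; the point is that the read returns a distinct DecryptionFailed outcome rather than an empty dictionary, so update logic downstream cannot confuse an integrity-check failure with data that was never there. Set ColumnEncryptionKeyCacheTtl before any connection that uses the encrypted columns is opened, and remove the workaround once the MS16-155 update is installed, since disabling the cache adds a key-store call for every decryption.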

Parikshit Savjani
Senior Program Manager (@talktosavjani)

Comments

  • Anonymous
    November 05, 2016
    Thanks for sharing :-)
  • Anonymous
    November 07, 2016
    Is there an advisory or subscription where you can be notified of the fix?
    • Anonymous
      November 07, 2016
      Hi Rob, we are working on official KB documentation which should be live by end of today. We recommend you subscribe to this blog as we will update this blog once the fix is released. If you have follow-up questions, feel free to email sqlalwaysencrypted@microsoft.com
      • Anonymous
        November 08, 2016
        Thank you I've subscribed via the twitter feed to SQL server as per the subscribe links on the RHS above.
  • Anonymous
    November 07, 2016
    Thanks for this info. That was very good for us to learn before we deliver our 4.6.2 based software to our clients. The specific C# code to disable this appears to be: System.Data.SqlClient.SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;
    • Anonymous
      November 07, 2016
      Hi Rob, yes, that is correct.