.Net 4.6.2. Framework client driver for Always Encrypted resulting in intermittent failures to decrypt individual rows
The SQL Product team has identified an issue with the .Net 4.6.2 Framework client driver for Always Encrypted-enabled databases on SQL Server 2016 and Azure SQL Database. The issue can lead to intermittent failures while decrypting records from an Always Encrypted-enabled database, with the following error message:
Decryption failed. The last 10 bytes of the encrypted column encryption key are: '7E-0B-E6-D3-39-CE-35-86-2F-AA'.The first 10 bytes of ciphertext are: '01-C3-D7-39-33-2F-E6-44-C3-B1'.Specified ciphertext has an invalid authentication tag.
The above failure to decrypt may lead to incorrect query results, which in turn may trigger incorrect behavior in the application, for example attempts to insert values that only appear to be missing, or other updates that either produce further errors or leave inconsistent data in the database.
To fix this issue, install the security update from Microsoft Security Bulletin MS16-155.
For more details on the issue and its workaround, please refer to our KB article below:
https://support.microsoft.com/en-us/help/3204545/the-.net-framework-4.6.2-client-driver-for-always-encrypted-intermittently-fails-during-row-decryption
Customers who encounter the above error during the validation scan and are unable to resolve the issue should contact sqlalwaysencrypted@microsoft.com. The team will be able to help access and recover all previously encrypted rows that were affected by this bug. There will be no permanent data loss as a result of this defect.
To determine which versions of the .NET Framework are installed on a system, see How to: Determine Which .NET Framework Versions Are Installed.
Parikshit Savjani
Senior Program Manager (@talktosavjani)
Comments
- Anonymous
November 05, 2016
Thanks for sharing :-)
- Anonymous
November 07, 2016
Is there an advisory or subscription where you can be notified of the fix?
- Anonymous
November 07, 2016
Hi Rob, We are working on official KB documentation which should be live by end of today. We recommend you subscribe to this blog as we will update this blog once the fix is released. If you have follow-up questions, feel free to email sqlalwaysencrypted@microsoft.com
- Anonymous
November 08, 2016
Thank you, I've subscribed via the twitter feed to SQL server as per the subscribe links on the RHS above.
- Anonymous
November 07, 2016
Thanks for this info. That was very good for us to learn before we deliver our 4.6.2 based software to our clients. The specific C# code to disable this appears to be: System.Data.SqlClient.SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;
- Anonymous
November 07, 2016
Hi Rob, Yes, that is correct.
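The following C# is an added example and is not code from the blog post, the KB article or the commenters. It ties together three things the page mentions: the .NET Framework version check (via the "Release" value under the NET Framework Setup registry key, as Microsoft's version-detection guidance describes), the column encryption key cache workaround confirmed in the comments, and the "invalid authentication tag" error text quoted above. Assumptions: the Release ranges for 4.6.2 (394802/394806) and 4.7 (460798) are taken from Microsoft's published table, not from this page; the flag saying whether MS16-155 has been installed is assumed to come from deployment configuration, because it cannot be derived from the Release value; and the decryption failure is assumed to surface as a SqlException whose message contains the text quoted in the post.

```csharp
using System;
using System.Data.SqlClient;
using Microsoft.Win32;

// Added example, not code from the blog post or the KB article.
public static class AlwaysEncryptedGuard
{
    // "Release" values from HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full:
    // 4.6.2 is 394802 (Windows 10 Anniversary Update) or 394806 (other OS);
    // the first 4.7 value is 460798. (Values from Microsoft's version table, not this page.)
    public const int Release462Min = 394802;
    public const int Release47Min = 460798;

    // Reads the installed .NET Framework 4.x Release value (null if the key is absent).
    public static int? InstalledRelease()
    {
        const string subkey = @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full";
        using (RegistryKey baseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32))
        using (RegistryKey ndpKey = baseKey.OpenSubKey(subkey))
        {
            return ndpKey?.GetValue("Release") as int?;
        }
    }

    // True when the Release value falls inside the 4.6.2 range.
    public static bool IsFramework462(int? release)
    {
        return release.HasValue && release.Value >= Release462Min && release.Value < Release47Min;
    }

    // Workaround from the comments: a zero TTL turns off the column encryption
    // key cache, so every decryption fetches and unwraps the CEK again (slower,
    // but it avoids the intermittent failures on an unpatched 4.6.2 driver).
    // Whether MS16-155 is installed cannot be read from the Release value, so the
    // caller supplies it (assumed to come from deployment configuration).
    public static bool ApplyWorkaroundIfNeeded(bool ms16155Installed)
    {
        if (ms16155Installed || !IsFramework462(InstalledRelease()))
            return false;
        SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;
        return true;
    }

    // Runs a query and refuses to treat a decryption failure as "no rows":
    // the post warns that a silently wrong result can lead the application to
    // insert values that only look missing or otherwise leave inconsistent data.
    public static int CountRows(string connectionString, string sql)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            try
            {
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    int rows = 0;
                    while (reader.Read()) rows++;   // column values are decrypted as rows are read
                    return rows;
                }
            }
            catch (SqlException ex) when (ex.Message.Contains("invalid authentication tag"))
            {
                // The message carries the CEK tail and ciphertext prefix quoted in the
                // post; log it so the affected key and rows can be identified, then fail
                // the operation instead of returning a partial result.
                Console.Error.WriteLine("Always Encrypted decryption failure: " + ex.Message);
                throw new InvalidOperationException("Decryption failed; do not act on partial results.", ex);
            }
        }
    }
}
```

Call `ApplyWorkaroundIfNeeded` once at process start, before any SqlConnection is opened, and keep the connection string's "Column Encryption Setting=Enabled" as usual for Always Encrypted; once the security update from MS16-155 is installed the flag flips and the cache is left at its default TTL again.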