
Asymmetric keys should be derived from DoD PKI certificates.


Overview

Finding ID: V-15164
Version: DM6184-SQLServer9
Rule ID: SV-23863r1_rule
IA Controls: IAKM-1, IAKM-2, IAKM-3
Severity: Medium
Description
Asymmetric keys derived from self-signed certificates or self-generated by other means do not meet the security requirements of DOD that require validation by DOD trusted certificate authorities.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-14859r1_fix)
Where asymmetric key use is required, the asymmetric key should be generated using a code-signing certificate or using the database master key to encrypt the private key. In DOD installations the asymmetric key is expected to be used to support symmetric keys that are in turn used to encrypt sensitive data.

In a DOD environment, asymmetric keys generated and stored within the SQL Server database are not expected to be used for storage of DOD PKI certificates associated with DOD personnel and used to authenticate them for any database access.

CREATE ASYMMETRIC KEY [key name]

OR

CREATE ASYMMETRIC KEY [key name] FROM [asymmetric key source]

[asymmetric key source] may be FILE = [strong file name] or EXECUTABLE FILE = 'executable file' or ASSEMBLY [assembly name]

In a DOD environment, each of the asymmetric key sources is expected to be a file signed with a code-signing certificate issued by the DOD PKMO. Use of the database master key to encrypt the private key is acceptable, especially where the database master key is itself protected by the service master key, which in turn is generated from the server certificate. In cases where the DBAs are not trusted, use of external key sources is required.
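As an added worked example (not part of the STIG text), the following T-SQL shows the two arrangements the fix text accepts: an asymmetric key generated inside SQL Server with its private key protected by the database master key, and an asymmetric key imported from an externally signed file. It then creates the symmetric data-encryption key the fix text describes and finishes with a catalog query a reviewer can run, since the rule supplies no check text, to list every asymmetric key and how its private key is protected. The database name, key names, file path and password are placeholders, not values from the STIG.

```sql
-- Added example, not from the STIG. Database name, key names, the file path and
-- the password are placeholders.
USE [YourDatabase];
GO

-- 1. Database master key (DMK). SQL Server also keeps a copy of the DMK
--    encrypted by the service master key, so keys protected by the DMK can be
--    opened without supplying this password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO

-- 2a. Key generated inside the database. Because no ENCRYPTION BY PASSWORD
--     clause is given, the private key is encrypted by the DMK, which is the
--     option the fix text accepts.
CREATE ASYMMETRIC KEY DataProtectionKey
    WITH ALGORITHM = RSA_2048;
GO

-- 2b. Key imported from an external signed file (the external key source the
--     fix text requires where DBAs are not trusted). The file is expected to be
--     signed with a code-signing certificate issued by the DOD PKMO.
CREATE ASYMMETRIC KEY ImportedSignedKey
    FROM EXECUTABLE FILE = 'C:\signed\placeholder_module.dll';
GO

-- 3. Intended use per the fix text: the asymmetric key protects a symmetric
--    key, and the symmetric key is what encrypts sensitive data.
CREATE SYMMETRIC KEY SensitiveDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY DataProtectionKey;
GO

-- 4. Review query. pvt_key_encryption_type_desc shows how each private key is
--    protected: ENCRYPTED_BY_MASTER_KEY is the arrangement this rule accepts,
--    ENCRYPTED_BY_PASSWORD means a user-chosen password protects the key and
--    the key should be reviewed, NO_PRIVATE_KEY means only a public key was
--    imported. The last column counts symmetric keys this key protects, by
--    matching thumbprints in sys.key_encryptions.
SELECT  ak.name,
        ak.algorithm_desc,
        ak.key_length,
        ak.pvt_key_encryption_type_desc,
        (SELECT COUNT(*)
           FROM sys.key_encryptions ke
          WHERE ke.thumbprint = ak.thumbprint) AS protected_symmetric_keys
FROM    sys.asymmetric_keys ak
ORDER BY ak.name;
GO
```

Run the review query in each user database; a row whose pvt_key_encryption_type_desc is ENCRYPTED_BY_PASSWORD and that was not imported from a signed external source is the case this rule is concerned with.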