Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-15164 | DM6184-SQLServer9 | SV-23863r1_rule | IAKM-1 IAKM-2 IAKM-3 | Medium |
Description |
---|
Asymmetric keys derived from self-signed certificates or self-generated by other means do not meet the security requirements of DOD that require validation by DOD trusted certificate authorities. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Database Security Technical Implementation Guide | 2015-04-03 |
Check Text ( None ) |
---|
None |
Fix Text (F-14859r1_fix) |
---|
Where asymmetric key use is required, the asymmetric should be generated using a code-signing certificate or using the database master key to encrypt the private key. Use of the asymmetric key is expected in DOD installations to be used to support symmetric keys that are in turn used to encrypt sensitive data. In a DOD environment, asymmetric keys generated and stored within the SQL Server database are not expected to be used for storage of DOD PKI certificates associated with DOD personnel and used to authenticate them for any database access. CREATE ASYMMETRIC KEY [key name] OR CREATE ASYMMETRIC KEY [key name] FROM [asymmetric key source] [asymmetric key source] may be FILE = [strong file name] or EXECUTABLE FILE = 'executable file' or ASSEMBLY [assembly name] Each of the asymmetric key sources is expected in a DOD environment to files signed with code-signing certificates issued by the DOD PKMO. Use of the database master key to encrypt is acceptable, especially where the key is generated using the service master key which in turn is generated from the server certificate. In cases where the DBAs are not trusted, use of external key sources is required. |