
Asymmetric keys should be derived from DoD PKI certificates.


Overview

Finding ID:  V-15164
Version:     DM6184-SQLServer9
Rule ID:     SV-23863r2_rule
IA Controls: IAKM-1, IAKM-2, IAKM-3
Severity:    Medium
Description
Asymmetric keys derived from self-signed certificates, or generated by any other means outside the DOD PKI, do not meet the DOD security requirement that keys be validated by a DOD trusted certificate authority.
STIG: Microsoft SQL Server 2005 Database Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text ( C-13838r2_chk )
From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:

From the query prompt:

USE [database name]
SELECT name, SUSER_SNAME(sid)
FROM sys.asymmetric_keys
ORDER BY name, SUSER_SNAME(sid)

If no keys are returned for any database, this check is Not a Finding.

If keys are returned, verify that each key is associated with a DOD PKI certificate. The catalog view records how the private key is protected (pvt_key_encryption_type_desc) and the SHA-1 thumbprint of the public key; it does not record where the key came from, so the association has to be shown from outside the database.

Evidence may include review of the code-signing certificate on the signed file that was used to load the key into the database.

If a key was not loaded from a DOD PKI signed file, or evidence cannot be determined or presented, this is a Finding.
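The check above is run once per database by hand. The script below is an added example, not part of the STIG text: it performs the same enumeration (online databases from [master].sys.databases, then sys.asymmetric_keys in each) in one pass and returns the fields a reviewer needs to decide the finding. It uses only SQL Server 2005 catalog columns; the column names in the results table are my own, and it assumes the caller is sysadmin or holds VIEW DEFINITION in every database.

```sql
-- Added example (not STIG text): one-pass version of the check across all ONLINE databases.
SET NOCOUNT ON;

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

-- Collected results (column names chosen here for readability)
DECLARE @keys TABLE (
    database_name  sysname,
    key_name       sysname,
    owner_user     sysname NULL,   -- database principal that owns the key
    mapped_login   sysname NULL,   -- SUSER_SNAME(sid): login created FROM this key, if any
    algorithm_desc nvarchar(60),   -- RSA_512 | RSA_1024 | RSA_2048 on SQL Server 2005
    key_length     int,
    pvt_key_desc   nvarchar(60),   -- NO_PRIVATE_KEY | ENCRYPTED_BY_MASTER_KEY | ENCRYPTED_BY_PASSWORD
    thumbprint     varbinary(32)   -- SHA-1 hash of the public key
);

-- Same database list as the check text: state 0 = ONLINE
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM [master].sys.databases WHERE state = 0;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch changes context only for that batch
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), ak.name, USER_NAME(ak.principal_id), SUSER_SNAME(ak.sid),
               ak.algorithm_desc, ak.key_length, ak.pvt_key_encryption_type_desc, ak.thumbprint
        FROM sys.asymmetric_keys AS ak;';
    BEGIN TRY
        INSERT INTO @keys EXEC sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- e.g. database in SINGLE_USER or RESTRICTED_USER mode: report it and keep going,
        -- that database still has to be checked by hand
        PRINT 'Could not enumerate ' + @db + ': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

IF NOT EXISTS (SELECT 1 FROM @keys)
BEGIN
    PRINT 'No asymmetric keys defined in any online database: Not a Finding.';
END
ELSE
BEGIN
    -- Every row needs evidence that its source file was signed by the DoD PKI.
    -- NO_PRIVATE_KEY rows came from EXECUTABLE FILE / ASSEMBLY (public key only).
    -- The other two came from a strong-name file (key pair) or were generated
    -- inside the engine with WITH ALGORITHM, which has no signed source at all.
    SELECT * FROM @keys ORDER BY database_name, key_name, mapped_login;
END
```

The catalog cannot tell a key loaded from a DOD-signed file apart from one generated with WITH ALGORITHM, so the listing is the input to the evidence review, not a substitute for it.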
Fix Text (F-14859r1_fix)
Where asymmetric key use is required, the asymmetric key should be loaded from a file signed with a code-signing certificate, and its private key should be encrypted by the database master key. In DOD installations an asymmetric key is expected to be used to protect symmetric keys, which in turn are used to encrypt sensitive data.

In a DOD environment, asymmetric keys generated and stored within the SQL Server database are not expected to be used for storage of DOD PKI certificates associated with DOD personnel and used to authenticate them for any database access.

CREATE ASYMMETRIC KEY [key name] WITH ALGORITHM = RSA_512 | RSA_1024 | RSA_2048

OR

CREATE ASYMMETRIC KEY [key name] FROM [asymmetric key source]

[asymmetric key source] may be FILE = 'strong-name file', EXECUTABLE FILE = 'executable file', or ASSEMBLY [assembly name]. FILE loads the key pair from a strong-name (.snk) file; EXECUTABLE FILE and ASSEMBLY load only the public key, so a key loaded from those sources can verify signatures but cannot decrypt, and therefore cannot protect a symmetric key. The first form generates the key pair inside the engine with no external lineage, and such keys do not meet this requirement.

In a DOD environment each asymmetric key source is expected to be a file signed with a code-signing certificate issued by the DOD PKMO. Encrypting the private key with the database master key is acceptable, especially where the database master key is itself protected by the service master key. In cases where the DBAs are not trusted, use of external key sources is required.
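The following is an added example, not part of the STIG text, of the key hierarchy the fix describes: a database master key, an asymmetric key loaded from a strong-name file (a key pair, so it can decrypt) with its private key protected by the DMK, and a symmetric key protected by that asymmetric key doing the data encryption. The database name AppDB, the key names, the file path and the password are placeholder assumptions; the .snk file must already be on the server, signed as the fix requires, and readable by the SQL Server service account. The non-compliant self-generated form is shown commented out for contrast.

```sql
-- Added example (not STIG text). Names, path and password are placeholders.
USE [AppDB];
GO

-- Non-compliant form, for contrast: an RSA key pair generated inside the
-- engine has no DoD PKI lineage and is a Finding under this rule.
-- CREATE ASYMMETRIC KEY SelfGeneratedKey WITH ALGORITHM = RSA_2048;

-- 1. Database master key. An asymmetric key created without ENCRYPTION BY
--    PASSWORD has its private key encrypted by the DMK; the DMK is in turn
--    encrypted by the service master key, so it opens without a password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password, vaulted>';
GO

-- 2. Load the key pair from a strong-name file signed with a DoD PKMO issued
--    code-signing certificate. Keep the signed file as the evidence the check
--    asks for. No ENCRYPTION BY PASSWORD clause, so the private key is
--    protected by the DMK (pvt_key_encryption_type_desc = ENCRYPTED_BY_MASTER_KEY).
CREATE ASYMMETRIC KEY AppKeyWrapKey
    AUTHORIZATION dbo
    FROM FILE = 'D:\keys\AppKeyWrapKey.snk';   -- placeholder path (assumption)
GO

-- 3. The asymmetric key's only job is to protect a symmetric key; the
--    symmetric key does the bulk encryption of sensitive columns.
CREATE SYMMETRIC KEY AppDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY AppKeyWrapKey;
GO

-- 4. Round trip through the symmetric key. Opening it needs the asymmetric
--    private key, which is why a public-key-only import would not work here.
OPEN SYMMETRIC KEY AppDataKey DECRYPTION BY ASYMMETRIC KEY AppKeyWrapKey;

DECLARE @plain  nvarchar(64);
DECLARE @cipher varbinary(8000);
SET @plain  = N'123-45-6789';                                 -- constructed sample value
SET @cipher = EncryptByKey(Key_GUID('AppDataKey'), @plain);
SELECT CONVERT(nvarchar(64), DecryptByKey(@cipher)) AS round_trip;

CLOSE SYMMETRIC KEY AppDataKey;
GO

-- 5. What the check text will show for this key.
SELECT name, algorithm_desc, key_length, pvt_key_encryption_type_desc, thumbprint
FROM sys.asymmetric_keys
WHERE name = 'AppKeyWrapKey';
```

If the DBAs are not trusted with the private key, the alternative the fix allows is to keep the key material outside the database and pass a password with ENCRYPTION BY PASSWORD on CREATE ASYMMETRIC KEY, so the DMK alone cannot open it; the trade-off is that every OPEN SYMMETRIC KEY then has to supply that password.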