
DBMS should use NIST FIPS 140-2 validated cryptography.


Overview

Finding ID: V-15610
Version: DG0025-SQLServer9
Rule ID: SV-24074r2_rule
IA Controls: DCNR-1
Severity: Medium
Description
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-22714r2_chk)
Review the DBMS documentation to determine where cryptography may be used and/or configured. If DBMS data/network encryption is not required, this check is Not a Finding.

The following product versions and editions are FIPS 140-2 certified:

SQL Server 2005 SP1, SP2 & SP3 Standard, Enterprise & Developer Editions (KB 920995)
SQL Server 2008 RTM & SP1 Standard, Enterprise & Developer Editions (KB 955720)

Review DBMS network communication encryption options, data object encryption (both tables and application code objects), and encryption key management.

Where cryptography is employed and configured by the database, review the configuration settings to see if they use:

1. Compliant algorithms (AES (128, 192 or 256), Triple DES or TDEA (3 distinct 56-bit keys), Skipjack)
2. Compliant hash functions (SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512)
3. Validated cryptographic modules (whether native to the DBMS or not)

Detailed information on the FIPS 140-2 standard is available at the following website:

http://csrc.nist.gov/groups/STM/index.html

From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:

From the query prompt:

USE [database name]
SELECT name, algorithm_desc FROM sys.symmetric_keys
WHERE key_algorithm NOT IN ('D3','A1','A2','A3')
ORDER BY name, algorithm_desc

If any records are returned, this is a Finding.
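The two queries above have to be run once per online database. The following T-SQL script, added here as an example and not part of the STIG text, automates that loop: it walks every ONLINE database, runs the same sys.symmetric_keys filter in each, and collects the non-compliant keys into one result set. It assumes the caller holds sysadmin (or at least VIEW DEFINITION in each database); the temporary table and cursor names are arbitrary.

```sql
-- Added example (not from the STIG): enumerate every ONLINE database and list
-- symmetric keys whose algorithm is outside the set the check accepts
-- (D3 = TRIPLE_DES, A1/A2/A3 = AES_128/192/256).
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#noncompliant_keys') IS NOT NULL
    DROP TABLE #noncompliant_keys;

CREATE TABLE #noncompliant_keys (
    database_name  sysname,
    key_name       sysname,
    key_algorithm  nvarchar(2),
    algorithm_desc nvarchar(60),
    create_date    datetime
);

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);

-- state = 0 means ONLINE, matching the first query in the check text.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM [master].sys.databases WHERE state = 0;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects the dynamic USE statement from unusual database names.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #noncompliant_keys
            (database_name, key_name, key_algorithm, algorithm_desc, create_date)
        SELECT DB_NAME(), name, key_algorithm, algorithm_desc, create_date
        FROM sys.symmetric_keys
        WHERE key_algorithm NOT IN (''D3'', ''A1'', ''A2'', ''A3'');';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Any row returned here is a Finding under DG0025; an empty result means every
-- symmetric key in every online database uses an algorithm the check accepts.
SELECT database_name, key_name, key_algorithm, algorithm_desc, create_date
FROM #noncompliant_keys
ORDER BY database_name, key_name;
```

The filter is the STIG's own; the database master key (##MS_DatabaseMasterKey##) is created with TRIPLE_DES, so it passes. Keys created with RC2, RC4, DES or DESX are the usual causes of a non-empty result.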
Fix Text (F-19678r1_fix)
Upgrade to a FIPS 140-2 certified SQL Server version if encryption is required by the Information Owner.

Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions. If the DBMS does not employ validated cryptographic modules, consider obtaining and using a third-party FIPS 140-2 validated solution.

Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG/Checklist. FIPS 140-2 non-compliance at the host/network level does not negate this requirement.

Configure symmetric keys to use approved encryption algorithms. Existing keys are not re-configurable to use different algorithms.

This may only be specified at key creation time:

CREATE SYMMETRIC KEY [key name] WITH ALGORITHM = AES_256 ENCRYPTION BY [certificate or asymmetric key]

Other approved algorithms that may be specified are TRIPLE_DES, AES_128 and AES_192.

The symmetric key must specify a certificate or asymmetric key for encryption. The certificate may be the code-signing certificate used by the application.
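Because an existing key's algorithm cannot be altered, remediating a non-compliant key means creating a compliant replacement, re-encrypting the data under it, and only then dropping the old key. The following T-SQL script, added here as an example and not part of the STIG text, walks through that sequence. Every object name in it (KeyRC4_Legacy, KeyAES256, CertSymKeyProtect, dbo.Accounts, CardNumberEnc) is a placeholder; it assumes the database master key already exists and is open, that the old key is protected by the same certificate, and that the caller has CONTROL on the database.

```sql
-- Added example (not from the STIG): replace a non-compliant symmetric key with
-- an AES_256 key and re-encrypt the column it protects. All names are placeholders.

-- 1. Certificate that will protect the new key (reuse an existing one if present).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'CertSymKeyProtect')
    CREATE CERTIFICATE CertSymKeyProtect
        WITH SUBJECT = 'Protects application symmetric keys';

-- 2. New key. The algorithm can only be chosen here; ALTER SYMMETRIC KEY
--    cannot change it afterwards, which is why the old key is replaced, not altered.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = 'KeyAES256')
    CREATE SYMMETRIC KEY KeyAES256
        WITH ALGORITHM = AES_256
        ENCRYPTION BY CERTIFICATE CertSymKeyProtect;

-- 3. Re-encrypt: with both keys open, DecryptByKey picks the key whose GUID is
--    embedded in each ciphertext, and EncryptByKey is told to use the new one.
OPEN SYMMETRIC KEY KeyRC4_Legacy DECRYPTION BY CERTIFICATE CertSymKeyProtect;
OPEN SYMMETRIC KEY KeyAES256     DECRYPTION BY CERTIFICATE CertSymKeyProtect;

UPDATE dbo.Accounts
SET CardNumberEnc = EncryptByKey(Key_GUID('KeyAES256'), DecryptByKey(CardNumberEnc))
WHERE CardNumberEnc IS NOT NULL;

CLOSE SYMMETRIC KEY KeyRC4_Legacy;
CLOSE SYMMETRIC KEY KeyAES256;

-- 4. Verify before dropping anything: with only the new key open, every
--    non-NULL ciphertext must still decrypt. DecryptByKey returns NULL on
--    failure, so the expected count is 0.
OPEN SYMMETRIC KEY KeyAES256 DECRYPTION BY CERTIFICATE CertSymKeyProtect;
SELECT COUNT(*) AS rows_failing_decrypt
FROM dbo.Accounts
WHERE CardNumberEnc IS NOT NULL AND DecryptByKey(CardNumberEnc) IS NULL;
CLOSE SYMMETRIC KEY KeyAES256;

-- 5. Only after the count above is 0 and a backup exists, retire the old key.
DROP SYMMETRIC KEY KeyRC4_Legacy;

-- 6. Re-run the STIG check for this database; it should return no rows.
SELECT name, algorithm_desc
FROM sys.symmetric_keys
WHERE key_algorithm NOT IN ('D3', 'A1', 'A2', 'A3')
ORDER BY name, algorithm_desc;
```

Step 4 is the part most often skipped: if any row fails to decrypt under the new key, dropping the old key in step 5 makes that data unrecoverable, so the verification belongs before the DROP, not after it.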