Asymmetric private key encryption should use an authorized encryption type.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-15185	DM6185-SQLServer9	SV-23864r2_rule	IAKM-1 IAKM-2 IAKM-3	Medium

Description
Asymmetric keys stored in the database that also include storage of the private key require protection from any unauthorized user. To protect unauthorized access and use of any asymmetric key by DBA's or users with SYSADMIN privileges, a password must be used to encrypt the private key. Use of the Database Master Key or Service Master Key allows access by the DBA. Consider the protection requirements for asymmetric key usage and document this in the System Security Plan. Avoid storage of static asymmetric private keys that is keys not generated and maintained for temporary session or other temporary usage, in the database.

Description

Asymmetric keys stored in the database that also include storage of the private key require protection from any unauthorized user. To protect unauthorized access and use of any asymmetric key by DBA's or users with SYSADMIN privileges, a password must be used to encrypt the private key. Use of the Database Master Key or Service Master Key allows access by the DBA. Consider the protection requirements for asymmetric key usage and document this in the System Security Plan. Avoid storage of static asymmetric private keys that is keys not generated and maintained for temporary session or other temporary usage, in the database.

STIG	Date
Microsoft SQL Server 2005 Database Security Technical Implementation Guide	2015-06-16

Details

Check Text ( C-13839r2_chk )
From the query prompt: SELECT name FROM [master].sys.databases WHERE state = 0 Repeat for each database: From the query prompt: USE [database name] SELECT name, pvt_key_encryption_type_desc FROM sys.asymmetric_keys WHERE pvt_key_encryption_type = 'PW' ORDER BY name, pvt_key_encryption_type_desc If no records are returned, this is Not a Finding. Review any records returned and the encryption type listed. If any do not match the documented approved encryption method as specified in the System Security Plan, this is a Finding.

Check Text ( C-13839r2_chk )

From the query prompt:

SELECT name
FROM [master].sys.databases
WHERE state = 0

Repeat for each database:

From the query prompt:

USE [database name]
SELECT name, pvt_key_encryption_type_desc
FROM sys.asymmetric_keys
WHERE pvt_key_encryption_type = 'PW'
ORDER BY name, pvt_key_encryption_type_desc

If no records are returned, this is Not a Finding.

Review any records returned and the encryption type listed. If any do not match the documented approved encryption method as specified in the System Security Plan, this is a Finding.

Fix Text (F-14860r1_fix)
If stored with a private key, the private key is always encrypted either by a specified password, or by the database or service master key. Create or alter the asymmetric key with the approved encryption type specified in the System Security Plan. Document the approved encryption method after considering whether the DBA should be trusted to access the asymmetric key.