
DBMS should use NIST FIPS 140-2 validated cryptography.


Overview

Finding ID: V-15610
Version: DG0025-SQLServer9
Rule ID: SV-24074r1_rule
IA Controls: DCNR-1
Severity: Medium
Description
Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS 140-2 cryptographic standards provide proven methods and strengths to employ cryptography effectively.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-04-03

Details

Check Text ( None )
None
Fix Text (F-19678r1_fix)
Upgrade to a FIPS 140-2 certified SQL Server version if encryption is required by the Information Owner.

Configure cryptographic functions to use FIPS 140-2 compliant algorithms and hashing functions. If the DBMS does not employ validated cryptographic modules, consider obtaining and using a third-party FIPS 140-2 validated solution.

Note: FIPS 140-2 compliance or non-compliance for the host and network is outside the purview of the Database STIG/Checklist. FIPS 140-2 non-compliance at the host/network level does not negate this requirement.

Configure symmetric keys to use approved encryption algorithms. Existing keys are not re-configurable to use different algorithms.

This may only be specified at key creation time:

CREATE SYMMETRIC KEY [key name] WITH ALGORITHM = AES_256 ENCRYPTION BY [certificate or asymmetric key]

Other approved algorithms that may be specified are TRIPLE_DES, AES_128 and AES_192.

The symmetric key must specify a certificate or asymmetric key for encryption. The certificate may be the code-signing certificate used by the application.
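Because the entry lists no check text, the following T-SQL is an added example (not part of the STIG) that creates a symmetric key the way the fix text describes and then audits the current database for keys created with non-approved algorithms. The object names AppCert and AppDataKey and the master key password are constructed placeholders.

```sql
-- Added example, not STIG text. Names and password below are placeholders.

-- 1. A database master key must exist before a certificate can be created.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong placeholder password>';
GO

-- 2. Certificate that will protect the symmetric key (the fix text allows
--    the application's code-signing certificate to serve this role).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'AppCert')
    CREATE CERTIFICATE AppCert WITH SUBJECT = 'Protects AppDataKey';
GO

-- 3. The algorithm is fixed at creation time and cannot be changed later;
--    AES_256 is one of the approved values (AES_128, AES_192, TRIPLE_DES also).
CREATE SYMMETRIC KEY AppDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE AppCert;
GO

-- 4. Audit: every symmetric key in this database whose algorithm is not on
--    the approved list. The database master key (##MS_...) is excluded.
--    A key listed here cannot be altered to a new algorithm; the data must be
--    re-encrypted under a newly created approved key and the old key dropped.
SELECT name, algorithm_desc, key_length, create_date
FROM sys.symmetric_keys
WHERE name NOT LIKE '##MS_%'
  AND algorithm_desc NOT IN ('AES_128', 'AES_192', 'AES_256', 'TRIPLE_DES');
```

Run the audit query in each user database; an empty result set means every user-created symmetric key uses an algorithm the fix text approves.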