SQL2-00-019800 - SQL Server must employ NSA-approved cryptography to protect classified information.

Information

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.

NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as:
'Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed.
Developed using established NSA business processes and containing NSA approved algorithms are used to protect systems requiring the most stringent protection mechanisms.'

NSA-approved cryptography is required to be used for classified information system processing.

Solution

Document within the system documentation the type of information hosted on SQL Server: classified, sensitive, and/or unclassified.

Obtain and utilize a native or third-party NIST-validated FIPS 140-2 compliant cryptography solution on SQL Server.

Configure cryptographic functions to use FIPS 140-2 compliant algorithms and functions.

Use DoD certificates to create asymmetric keys stored in the database and used to encrypt sensitive data stored in the database.

Run the following SQL script to create a certificate:
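USE <database name>;
-- SUBJECT and EXPIRY_DATE apply only when SQL Server generates a new key pair;
-- a certificate loaded FROM FILE carries its own subject and expiration date.
CREATE CERTIFICATE <certificate name>
FROM FILE = '<path/file_name>'
WITH PRIVATE KEY (
    FILE = '<path/private_key_file_name>',
    DECRYPTION BY PASSWORD = '<private key file password>',
    ENCRYPTION BY PASSWORD = '<password>'
);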

Run the following SQL script to create a symmetric key and assign an existing certificate:
USE <database name>;
CREATE SYMMETRIC KEY <key name>
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE <certificate name>;

Assign the application object owner account as the owner of asymmetric and symmetric keys, and certificates. (Ownership is assigned via the AUTHORIZATION clause of the CREATE statement, or the ALTER AUTHORIZATION statement.)

Create audit events for access to the key by other than the application owner account or approved application objects. (If using a server-level SQL Server Audit specification, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP accomplishes this.)

Revoke any privileges on encryption keys assigned to principals other than the application object owner account and authorized users.

Protect the private key by encrypting it with the database or service master key.

For whole-database encryption (Transparent Data Encryption - TDE):
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<password>';
CREATE CERTIFICATE <certificate name> . . .;
USE <database name>;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE <certificate name>;
ALTER DATABASE <database name>
SET ENCRYPTION ON;
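
To confirm the result of the steps above, the following queries read the SQL Server catalog views and report key algorithms, key and certificate ownership, private key protection, stray permissions, and TDE state. This is an added example, not part of the STIG text; <database name> and <application owner> are placeholders to fill in, and the last query requires VIEW SERVER STATE.

```sql
USE <database name>;

-- 1. Symmetric keys: algorithm, owner, and the certificate protecting each key.
--    Anything other than an AES algorithm deserves review against the FIPS 140-2 requirement.
SELECT sk.name AS key_name, sk.algorithm_desc, sk.key_length,
       dp.name AS owner_name, ke.crypt_type_desc,
       c.name  AS protecting_certificate
FROM sys.symmetric_keys AS sk
JOIN sys.database_principals AS dp ON dp.principal_id = sk.principal_id
LEFT JOIN sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id
LEFT JOIN sys.certificates   AS c  ON c.thumbprint = ke.thumbprint
WHERE sk.name NOT LIKE '##MS[_]%';          -- skip the database master key row

-- 2. Certificates: owner, how the private key is protected, and expiration.
--    pvt_key_encryption_type_desc shows ENCRYPTED_BY_MASTER_KEY or ENCRYPTED_BY_PASSWORD.
SELECT c.name AS certificate_name, dp.name AS owner_name,
       c.pvt_key_encryption_type_desc, c.expiry_date
FROM sys.certificates AS c
JOIN sys.database_principals AS dp ON dp.principal_id = c.principal_id;

-- 3. Permissions on keys and certificates held by principals other than the
--    application object owner (placeholder). Classes: 24 = symmetric key,
--    25 = certificate, 26 = asymmetric key.
SELECT p.class_desc, p.permission_name, p.state_desc,
       grantee.name AS grantee_name,
       COALESCE(sk.name, c.name, ak.name) AS securable_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee
     ON grantee.principal_id = p.grantee_principal_id
LEFT JOIN sys.symmetric_keys  AS sk ON p.class = 24 AND sk.symmetric_key_id  = p.major_id
LEFT JOIN sys.certificates    AS c  ON p.class = 25 AND c.certificate_id     = p.major_id
LEFT JOIN sys.asymmetric_keys AS ak ON p.class = 26 AND ak.asymmetric_key_id = p.major_id
WHERE p.class IN (24, 25, 26)
  AND grantee.name <> N'<application owner>';

-- 4. TDE: encryption_state 3 means the database is encrypted; expect AES / 256.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state, dek.key_algorithm, dek.key_length
FROM sys.dm_database_encryption_keys AS dek;
```

Rows returned by query 3 are the candidates for the REVOKE step; compare them against the list of authorized users before removing anything.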

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_SQL_Server_2012_V1R20_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13, CAT|II, CCI|CCI-002450, Rule-ID|SV-53272r6_rule, STIG-ID|SQL2-00-019800, Vuln-ID|V-40918

Plugin: MS_SQLDB

Control ID: aa1acb1651613a29fdf3f6ed73f82dc50343260ecea9e991a410fe3a3828feef