Check: DM6184-SQLServer9
Database SQL Server 9:
DM6184-SQLServer9
(in version v8 r1.9)
Title
Asymmetric keys should be derived from DoD PKI certificates. (Cat II impact)
Discussion
Asymmetric keys derived from self-signed certificates or self-generated by other means do not meet the security requirements of DOD that require validation by DOD trusted certificate authorities.
Check Content
From the query prompt:

```sql
SELECT name FROM [master].sys.databases WHERE state = 0  -- state 0 = ONLINE
```

Repeat the following for each database returned. From the query prompt:

```sql
USE [database name]
SELECT name, SUSER_SNAME(sid) FROM sys.asymmetric_keys ORDER BY name, SUSER_SNAME(sid)
```

If no keys are defined for any database, this check is Not a Finding.

If keys are returned, verify that each key is associated with a DOD PKI certificate. Evidence may include review of the certificate of a signed file used to read the key into the database. If the key is not from a DOD PKI certificate, or evidence cannot be determined or presented, this is a Finding.
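The check above is written as two manual steps repeated per database. The following script, added here as an illustration and not part of the STIG text, walks every online database in one pass and collects the same information (key name and owner, plus the algorithm, key length, private-key protection type and thumbprint that an auditor needs to match the key against its signed source). The temporary table name `#akeys` and the cursor name are this example's own choices; the column names come from `sys.asymmetric_keys`.

```sql
-- Added example: enumerate asymmetric keys across all ONLINE databases.
-- Run from a login with VIEW DEFINITION (or CONTROL) on each database.
SET NOCOUNT ON;
DECLARE @db  sysname,
        @sql nvarchar(max);

IF OBJECT_ID('tempdb..#akeys') IS NOT NULL DROP TABLE #akeys;
CREATE TABLE #akeys (
    database_name      sysname,
    key_name           sysname,
    owner_name         sysname        NULL,   -- SUSER_SNAME(sid), as in the check
    algorithm          nvarchar(120)  NULL,
    key_length         int            NULL,
    pvt_key_protection nvarchar(120)  NULL,   -- ENCRYPTED_BY_MASTER_KEY / _PASSWORD / NO_PRIVATE_KEY
    thumbprint         varbinary(32)  NULL    -- compare against the signed file's key
);

-- state = 0 is ONLINE; offline, restoring or suspect databases cannot be queried.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.sys.databases WHERE state = 0;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects against database names containing ] or other specials.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #akeys
        SELECT DB_NAME(), name, SUSER_SNAME(sid), algorithm_desc, key_length,
               pvt_key_encryption_type_desc, thumbprint
        FROM sys.asymmetric_keys;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

-- Empty result set: Not a Finding. Any rows: each key needs DOD PKI evidence.
SELECT * FROM #akeys ORDER BY database_name, key_name, owner_name;
```

Keys whose `pvt_key_protection` is `NO_PRIVATE_KEY` were imported from a public-only source (for example an assembly) and can only be verified through the signature on that source; the `thumbprint` column is what to compare against the certificate or strong-name file presented as evidence.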
Fix Text
Where asymmetric key use is required, the asymmetric key should be generated using a code-signing certificate or using the database master key to encrypt the private key. In DOD installations, asymmetric keys are expected to be used to protect symmetric keys that are in turn used to encrypt sensitive data. In a DOD environment, asymmetric keys generated and stored within the SQL Server database are not expected to be used for storage of DOD PKI certificates associated with DOD personnel and used to authenticate them for any database access.

```sql
CREATE ASYMMETRIC KEY [key name]
```

or

```sql
CREATE ASYMMETRIC KEY [key name] FROM [asymmetric key source]
```

where [asymmetric key source] may be one of:

    FILE = [strong file name]
    EXECUTABLE FILE = 'executable file'
    ASSEMBLY [assembly name]

In a DOD environment, each of these asymmetric key sources is expected to be a file signed with a code-signing certificate issued by the DOD PKMO. Use of the database master key to encrypt is acceptable, especially where the key is generated using the service master key, which in turn is generated from the server certificate. In cases where the DBAs are not trusted, use of external key sources is required.
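To show what the fix text means in practice, the script below is an added example (not text from the STIG and not DISA's own code). It contrasts the self-generated key form that this check flags with the compliant form that imports the key from an externally signed strong-name file and leaves the private key protected by the database master key, then uses that key to protect a symmetric data-encryption key as the fix text describes. The database name `AppDB`, the key names, the file path and the password are placeholders; the strong-name file is assumed to have been signed outside the server with a DOD PKMO-issued code-signing certificate.

```sql
-- Added example: non-compliant vs. compliant asymmetric key creation.
USE [AppDB];  -- placeholder database name
GO

-- NON-COMPLIANT (would be a Finding): the key pair is generated inside SQL
-- Server with no link to any DOD PKI certificate, so no evidence can be produced.
-- CREATE ASYMMETRIC KEY SelfGeneratedKey WITH ALGORITHM = RSA_2048;

-- COMPLIANT, step 1: a database master key (DMK) must exist so that the
-- imported private key can be encrypted by it rather than by a password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO

-- COMPLIANT, step 2: import the key from a strong-name file that was signed
-- externally with a DOD PKI code-signing certificate. Omitting
-- ENCRYPTION BY PASSWORD makes the private key DMK-protected.
CREATE ASYMMETRIC KEY AppSigningKey
    FROM FILE = 'C:\keys\app.snk';   -- placeholder path to the signed file
GO

-- COMPLIANT, step 3: the asymmetric key protects a symmetric key, and the
-- symmetric key (not the asymmetric one) encrypts sensitive column data.
CREATE SYMMETRIC KEY AppDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY AppSigningKey;
GO

-- Re-run the STIG check query to confirm the result: the owner and the
-- private-key protection type are what an auditor records alongside the
-- signature evidence for C:\keys\app.snk.
SELECT name,
       SUSER_SNAME(sid)             AS owner_name,
       pvt_key_encryption_type_desc AS pvt_key_protection,
       algorithm_desc,
       key_length,
       thumbprint
FROM sys.asymmetric_keys
WHERE name = 'AppSigningKey';
GO

-- Usage sketch: decrypting AppDataKey requires the private key of
-- AppSigningKey, which in turn requires the DMK. If the DMK is also
-- encrypted by the service master key, SQL Server opens it automatically;
-- otherwise OPEN MASTER KEY DECRYPTION BY PASSWORD = '...' must precede this.
OPEN SYMMETRIC KEY AppDataKey DECRYPTION BY ASYMMETRIC KEY AppSigningKey;
CLOSE SYMMETRIC KEY AppDataKey;
GO
```

The operational point of the separation is that the evidence trail lives outside the database: the strong-name file and the code-signing certificate that signed it are what prove DOD PKI provenance, which is why the fix text calls for external key sources when DBAs themselves are not trusted.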
Additional Identifiers
Rule ID: SV-23863r2_rule
Vulnerability ID: V-15164
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |