From: Rajeswar on 28 Jan 2010 05:06

Hi, our objective is to make our application FIPS compliant. One of the procedures accepts a username and password as parameters and does a CREATE LOGIN call. But with FIPS, if we pass the password to the procedure in clear text format, it will be a violation.

Can you suggest any other method of passing the password to the procedure and still be FIPS compliant? Or any other way to achieve the same result?

I also want to know: when SQL Server Management Studio opens a connection using a SQL user and password, how is the password sent to SQL Server? Is it in clear text? In other words, is SQL Server Management Studio FIPS compliant?
From: Michael Coles on 29 Jan 2010 09:25

It seems like it should be possible to import a certificate or asymmetric key into both SQL Server and your .NET application and use the cert/asymmetric key to encrypt the password before sending it to the server and decrypt it once it gets there. Notice I said it "should" be possible; I haven't tried it yet. It is an interesting question.

You can't do it with symmetric encryption (AES, Triple DES, etc.) because SQL Server can't import and export symmetric keys. You only need the public key of an asymmetric key pair to actually encrypt the data. It would be an interesting proof of concept if you could make it work. You'll be limited in what you can encrypt asymmetrically in each string, though. The limit is 117 bytes of 8-bit plaintext or 58 bytes of Unicode plaintext. Probably more than adequate for most passwords, however.

--
Thanks
Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption" (http://www.apress.com/book/view/1430224649)
----------------

"Rajeswar" <Rajeswar(a)discussions.microsoft.com> wrote in message news:72F66050-8BF0-4CB6-BE5A-FE147BB8E775(a)microsoft.com...
> Hi, our objective is to make our application FIPS compliant. One of the
> procedures accepts a username and password as parameters and does a CREATE
> LOGIN call. But with FIPS, if we pass the password to the procedure in
> clear text format, it will be a violation.
>
> Can you suggest any other method of passing the password to the procedure
> and still be FIPS compliant? Or any other way to achieve the same result?
>
> I also want to know: when SQL Server Management Studio opens a connection
> using a SQL user and password, how is the password sent to SQL Server?
> Is it in clear text? In other words, is SQL Server Management Studio FIPS
> compliant?
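A server-side sketch of the scheme Michael describes, added here as an example; it is not code from the thread or from the linked blog post. It assumes a certificate named LoginPwdCert, a procedure named dbo.CreateLoginEncrypted, and a constructed test password; the .NET client would encrypt with the exported public certificate, while the round trip at the bottom uses ENCRYPTBYCERT in T-SQL so the script runs on its own.

```sql
-- The database master key protects the certificate's private key, so the
-- procedure needs no hard-coded key password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO
-- SQL Server 2008 certificates carry a 1024-bit RSA key; PKCS#1 v1.5 padding
-- is what yields the 117-byte / 58-character plaintext ceiling from the thread.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'LoginPwdCert')
    CREATE CERTIFICATE LoginPwdCert WITH SUBJECT = 'Login password transport';
GO
-- Public half for the .NET client (no PRIVATE KEY clause, so only the public
-- certificate is written). Path is a placeholder.
-- BACKUP CERTIFICATE LoginPwdCert TO FILE = 'C:\keys\LoginPwdCert.cer';
GO
CREATE PROCEDURE dbo.CreateLoginEncrypted
    @username SYSNAME,
    @encrypted_password VARBINARY(128)   -- RSA-1024 ciphertext is exactly 128 bytes
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @pwd NVARCHAR(58);
    -- Decrypt with the private key; NULL means bad ciphertext or the wrong key.
    SET @pwd = CONVERT(NVARCHAR(58),
                       DECRYPTBYCERT(CERT_ID('LoginPwdCert'), @encrypted_password));
    IF @pwd IS NULL
    BEGIN
        RAISERROR('Password could not be decrypted.', 16, 1);
        RETURN 1;
    END;
    -- QUOTENAME with '' as the quote character doubles embedded quotes, so the
    -- decrypted value cannot break out of the literal in the dynamic CREATE LOGIN.
    DECLARE @sql NVARCHAR(MAX) =
        N'CREATE LOGIN ' + QUOTENAME(@username) +
        N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''') + N';';
    EXEC sys.sp_executesql @sql;
    SET @pwd = NULL;   -- drop the plaintext as soon as it is no longer needed
    RETURN 0;
END;
GO
-- Round trip without the .NET client: encrypt with the certificate's public key
-- in T-SQL, then call the procedure. Password value is constructed for the demo.
DECLARE @cipher VARBINARY(128) =
    ENCRYPTBYCERT(CERT_ID('LoginPwdCert'), N'Demo-P@ssw0rd-2010!');
EXEC dbo.CreateLoginEncrypted @username = N'app_user_demo', @encrypted_password = @cipher;
SELECT name FROM sys.server_principals WHERE name = N'app_user_demo';
```

Anything that captures the procedure's parameters (trace, plan cache, audit) now sees only the 128-byte ciphertext; the plaintext exists only inside the procedure between DECRYPTBYCERT and the CREATE LOGIN.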
From: Michael Coles on 29 Jan 2010 12:02

Here's how you can do it: http://sqlblog.com/blogs/michael_coles/archive/2010/01/29/encrypt-it-in-net-decrypt-it-on-sql-server.aspx

--
Thanks
Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption" (http://www.apress.com/book/view/1430224649)
----------------

"Rajeswar" <Rajeswar(a)discussions.microsoft.com> wrote in message news:72F66050-8BF0-4CB6-BE5A-FE147BB8E775(a)microsoft.com...
> Hi, our objective is to make our application FIPS compliant. One of the
> procedures accepts a username and password as parameters and does a CREATE
> LOGIN call. But with FIPS, if we pass the password to the procedure in
> clear text format, it will be a violation.
>
> Can you suggest any other method of passing the password to the procedure
> and still be FIPS compliant? Or any other way to achieve the same result?
>
> I also want to know: when SQL Server Management Studio opens a connection
> using a SQL user and password, how is the password sent to SQL Server?
> Is it in clear text? In other words, is SQL Server Management Studio FIPS
> compliant?