Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to create SQL logins in FIPS compliant environment ?

85 views
Skip to first unread message

Rajeswar

unread,
Jan 28, 2010, 5:06:01 AM1/28/10
to
Hi, our objective is to make our application FIPS compliant. One of the
procedure accepts username and password as parameters and does a CREATE LOGIN
call. But with FIPS, if we pass the password to the procedure in clear text
format, it will be a violation.

Can you suggest any other method of passing the password to the procedure
and still be FIPS compliant? Or any other way to achive the same result?

Also want to know that when SQL Server Management Studio opens a connection
using sql user and password, how is the password sent to the SQL Server? Is
it in clear text? In other words, is SQL Server Management Studio FIPS
compliant?

Michael Coles

unread,
Jan 29, 2010, 9:25:29 AM1/29/10
to
It seems like it should be possible to import a certificate or asymmetric
key into both SQL Server and your .NET application and use the cert/asym key
to encrypt the password before sending to the server and decrypt once it
gets there. Notice I said it "should" be possible, I haven't tried it yet.
It is an interesting question.

You can't do it with symmetric encryption (AES, Triple DES, etc.) because
SQL Server can't import and export symmetric keys. You only need the public
key of an asymmetric key pair to actually encrypt the data. It would be an
interesting proof of concept if you could make it work - you'll be limited
in what you can encrypt asymmetrically in each string though. The limit is
117 bytes of 8-bit plain text or 58 bytes of Unicode plaintext. Probably
more than adequate for most passwords, however.

--
Thanks

Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption"
(http://www.apress.com/book/view/1430224649)
----------------

"Rajeswar" <Raje...@discussions.microsoft.com> wrote in message
news:72F66050-8BF0-4CB6...@microsoft.com...

Michael Coles

unread,
Jan 29, 2010, 12:02:17 PM1/29/10
to
Here's how you can do it:
http://sqlblog.com/blogs/michael_coles/archive/2010/01/29/encrypt-it-in-net-decrypt-it-on-sql-server.aspx

--
Thanks

Michael Coles
SQL Server MVP
Author, "Expert SQL Server 2008 Encryption"
(http://www.apress.com/book/view/1430224649)
----------------

"Rajeswar" <Raje...@discussions.microsoft.com> wrote in message
news:72F66050-8BF0-4CB6...@microsoft.com...

0 new messages