Instructions for using SQL Server 2005 SP1 or a later version of SQL Server in the FIPS 140-2 compliant mode

This article discusses FIPS 140-2 instructions and how to use Microsoft SQL Server 2005 Service Pack 1 (SP1) or a later version of SQL Server in the FIPS 140-2 compliant mode.

What is FIPS?

FIPS stands for Federal Information Processing Standard. A FIPS is a standard developed by two government bodies. One is NIST, the National Institute of Standards and Technology, in the United States. The other is CSE, the Communications Security Establishment, in Canada. FIPS are standards that are either recommended or mandated for use in federal (either U.S. or Canadian) government-operated IT systems.

What is FIPS 140-2?

FIPS 140-2 is a statement of the "Security Requirements for Cryptographic Modules." It specifies which encryption algorithms and which hashing algorithms can be used and how encryption keys are to be generated and managed. It is possible for some hardware, software, and processes to be FIPS 140-2 certified. It is also possible for some to be FIPS 140-2 compliant.

What is the difference between being FIPS 140-2 compliant versus being FIPS 140-2 certified?

SQL Server 2005 SP1 or a later version of SQL Server can be configured and run in a way that is compliant with FIPS 140-2. To do that, SQL Server 2005 SP1 or a later version of SQL Server must run on an operating system that is FIPS 140-2 certified or provides a cryptographic module that has been certified. The difference between compliance and certification is not subtle. Algorithms can be certified. Note that it is not sufficient to use an algorithm from the approved lists in FIPS 140-2. It is necessary to use an instance of such an algorithm that has been certified. Certification requires testing and verification by a government-approved evaluation lab. Microsoft Windows Server 2003 and Microsoft Windows XP contain the allowed algorithms, and an instance of each of them has been evaluation lab tested and government certified.

What application products can be FIPS 140-2 compliant?

All applications that perform encryption or hashing and that run on a certified version of Microsoft Windows have the opportunity to be compliant by using only the certified instances of the approved algorithms and by complying with the key generation and key management requirements either by using the Windows function for these or by complying to key generation and management requirements within the application. It should be noted that within an application places may exist where non-compliant algorithms or processes are allowed within a FIPS compliant application. For example, some internal processes that stay within the system or some external data that is to be further encrypted by a certified algorithm instance are allowed.

Does this mean that SQL Server 2005 SP1 or a later version of SQL Server is always FIPS 140-2 compliant?

No. It means that SQL Server 2005 SP1 or a later version of SQL Server can be FIPS 140-2 compliant, because it can be configured and run such that it uses only the FIPS 140-2 certified algorithm instances called by using the Windows CryptoAPI for encryption or by hashing in every instance where FIPS 140-2 compliance is required.

How can SQL Server 2005 SP1 or a later version of SQL Server be configured to be FIPS 140-2 compliant?

• Operating system requirement
  You must install SQL Server 2005 SP1 or a later version of SQL Server on a Windows Server 2003-based server or on a Windows XP-based server.
• Windows system administration requirement
  The FIPS mode must be set before SQL Server 2005 SP1 or a later version of SQL Server is started. SQL Server reads the setting at startup. To do this, follow these steps:
  1. Log on to Windows as a Windows system administrator:
  2. Click Start.
  3. Click Control Panel.
  4. Click Administrative Tools.
  5. Click Local Security Policy. The Local Security Settings window appears.
  6. In the left pane, click Local Policies, and then click Security Options.
  7. In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
  8. In the dialog box that appears, click Enabled, and then click Apply.
  9. Click OK.
  10. Close the Local Security Settings window.
SQL Server administrator requirement
• When the SQL Server service detects that the FIPS mode is enabled at startup, SQL Server logs the following message in the SQL Server error log:
  Service Broker transport is running in FIPS compliance mode
  Additionally, you may find the following message is logged in the Windows Event log:
  Database Mirroring transport is running in FIPS compliance mode
  You can verify that the server is running in the FIPS mode by these messages.
• For dialog security (between services), the encryption will use the FIPS-certified instance of AES if the FIPS mode is enabled. If the FIPS mode is disabled, the encryption will use RC4.
• When you configure a Service Broker endpoint in the FIPS mode, the administrator must specify "AES" for the Service Broker. If the endpoint is configured to RC4, SQL Server will generate an error. Therefore, the transport layer will not start.

How is SQL Server 2005 SP1 or a later version of SQL Server operated in FIPS 140-2 compliant mode?

• With the FIPS mode in Windows turned on, in all places where the user has no choice about whether to encrypt/hash and how it will be done, SQL Server 2005 SP1 or a later version of SQL Server will execute in compliance with FIPS 140-2. (SQL Server 2005 SP1 or a later version of SQL Server will use the CryptoAPI in Windows and will use only the certified instances of the algorithms.)
• With the FIPS mode in Windows turned on, in all places where the user has a choice of whether or not to use encryption, SQL Server 2005 SP1 or a later version of SQL Server will either allow only FIPS 140-2 compliant encryption or will not allow any encryption.
• Important information for application developers
  In all places where the developer or the user writes his or her own code for encryption or hashing, they must be instructed to use only the Windows CryptoAPI (and therefore only the certified instances) and to specify only the algorithms allowed by FIPS 140-2, specifically only Triple DES (3DES) or AES for encryption and only SHA-1 for hashing.

What is the effect of running SQL Server 2005 SP1 or a later version of SQL Server in FIPS 140-2 compliant mode?

• The use of stronger encryption may have a small effect on performance for those processes where less strong encryption is allowed when the process is not operating as FIPS 140-2 compliant.
• Selection of encryption for SSIS (UseEncryption=True) will generate an error message that the available encryption is incompatible with FIPS compliance and is not allowed. In other words, no encryption of the message process is performed.
• The use of encryption with legacy DTS is not compliant with FIPS 140-2. Note that for DTS, the FIPS mode in Windows is not checked, and it is the responsibility of the user to select no encryption to remain compliant.
• Because most SQL Server 2005 encryption and hashing processes were already FIPS 140-2 compliant, executing at full compliance (with the FIPS mode in Windows turned on) will have little or no effect on the use or performance of the product.

Where can I learn more about FIPS 140-2?

For more information about the standard and how to download it, visit the following NIST Web site: