Article ID: 955720 - View products that this article applies to.
This article discusses Federal Information Processing Standard (FIPS) 140-2 instructions and how to use Microsoft SQL Server 2008 in FIPS 140-2-compliant mode.
Note The terms "FIPS 140-2–compliant," "FIPS 140-2 compliance," and "FIPS 140-2-compliant mode" are defined here for use and clarity. These terms are not recognized or defined government terms. The United States and Canadian governments recognize the validation of cryptographic modules against standards like FIPS 140-2 and not the use of them in a specified or conformant manner. In this article, we define “FIPS 140-2-compliant," “FIPS 140-2 compliance," and “FIPS 140-2-compliant mode” to mean that SQL Server 2008 uses only FIPS 140-2-validated instances of algorithms and hashing functions in all instances in which encrypted or hashed data is imported or exported to SQL Server 2008. Additionally, these terms mean that SQL Server 2008 will manage keys in a secure manner as required of FIPS 140-2-validated cryptographic modules. The key management process also includes both the key generation and key storage functionalities.
What is FIPS?FIPS means Federal Information Processing Standards. FIPS are standards that are developed by two government bodies. One is the National Institute of Standards and Technology in the United States. The other is the Communications Security Establishment in Canada. FIPS are standards that are either recommended or mandated for use in federal (either United States or Canadian) government-operated IT systems.
What is FIPS 140-2?FIPS 140-2 is a statement of the "Security Requirements for Cryptographic Modules." It specifies which encryption algorithms and which hashing algorithms can be used and how encryption keys are to be generated and managed. Some hardware, software, and processes can be FIPS 140-2 validated by an approved validation lab. Some of them can also be described as FIPS 140-2-compliant as the term is defined in this article.
What is the difference between an application that is "FIPS 140-2-compliant" and an application that is "FIPS 140-2-validated"?You can configure SQL Server 2008 to run as a FIPS 140-2-compliant application. To do this, you must run SQL Server 2008 on an operating system that uses a FIPS 140-2-validated Cryptographic Service Provider or that provides a cryptographic module that has been validated. The difference between compliance and validation is not subtle. Algorithms can be validated. Realize that it is insufficient to use algorithms from the approved lists in FIPS 140-2. You must use instances of algorithms that have been FIPS 140-2 validated. Validation requires testing and verification by a government-approved evaluation lab. Windows Server 2008, Windows Server 2003, and Windows XP contain the approved cryptographic modules, and the modules, including the specific instances of the algorithms, have been lab tested and government validated.
What applications can be FIPS 140-2-compliant?All applications that perform encryption or hashing and that run on a validated version of a Microsoft Windows Cryptographic Service Provider can be compliant if they use only the validated instances of the approved algorithms. These applications must also comply with key generation and key management requirements either by using a Windows key function or by meeting the key generation and key management requirements in the application. Additionally, in some cases, noncompliant algorithms or processes are allowed in a FIPS 140-2-compliant application. For example, data may be encrypted by using a noncompliant algorithm if, in this encrypted form, the data remains within the application, that is, the data is not exported in this form, or if the data is further encrypted (wrapped) using a FIPS-compliant algorithm.
Does this mean that SQL Server 2008 is always FIPS 140-2-compliant?No. It means that SQL Server 2008 can be configured to run in FIPS 140-2-compliant mode.
How can SQL Server 2008 be configured to use a FIPS 140-2-validated cryptographic module?
Operating system requirementsYou must install SQL Server 2008 on a Windows Server 2008-based computer, a Windows Vista-based computer, a Windows Server 2003-based computer, or a Windows XP-based computer.
Windows system administration requirementsYou must enable FIPS mode before you start SQL Server 2008. This is because SQL Server 2008 reads the FIPS setting at startup. To enable FIPS, follow these steps.
For Windows Server 2008 and Windows Vista
SQL Server 2008 administrator notes
How does SQL Server 2008 operate in FIPS 140-2-compliant mode?
What is the effect of running SQL Server 2008 in FIPS 140-2-compliant mode?
Where can I learn more about FIPS 140-2?For more information about the FIPS standard and how to download it, visit the following NIST Web site:
http://csrc.nist.gov/cryptval/140-2.htmMicrosoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
For more information about how to use SQL Server 2005 in FIPS 140-2-compliant mode, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/920995/ )Instructions for using SQL Server 2005 Service Pack 1 or a later version of SQL Server in the FIPS 140-2 compliant mode
Article ID: 955720 - Last Review: March 19, 2009 - Revision: 3.0
Contact us for more help