Keys use a set of instructions that dictate how their cryptographic functions are to be performed. These instructions are called algorithms. There are several algorithms available in SQL Server, and selecting the optimal algorithm can be a daunting task, with the high complexity of the mathematical equations that define these algorithms simply adding to the challenge. Each encryption project is unique, and a suitable algorithm for one project may not be suitable for another. With the following information you can more confidently select the algorithm that is best for your situation.
Symmetric Key Algorithms
The available symmetric key algorithms in SQL Server fall into two categories:
Block ciphers:
This type of algorithm processes a fixed number of bits of the plain text into the same fixed number of bits of encrypted text. Decryption of a block cipher reverses the process.
Stream ciphers:
This type of algorithm processes a single bit of plain text into a single bit of cipher text; a keystream, which is a series of bits that provides the key to the encryption, is appended to the results.
Depending upon the algorithm selected, the resulting block or stream cipher is a key of a specific length. In general, longer key lengths result in stronger encryption, although stronger encryption requires more resources to process.
The following key algorithms are available for symmetric keys in SQL Server:
Advanced Encryption Standard
AES 128: This is a block cipher that processes text in 128 bit blocks. The result is a key size of 128 bits.
AES 192: This is a block cipher that processes text in 128 bit blocks. The result is a key size of 192 bits.
AES 256: This is a block cipher that processes text in 128 bit blocks. The result is a key size of 256 bits.
Data Encryption Standard
DES: This is a block cipher that processes text in 64 bit blocks. The result is a key size of 56 bits.
DESX: This option in SQL Server is actually a misnomer and when it is used, Triple_DES_3KEY is actually applied. The DESX option will not be an option in future versions of SQL Server.
Triple_DES: This is a block cipher that processes text in 64 bit blocks. The result is a key size of 168 bits. The Triple_DES option in SQL Server actually returns a 128 bit key size. The Triple_DES_3KEY option returns a 192 bit key size. Triple_DES is the algorithm used when a database master key is created.
Rivest Cipher
RC2: This is a block cipher that processes text in 64 bit blocks. The result is a key size of 64 bits.
RC4: This is a stream cipher resulting in a key size between 40 and 256 bits. This option will be removed from future versions of SQL Server.
128-bit RC4: This is a stream cipher resulting in a key size of 128 bits. This will not be an option in future versions of SQL Server.
Of the three options, AES, DES and RC, the AES group of algorithms is the strongest. This is reflected in the fact that the US National Security Agency states that the AES algorithm should be used to protect systems and information of national security interest.
Due to the inherent weaknesses of the RC4 and 128-bit RC4 algorithms these options will not be available in future versions of SQL Server. Their use is therefore discouraged.
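The following T-SQL is an added example, not code from the original text, showing how the algorithm choice is expressed when a symmetric key is created, how the resulting key length can be read back from the catalog, and what a round trip through EncryptByKey and DecryptByKey looks like. The key names, the passwords and the sample value are assumptions made for the demonstration; the keys are protected by password so that no database master key is required.

```sql
-- Added example: key names, passwords and the sample value are constructed for this demo.
-- Password protection is used so that the keys do not depend on a database master key.
CREATE SYMMETRIC KEY DemoKey_AES128
    WITH ALGORITHM = AES_128
    ENCRYPTION BY PASSWORD = 'D3mo!Pa55word#128';

CREATE SYMMETRIC KEY DemoKey_AES256
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = 'D3mo!Pa55word#256';

-- The catalog reports the algorithm actually applied and the key length in bits.
-- This is the check to run when an option name (DESX, TRIPLE_DES) does not map
-- one-to-one onto the key size described for it.
SELECT name, algorithm_desc, key_length
FROM   sys.symmetric_keys
WHERE  name LIKE 'DemoKey%';
-- DemoKey_AES128  AES_128  128
-- DemoKey_AES256  AES_256  256

-- A key must be opened before EncryptByKey / DecryptByKey can use it.
OPEN SYMMETRIC KEY DemoKey_AES256
    DECRYPTION BY PASSWORD = 'D3mo!Pa55word#256';

DECLARE @plain  NVARCHAR(100) = N'4111-1111-1111-1111';   -- constructed sample value
DECLARE @cipher VARBINARY(8000);

SET @cipher = EncryptByKey(Key_GUID('DemoKey_AES256'), @plain);

-- The ciphertext is larger than the plaintext: it carries the key GUID, an IV and
-- padding to a whole number of 128-bit blocks, and it differs on every call because
-- the IV is random.
SELECT DATALENGTH(@plain) AS plain_bytes, DATALENGTH(@cipher) AS cipher_bytes;

-- DecryptByKey locates the right open key from the GUID embedded in the ciphertext
-- and returns VARBINARY, so the original type has to be restored explicitly.
SELECT CONVERT(NVARCHAR(100), DecryptByKey(@cipher)) AS round_trip;   -- 4111-1111-1111-1111

CLOSE SYMMETRIC KEY DemoKey_AES256;

DROP SYMMETRIC KEY DemoKey_AES128;
DROP SYMMETRIC KEY DemoKey_AES256;
```

Only the AES sizes are created here on purpose: from SQL Server 2016 onward every algorithm other than AES_128, AES_192 and AES_256 is deprecated and can only be created at database compatibility level 120 or lower, so the DES and RC options above are best read as history rather than as choices.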
Asymmetric Key Algorithms
Asymmetric keys utilize a series of computational methods to derive the private and public key instead of the block/stream methods identified for symmetric keys. The following Rivest/Shamir/Adleman (RSA) key algorithms are available for asymmetric keys in SQL Server:
RSA 512: The result is a private key size of 512 bits.
RSA 1024: The result is a private key size of 1024 bits.
RSA 2048: The result is a private key size of 2048 bits.
When a self-signed certificate is generated within SQL Server, the private key that is created uses the RSA 1024 algorithm.
It is important to note that the term "key length" for asymmetric keys is in reference to the portion of the algorithm calculation that is called the "modulus"; whereas the key length for symmetric keys is the resulting block or stream cipher. The physical storage size of a key that uses the RSA 512 algorithm is actually 64 bits. This can be a source of confusion when comparing the key lengths of symmetric and asymmetric keys.
Asymmetric algorithms are, in general, stronger than symmetric algorithms; but they are significantly more resource intensive.
Due to the key length of the RSA 512 algorithm, which is 512 bits, it is not considered suitable for protecting highly sensitive data.
In addition to encryption, the RSA algorithms are also used as a method of digitally signing messages. Message signing is the process in which the original message is encrypted with a private key and attached to the plain text message. When the message is received, the message is encrypted again through the use of a public key. The two hash values are then compared. If they are a match, it is verification that the message has not been altered during transit and verifies that the sender is authentic.
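The following T-SQL is an added example, not code from the original text, covering both the asymmetric key creation and encryption described at the start of this section and the signing and verification just described. The key name, the password, the secret and the message are assumptions made for the demonstration.

```sql
-- Added example: key name, password, secret and messages are constructed for this demo.
CREATE ASYMMETRIC KEY DemoRsaKey
    WITH ALGORITHM = RSA_2048
    ENCRYPTION BY PASSWORD = 'D3mo!Pa55word#RSA';

-- key_length here is the modulus size in bits, as explained above
SELECT name, algorithm_desc, key_length
FROM   sys.asymmetric_keys
WHERE  name = 'DemoRsaKey';   -- DemoRsaKey  RSA_2048  2048

-- Encryption uses the public key; the private key (hence the password) is needed to decrypt.
-- RSA can only encrypt a value shorter than its modulus, so it is used for small items
-- such as a symmetric key or a short secret, not for bulk data.
DECLARE @secret NVARCHAR(50) = N'short secret value';   -- constructed
DECLARE @enc    VARBINARY(8000);
SET @enc = EncryptByAsymKey(ASYMKEY_ID('DemoRsaKey'), @secret);

SELECT DATALENGTH(@enc) AS cipher_bytes;   -- 256 bytes = the 2048-bit modulus, whatever the input size

SELECT CONVERT(NVARCHAR(50),
       DecryptByAsymKey(ASYMKEY_ID('DemoRsaKey'), @enc, N'D3mo!Pa55word#RSA')) AS round_trip;

-- Signing uses the private key, so the password is supplied.
DECLARE @msg NVARCHAR(200) = N'Transfer 100.00 to account 42';   -- constructed message
DECLARE @sig VARBINARY(8000);
SET @sig = SignByAsymKey(ASYMKEY_ID('DemoRsaKey'), @msg, N'D3mo!Pa55word#RSA');

SELECT DATALENGTH(@sig) AS signature_bytes;   -- 256 bytes, again the modulus size

-- Verification needs only the public key. It returns 1 when the signature matches the
-- data and 0 otherwise; the altered message fails even though only the amount changed.
SELECT VerifySignedByAsymKey(ASYMKEY_ID('DemoRsaKey'), @msg, @sig) AS original_message,   -- 1
       VerifySignedByAsymKey(ASYMKEY_ID('DemoRsaKey'),
                             N'Transfer 900.00 to account 42', @sig) AS altered_message;  -- 0

DROP ASYMMETRIC KEY DemoRsaKey;
```

The second VerifySignedByAsymKey call is the practical point: the signature is bound to the exact bytes that were signed, so any change to the message after signing, however small, is detected by the receiver without the private key ever leaving the signer.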
Hashing Algorithms
Hashing is a process in which plain text is encrypted without the intent of it being decrypted. The revelation of the plain text value occurs when a string is encrypted with the same algorithm and returns a positive match. This is also known as one-way encryption.
The following key algorithms are available for hashing functions in SQL Server:
Message Digest
MD2: The result is a 128 bit hash.
MD4: The result is a 128 bit hash.
MD5: The result is a 128 bit hash.
Secure Hash Algorithm
Both offerings within the Secure Hash Algorithm (SHA) series utilize the same base algorithm to determine their hash values; but the SHA1 option contains an extra step in its processing to address a security flaw discovered in the SHA option.
Because the hash length of the SHA options is greater than that of the MD options, the former are considered to be the more secure.
The SignByAsymKey and VerifySignedByAsymKey cryptographic functions of SQL Server utilize the MD5 algorithm when signing plain text with an asymmetric key.
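The following T-SQL is an added example, not code from the original text, showing the hash sizes of the listed algorithms through HASHBYTES and the match-by-rehashing pattern described above. The input strings are constructed for the demonstration.

```sql
-- Added example: the input strings are constructed for this demo.
DECLARE @input NVARCHAR(100) = N'correct horse battery staple';

-- Digest size in bits for the listed algorithms
SELECT 'MD5'  AS algorithm, DATALENGTH(HASHBYTES('MD5',  @input)) * 8 AS hash_bits   -- 128
UNION ALL
SELECT 'SHA1',              DATALENGTH(HASHBYTES('SHA1', @input)) * 8;               -- 160

-- One-way use: keep only the hash, then compare it with the hash of whatever is
-- presented later. The stored value never has to be (and cannot be) decrypted.
DECLARE @stored VARBINARY(20);
SET @stored = HASHBYTES('SHA1', @input);

SELECT CASE WHEN HASHBYTES('SHA1', N'correct horse battery staple') = @stored
            THEN 'match' ELSE 'no match' END AS same_string,        -- match
       CASE WHEN HASHBYTES('SHA1', N'Correct horse battery staple') = @stored
            THEN 'match' ELSE 'no match' END AS one_char_changed;    -- no match

-- Gotcha: HASHBYTES hashes the bytes of the value as typed. The same characters in
-- VARCHAR (one byte each) and NVARCHAR (two bytes each) hash to different values, so
-- the stored hash and the later comparison must use the same data type.
SELECT HASHBYTES('MD5', 'abc')  AS md5_varchar,    -- 0x900150983CD24FB0D6963F7D28E17F72
       HASHBYTES('MD5', N'abc') AS md5_nvarchar;   -- a different value
```

The last query is the check to run when a comparison that "should" match does not: a hash stored from a VARCHAR column and recomputed from an NVARCHAR parameter will never agree, and the difference is invisible in the string values themselves.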