
John Magnabosco

SQL Server Development and Data Security

Deprecated Symmetric Algorithms

Published Sunday, June 21, 2009 8:41 PM

A symmetric key, whether used to protect other keys or to encrypt sensitive data directly, is created with the CREATE SYMMETRIC KEY command. One of the arguments to this command is WITH ALGORITHM, which selects the algorithm used to generate the key.

There are many algorithm options available for symmetric keys. The strength of each algorithm is directly affected by the resulting key length. The strongest of the options are the AES (Advanced Encryption Standard) algorithms, which produce 128-, 192- or 256-bit keys.

The RC4 algorithm produces a variable key length between 40 and 256 bits, and the RC4_128 algorithm produces a key length of 128 bits. Although these key lengths might be considered strong, the way SQL Server uses these algorithms results in vulnerable keys.

According to Microsoft, the specifics of the weaknesses of RC4 and RC4_128 are: "Repeated use of the same RC4 or RC4_128 KEY_GUID on different blocks of data will result in the same RC4 key because SQL Server does not provide a salt automatically. Using the same RC4 key repeatedly is a well-known error that will result in very weak encryption." (Choosing An Encryption Algorithm: SQL Server Books Online)

In addition, the DESX option, which produces a 192-bit key, has the simple problem of being "...incorrectly named." (Choosing An Encryption Algorithm: SQL Server Books Online) The name is incorrect because when you select the DESX option, the key is actually created using the TRIPLE_DES_3KEY algorithm, which is itself another available option.

Because of these weaknesses in the RC4 and RC4_128 algorithm options and the misnomer of DESX, these options will not be available in future releases of Microsoft SQL Server. Please be aware of the deprecation of these options when creating new symmetric keys or replacing existing ones.
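The following T-SQL script is an added example, not code from the original post. It ties the two practical points above together: how WITH ALGORITHM selects the key algorithm on CREATE SYMMETRIC KEY, how to find keys already created with one of the deprecated options by querying sys.symmetric_keys, and how to re-encrypt existing data under an AES_256 replacement before dropping the old key. The database name, certificate name, key names, the dbo.Customers table and its sample row are all constructed for the example; the master key password is a placeholder.

```sql
-- Added example (not from the original post). All object names are illustrative.
USE [YourDatabase];  -- placeholder: the database that owns the keys
GO

-- 1. Key hierarchy: the database master key protects the certificate,
--    and the certificate protects the symmetric keys created below.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
CREATE CERTIFICATE KeyProtectionCert WITH SUBJECT = 'Protects symmetric keys';
GO

-- 2. WITH ALGORITHM chooses the key algorithm. This key uses a deprecated
--    option and exists only so the audit in step 4 has something to find.
CREATE SYMMETRIC KEY LegacyRc4Key
    WITH ALGORITHM = RC4_128
    ENCRYPTION BY CERTIFICATE KeyProtectionCert;

-- The replacement: AES with a 256-bit key.
CREATE SYMMETRIC KEY CustomerDataAesKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE KeyProtectionCert;
GO

-- 3. Constructed sample data: one row encrypted under the legacy key.
CREATE TABLE dbo.Customers (CustomerId INT PRIMARY KEY, SSN_Enc VARBINARY(MAX));
OPEN SYMMETRIC KEY LegacyRc4Key DECRYPTION BY CERTIFICATE KeyProtectionCert;
INSERT INTO dbo.Customers (CustomerId, SSN_Enc)
VALUES (1, ENCRYPTBYKEY(KEY_GUID('LegacyRc4Key'), N'000-00-0000'));
CLOSE SYMMETRIC KEY LegacyRc4Key;
GO

-- 4. Audit: list every symmetric key in this database that was created with
--    one of the deprecated algorithm options.
SELECT name, algorithm_desc, key_length, create_date
FROM sys.symmetric_keys
WHERE algorithm_desc IN ('RC4', 'RC4_128', 'DESX');
GO

-- 5. Re-key: open both keys, decrypt each value with the old key and
--    re-encrypt it with the AES key in a single UPDATE. DECRYPTBYKEY picks
--    the correct open key from the key GUID stored in the ciphertext.
OPEN SYMMETRIC KEY LegacyRc4Key DECRYPTION BY CERTIFICATE KeyProtectionCert;
OPEN SYMMETRIC KEY CustomerDataAesKey DECRYPTION BY CERTIFICATE KeyProtectionCert;

UPDATE dbo.Customers
SET SSN_Enc = ENCRYPTBYKEY(KEY_GUID('CustomerDataAesKey'), DECRYPTBYKEY(SSN_Enc))
WHERE SSN_Enc IS NOT NULL;

CLOSE SYMMETRIC KEY LegacyRc4Key;
CLOSE SYMMETRIC KEY CustomerDataAesKey;
GO

-- 6. Verify with only the AES key open: the row must still decrypt.
OPEN SYMMETRIC KEY CustomerDataAesKey DECRYPTION BY CERTIFICATE KeyProtectionCert;
SELECT CustomerId, CAST(DECRYPTBYKEY(SSN_Enc) AS NVARCHAR(20)) AS SSN_Plain
FROM dbo.Customers;
CLOSE SYMMETRIC KEY CustomerDataAesKey;
GO

-- 7. Only after every row decrypts under the new key, remove the legacy key.
DROP SYMMETRIC KEY LegacyRc4Key;
GO
```

Run the audit query on its own against any existing database to see whether deprecated keys are present before planning a re-key. Note that on SQL Server 2012 and later, creating new RC4 or RC4_128 material is refused at database compatibility level 110 or higher, so step 2 only succeeds on older versions or lower compatibility levels; decrypting existing RC4 data (step 5) still works there, which is what makes the migration possible.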


About Johnm

John Magnabosco manages the Data Services Group at one of the fastest growing companies in the United States. He is also a Co-Founder of the Indianapolis Professional Association for SQL Server (IndyPASS), Co-Founder of IndyTechFest, the author of the book titled "Protecting SQL Server Data" and contributing author of "SQL Server MVP Deep Dives Volume 2".