The application must utilize FIPS-validated cryptographic modules when signing application components.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70191	APSC-DV-002020	SV-84813r1_rule		Medium

Description
Applications that distribute components of the application must sign the components to provide an identity assurance to consumers of the application component. Components can include application messages or application code. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to validate the author of application components. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance the modules have been tested and validated. If the application resides on a National Security System (NSS) it must not use algorithm weaker than SHA-256.

Description

Applications that distribute components of the application must sign the components to provide an identity assurance to consumers of the application component. Components can include application messages or application code. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to validate the author of application components. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance the modules have been tested and validated. If the application resides on a National Security System (NSS) it must not use algorithm weaker than SHA-256.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2017-01-09

Details

Check Text ( C-70667r1_chk )
Review the application documentation and interview the application administrator to identify the cryptographic modules used by the application. Review the application components and the application requirements to determine if the application components are distributable and require digital signatures. If the application components are not distributable, this requirement is not applicable. Have the application admin or the developer demonstrate how the application components are signed and what hashing algorithms are used when signing the application components. SHA 1 is currently an approved hashing algorithm, however if SHA 2 is available, SHA 2 is recommended. If the application resides on a National Security System (NSS) and uses an algorithm weaker than SHA-256, this is a finding. If the application is designed to sign distributable application components and the application is not configured to use SHA1, SHA2, or if the application signs with the MD5 hashing algorithm, this is a finding.

Check Text ( C-70667r1_chk )

Review the application documentation and interview the application administrator to identify the cryptographic modules used by the application.

Review the application components and the application requirements to determine if the application components are distributable and require digital signatures.

If the application components are not distributable, this requirement is not applicable.

Have the application admin or the developer demonstrate how the application components are signed and what hashing algorithms are used when signing the application components.

SHA 1 is currently an approved hashing algorithm, however if SHA 2 is available, SHA 2 is recommended.

If the application resides on a National Security System (NSS) and uses an algorithm weaker than SHA-256, this is a finding.

If the application is designed to sign distributable application components and the application is not configured to use SHA1, SHA2, or if the application signs with the MD5 hashing algorithm, this is a finding.

Fix Text (F-76427r1_fix)
Configure the application to sign application components with a FIPS-validated algorithms such as SHA1 or SHA2.