The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-70193 | APSC-DV-002030 | SV-84815r1_rule | Medium |
| Description |
|---|
| Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. If the application resides on a National Security System (NSS) it must not use a hashing algorithm weaker than SHA-256. |
| STIG | Date |
|---|---|
| Application Security and Development Security Technical Implementation Guide | 2017-01-09 |
Details
| Check Text ( C-70669r1_chk ) |
|---|
| Review the application components and the application requirements to determine if the application is capable of generating cryptographic hashes. Review the application documentation and interview the application administrator to identify the cryptographic modules used by the application. If the application is not designed to generate cryptographic hashes, this requirement is not applicable. Have the application admin or the developer demonstrate how the application generates hashes and what hashing algorithms are used when generating a hash value. SHA 1 is currently an approved hashing algorithm, however if SHA 2 is available, SHA 2 is recommended. If the application resides on a National Security System (NSS) and uses an algorithm weaker than SHA-256, this is a finding. If the application is designed to generate cryptographic hash values and the application is not configured to use SHA1, SHA2, or if the application is configured to use the MD5 hashing algorithm, this is a finding. |
| Fix Text (F-76429r1_fix) |
|---|
| Configure the application to use a FIPS-validated hashing algorithm such as SHA1 or SHA2 when creating a cryptographic hash. |