
Applications must employ FIPS-validated or NSA-approved cryptography to implement digital signatures.


Overview

Finding ID: V-27155
Version: SRG-APP-NA
Rule ID: SV-34454r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purpose of utilizing encryption to protect data. The integrity and reliability of the algorithms used to generate digital signatures are just as important as those of the algorithms used to encrypt data. Digital signatures provide non-repudiation and authenticity of a message or document; therefore, it is imperative that applications employ FIPS-validated algorithms when generating digital signatures to be applied to unclassified data and NSA-approved algorithms when generating signatures to be applied to classified data. This application requirement is not applicable. This requirement is addressed by CCI-001342, which requires applications to meet policy and legal requirements regarding the use of approved encryption technology. CCI-001342 is a comprehensive cryptography requirement that mandates the use of FIPS-validated or NSA-approved cryptography when using digital signatures.
STIG Date
Application Security Requirements Guide 2011-12-28

Details

Check Text (None)
None
Fix Text (None)
None