Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-27155 | SRG-APP-NA | SV-34454r1_rule | | Medium |
Description |
---|
Cryptography is only as strong as the encryption modules and algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. The integrity and reliability of the algorithms used to generate digital signatures are just as important as those of the algorithms used to encrypt data. Digital signatures provide non-repudiation and authenticity of a message or document; therefore, it is imperative that applications employ FIPS-validated algorithms when generating digital signatures to be applied to unclassified data and NSA-approved algorithms when generating signatures to be applied to classified data. This application requirement is not applicable. This requirement is addressed by CCI-001342, which requires applications to meet policy and legal requirements regarding the use of approved encryption technology. CCI-001342 is a comprehensive cryptography requirement that mandates the use of FIPS-validated or NSA-approved cryptography when using digital signatures. |
STIG | Date |
---|---|
Application Security Requirements Guide | 2011-12-28 |
Check Text (None) |
---|
None |
Fix Text (None) |
---|
None |