
The application server must employ approved cryptographic mechanisms when transmitting sensitive data.


Overview

Finding ID: V-35438
Version: SRG-APP-000264-AS-000167
Rule ID: SV-46725r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Preventing the disclosure of transmitted information requires that application servers employ approved cryptography to protect the information while it traverses the network. This is usually achieved with Transport Layer Security (TLS), an SSL VPN, or an IPsec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure. If approved cryptographic algorithms are not used, the strength of the encryption cannot be assured. The application server must use approved encryption when transmitting sensitive data.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-43792r1_chk )
Review the AS configuration and its encryption certificates to validate that the server supports AES encryption for data in transit. For TLS, the symmetric algorithm is determined by the cipher suites the AS is configured to offer, not by the certificate, so review the enabled cipher-suite list. Confirm that at least AES 128-bit encryption is used. If the AS does not provide AES encryption for sensitive data in transit, this is a finding.
Fix Text (F-39982r1_fix)
Configure the AS to use AES 128 or AES 256 encryption for data in transit.
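One way to carry out the check above, as an added example that is not part of the SRG or of any vendor's tooling: a Python audit that takes the cipher-suite names an application server is configured with (or that a scanner such as `openssl ciphers -v` reports for it, in either IANA or OpenSSL spelling) and flags every suite whose bulk cipher is not AES with at least a 128-bit key. The function names (`parse_bulk_cipher`, `audit`, `non_compliant`), the classification rules and the sample suite list are constructed for illustration; the classification is by name only, so it reports what the configuration offers, not what a given client will negotiate.

```python
"""Audit TLS cipher-suite names against an AES-128-minimum rule (illustrative, not STIG tooling)."""
import re
from dataclasses import dataclass

MIN_AES_BITS = 128  # the check requires at least AES 128-bit encryption


@dataclass
class Verdict:
    suite: str
    bulk: str        # bulk cipher parsed from the suite name, e.g. "AES", "3DES", "NULL"
    key_bits: int    # symmetric key length in bits (0 when there is no encryption)
    compliant: bool  # True only for AES with key_bits >= MIN_AES_BITS
    reason: str


def _normalise(suite: str) -> str:
    """Map IANA and OpenSSL spellings onto one token string, e.g.
    'ECDHE-RSA-AES128-GCM-SHA256' -> 'ECDHE_RSA_AES_128_GCM_SHA256'."""
    s = suite.strip().upper().replace("-", "_")
    s = re.sub(r"(AES|CAMELLIA|ARIA)_?(128|256)", r"\1_\2", s)
    # OpenSSL writes triple DES as DES-CBC3, IANA as 3DES_EDE
    return s.replace("DES_CBC3", "3DES").replace("3DES_EDE", "3DES")


def parse_bulk_cipher(suite: str) -> tuple[str, int]:
    """Return (bulk cipher, key bits) for a suite name; ("UNKNOWN", 0) if unrecognised."""
    s = _normalise(suite)
    # Order matters: the first rule that matches wins (NULL and export grades first).
    rules = [
        (r"(^|_)NULL(_|$)", "NULL", 0),
        (r"EXP(ORT)?(1024|40|56)?_", "EXPORT", 40),
        (r"AES_(128|256)", "AES", None),          # bits taken from the match
        (r"3DES", "3DES", 112),                   # 168-bit key, 112-bit effective strength
        (r"_DES_|^DES_", "DES", 56),
        (r"RC4", "RC4", 128),
        (r"RC2", "RC2", 40),
        (r"CHACHA20", "CHACHA20", 256),
        (r"CAMELLIA_(128|256)", "CAMELLIA", None),
        (r"ARIA_(128|256)", "ARIA", None),
        (r"SEED", "SEED", 128),
        (r"IDEA", "IDEA", 128),
    ]
    for pattern, bulk, bits in rules:
        m = re.search(pattern, s)
        if m:
            return bulk, (bits if bits is not None else int(m.group(1)))
    return "UNKNOWN", 0


def audit(suite: str) -> Verdict:
    """Apply the AES-128-minimum rule to one suite; anonymous key exchange is noted as a warning."""
    bulk, bits = parse_bulk_cipher(suite)
    anon = re.search(r"(^|_)(ADH|AECDH|DH_ANON|ECDH_ANON)(_|$)", _normalise(suite)) is not None
    if bulk == "AES" and bits >= MIN_AES_BITS:
        reason = f"AES-{bits}"
        if anon:
            reason += " (warning: anonymous key exchange, no server authentication)"
        return Verdict(suite, bulk, bits, True, reason)
    if bulk == "NULL":
        reason = "no encryption"
    elif bulk == "UNKNOWN":
        reason = "bulk cipher not recognised; review manually"
    else:
        reason = f"{bulk} ({bits}-bit) is not AES"
    return Verdict(suite, bulk, bits, False, reason)


def audit_all(suites) -> list[Verdict]:
    return [audit(s) for s in suites]


def non_compliant(suites) -> list[str]:
    """Names of the suites that would make this check a finding."""
    return [v.suite for v in audit_all(suites) if not v.compliant]


# Constructed sample: the kind of list a scanner or `openssl ciphers -v` might report.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "EXP-RC4-MD5",
    "NULL-SHA256",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    for v in audit_all(SAMPLE_SUITES):
        print(f"{'PASS' if v.compliant else 'FAIL':4} {v.suite:42} {v.reason}")
```

The audit judges only the bulk cipher, which is all this requirement asks about; an AES suite with anonymous key exchange passes the AES test but is reported with a warning, because without server authentication the encryption protects against passive disclosure only. ChaCha20-Poly1305 is reported as non-compliant simply because it is not AES, which is how the check text is worded; whether it is acceptable under an organisation's approved-algorithm list is a separate decision.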