The CA API Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71487	CAGW-GW-000900	SV-86111r1_rule		Medium

Description
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC). Encryption operations are performed in the following assertions: "Encrypt XML Element" and "Encrypt Element". Any of the listed encryption methods (AES 128 CBC, AES 192 CBC, AES 128 GCM, AES 256 GCM, Triple DES) included with the Assertions are NIST-FIPS validated. The FIPS-140-2 Certified RSA BSAFE Crypto-J Module is used for encryption operations. All CA API Gateway references to Triple-DES directly imply three-key and NOT two-key.

Description

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The network element must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. This requirement applies only to ALGs that provide encryption intermediary services (e.g., HTTPS, TLS, or DNSSEC). Encryption operations are performed in the following assertions: "Encrypt XML Element" and "Encrypt Element". Any of the listed encryption methods (AES 128 CBC, AES 192 CBC, AES 128 GCM, AES 256 GCM, Triple DES) included with the Assertions are NIST-FIPS validated. The FIPS-140-2 Certified RSA BSAFE Crypto-J Module is used for encryption operations. All CA API Gateway references to Triple-DES directly imply three-key and NOT two-key.

STIG	Date
CA API Gateway ALG Security Technical Implementation Guide	2017-04-07

Details

Check Text ( C-71877r1_chk )
Open the CA API Gateway - Policy Manager. Double-click each of the Registered Services that requires NIST-FIPS validated encryption services. Verify that the "Encrypt XML Element" or "Encrypt Element" Assertion has/have been added to the policy in accordance with organizational requirements. If the Assertion(s) is/are not present, this is a finding.

Fix Text (F-77807r1_fix)
Open the CA API Gateway - Policy Manager. Double-click each of the Registered Services that require NIST-FIPS validated encryption services. Add the "Encrypt XML Element" and/or "Encrypt Element" to the policy and configure in accordance with organizational requirements.