
Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or class 4 certificates and hardware tokens that protect the user's private key.


Overview

Finding ID: SRG-APP-000516-MAPP-000041
Version: SRG-APP-000516-MAPP-000041
Rule ID: SRG-APP-000516-MAPP-000041_rule
IA Controls: (none listed)
Severity: Medium
Description
Class 3 and 4 certificates are issued by individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). A hardware token adds a layer of security beyond a password. Networks and applications that do not use Class 3 and 4 certificates and hardware tokens to protect the private key are vulnerable to a multitude of malicious attacks that would essentially allow unauthorized access to and intrusion into a network. Similarly, using approved PKI Class 3/4 certificates and hardware tokens ensures that malicious intruders do not take advantage of any network resource exposure that may occur as a result of non-standard practices and tools being applied. Users of Class 3/4 certificates and hardware tokens gain an extra level of security that protects their certificates and their private key. The DoD CAC is an example of a compliant solution.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000516-MAPP-000041_chk)
This requirement does not apply to the use of ephemeral key material (i.e., keys used only once for transactions such as wrapping or generating other keys). For mobile apps that are involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to assess whether the app uses approved Class 3 or 4 certificates in conjunction with a hardware token. The documentation review also includes assessing whether there is a JITC certification of the key management technology present in the app. The DoD CAC is a compliant solution. If the documentation review is inconclusive, perform a dynamic program analysis to assess whether the app uses approved Class 3 or 4 certificates in conjunction with a hardware token. If the documentation review and/or dynamic analysis reveals that the app is unable to or does not use approved PKI Class 3 certificates or hardware tokens, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000041_fix)
Modify the mobile app code to use approved Class 3 or 4 certificates in conjunction with a hardware token that protects the user's private key.