| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33231 | WIR-WMS-MDM-03 | SV-43637r1_rule | IAKM-1 | Low |
| Description |
|---|
| There are two primary methods for generating the encryption key used to protect data exchanged between the management server and the agent installed on the mobile device: a shared secret, or a master encryption key derived through PKI key generation. When a shared secret is used and the master encryption key is not rotated periodically, a compromise of that key exposes all future data sent between the mobile management server and the agent on the mobile device. Rotating the key limits a compromise to no more than one rotation period of data, which is a security best practice. |
| STIG | Date |
|---|---|
| Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG) | 2013-05-08 |
| Check Text (C-41503r3_chk) |
|---|
| This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable. Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days. Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used. |
| Fix Text (F-37140r1_fix) |
|---|
| Use an AES master encryption key and set it to rotate at least every 30 days. |
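The check procedure above, expressed as an automated evaluation of a management server's master-key settings. This is an added example, not part of the STIG or of any vendor's product; the configuration record and its field names (`key_generation`, `algorithm`, `rotation_interval_days`, `last_rotated`) are assumed, since each MDM product exposes these settings differently.

```python
from datetime import date, timedelta

# STIG V-33231: shared-secret master key must be AES and rotate at least every 30 days.
ROTATION_MAX_DAYS = 30


def evaluate_master_key(cfg, today):
    """Evaluate one server's master-key configuration against V-33231.

    Returns (status, reasons) where status is 'not_applicable', 'compliant'
    or 'finding'. cfg is an assumed dict with the keys used below.
    """
    # PKI-based key generation: the check does not apply at all.
    if cfg["key_generation"] == "pki":
        return ("not_applicable", [])

    reasons = []
    if cfg["algorithm"].upper() != "AES":
        reasons.append(f"master key algorithm is {cfg['algorithm']}, not AES")
    if cfg["rotation_interval_days"] > ROTATION_MAX_DAYS:
        reasons.append(f"rotation interval is {cfg['rotation_interval_days']} days, "
                       f"exceeds {ROTATION_MAX_DAYS}")
    # A compliant interval is not enough if rotation has not actually happened.
    key_age = (today - cfg["last_rotated"]).days
    if key_age > ROTATION_MAX_DAYS:
        reasons.append(f"key last rotated {key_age} days ago, exceeds {ROTATION_MAX_DAYS}")

    return ("finding", reasons) if reasons else ("compliant", [])


# Constructed sample configurations for three hypothetical management servers.
TODAY = date(2013, 5, 8)
SAMPLE_SERVERS = {
    "mdm-pki": {"key_generation": "pki", "algorithm": "RSA",
                "rotation_interval_days": 365, "last_rotated": TODAY - timedelta(days=200)},
    "mdm-ok": {"key_generation": "shared_secret", "algorithm": "aes",
               "rotation_interval_days": 30, "last_rotated": TODAY - timedelta(days=10)},
    "mdm-bad": {"key_generation": "shared_secret", "algorithm": "3DES",
                "rotation_interval_days": 90, "last_rotated": TODAY - timedelta(days=45)},
}


def evaluate_all(servers=SAMPLE_SERVERS, today=TODAY):
    """Map each server name to its (status, reasons) result."""
    return {name: evaluate_master_key(cfg, today) for name, cfg in servers.items()}


if __name__ == "__main__":
    for name, (status, reasons) in evaluate_all().items():
        print(f"{name}: {status}" + (" - " + "; ".join(reasons) if reasons else ""))
```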