
The mobile operating system must not cache smartcard or certificate store passwords for more than two hours.


Overview

Finding ID: V-33293
Version: SRG-OS-999999-MOS-000136
Rule ID: SV-43712r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The longer passwords remain in the cache, the more likely it is that malware or other mechanisms will discover them. Once an adversary has obtained a password from the cache, the adversary can further compromise the device and the networks to which the device is attached. Minimizing the time passwords are stored in the cache mitigates the risk of this attack; the absence of caching altogether eliminates the risk. If caching is available, the caching period should be configurable, with organizations able to select a value between 15 and 120 minutes. Organizations are encouraged to enforce time periods of less than 120 minutes.
STIG: Mobile Operating System Security Requirements Guide
Date: 2012-10-01

Details

Check Text ( C-41590r2_chk )
Review the operating system configuration to verify that smartcard and certificate store passwords are not cached for longer than two hours. If this is not apparent from the configuration, perform a transaction requiring the CAC. After entering the CAC PIN, perform another transaction to check whether the system prompts for re-entry of the PIN. If it does not prompt for the PIN, caching is active. Then wait the organization-defined time limit and perform the same transaction again. If the system does not prompt for a PIN, the system is caching credentials in excess of the time limit. Repeat this process for another service requiring access to the certificate store (e.g., a web site using password-protected soft certificate authentication). If the caching period is longer than the organization-defined time limit (no more than two hours) for either the smartcard or the certificate store, this is a finding.
Fix Text (F-37223r2_fix)
Configure the operating system to prohibit caching of smartcard and certificate store passwords for longer than two hours.
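The following Python is an added illustration, not part of the STIG text or any vendor's implementation: it encodes the 15-to-120-minute configuration rule as an audit check and models the PIN-cache behaviour the check procedure exercises (enter PIN, repeat immediately, repeat after the organization-defined limit). The names PinCache, cache_period_is_compliant and run_check_procedure are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_CACHE_MINUTES = 120  # hard ceiling from the requirement (two hours)
MIN_CACHE_MINUTES = 15   # lower end of the configurable range in the description


def cache_period_is_compliant(configured_minutes: Optional[int],
                              org_limit_minutes: int = MAX_CACHE_MINUTES) -> bool:
    """True if the configured caching period satisfies the requirement.

    None means caching is disabled, which the description says removes the risk.
    An organization-defined limit may be stricter than 120 minutes, never looser.
    """
    limit = min(org_limit_minutes, MAX_CACHE_MINUTES)
    if configured_minutes is None:
        return True
    return MIN_CACHE_MINUTES <= configured_minutes <= limit


@dataclass
class PinCache:
    """Hypothetical model of a smartcard PIN cache with a time-to-live."""
    ttl: timedelta
    _unlocked_at: Optional[datetime] = field(default=None)

    def enter_pin(self, now: datetime) -> None:
        self._unlocked_at = now  # PIN entered; cache window starts

    def needs_pin(self, now: datetime) -> bool:
        if self._unlocked_at is None:
            return True
        return now - self._unlocked_at >= self.ttl  # expired => prompt again


def run_check_procedure(ttl_minutes: int, org_limit_minutes: int,
                        start: datetime = datetime(2012, 10, 1, 9, 0)) -> dict:
    """Simulate the check text against the cache model (start time is constructed).

    Step 1: transaction requiring the PIN. Step 2: immediate second transaction;
    no prompt means caching is active. Step 3: wait the organization-defined
    limit and try again; no prompt means a finding.
    """
    cache = PinCache(ttl=timedelta(minutes=ttl_minutes))
    cache.enter_pin(start)
    caching_active = not cache.needs_pin(start + timedelta(seconds=5))
    after_limit = start + timedelta(minutes=org_limit_minutes)
    finding = caching_active and not cache.needs_pin(after_limit)
    return {"caching_active": caching_active, "finding": finding}
```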