
The mobile operating system must enforce complexity requirements for the authentication to access private keys saved in the key certificate stores.


Overview

Finding ID: V-32994
Version: SRG-OS-000067-MOS-000042
Rule ID: SV-43392r2_rule
IA Controls: (none listed)
Severity: Medium
Description
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, the authentication and non-repudiation gained through PKI are compromised, because the attacker can use the private key to digitally sign documents and impersonate the authorized user. Allowing unauthenticated access to private keys can enable an adversary in possession of the device to decrypt messages encrypted with the public key and to digitally sign data, thereby potentially enabling the adversary to impersonate the user in any application that uses that private key for user authentication. Enforcing complexity requirements for the authentication to access keys saved in the certificate store protects sensitive information. A weak password may enable an adversary to crack it and thereby gain the ability to use the private key to decrypt sensitive information or improperly impersonate the user of the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41291r2_chk)
Examine the mobile operating system for complexity requirements for the authentication to access private keys saved in the key certificate stores. If the mobile operating system does not enforce complexity requirements to access private keys, this is a finding.

NOTE: These complexity requirements must be met.
- 1 = minimum number of upper case alphabetic characters
- 1 = minimum number of lower case alphabetic characters
- 1 = minimum number of numeric characters
- 8 = minimum length of password
- disallow more than two sequential numbers (e.g., 456)
Other requirements may be organizationally defined.
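The following checker, added here as an illustration and not part of the STIG or any vendor's implementation, evaluates a candidate key-store passphrase against exactly the five requirements listed above. It assumes ASCII digits and treats a descending run such as 654 the same as the ascending 456 the note gives; the function and constant names are the example's own.

```python
"""Check a key-store passphrase against the STIG complexity requirements:
>= 1 upper case, >= 1 lower case, >= 1 numeric, >= 8 characters, and no run
of more than two sequential numbers (e.g., 456). Added example code."""
import string

MIN_LENGTH = 8
MIN_UPPER = 1
MIN_LOWER = 1
MIN_DIGITS = 1
MAX_SEQUENTIAL_DIGITS = 2  # "45" is allowed, "456" is not


def has_sequential_digit_run(password: str, max_run: int = MAX_SEQUENTIAL_DIGITS) -> bool:
    """True if more than `max_run` ASCII digits in a row each step by exactly +1 or -1
    in the same direction. Assumption: descending runs ("654") count as sequential."""
    run = 1        # length of the current sequential run
    last_step = 0  # +1 / -1 for the previous pair, 0 if it was not sequential
    for prev, cur in zip(password, password[1:]):
        if prev in string.digits and cur in string.digits:
            step = int(cur) - int(prev)
        else:
            step = 0
        if step in (1, -1) and (run == 1 or step == last_step):
            run += 1          # extend the run in the same direction
        elif step in (1, -1):
            run = 2           # direction changed: this pair starts a new run
        else:
            run = 1           # non-digit or non-adjacent digit breaks the run
        last_step = step
        if run > max_run:
            return True
    return False


def check_key_store_passphrase(password: str) -> list:
    """Return the list of unmet requirements; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length {len(password)} < minimum {MIN_LENGTH}")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        failures.append(f"fewer than {MIN_UPPER} upper case letter(s)")
    if sum(c.islower() for c in password) < MIN_LOWER:
        failures.append(f"fewer than {MIN_LOWER} lower case letter(s)")
    if sum(c in string.digits for c in password) < MIN_DIGITS:
        failures.append(f"fewer than {MIN_DIGITS} numeric character(s)")
    if has_sequential_digit_run(password):
        failures.append(f"more than {MAX_SEQUENTIAL_DIGITS} sequential numbers (e.g., 456)")
    return failures


if __name__ == "__main__":
    # Constructed sample passphrases, not values from the STIG
    for candidate in ("Passw0rd", "Key456Store", "password", "Kx7qP2mZ"):
        result = check_key_store_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```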
Fix Text (F-36906r1_fix)
Configure the mobile operating system to enforce complexity requirements for the authentication to access private keys saved in the key certificate stores.