
The mobile operating system's Wi-Fi module must use AES-CCMP encryption when connecting to a DoD network.


Overview

Finding ID: V-33141
Version: SRG-OS-000160-MOS-000082
Rule ID: SV-43539r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If data traffic is sent unencrypted, an adversary may be able to read it to obtain sensitive information. Some WPA2 certified Wi-Fi implementations use Temporal Key Integrity Protocol (TKIP), which is not authorized for use in DoD. There are no publicly known breaches of AES-CCMP, which greatly mitigates the risk of unauthorized eavesdropping.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41401r1_chk)
Review system documentation to verify the product is WPA2 certified. If it is, the device supports AES-CCMP encryption. If it is not WPA2 certified, it is very unlikely to support AES-CCMP encryption, but the site may provide evidence to the contrary if the manufacturer implemented AES-CCMP without obtaining the WPA2 certification. Verify DoD network connections use AES-CCMP and not TKIP or another protocol. If any data link layer encryption protocol other than AES-CCMP is used to connect to a DoD network, this is a finding.
Fix Text (F-37041r1_fix)
Configure the operating system's Wi-Fi client to use AES-CCMP when connecting to DoD networks.