
The mobile operating system PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).


Overview

Finding ID: V-33149
Version: SRG-OS-000167-MOS-000087
Rule ID: SV-43547r1_rule
IA Controls: (none listed)
Severity: High
Description
If an adversary can access the key store, it may be able to use the keys to perform a variety of unauthorized transactions. It may also be able to modify public keys so that the operating system is tricked into accepting invalid certificates. Encrypting the key store protects the integrity and confidentiality of keys. AES encryption with adequate key lengths provides assurance that the protection is strong. The electronic code book mode of AES is the most appropriate mode for encryption of the key store, but the implementer may select other AES modes if they are more appropriate in the given environment.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text (C-41409r1_chk)
Review system documentation and operating system configuration to determine if the operating system uses AES encryption with 128-bit or longer keys to encrypt the contents of the key store. If the key store is not encrypted or does not use AES encryption, this is a finding.
Fix Text (F-37049r1_fix)
Configure the mobile operating system (or selected third-party application) to encrypt the contents of the key store with AES encryption using 128-bit or longer keys.