Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35519	SRG-APP-000193-MAPP-00038	SV-46806r1_rule		Medium

Description
Asymmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that may occur as a result of non-standard practices and tools being applied. If non-standard practices are applied to production, control, and distribution of asymmetric cryptographic keys, then the DoD is potentially vulnerable to attack from adversaries who are able to exploit weak encryption keys that have been used by the application and system. In applying this control, the DoD can be assured of a much higher degree of assurance that intruders will not gain access to the network through weaknesses that are mitigated or eradicated through best and approved practices and key management technologies.

Description

Asymmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that may occur as a result of non-standard practices and tools being applied. If non-standard practices are applied to production, control, and distribution of asymmetric cryptographic keys, then the DoD is potentially vulnerable to attack from adversaries who are able to exploit weak encryption keys that have been used by the application and system. In applying this control, the DoD can be assured of a much higher degree of assurance that intruders will not gain access to the network through weaknesses that are mitigated or eradicated through best and approved practices and key management technologies.

STIG	Date
Mobile Application Security Requirements Guide	2013-01-04

Details

Check Text ( C-43859r1_chk )
If the mobile application is not involved in the production, control, and distribution of asymmetric cryptography keys, this IA control is not applicable. For mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to verify NIST SP 800-57 approved technology and processes have been applied to the design of the application. If the documentation review is inconclusive, perform a static program analysis to assess the application for inclusion of functional code, able to execute routines and functions that enable the application to comply with the above requirements. If any of the above requirements cannot be executed by the code, this is a finding. If NSA recommendations for key management are not used or enforced, this is a finding

Check Text ( C-43859r1_chk )

If the mobile application is not involved in the production, control, and distribution of asymmetric cryptography keys, this IA control is not applicable. For mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to verify NIST SP 800-57 approved technology and processes have been applied to the design of the application. If the documentation review is inconclusive, perform a static program analysis to assess the application for inclusion of functional code, able to execute routines and functions that enable the application to comply with the above requirements. If any of the above requirements cannot be executed by the code, this is a finding. If NSA recommendations for key management are not used or enforced, this is a finding

Fix Text (F-40060r1_fix)
Modify code to adopt the recommendation of NIST SP 800-57 for key management processes and technologies.