UCF STIG Viewer Logo

For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.


Overview

Finding ID Version Rule ID IA Controls Severity
V-204671 SRG-APP-000171-AAA-000510 SV-204671r981567_rule High
Description
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. AAA Services must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times. Using a strong, one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password. Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised.
STIG Date
AAA Services Security Requirements Guide 2024-07-02

Details

Check Text ( C-4794r981565_chk )
Where passwords are used, verify AAA Services are configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose.

Confirm databases, configuration files, and log files have encrypted representations for all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a related database table.

Review AAA Services configuration for use of the MD5 algorithm to create password hashes.

If AAA Services are not configured to encrypt locally stored credentials using a FIPS-validated cryptographic module, this is a finding.

If AAA Services are configured to use MD5 to create password hashes, this is a finding.

Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.
Fix Text (F-4794r981566_fix)
Configure AAA Services to encrypt locally stored credentials using a FIPS-validated cryptographic module.

Configure all associated databases, configuration files, and audit files to use only encrypted representations for all passwords so that no password strings are readable/discernable.