The Nokia router must use Federal Information Processing Standard (FIPS)-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-283782NOKI-ND-000740SV-283782r1223371_ruleCCI-002890high
Description
Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoW data may be compromised. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets the specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., Simple Network Management Protocol [SNMP] v3, Secure Shell [SSH] v2, Network Time Protocol [NTP], HyperText Transfer Protocol Secure [HTTPS], and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP), which can be used for secure file transfers. Satisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331
STIGDate
Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide2026-06-15

Details

Check Text (C-283782r1223371_chk)

Verify the Nokia router uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. SSH server list example: - show system security ssh server-lists SSH Server configurable algorithm lists SSHv2 Cipher List : aes256-ctr aes192-ctr aes128-ctr aes128-cbc aes192-cbc aes256-cbc SSHv2 MAC List : hmac-sha2-512 hmac-sha2-256 SSHv2 KEX List : ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 SSHv2 Host Key List : ecdsa-sha2-nistp521 ecdsa-sha2-nistp256 rsa-sha2-512 rsa-sha2-256 SSH client list example: - show system security ssh client-lists If the Nokia router does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.

Fix Text (F-88252r1203584_fix)

Configure the Nokia router to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications. When in FIPS mode, the non-FIPS algorithms are removed. To remove any of SSH ciphers, use the command below: - configure system security ssh Use the command below to view all ciphers available for "client-cipher-list", "server-cipher-list", "client-mac-list", and "server-mac-list": - info detail Remove any unwanted cipher from any of the lists above using the command below. For example, to remove cipher id 190 from server-cipher-list, use the following: - server-cipher-list no cipher 190