The Nokia router must use Federal Information Processing Standard (FIPS)-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283782 | NOKI-ND-000740 | SV-283782r1223371_rule | CCI-002890 | high |
| Description | ||||
| Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoW data may be compromised. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets the specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., Simple Network Management Protocol [SNMP] v3, Secure Shell [SSH] v2, Network Time Protocol [NTP], HyperText Transfer Protocol Secure [HTTPS], and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP), which can be used for secure file transfers. Satisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331 | ||||
| STIG | Date | |||
| Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide | 2026-06-15 | |||
Details
Check Text (C-283782r1223371_chk)
Verify the Nokia router uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
SSH server list example:
- show system security ssh server-lists
SSH Server configurable algorithm lists
SSHv2 Cipher List : aes256-ctr
aes192-ctr
aes128-ctr
aes128-cbc
aes192-cbc
aes256-cbc
SSHv2 MAC List : hmac-sha2-512
hmac-sha2-256
SSHv2 KEX List : ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
SSHv2 Host Key List : ecdsa-sha2-nistp521
ecdsa-sha2-nistp256
rsa-sha2-512
rsa-sha2-256
SSH client list example:
- show system security ssh client-lists
If the Nokia router does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.
Fix Text (F-88252r1203584_fix)
Configure the Nokia router to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.
When in FIPS mode, the non-FIPS algorithms are removed. To remove any of SSH ciphers, use the command below:
- configure system security ssh
Use the command below to view all ciphers available for "client-cipher-list", "server-cipher-list", "client-mac-list", and "server-mac-list":
- info detail
Remove any unwanted cipher from any of the lists above using the command below. For example, to remove cipher id 190 from server-cipher-list, use the following:
- server-cipher-list no cipher 190