AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.

From Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide

Part of SRG-APP-000171-AAA-000510

Associated with: CCI-000196

SV-95663r1_rule AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.

Vulnerability discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.AAA Services must enforce cryptographic representations of passwords when storing passwords in databases, configuration files, and log files. Passwords must be protected at all times; using a strong one-way hashing encryption algorithm with a salt is the standard method for providing a means to validate a password without having to store the actual password.Performance and time required to access are factors that must be considered, and the one-way hash is the most feasible means of securing the password and providing an acceptable measure of password security. If passwords are stored in clear text, they can be plainly read and easily compromised.

Check content

Where passwords are used, verify AAA Services are configured to encrypt locally stored credentials using a FIPS-validated cryptographic module. AAA Services may leverage the capability of an operating system or purpose-built module for this purpose. Confirm that databases, configuration files, and log files have encrypted representations for all passwords, and that no password strings are readable/discernable. Potential locations include the local file system where configurations and events are stored, or in a related database table. Review AAA Services configuration for use of the MD5 algorithm to create password hashes. If AAA Services are not configured to encrypt locally stored credentials using a FIPS-validated cryptographic module, this is a finding. If AAA Services are configured to use MD5 to create password hashes, this is a finding. Note: FIPS-validated cryptographic modules are listed on the NIST Cryptographic Module Validation Program's (CMVP) validation list.

Fix text

Configure AAA Services to encrypt locally stored credentials using a FIPS-validated cryptographic module. Configure all associated databases, configuration files, and audit files to use only encrypted representations for all passwords and so that no password strings are readable/discernable.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer