Check: SRG-APP-000224-API-000475
Application Programming Interface (API) SRG:
SRG-APP-000224-API-000475
(in version v1 r1)
Title
The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG). (Cat II impact)
Discussion
Sequentially generated session IDs can be easily guessed by an attacker. Generating unique session identifiers from a high-quality source of randomness protects against brute-force attempts to predict future identifiers. Unique, unpredictable session IDs address man-in-the-middle attacks, including session hijacking and the insertion of false information into a session: if an attacker cannot identify or guess the session information for pending application traffic, hijacking or otherwise manipulating valid sessions becomes far more difficult. The same reasoning applies to API keys, which act as long-lived bearer credentials; a key derived from a counter, a timestamp, or a non-cryptographic PRNG can be predicted from keys already issued. DRBGs (Deterministic Random Bit Generators) are cryptographic algorithms that produce random-looking bits by a deterministic process seeded with high-quality entropy. The DRBGs approved in NIST SP 800-90A are Hash_DRBG, HMAC_DRBG, and CTR_DRBG; a FIPS-validated module's RNG is one of these, seeded from an entropy source the module's validation covers.
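The following is an added example, not part of the SRG text, showing how an HMAC_DRBG of the kind named above is built and used to mint API keys: seed it from the operating system's entropy source, then derive fixed-length keys whose every bit depends on the secret internal state rather than on any counter. The class name `HmacDrbg`, the helper `new_api_key`, and the seed and personalization strings are illustrative choices. A pure-Python implementation like this is not itself FIPS-validated; in production the same operations must come from a validated module (for example OpenSSL's FIPS provider), and this code exists only to make the algorithm and the "no sequential keys" point concrete.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG per NIST SP 800-90A section 10.1.2, instantiated with SHA-256.

    Added illustration only: this class is not a FIPS-validated module.
    """

    RESEED_INTERVAL = 1 << 48   # max generate() calls between reseeds (SP 800-90A)
    MAX_REQUEST_BYTES = 1 << 16  # 2^19 bits per generate() call (SP 800-90A)

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # SHA-256 gives a 256-bit security strength, so demand at least 32 bytes of entropy.
        if len(entropy) < 32:
            raise ValueError("entropy input must be at least 32 bytes for 256-bit strength")
        outlen = hashlib.sha256().digest_size
        self._key = b"\x00" * outlen
        self._v = b"\x01" * outlen
        # Instantiate: seed_material = entropy_input || nonce || personalization_string
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into (K, V); second half only if data given.
        self._key = self._hmac(self._key, self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._key, self._v)
        if not provided_data:
            return
        self._key = self._hmac(self._key, self._v + b"\x01" + provided_data)
        self._v = self._hmac(self._key, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        # Reseed: fold fresh entropy into the state and reset the request counter.
        if len(entropy) < 32:
            raise ValueError("reseed entropy must be at least 32 bytes")
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        # Generate: refuse oversized requests and refuse to run past the reseed interval.
        if nbytes > self.MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self._v = self._hmac(self._key, self._v)
            out += self._v
        # Back-tracking resistance: refresh (K, V) after each request.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


def api_key_from_drbg(drbg: HmacDrbg, nbytes: int = 32) -> str:
    """Derive a hex-encoded API key of nbytes (256 bits by default) from a DRBG."""
    return drbg.generate(nbytes).hex()


def new_api_key(nbytes: int = 32) -> str:
    """Mint one API key from a DRBG freshly instantiated from OS entropy.

    Hypothetical service-level helper: in a real deployment the DRBG would live
    inside the validated module and be reseeded on the module's schedule.
    """
    drbg = HmacDrbg(entropy=os.urandom(32),
                    nonce=os.urandom(16),
                    personalization=b"api-key-service")  # assumed label
    return api_key_from_drbg(drbg, nbytes)


if __name__ == "__main__":
    print(new_api_key())
```

Two instances seeded with identical entropy, nonce, and personalization string produce the same stream, which is what makes DRBGs testable with known-answer vectors; anything that differs in the seed material diverges completely, so a key's predecessor tells an attacker nothing about its successor.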
Check Content
This requirement is applicable only to devices that use a web interface for device management. Verify the API keys are securely generated using a FIPS-validated RNG. Review the API documentation and interview the API administrator. Identify the cryptographic modules the API uses for key generation and the cryptographic service provider behind them, then look the module up on the NIST Cryptographic Module Validation Program site to confirm that the module, in the exact version and operational environment deployed, holds a current certificate whose approved-algorithm list includes the DRBG in use: https://csrc.nist.gov/projects/cryptographic-module-validation-program. If the API does not generate keys with an approved DRBG inside a FIPS 140-3-validated module, this is a finding.
Fix Text
This requirement is applicable only to devices that use a web interface for device management. Build or configure the API to use FIPS 140-3-validated cryptographic modules when the API implements RNGs for key generation.
Additional Identifiers
Rule ID: SV-274603r1143636_rule
Vulnerability ID: V-274603
Group Title: SRG-APP-000224
CCIs
| Number | Definition |
|---|---|
| CCI-001188 | Generate a unique session identifier for each session with organization-defined randomness requirements. |
Controls
| Number | Title |
|---|---|
| SC-23(3) | Unique System-generated Session Identifiers |