Check: SRG-APP-000194-MAPP-00040
Mobile Application SRG:
SRG-APP-000194-MAPP-00040
(in version v1 r1)
Title
Mobile applications involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material. (Cat II impact)
Discussion
Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and registration authorities (RAs). Before a Class 3 certificate is issued, the issuing certificate authority (CA) independently verifies the identity and authority of the subject. Networks and applications that do not use Class 3 certificates are exposed to a range of attacks that can give an unauthorized party access to, or a foothold in, a network. Conversely, using approved PKI Class 3 certificates helps ensure that an intruder cannot take advantage of the exposure of network resources that non-standard practices and tools can cause. Applied to this control, approved PKI Class 3 certificates provide authentication, integrity of messages, data and content, and confidentiality through encryption.
Check Content
If the mobile application is not involved in the production, control, and distribution of asymmetric cryptographic keys, this IA control is not applicable. For mobile applications that are involved in the production, control, and distribution of asymmetric cryptographic keys, first perform a documentation review to determine whether the application uses approved Class 3 certificates or prepositioned keying material. If the documentation review is inconclusive, perform a dynamic program analysis to determine whether the running application uses approved Class 3 certificates or prepositioned keying material. If the dynamic program analysis cannot be performed or its results are inconclusive, perform a static program analysis to determine whether the application contains functional code (routines and functions that actually execute) through which it uses approved Class 3 certificates or prepositioned keying material. If the documentation review, the dynamic program analysis, or the static program analysis reveals that the application does not, or cannot, use approved PKI Class 3 certificates or prepositioned keying material, this is a finding.
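The static program analysis step above looks for code through which the application actually relies on approved CA-issued certificates. The following is an added example, not part of the SRG and not code from any vendor application: a Python heuristic that scans Android/Java source text for two kinds of evidence. Trust-all patterns (an X509TrustManager whose checkServerTrusted or checkClientTrusted body is empty, getAcceptedIssuers returning null, an accept-everything HostnameVerifier) mean any certificate is accepted, so the CA vetting that Class 3 certificates provide is bypassed; a reference to an approved issuer name is positive evidence. The approved issuer name and both sample sources are constructed placeholders, and a real program would substitute its own approved CA names and scan the real code base; this script does not replace a dynamic analysis of the certificates the app actually presents or accepts.

```python
"""Static-analysis heuristic for the Class 3 certificate check (added example).

Scans Java/Android source text for (a) trust-all certificate handling, which
defeats CA vetting and is a finding, and (b) references to approved issuers,
which is positive evidence that the app restricts trust to approved CAs.
"""
import re
from dataclasses import dataclass, field

# Assumption: issuer common names the organization has approved. The SRG does
# not list them; replace with the real approved CA names for the program.
APPROVED_ISSUERS = ("Approved Org Class 3 CA",)

# Source patterns that accept any certificate and therefore bypass CA vetting.
TRUST_ALL_PATTERNS = {
    "empty checkServerTrusted":
        re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    "empty checkClientTrusted":
        re.compile(r"checkClientTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    "getAcceptedIssuers returns null":
        re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;\s*\}"),
    "accept-all HostnameVerifier":
        re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"
                   r"|verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
}


@dataclass
class ScanReport:
    trust_all_hits: list = field(default_factory=list)
    approved_issuer_refs: list = field(default_factory=list)

    @property
    def finding(self) -> bool:
        # A finding if trust is bypassed outright, or if the code shows no
        # reference to an approved issuer at all (no positive evidence).
        return bool(self.trust_all_hits) or not self.approved_issuer_refs


def scan_source(source: str) -> ScanReport:
    """Return which trust-all patterns and approved-issuer references appear."""
    report = ScanReport()
    for label, pattern in TRUST_ALL_PATTERNS.items():
        if pattern.search(source):
            report.trust_all_hits.append(label)
    for issuer in APPROVED_ISSUERS:
        if issuer in source:
            report.approved_issuer_refs.append(issuer)
    return report


# Constructed sample: a TrustManager and HostnameVerifier that accept anything.
TRUST_ALL_SOURCE = """
TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession session) { return true; }
});
"""

# Constructed sample: trust anchored to a bundled approved CA, issuer checked.
ANCHORED_SOURCE = """
KeyStore ks = KeyStore.getInstance("BKS");
ks.load(context.getResources().openRawResource(R.raw.approved_ca), null);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(ks);
X509Certificate leaf = (X509Certificate) chain[0];
if (!leaf.getIssuerX500Principal().getName().contains("CN=Approved Org Class 3 CA")) {
    throw new CertificateException("certificate not issued by an approved CA");
}
"""

if __name__ == "__main__":
    for name, src in (("trust-all sample", TRUST_ALL_SOURCE),
                      ("anchored sample", ANCHORED_SOURCE)):
        r = scan_source(src)
        print(f"{name}: finding={r.finding} trust_all={r.trust_all_hits} "
              f"approved_refs={r.approved_issuer_refs}")
```

The empty-body regexes deliberately tolerate a throws clause and arbitrary whitespace, since that is how decompiled or reformatted code usually looks; a non-empty body that merely logs and returns would still pass this scan, so hits are a starting point for manual review rather than a verdict.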
Fix Text
Modify the code and/or architecture of the application to ensure that approved Class 3 certificates or prepositioned keying material are used.
Additional Identifiers
Rule ID: SV-46807r1_rule
Vulnerability ID: V-35520
Group Title:
CCIs
Number | Definition
---|---
CCI-001142 | The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
Controls
No controls are assigned to this check.