Documentation - V-270569

Title

Oracle Database must use NIST-validated FIPS 140-2/140-3 compliant cryptography for authentication mechanisms.

Description

<VulnDiscussion>Use of weak or not validated cryptographic algorithms undermines the purposes of using encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well ...

Fix Text (Documentation Requirement)

Utilize NIST-validated FIPS 140-2/140-3 compliant cryptography for all authentication mechanisms. Open the fips.ora file in an editor. (The default location for fips.ora is $ORACLE_HOME/ldap/admin/ but alternate locations are possible. An alternate location, if it is in use, is specified in the FIPS_HOME environment variable.) Create or modify fips.ora to include the line "SSLFIPS_140=TRUE". The strength requirements are dependent upon data classification. For unclassified data, where cryptography is required: AES 128 for encryption SHA 256 for hashing NSA has established the suite B encryption requirements for protecting National Security Systems (NSS) as follows: AES 128 for Secret AES 256 for Top Secret SHA 256 for Secret SHA 384 for Top Secret NSS is defined as: (OMB Circular A-13...