CUI

Documentation - V-274603

V-274603

Application Programming Interface (API) Security Requirements Guide

CAT II

Title

The API keys must be securely generated using a FIPS-validated Random Number Generator (RNG).

Description

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffi...

Fix Text (Documentation Requirement)

This requirement is applicable only to devices that use a web interface for device management. Build or configure the API to use FIPS 140-3-validated cryptographic modules when the API implements RNGs for key generation.
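
Added example (not part of the STIG text or any vendor's code): a key issuer that draws from the operating system's CSPRNG and fails closed when the host is not in FIPS mode, plus an audit check that flags counter-style identifiers of the kind the Description warns about. Assumptions: a Linux host that reports kernel FIPS mode in /proc/sys/crypto/fips_enabled, a 256-bit minimum key size, and hypothetical function names. The flag shows only that FIPS mode is on; whether the module is validated still has to be confirmed against its FIPS 140-3 certificate.

```python
import secrets
from pathlib import Path

# Assumption: a Linux host, where the kernel reports FIPS mode in this file.
FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")


def fips_mode_enabled(flag_path=FIPS_FLAG):
    """Return True only when the flag file exists and contains "1"."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return False  # missing or unreadable flag is treated as "not in FIPS mode"


def generate_api_key(nbytes=32, require_fips=True, flag_path=FIPS_FLAG):
    """Issue a URL-safe key from the OS CSPRNG, failing closed outside FIPS mode."""
    if nbytes < 32:  # assumption: 256-bit minimum chosen for this example
        raise ValueError("use at least 32 random bytes (256 bits) per key")
    if require_fips and not fips_mode_enabled(flag_path):
        raise RuntimeError("FIPS mode not active; refusing to issue an API key")
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids):
    """Audit check: True when identifiers are integers separated by a constant step."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False  # not numeric, so not a counter
    if len(nums) < 3:
        return False
    return len({b - a for a, b in zip(nums, nums[1:])}) == 1


if __name__ == "__main__":
    counter_ids = ["1001", "1002", "1003", "1004"]  # constructed sample
    print("counter ids sequential:", looks_sequential(counter_ids))
    keys = [generate_api_key(require_fips=False) for _ in range(4)]
    print("random keys sequential:", looks_sequential(keys))
```
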
