Encryption keys used for the .NET Strong Name Membership Condition must be protected.
An XCCDF Rule
Description
<VulnDiscussion>The Strong Name Membership condition requires that member assemblies be defined with Strong Names. A strong name consists of the assembly's identity, simple text name, version number, and culture information (if provided) — plus a public key and a digital signature. If assemblies do not have a strong name assigned, the assembly cannot be unique and the author of the code cannot be uniquely identified. In order to create the strong name, the developer must use a cryptographic key pair to sign the assembly. If the developer does not protect the key, the key can be stolen and used to sign any application, including malware applications. This could adversely affect application integrity and confidentiality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-225226r941354_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Ask the Systems Programmer how the private keys used to sign the assembly are protected.
Private keys are simply values stored as strings of data. Keys can be stored in files on the file system or in a centralized data repository.
Adequate protection methods include, but are not limited to:
- utilizing centralized key management;