Information
A cryptographic hash function converts an arbitrary-length input into a fixed-length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.
ENCRYPT_METHOD (string) - This defines the system default encryption algorithm for encrypting passwords (if no algorithm is specified on the command line). It can take one of these values:
- MD5 - MD5-based algorithm will be used for encrypting password
- SHA256 - SHA256-based algorithm will be used for encrypting password
- SHA512 - SHA512-based algorithm will be used for encrypting password
- BCRYPT - BCRYPT-based algorithm will be used for encrypting password
- YESCRYPT - YESCRYPT-based algorithm will be used for encrypting password
- DES - DES-based algorithm will be used for encrypting password (default)
Note:
- This parameter overrides the deprecated MD5_CRYPT_ENAB variable.
- This parameter will only affect the generation of group passwords.
- The generation of user passwords is done by PAM and subject to the PAM configuration.
- It is recommended to set this variable consistently with the PAM configuration.
The SHA-512 algorithm provides a strong FIPS 140-2 approved hash for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local group passwords.
The operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and data may be compromised.
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
Solution
Edit /etc/login.defs and set the ENCRYPT_METHOD to SHA512 :
ENCRYPT_METHOD SHA512
Note:
- This only affects local groups' passwords created after updating the file to use SHA512.
- If it is determined that the password algorithm being used is not sha512, once it is changed, it is recommended that all group passwords be updated to use the stronger hashing algorithm.
- It is recommended that the chosen hashing algorithm is consistent across /etc/login.defs and the PAM configuration.
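The following audit script is an added example and is not part of this benchmark page or of shadow-utils. It implements the two checks the Information and Solution sections call for: reading the effective ENCRYPT_METHOD from a login.defs-format file (ignoring comments, with the last assignment winning) and listing groups in a gshadow-format file whose password field is not a SHA-512 ($6$) hash. The file paths, the demo function and the sample file contents are constructed for the example; run the functions against /etc/login.defs and /etc/gshadow (as root) to audit a real system.

```shell
#!/bin/sh
# Added audit example (not from the benchmark page): check the effective
# ENCRYPT_METHOD in a login.defs file and the hash prefixes in a gshadow file.
# Paths are passed as arguments so the functions also work on constructed samples.

# Print the effective ENCRYPT_METHOD value: comments are stripped and the last
# uncommented assignment wins. Prints nothing if the key is unset.
effective_encrypt_method() {
    sed -e 's/#.*//' "$1" | awk '$1 == "ENCRYPT_METHOD" { v = $2 } END { if (v != "") print v }'
}

# Return 0 if the file sets ENCRYPT_METHOD to SHA512, 1 otherwise.
check_encrypt_method() {
    [ "$(effective_encrypt_method "$1")" = "SHA512" ]
}

# List group names in a gshadow-format file whose password field holds a hash
# that is not SHA-512 (prefix $6$). Empty or locked fields (!, *) hold no hash
# and are skipped.
weak_group_hashes() {
    awk -F: '
        $2 == "" || substr($2, 1, 1) == "!" || substr($2, 1, 1) == "*" { next }
        substr($2, 1, 3) != "$6$" { print $1 }
    ' "$1"
}

# Demonstration on constructed sample files (hash values are fake placeholders).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/login.defs" <<'EOF'
# ENCRYPT_METHOD DES   (commented out, must be ignored)
ENCRYPT_METHOD MD5
ENCRYPT_METHOD SHA512
EOF
    cat > "$tmp/gshadow" <<'EOF'
root:*::
sudo:!::alice
devs:$6$saltsalt$fakehashvalue:admin:alice,bob
legacy:$1$saltsalt$fakehashvalue::carol
build:$5$saltsalt$fakehashvalue::dave
EOF
    if check_encrypt_method "$tmp/login.defs"; then
        echo "login.defs: ENCRYPT_METHOD is SHA512"
    else
        echo "login.defs: ENCRYPT_METHOD is '$(effective_encrypt_method "$tmp/login.defs")', expected SHA512"
    fi
    echo "groups whose password hash is not SHA-512:"
    weak_group_hashes "$tmp/gshadow"
    rm -rf "$tmp"
}

demo
```

On the constructed sample the script reports that ENCRYPT_METHOD is SHA512 and lists `legacy` (MD5, $1$) and `build` (SHA-256, $5$) as groups whose passwords should be reset after the setting is corrected, matching the note that existing group hashes are not rewritten by the change.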