The API must protect the private keys used to sign assertions and tokens.

STIG ID: SRG-APP-000970-API-001660  |  SRG: SRG-APP-000970 |  Severity: medium |  CCI: CCI-005157,CCI-000366 |  Vulnerability Id: V-274840

Vulnerability Discussion

Private keys are used to sign tokens and assertions, which verify the identity and permissions of users or systems requesting access. If these keys are compromised, attackers could generate fraudulent tokens or assertions, granting unauthorized access to sensitive resources and potentially causing significant damage to both the system and its users.

The level of protection required for these private keys depends on the sensitivity of the information and the potential impact of a security breach. By ensuring private keys are properly secured through strong encryption, access controls, and key management, the API can prevent unauthorized access, safeguard the integrity of the authentication process, and minimize the risk of severe consequences from key compromise.

Check

To check if the API protects the private keys used to sign assertions and tokens:

Verify private keys used for signing tokens and assertions are stored securely. These keys must not be hard coded in the codebase or stored in plaintext files.

Verify private keys are stored in a secure location such as a hardware security module (HSM) or key management service (KMS), which provides encryption and access control.

Verify only authorized personnel or systems can access the keys. Review filesystem permissions.

Verify that the private keys are encrypted both at rest and in transit. If using cloud-based key management systems, ensure that encryption is enabled by default.

Verify private keys are only used for their intended purpose—signing tokens and assertions.

Audit the system to ensure that keys are only accessible during token generation or signing processes and not left accessible longer than needed.

Confirm that there is a key rotation policy in place for the private keys used to sign tokens and assertions. These keys should be rotated regularly to reduce the risk of compromise.

Implement monitoring and logging mechanisms to audit any access to, or use of, private keys. Logs must capture who accessed the key, when, and for what purpose.

Review the API's or key management system's documentation to confirm private key protection practices align with industry standards, such as NIST guidelines and FIPS compliance.

If the API is not protecting private keys, this is a finding.

Fix

Build or configure the API to properly protect private keys used to sign assertions and tokens.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.