O112-C2-013700 - The DBMS must use organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts - SQLNET.CRYPTO_CHECKSUM_SERVER

Information

An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message.

Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security), and time synchronous or challenge-response one-time authenticators.

Replay attacks, if successfully used against a database account, could result in access to database data. A successful replay attack against a non-privileged database account could result in a compromise of data stored on the database.

Oracle Database enables you to encrypt data that is sent over a network. There is no distinction between privileged and non-privileged accounts.

Encryption of network data provides data privacy so that unauthorized parties are not able to view plain-text data as it passes over the network. Oracle Database also provides protection against two forms of active attacks.

Data modification attack: An unauthorized party intercepting data in transit, altering it, and retransmitting it is a data modification attack. For example, intercepting a $100 bank deposit, changing the amount to $10,000, and retransmitting the higher amount is a data modification attack.

Replay attack: Repetitively retransmitting an entire set of valid data is a replay attack, such as intercepting a $100 bank withdrawal and retransmitting it ten times, thereby receiving $1,000.

AES and Triple-DES operate in outer Cipher Block Chaining (CBC) mode.

The DES algorithm uses a 56-bit key length.

Solution

Configure DBMS, OS and/or enterprise-level authentication/access mechanism to require organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.

If appropriate, apply Oracle Data Network Encryption to protect against replay mechanisms.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Database_11-2g_V1R18_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(1), CAT|II, CCI|CCI-000776, Rule-ID|SV-66483r5_rule, STIG-ID|O112-C2-013700, Vuln-ID|V-52267

Plugin: Windows

Control ID: 4942ed273ea270f5a2ed06f3ff1d4b49cc3e79bcc9dee47a096b4793bb438247