1.6 Production applications should not implement the default SRPVerifierStore interface for the Secure Remote Password (SRP) protocol

Information

The SRP protocol is a public key exchange protocol similar to Diffie-Hellman. The default implementation of the SRPVerifierStore interface is not recommended for a production security environment because it requires all password hash information to be available as a file of serialized objects.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Application developers should not use the default implementation for SRPVerifierStore, and should extend it to avoid the use of serialized password objects.

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CAT|III

Plugin: Unix

Control ID: 14d93e276cedfe79df3fe0d6f3f5bfef5db9f989e7b40866bbc2612af5ae519e