STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated just now
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide

V-283782

CAT I (High)

The Nokia router must use Federal Information Processing Standard (FIPS)-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.

Rule ID

SV-283782r1223371_rule

STIG

Nokia Service Router OS 25.x Network Device Management Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002890CCI-003123

Discussion

Unapproved mechanisms used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoW data may be compromised. Nonlocal maintenance and diagnostic activities are activities conducted by individuals communicating through an external network (e.g., the internet) or internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets the specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., Simple Network Management Protocol [SNMP] v3, Secure Shell [SSH] v2, Network Time Protocol [NTP], HyperText Transfer Protocol Secure [HTTPS], and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes layer 7 protocols such as Secure Copy (SCP) and Secure File Transfer Protocol (SFTP), which can be used for secure file transfers. Satisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331

Check Content

Verify the Nokia router uses FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

SSH server list example:

- show system security ssh server-lists

SSH Server configurable algorithm lists

SSHv2 Cipher List   : aes256-ctr
                      aes192-ctr
                      aes128-ctr
                      aes128-cbc
                      aes192-cbc
                      aes256-cbc

SSHv2 MAC List      : hmac-sha2-512
                      hmac-sha2-256

SSHv2 KEX List      : ecdh-sha2-nistp521
                      ecdh-sha2-nistp384
                      ecdh-sha2-nistp256
                      diffie-hellman-group16-sha512
                      diffie-hellman-group14-sha256

SSHv2 Host Key List : ecdsa-sha2-nistp521
                      ecdsa-sha2-nistp256
                      rsa-sha2-512
                      rsa-sha2-256

SSH client list example:

- show system security ssh client-lists

If the Nokia router does not use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.

Fix Text

Configure the Nokia router to use FIPS-validated HMAC to protect the integrity of nonlocal maintenance and diagnostic communications.

When in FIPS mode, the non-FIPS algorithms are removed. To remove any of SSH ciphers, use the command below:

- configure system security ssh

Use the command below to view all ciphers available for "client-cipher-list", "server-cipher-list", "client-mac-list", and "server-mac-list":

- info detail

Remove any unwanted cipher from any of the lists above using the command below. For example, to remove cipher id 190 from server-cipher-list, use the following:
 
- server-cipher-list no cipher 190