UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must use Secure Hash Algorithm for IKE cryptographic hashing operations required for authentication and integrity verification.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30950 NET-VPN-060 SV-40992r1_rule ECSC-1 High
Description
Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore, MD5 is considered cryptographically broken and should be not be used—and certainly not for security-based services relying on collision resistance. Using a weak hash algorithm such as MD5 could enable a rogue device to discover the authentication key enabling it to establish an Internet Key Exchange (IKE) Security Association with either of the VPN end points. Hence, Secure Hash Algorithm (SHA) must be used for IKE cryptographic hashing operations required for authentication and integrity verification.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2013-10-08

Details

Check Text ( C-39610r1_chk )
Examine all ISAKMP policies configured on the VPN gateway to determine what hash algorithm is being used for establishing an IKE Security Association.
Fix Text (F-34760r1_fix)
Configure all ISAKMP policies to use SHA for IKE cryptographic hashing operations.