UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30967 NET-VPN-130 SV-41009r1_rule ECSC-1 High
Description
Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision. For a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore MD5 is considered cryptographically broken and should not be used—and certainly not for security-based services relying on collision resistance. Hence Secure Hash Algorithm (SHA) must be used for IPSec cryptographic hashing operations required for authentication and integrity verification.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2016-09-28

Details

Check Text ( C-39627r2_chk )
Review all transform sets defined in IPSec profiles and crypto maps and verify SHA has been enabled for performing cryptographic hashing operations.
Fix Text (F-34777r1_fix)
Configure all IPSec transform sets to use SHA for performing cryptographic hashing operations.