The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-30967 | NET-VPN-130 | SV-41009r1_rule | ECSC-1 | High |
| Description |
|---|
| Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision. For a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore MD5 is considered cryptographically broken and should not be used—and certainly not for security-based services relying on collision resistance. Hence Secure Hash Algorithm (SHA) must be used for IPSec cryptographic hashing operations required for authentication and integrity verification. |
| STIG | Date |
|---|---|
| IPSec VPN Gateway Security Technical Implementation Guide | 2018-11-27 |
Details
| Check Text ( C-39627r2_chk ) |
|---|
| Review all transform sets defined in IPSec profiles and crypto maps and verify SHA has been enabled for performing cryptographic hashing operations. |
| Fix Text (F-34777r1_fix) |
|---|
| Configure all IPSec transform sets to use SHA for performing cryptographic hashing operations. |