From IPSec VPN Gateway Security Technical Implementation Guide
Part of SHA is not being used for IKE hashing.
Associated with IA controls: ECSC-1
Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision, and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published stating that an MD5 collision has been found in less than a minute. Therefore, MD5 is considered cryptographically broken and should not be used, and certainly not for security-based services relying on collision resistance. Using a weak hash algorithm such as MD5 could enable a rogue device to discover the authentication key, enabling it to establish an Internet Key Exchange (IKE) Security Association with either of the VPN end points. Hence, Secure Hash Algorithm (SHA) must be used for IKE cryptographic hashing operations required for authentication and integrity verification.
Examine all ISAKMP policies configured on the VPN gateway to determine what hash algorithm is being used for establishing an IKE Security Association.
Configure all ISAKMP policies to use SHA for IKE cryptographic hashing operations.
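One way to automate the check above, as an added example that is not part of the STIG: it reads a saved gateway configuration and reports every ISAKMP policy whose hash is not a SHA variant. It assumes Cisco IOS-style `crypto isakmp policy` blocks and that a policy with no `hash` line uses the platform default of SHA; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS running-config style (an assumption; the
# STIG text does not name a vendor syntax).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 group 14
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
!
crypto isakmp policy 30
 encr aes
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
HASH_RE = re.compile(r"^\s+hash (\S+)\s*$")
# Assumption: the running config omits the hash line when the policy uses
# the platform default, which is SHA.
DEFAULT_HASH = "sha"

def isakmp_hashes(config_text):
    """Return {policy_number: hash_algorithm} for every ISAKMP policy."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = DEFAULT_HASH
        elif current is not None and line.startswith(" "):
            h = HASH_RE.match(line)  # indented line inside the policy block
            if h:
                policies[current] = h.group(1).lower()
        else:
            current = None  # unindented line: the policy block has ended
    return policies

def findings(config_text):
    """Policy numbers whose IKE hash is not SHA (the condition the check flags)."""
    hashes = isakmp_hashes(config_text)
    return sorted(n for n, h in hashes.items() if not h.startswith("sha"))

if __name__ == "__main__":
    print(isakmp_hashes(SAMPLE_CONFIG), "non-SHA policies:", findings(SAMPLE_CONFIG))
```

An empty list from `findings` means every policy in the file satisfies the check; any number returned is a policy to reconfigure as described in the fix.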