T 2.130 Inappropriate selection of VPN encryption methods
The importance of using a suitable VPN encryption procedure increases as the data throughput in the VPN increases, and also as the protection requirements of the information processed increase. If an unsuitable encryption procedure is selected, the information requiring protection is exposed to numerous risks during transmission over insecure networks.
Static cryptographic keys and pre-shared keys (PSKs, keys that have been agreed to in advance) are particularly susceptible to attacks using cryptographic analysis. Furthermore, the choice of PSK itself may affect security, for example with regard to dictionary and brute-force attacks.
If an authentication component fails and contingency planning was poor (e.g. no redundancy was planned), operations could be seriously disrupted because users are unable to log in and use the VPN.
Examples:
- The use of static cryptographic keys entails serious security disadvantages. Since the keys are often left unchanged for long periods of time, in many cases large amounts of data are encrypted with them. This makes it much easier to analyse the encrypted data cryptographically and at the same time increases the extent to which the results of that analysis can be exploited.
- In one company, only one PSK is used for the entire VPN infrastructure. This has a significant impact on security if the VPN is ever compromised.
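
One way to audit a gateway's PSK entries for the two problems described above (a PSK open to dictionary or brute-force guessing, and a single PSK shared across the VPN), as an added example that is not part of the original catalogue text. It assumes secrets in the strongSwan/Libreswan `ipsec.secrets` line format; the sample entries, the function names and the 128-bit threshold are constructed for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample in the ipsec.secrets style used by strongSwan/Libreswan
# (assumed line format: <ids> : PSK "<secret>"); not taken from the page.
SAMPLE_SECRETS = '''\
# site-to-site tunnels
192.0.2.1 198.51.100.7 : PSK "Sommer2023"
192.0.2.1 198.51.100.8 : PSK "Sommer2023"
192.0.2.1 203.0.113.5 : PSK "q7Vd2mXr9KpL4tZc8Nw1Ys6HbG3fJe0U"
'''

# Matches IPv4/FQDN id selectors only (ids containing ':' are not handled).
PSK_LINE = re.compile(r'^\s*([^#:\n]*?)\s*:\s*PSK\s+"([^"]*)"\s*$')
MIN_BITS = 128  # assumed policy threshold, adjust to local requirements


def charset_bits(secret):
    """Upper bound on entropy: length * log2(size of the character classes used).
    Human-chosen PSKs are far weaker than this bound suggests."""
    pool = 0
    pool += 26 if re.search(r"[a-z]", secret) else 0
    pool += 26 if re.search(r"[A-Z]", secret) else 0
    pool += 10 if re.search(r"[0-9]", secret) else 0
    pool += 32 if re.search(r"[^a-zA-Z0-9]", secret) else 0  # approx. symbol count
    return len(secret) * math.log2(pool) if pool else 0.0


def audit_psks(text):
    """Return (reused, weak): groups of peer entries sharing one PSK, and entries
    whose PSK cannot reach MIN_BITS even if it had been chosen at random."""
    peers_by_psk = defaultdict(list)
    for line in text.splitlines():
        m = PSK_LINE.match(line)
        if m:
            peers_by_psk[m.group(2)].append(m.group(1))
    reused = [peers for peers in peers_by_psk.values() if len(peers) > 1]
    weak = [p for psk, peers in peers_by_psk.items()
            if charset_bits(psk) < MIN_BITS for p in peers]
    return reused, weak


if __name__ == "__main__":
    reused, weak = audit_psks(SAMPLE_SECRETS)
    print("PSK shared by:", reused)
    print("PSK below %d-bit bound:" % MIN_BITS, weak)
```

A PSK that passes the length bound can still be guessable if it was chosen by a person, so the check is a lower bar, not proof of strength.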