#### 5.2.X.x **[MI-AUTH-2]** Transmitted credentials must be encrypted
The VPN client shall by default encrypt all transmitted user credentials or sensitive authentication material used for any supported authentication method or transport protocol.
* Test: for each supported authentication and transport method, authenticate a user while capturing the network traffic for the entire authentication process, then search the captured traffic for a plaintext string matching the user's password or token
* Result: no plaintext string matching the user's credential is found
* Documentation: the authentication method and transport used, a packet capture, the plain text of the user's credential(s), and the output of a search for the credential(s)
* False negative prevention: deliberately revert the client or server to an unencrypted transport method and re-run the test, confirming that the credentials are then visible in plaintext
* Reference: TR-AUTH
* Objective: Confidentiality of credentials
* Preparation: None
* Activities: For each supported authentication and transport method, authenticate a user while capturing the network traffic for the entire authentication process, then search the captured traffic for a plaintext string matching the user's credential
* Verdict: No plaintext string matching the user's credential is found => PASS, otherwise FAIL
* Evidence: The authentication method and transport used, a packet capture, the plain text of the user's credential, and the output of a search for the credential in the packet capture
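
An added example (not part of the original requirement text) of the capture search described in the activities above, including the false-negative control run against an unencrypted transport. It goes beyond a literal plaintext match by also searching for UTF-16LE and URL-encoded forms, which are encodings rather than encryption; the sample captures, the credential and the `INCONCLUSIVE` label are constructed for illustration.

```python
import hashlib
import struct
from urllib.parse import quote

# Classic pcap magic bytes (micro/nanosecond timestamps) mapped to struct byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
               b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def iter_frames(pcap: bytes):
    """Yield the captured bytes of each record in a classic pcap file."""
    order = PCAP_MAGICS.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack_from(order + "I", pcap, offset + 8)[0]
        yield pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def find_credential(pcap: bytes, credential: str) -> list:
    """Return (frame_index, form, offset) for every occurrence in the capture."""
    needles = {"plaintext": credential.encode(),
               "utf-16le": credential.encode("utf-16-le"),
               "url-encoded": quote(credential, safe="").encode()}
    return [(i, form, frame.find(needle))
            for i, frame in enumerate(iter_frames(pcap))
            for form, needle in needles.items() if needle in frame]

def verdict(test_pcap: bytes, control_pcap: bytes, credential: str) -> str:
    """PASS/FAIL per the test; INCONCLUSIVE (this example's own label) if the
    unencrypted control run does not expose the credential to the search."""
    if not find_credential(control_pcap, credential):
        return "INCONCLUSIVE"
    return "FAIL" if find_credential(test_pcap, credential) else "PASS"

def build_pcap(frames: list) -> bytes:
    """Constructed sample data: wrap opaque frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

CREDENTIAL = "Tr0ub4dor&3"  # constructed test password
HDR = b"\x00" * 14          # placeholder link-layer header
CONTROL = build_pcap([HDR + b"login user=alice&password=Tr0ub4dor%263",
                      HDR + b"PASS Tr0ub4dor&3\r\n"])
ENCRYPTED = build_pcap([HDR + hashlib.sha256(b"stand-in ciphertext").digest()])

if __name__ == "__main__":
    print(find_credential(CONTROL, CREDENTIAL))
    print(verdict(ENCRYPTED, CONTROL, CREDENTIAL))
```

The search is per frame, so a credential split across two TCP segments is not matched; reassemble the streams before searching when long tokens are in use.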