@@ -848,17 +848,17 @@ If the VPN claims to support IPv6, it shall provide full, native IPv6 connectivi
The VPN shall use strong cryptography.
#### 5.2.14.2 MI-CRYPT-1: Use a PSK
#### 5.2.14.2 MI-CRYPT-1: Pre-shared key mixing for post-quantum security
The VPN shall use a preshared key to mitigate post-quantum decryption
The VPN shall support mixing a preshared key (PSK) into the key derivation process to mitigate the risk of quantum-enabled decryption.
* Applicability: (optional, for requirements that depend on a feature)
* Reference: TR-CRYPT
* Objective: Confidentiality
* Preparation: Obtain a configuration file from the VPN manufacturer to setup the VPN with an open source product
* Activities: Open the configuration file in an editor
* Verdict: The configuration file contains a PSK or preshared key => PASS, otherwise => FAIL
* Evidence: The configuration file
* Preparation: Attach a debugger to the VPN client binding to cryptographic functions or capture traffic on all interfaces
* Activities: Create protocol trace when setting up a post-quantum safe tunnel or capture packet showing the encryption headers
* Verdict: Protocol trace or packet capture demonstrating that the PSK is incorporated into key derivation during tunnel establishment => PASS, otherwise => FAIL
* Evidence: The protocol trace or packet capture demonstating the mixing a preshared key into the key derivation process
#### 5.2.14.3 MI-CRYPT-2: Use conformant encryption
@@ -1119,7 +1119,6 @@ This clause lists all the mitigations necessary to meet requirements for each se
