Internet Protocol Security
IPSec can also use pre-shared keys for authentication. Pre-shared means the parties must agree on a shared, secret key that becomes part of the IPSec policy. During security negotiation, information is encrypted before transmission using the shared key, and decrypted on the receiving end using the same key. If the receiver can decrypt the information, identities are considered authenticated.
Microsoft does not recommend frequent use of pre-shared key authentication, because the authentication key is stored, unprotected, in the IPSec policy. Pre-shared key methodology is provided only for interoperability purposes and to adhere to the IPSec standards set forth by the IETF. To safely use this authentication method, the policy must be restricted to administrator-only read and write access, encrypted for privacy when communicated between the domain controller and domain member computers, and restricted to system-only read access on each computer.
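The two paragraphs above describe a pre-shared-key policy and why it is risky. The following is an added example, not code from the original page or from Microsoft; it uses the NetSecurity PowerShell cmdlets (Windows 8 / Windows Server 2012 and later, elevated session) to build the kind of policy described, show that the key is stored in readable form, and list every IPSec rule on the machine that still relies on a pre-shared key. The key, the peer address and the CA name are placeholders constructed for illustration, and the `Get-PskIPsecRule` helper is my own, not part of the module.

```powershell
# Added example (not from the original page). Assumes the NetSecurity module
# and an elevated session. Values marked PLACEHOLDER are constructed.

# --- 1. The pre-shared-key policy the page describes ----------------------
# The key is supplied as a plain string and is kept in the policy as-is;
# anyone who can read the policy can read the key.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'PLACEHOLDER-psk-change-me'
$pskAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Lab PSK auth (example)' -Proposal $pskProposal

# PLACEHOLDER peer address from the TEST-NET-1 documentation range.
New-NetIPsecRule -DisplayName 'Lab PSK rule (example)' `
    -RemoteAddress '192.0.2.10' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $pskAuthSet.Name

# Demonstrates the "stored, unprotected" point: the key is returned verbatim
# to any caller allowed to read the policy store.
($pskAuthSet | Get-NetIPsecAuthProposal).PreSharedKey

# --- 2. Audit: which rules rely on a pre-shared key? ----------------------
function Get-PskIPsecRule {
    # A PSK proposal carries a non-empty PreSharedKey property; proposals
    # for other methods leave it empty, so a truthy value marks a PSK set.
    $pskSets = Get-NetIPsecPhase1AuthSet | Where-Object {
        ($_ | Get-NetIPsecAuthProposal) | Where-Object { $_.PreSharedKey }
    }
    foreach ($set in $pskSets) {
        # PolicyStoreSource shows whether the rule is local or delivered by
        # Group Policy, which is where the page's access restrictions apply.
        Get-NetIPsecRule | Where-Object { $_.Phase1AuthSet -eq $set.Name } |
            Select-Object DisplayName, PolicyStoreSource, Phase1AuthSet
    }
}

Get-PskIPsecRule

# --- 3. Same rule shape with the certificate method the module offers ------
# PLACEHOLDER CA distinguished name; the proposal authenticates machines by
# certificates chained to this root instead of a shared secret in the policy.
$certProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=PLACEHOLDER Root CA' -AuthorityType Root
$certAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Lab cert auth (example)' -Proposal $certProposal

# Swap the rule's Phase 1 authentication set to remove the stored key.
Set-NetIPsecRule -DisplayName 'Lab PSK rule (example)' -Phase1AuthSet $certAuthSet.Name
```

Run section 2 on its own against a machine whose policy you administer; an empty result means no rule in any policy store still authenticates with a pre-shared key. Where a PSK rule must remain for interoperability, the audit output's `PolicyStoreSource` column tells you which policy object needs the administrator-only read/write restriction the text calls for.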