Internet Protocol Security |
Windows 2000 IPSec uses the US Data Encryption Standard (DES) to provide confidentiality (data encryption).
The DES algorithm was published in 1977 by the US National Bureau of Standards. IPSec enables the ability to frequently regenerate keys during a communication. This prevents the entire data set from being compromised if one DES key is broken. For more information, see "Key Lifetimes" later in this chapter.
DES uses a 56-bit key, and maps a 64-bit input block into a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key.
The input block is initially put through rounds to produce a 64-bit output block. A round is like shuffling a deck of cards—it is a randomization process to ensure that different values are produced each time. This key is used to generate 16, 48-bit, per-round keys. Each round takes as its input the outcome (key) of the previous round, plus the 48-bit key, and produces the next 56-bit key. After the sixteenth round, the key is permutated with the inverse of the initial permutation.
Cipher Block Chaining (CBC) is also used to hide patterns of identical blocks of data within a packet. An Initialization Vector (an initial random number) is used as the first random block to encrypt and decrypt a block of data. Different random blocks are used in conjunction with the secret key to encrypt each block. This ensures that identical cleartext data (unsecured data) results in unique, encrypted data blocks. Repeats can compromise the security of the key by providing a pattern with which an attacker can crack your encryption. Lack of repeats also prevents data expansion during encryption.
Windows 2000 IPSec supports the use of:
This process is reversed if the computer is decrypting a packet. Windows 2000 IPSec uses 3DES for confidentiality.