Internet Protocol Security


Key Management

A key is a secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms (a mathematical process) to secure data. Windows 2000 automatically handles key generation and implements the following keying properties that maximize protection:

Dynamic Re-Keying

IPSec policy controls how often a new key is generated during the communication, using a method called dynamic re-keying. The communication is sent in blocks, and each block of data is secured with a different key. This prevents an attacker who has obtained part of a communication, and the corresponding session keys, from decrypting the rest of the communication. This on-demand security negotiation and automatic key management service is provided using the IETF-defined Internet Key Exchange (IKE), RFC 2409.

IPSec policy allows expert users to control how often a new key is generated. If no values are configured, keys are regenerated automatically at default intervals.

Key Lengths

Every time the length of a key is increased by one bit, the number of possible keys doubles, making it exponentially more difficult to break the key. IPSec policy provides multiple algorithms to allow for short or long key lengths.

Key Material Generation: The Diffie-Hellman Algorithm

To enable secure communication, two computers must be able to arrive at the same shared key (the session key) without sending that key across the network, because doing so would expose the secret.

The Diffie-Hellman algorithm (DH) predates Rivest-Shamir-Adleman (RSA) encryption and offers better performance. It is one of the oldest and most secure algorithms used for key exchange.

The two parties publicly exchange some keying information, which Windows 2000 additionally protects with a hash function signature. Neither party ever sends the actual key; after exchanging the keying material, each is able to generate the identical shared key.

The keying material the two parties exchange is based on either 96 or 128 bytes of keying material; these sizes are known as DH groups. The strength of the DH group is directly related to the strength of the key. Strong DH groups combined with longer key lengths increase the computational difficulty of trying to break the key.

IPSec uses the DH algorithm to provide the keying material for all other encryption keys. DH on its own provides no authentication; in the Windows 2000 IPSec implementation, identities are authenticated after the DH exchange takes place.
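The exchange described above, as an added example in Python (not code from this chapter or from Windows 2000), using the 96-byte group Windows 2000 supports: RFC 2409 section 6.1, First Oakley Default Group (IKE DH Group 1, generator 2). The nonces, the HMAC-SHA1 key derivation and the degenerate-value check are assumptions that stand in for IKE's own pseudo-random function; the primality check is the sanity test a practitioner should run on any group parameters before trusting them.

```python
import hmac
import secrets

# RFC 2409 s6.1 First Oakley Default Group: 768-bit (96-byte) MODP prime, generator 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP1_G = 2

def is_probable_prime(n, rounds=16):
    # Miller-Rabin sanity check: a mistyped or weak group prime is caught before use.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p=GROUP1_P, g=GROUP1_G):
    # The private exponent never leaves the host; only g^x mod p crosses the network.
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared_secret(own_private, peer_public, p=GROUP1_P):
    # Reject degenerate peer values (0, 1, p-1) that would force a trivial secret.
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside the safe range")
    return pow(peer_public, own_private, p)

def session_key(shared_secret, nonce_i, nonce_r):
    # Assumed, simplified stand-in for IKE's prf: HMAC-SHA1 keyed by both nonces over g^xy.
    gxy = shared_secret.to_bytes(96, "big")
    return hmac.new(nonce_i + nonce_r, gxy, "sha1").digest()

def exchange():
    # One DH round. Returns initiator key, responder key, and everything a sniffer sees.
    (xi, gxi), (xr, gxr) = dh_keypair(), dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ki = session_key(dh_shared_secret(xi, gxr), ni, nr)
    kr = session_key(dh_shared_secret(xr, gxi), ni, nr)
    return ki, kr, (gxi, gxr, ni, nr)
```

Each call to `exchange()` is one re-key: both sides derive the same 20-byte key from values that never include the secret, and a second call yields an unrelated key.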

For more detailed information on the key generation process, see the "Internet Key Exchange" section of this chapter.

© 1985-2000 Microsoft Corporation. All rights reserved.