Internet Protocol Security
The base prime numbers (keying material) and the strength of the keys for the master and session keys are enhanced by the following features. The features discussed here apply to one or both keys, as stated.
Key lifetimes determine when a new key is generated, rather than how it is generated. Also called dynamic re-keying or key regeneration, a key lifetime allows you to force a key regeneration after a specific interval. For example, if the communication takes 10,000 seconds and you specify the key lifetime as 1,000 seconds, 10 keys are generated to complete the transfer. This ensures that even if attackers gain part of a communication, they are not able to gain the entire communication. Automatic key regeneration is provided; configuration is optional. Key lifetimes can be specified for both the master and session keys. Any time a key lifetime is reached, the SA is also renegotiated in addition to the key refresh or regeneration. The amount of data processed by a single key should not exceed 100 megabytes. Administrators should check current security and encryption guidelines to be sure of providing adequate protection for the type of data being communicated.
Repeated re-keying off a session key can compromise the Diffie-Hellman shared secret. Thus, a session key refresh limit is implemented to avoid a security compromise.
For example, Alice on Computer A sends a message to Bob on Computer B, and then sends another message to Bob a few minutes later. The same session key material might be reused because an SA was recently established with that computer. If you want to limit the number of times this occurs, set the session key refresh limit to a low number.
If you have enabled Perfect Forward Secrecy (PFS) for the master key, the session key refresh limit is ignored because PFS forces key regeneration. Setting a session key refresh limit to 1 is identical to enabling master key PFS. If both a master key lifetime and a session key refresh limit are specified, whichever limit is hit first causes the subsequent re-key. By default, IPSec policy does not specify a session key refresh limit.
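The interaction of key lifetimes, the session key refresh limit and master key PFS described above can be checked with a small model. This is an added example, not code from the original page or from any IPSec implementation; RekeyPolicy, simulate and the 28,800-second master key lifetime are hypothetical names and constructed values. It assumes the master key is only replaced at the moment the next session key is needed.

```python
from dataclasses import dataclass
from typing import Optional

MB = 1024 * 1024

@dataclass
class RekeyPolicy:  # hypothetical model, not a Windows IPSec policy object
    session_lifetime_s: int                   # session key lifetime (seconds)
    master_lifetime_s: int                    # master key lifetime (seconds)
    session_max_bytes: Optional[int] = None   # data limit per session key
    refresh_limit: Optional[int] = None       # session keys per master key (None = unset)
    master_pfs: bool = False                  # master key PFS

def simulate(policy: RekeyPolicy, duration_s: int, rate_bytes_s: int):
    """Return (phase1_negotiations, phase2_negotiations) for one transfer."""
    # A session key is replaced at its time or data limit, whichever comes first.
    span = policy.session_lifetime_s
    if policy.session_max_bytes is not None and rate_bytes_s > 0:
        span = min(span, max(1, policy.session_max_bytes // rate_bytes_s))
    if span <= 0:
        raise ValueError("session key lifetime must be positive")
    # Master key PFS makes the refresh limit irrelevant: one session key per master key.
    limit = 1 if policy.master_pfs else policy.refresh_limit

    phase1 = phase2 = derived = 0
    master_born = None
    t = 0
    while t < duration_s:
        expired = master_born is None or t - master_born >= policy.master_lifetime_s
        exhausted = limit is not None and derived >= limit
        if expired or exhausted:          # whichever limit is hit first
            phase1 += 1
            master_born, derived = t, 0
        phase2 += 1                       # new session key from the current master key
        derived += 1
        t += span
    return phase1, phase2

if __name__ == "__main__":
    # Constructed inputs: the page's 10,000 s transfer with 1,000 s session keys.
    base = dict(session_lifetime_s=1000, master_lifetime_s=28800)
    for label, extra in [("defaults", {}), ("refresh_limit=1", {"refresh_limit": 1}),
                         ("master PFS", {"master_pfs": True}),
                         ("100 MB cap at 1 MB/s", {"session_max_bytes": 100 * MB})]:
        rate = MB if "session_max_bytes" in extra else 1024
        print(label, simulate(RekeyPolicy(**base, **extra), 10_000, rate))
```

Each tuple is (Phase I negotiations, Phase II negotiations), so the cost of a low refresh limit or of master key PFS shows up as the first number rising to match the second.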
Diffie-Hellman (DH) groups are used to determine the length of the base prime numbers (key material) for the DH exchange. The strength of any key derived from a DH exchange depends in part on the strength of the DH group on which the primes are based.
Each DH group defines the length of the key material to be used. Group 2 (medium) is stronger than Group 1 (low). Group 1 protects 768 bits of keying material; Group 2 protects 1024 bits. A larger group means the key resulting from the DH exchange has more entropy and, therefore, is harder to break.
IKE takes care of negotiating which group to use, ensuring that there are not any negotiation failures as a result of a mismatched DH group between the two peers.
If PFS for the session is enabled, the DH is passed in the SA with the key information during the first message of the Phase II SA negotiation. This forces a new DH permutation which removes the session keying material from the initial DH exchange.
If the sender is using PFS for the session key, the responder is not required to use it as well. However, if the initiator is not using PFS for the session and the responder is using PFS, negotiation fails.
The DH group is the same for both the Phase I and Phase II SA negotiations. This means that when session key PFS is enabled, even though the DH group is set as part of the Phase I SA negotiation, it affects any re-keys during session key establishment.
Unlike key lifetimes, Perfect Forward Secrecy (PFS) determines how a new key is generated, rather than when it is generated. Specifically, PFS ensures that compromise of a single key permits access only to data protected by that single key—not necessarily to the entire communication. To achieve this, PFS ensures that a key used to protect a transmission, in whichever phase, cannot be used to generate any additional keys. In addition, if the key used was derived from specific keying material, that material cannot be used to generate any other keys.
Master key PFS requires a re-authentication, so use it with caution. When it is enabled, the IKE service must re-authenticate identities, causing additional overhead for any domain controllers. It requires a new Phase I negotiation for every Phase II negotiation that will take place.
However, session key PFS can be done without the re-authentication and is therefore less resource-intensive. Session key PFS results in a DH exchange to generate new key material. It requires only four messages and no authentication.
PFS is not required to be enabled on both peers because it is not a negotiable property. If the responder requires PFS and the sender's Phase II SA expires, it simply rejects the sender's message and requires a new negotiation. The sender expires the Phase I SA and renegotiates. PFS can be individually set for both the master and session keys.