Descriptions of the IPsec Algorithms and Methods

Applies To: Windows Server 2008, Windows Vista

This topic describes the algorithms and methods supported by the Windows operating system. For a table that shows which of these algorithms and methods are supported in different versions of Windows, see IPsec Algorithms and Methods Supported in Windows.

In this topic:

  • Key exchange algorithms

  • Integrity algorithms

  • Encryption algorithms

  • Authentication methods

Key exchange algorithms

Key exchange algorithms are used to securely exchange a shared secret value between two computers over an unsecured network connection. The computers exchange information that, when processed by the algorithm, produces the shared secret value. A third computer listening on the network and intercepting network packets between the first two computers cannot determine the shared secret value. The shared secret value can then be used as a session key, or to generate a session key, to encrypt the rest of the communications used in the IPsec negotiations.

Diffie-Hellman Groups 1, 2, and 14

The Diffie-Hellman (DH) key exchange algorithms are described in RFC 2631 (https://go.microsoft.com/fwlink/?linkid=129157) and defined by American National Standards Institute (ANSI) X9.42. The DH groups provide increasing key strengths at the cost of increased CPU calculations. DH Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, and Group 14 provides 2048 bits.

DH Groups 1 and 2 are available on computers running Windows 2000 or later. DH Group 14 is available on computers running Windows XP or later.

Security Note
DH Group 1 is no longer considered secure and should be used only for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.
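
The exchange described above, worked through in Python as an added example (this is not Microsoft's code; IPsec performs this exchange inside IKE, not in application code): both computers compute the same secret from values that cross the network in the clear, because each private exponent stays with its owner. The modulus is the 1024-bit prime of DH Group 2 from RFC 2409, transcribed here and re-checked as a safe prime before the group is used. The session-key derivation at the end is a simplified stand-in (one SHA-256 over the secret and two nonces) for the PRF-based derivation IKE actually uses, and the `DhParty` class, the nonce handling and `run_exchange` are this example's own.

```python
"""Diffie-Hellman exchange over the 1024-bit MODP group (IKE DH Group 2).

Added illustration, not Microsoft code: two computers derive the same secret
from values that an eavesdropper can read, because the private exponents
never leave their owners.
"""
import hashlib
import secrets

# 1024-bit prime of DH Group 2, transcribed from RFC 2409 section 6.2.
# is_safe_prime() below re-checks the transcription before the group is used.
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def is_probable_prime(n, rounds=12):
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness of compositeness
    return True


def is_safe_prime(p):
    """p = 2q + 1 with q prime: every element other than 1 and p-1 has order q or 2q."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DhParty:
    """One endpoint of the exchange (hypothetical class for this example)."""

    def __init__(self, p=DH_GROUP2_P, g=DH_GROUP2_G):
        if not is_safe_prime(p):
            raise ValueError("DH modulus is not a safe prime; refusing to use the group")
        self.p, self.g = p, g
        self.private = 1 + secrets.randbelow(p - 2)   # x in [1, p-2]; never transmitted
        self.public = pow(g, self.private, p)         # g^x mod p; sent in the clear

    def shared_secret(self, peer_public):
        # 0, 1 and p-1 would force a predictable secret, so they are rejected.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, self.p)

    def session_key(self, peer_public, nonce_i, nonce_r):
        """Simplified stand-in for the IKE derivation (assumption: IKE keys a PRF
        with the nonces; a single SHA-256 over secret and nonces is used here)."""
        size = (self.p.bit_length() + 7) // 8
        z = self.shared_secret(peer_public).to_bytes(size, "big")
        return hashlib.sha256(z + nonce_i + nonce_r).digest()


def run_exchange():
    """One exchange: return both session keys and everything a sniffer could capture."""
    initiator, responder = DhParty(), DhParty()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    captured = {"p": DH_GROUP2_P, "g": DH_GROUP2_G, "nonce_i": nonce_i, "nonce_r": nonce_r,
                "public_i": initiator.public, "public_r": responder.public}
    key_i = initiator.session_key(responder.public, nonce_i, nonce_r)
    key_r = responder.session_key(initiator.public, nonce_i, nonce_r)
    return key_i, key_r, captured


if __name__ == "__main__":
    k_i, k_r, seen = run_exchange()
    print("both sides derived the same key:", k_i == k_r)
    print("captured fields:", sorted(seen))
```

Two checks in the block are the ones a defender cares about: the group parameters are validated (a modulus that is not a safe prime weakens the exchange) and a peer's public value of 0, 1 or p-1 is refused, since accepting it would let the peer force a known secret. The `captured` dictionary is exactly what the "third computer listening on the network" from the paragraph above gets to see.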

ECDH P-256 and ECDH P-384

The Elliptic Curve Diffie-Hellman (ECDH) key exchange protocols are part of the National Security Agency (NSA) “Suite B” and are documented in National Institute of Standards and Technology (NIST) Special Publication 800-56A (https://go.microsoft.com/fwlink/?linkid=129022). They provide key exchange with stronger key strength than DH Groups 1, 2, and 14.

ECDH P-256 and ECDH P-384 are available on computers running Windows Vista with SP1 and Windows Server 2008.

Integrity algorithms

Data integrity algorithms help ensure that a network packet received from a remote computer was not modified in transit. The sending computer calculates a hash value from the data payload of the network packet. This hash is then cryptographically signed and attached to the network packet. The receiving computer performs the same calculation on the data payload of the packet and compares it to the hash that was attached by the sender. If the hashes match, then the data is the same as it was transmitted and the receiving computer accepts the packet. If the hash values do not match, then the packet was altered between the source and the destination and the receiving computer drops the packet. Data integrity algorithms do not encrypt the data; encryption protocols must be used for that purpose.

MD5

Message Digest 5 (MD5) is documented in RFC 1321 (https://go.microsoft.com/fwlink/?linkid=128011).

MD5 is available on computers running Windows 2000 or later.

Security Note
MD5 is no longer considered secure and should be used only for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.

SHA-1, SHA-256, and SHA-384

Secure Hash Algorithm 1 (SHA-1) and its derivatives SHA-256 and SHA-384 are documented in Federal Information Processing Standards Publication 180-2 (https://go.microsoft.com/fwlink/?linkid=128010). SHA-256 and SHA-384 are part of the NSA “Suite B.” The SHA-1 computation results in a 160-bit hash that is used for the integrity check. SHA-256 and SHA-384 produce 256-bit and 384-bit hashes, respectively. The longer hash algorithms provide more security, but due to the higher cryptographic complexity of the calculations, they also require more CPU utilization.

SHA-1 is available on computers running Windows 2000 or later versions of Windows.

SHA-256 and SHA-384 are available on computers running Windows Vista with SP1 and Windows Server 2008.
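
An added example, not code from this page, of the integrity check described at the start of this section, using the hash algorithms named in the MD5 and SHA subsections: a keyed hash (HMAC, which is how IPsec applies MD5 and SHA to packets) is computed over a constructed payload and attached to it; the receiver recomputes it and drops the packet when even one bit has changed. The demo key, the sample payload and the 12-byte truncation used in `tamper_demo` are assumptions chosen for the illustration (IPsec's HMAC-SHA1-96 truncates to 12 bytes in the same way); everything runs on Python's standard `hashlib` and `hmac` modules.

```python
"""Keyed integrity check (HMAC) over a constructed packet payload.

Added illustration, not Microsoft code: the sender appends an integrity check
value computed with a key both peers hold; the receiver recomputes it and drops
any packet whose value does not match. The payload itself stays readable.
"""
import hashlib
import hmac

# Constructed demo key. In IPsec the integrity key is derived from the key exchange.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

# Hash functions named in this section of the page.
INTEGRITY_ALGORITHMS = ("md5", "sha1", "sha256", "sha384")


def icv(key, payload, algorithm="sha256", truncate_to=None):
    """Integrity check value: HMAC over the payload, optionally truncated
    (HMAC-SHA1-96, for example, keeps only the first 12 bytes)."""
    tag = hmac.new(key, payload, algorithm).digest()
    return tag if truncate_to is None else tag[:truncate_to]


def protect(key, payload, algorithm="sha256", truncate_to=None):
    """Sender side: the payload followed by its ICV. Nothing is encrypted."""
    return payload + icv(key, payload, algorithm, truncate_to)


def verify(key, packet, algorithm="sha256", truncate_to=None):
    """Receiver side: return the payload if its ICV matches, otherwise None (drop)."""
    icv_len = truncate_to or hashlib.new(algorithm).digest_size
    if len(packet) < icv_len:
        return None
    payload, received = packet[:-icv_len], packet[-icv_len:]
    expected = icv(key, payload, algorithm, truncate_to)
    # compare_digest is constant-time, so a forger learns nothing from how many
    # leading bytes of a guessed ICV happened to be right.
    return payload if hmac.compare_digest(received, expected) else None


def digest_sizes():
    """Full hash length in bytes for each algorithm (160/256/384 bits for the SHA family)."""
    return {name: hashlib.new(name).digest_size for name in INTEGRITY_ALGORITHMS}


def tamper_demo(algorithm="sha1", truncate_to=12):
    """Constructed payload; flip one bit 'in transit'; report what the receiver does."""
    payload = b"constructed payload: POST /transfer amount=100"
    packet = protect(DEMO_KEY, payload, algorithm, truncate_to)
    corrupted = bytearray(packet)
    corrupted[0] ^= 0x01                        # a single-bit change to the first byte
    return {
        "intact_accepted": verify(DEMO_KEY, packet, algorithm, truncate_to) == payload,
        "modified_dropped": verify(DEMO_KEY, bytes(corrupted), algorithm, truncate_to) is None,
        "payload_still_readable": payload in packet,
    }


if __name__ == "__main__":
    print(digest_sizes())
    print(tamper_demo())
```

The last field of `tamper_demo` makes the closing point of the section's first paragraph concrete: the integrity algorithm leaves the payload readable on the wire, so confidentiality needs an encryption algorithm in addition.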

AES-GMAC 128, 192, and 256

The Advanced Encryption Standard Galois Message Authentication Code (AES-GMAC) integrity algorithms are part of the NSA “Suite B” and are documented in NIST Special Publication 800-38D (https://go.microsoft.com/fwlink/?linkid=127882). AES-GMAC is based on AES, which is documented in Federal Information Processing Standards Publication 197 (https://go.microsoft.com/fwlink/?linkid=127986). AES-GMAC is the same as AES-GCM without encryption; it can be used with key lengths of 128, 192, and 256 bits.

The AES-GMAC algorithms are available on computers that are running Windows Vista with SP1 and Windows Server 2008.

Note
If you select one of the AES-GMAC algorithms as the integrity algorithm, then you must select the corresponding AES-GCM algorithm as the encryption algorithm.

AES-GCM 128, 192, and 256

The Advanced Encryption Standard Galois/Counter Mode (AES-GCM) serves as both an integrity algorithm and an encryption algorithm. AES-GCM is part of the NSA “Suite B” and is documented in NIST Special Publication 800-38D (https://go.microsoft.com/fwlink/?linkid=127882). AES-GCM is based on AES, which is documented in Federal Information Processing Standards Publication 197 (https://go.microsoft.com/fwlink/?linkid=127986). The AES-GCM algorithm is a symmetric block cipher that can encrypt and decrypt information in data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Longer key lengths provide better security at the cost of CPU performance due to the more intensive computational requirements.

The AES-GCM algorithms can be used only with quick mode algorithm combinations.

The AES-GCM algorithms are available on computers that are running Windows Vista with SP1 and Windows Server 2008.

Note
If you select an AES-GCM algorithm as either the encryption or integrity algorithm, then you must select the same AES-GCM algorithm for both.

Encryption algorithms

Data encryption algorithms are used to provide confidentiality to the data payload of an IPsec-protected network packet. Encryption algorithms can be very computationally intensive and can significantly impact computer performance. We recommend that you only encrypt network traffic that requires encryption. If you find that encryption impacts performance more than expected, consider using a network adapter that supports IPsec task offload.

DES

DES is a block cipher encryption protocol that uses a 56-bit key and is documented in Federal Information Processing Standards Publication 46-3 (https://go.microsoft.com/fwlink/?linkid=128014). A block cipher is an encryption algorithm that operates on a fixed-size block of data. DES encrypts data in 64-bit blocks. The key is supplied as 64 bits, but one bit in each of the 8 bytes is reserved for error checking (a parity bit), which leaves 56 bits of usable key.

DES is available on computers running Windows 2000 or later.

Security Note
DES is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.

3DES

Triple-DES or 3DES is an encryption protocol that provides stronger encryption than DES. It is documented in Federal Information Processing Standards Publication 46-3 (https://go.microsoft.com/fwlink/?linkid=128014). 3DES is a block cipher that uses a three-step encryption process that is more secure than DES. A block cipher is an encryption algorithm that operates on a fixed-size block of data.

3DES is available on computers running Windows 2000 or later.

AES-CBC 128, 192, and 256

The AES in Cipher Block Chaining mode (AES-CBC) encryption algorithms are part of the NSA “Suite B” and are documented in RFC 3602 (https://go.microsoft.com/fwlink/?linkid=127990). AES is documented in Federal Information Processing Standards Publication 197 (https://go.microsoft.com/fwlink/?linkid=127986). The AES algorithm is a symmetric block cipher that can encrypt and decrypt information in data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Longer key lengths provide better security at the cost of CPU performance due to the more intensive computational requirements. Cipher block chaining (CBC) is used to hide patterns of identical blocks of data within a packet. A random initialization vector is combined with the first block of plaintext before that block is encrypted, and each subsequent plaintext block is combined with the ciphertext of the block before it. Because the input to every block therefore depends on the initialization vector and on all preceding blocks, identical blocks of unsecured data (plaintext) result in unique, encrypted data blocks.

The AES-CBC algorithms are available on computers that are running Windows Vista with SP1.
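
An added example, not Microsoft code and not a production cipher, written to make the chaining described above concrete: AES-128 encryption implemented directly from FIPS-197 and checked against its published test vector, then applied two ways to a plaintext made of three identical blocks, once block by block (ECB, with no chaining) and once in CBC with a random initialization vector as RFC 3602 describes. Only the 128-bit key length is implemented (192- and 256-bit keys differ in key schedule and round count); the key, the sample plaintext and the function names are this example's own.

```python
"""AES-128 in CBC mode, next to block-by-block (ECB) encryption.

Added illustration, not Microsoft code and not a production cipher: AES-128
written out from FIPS-197 and checked against its Appendix C.1 vector, then
chained as RFC 3602 describes so the pattern-hiding effect is visible.
"""
import secrets


def _xtime(b):
    """Multiply by x in GF(2^8), reducing by the AES polynomial 0x11B."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def _build_sbox():
    """S-box: multiplicative inverse in GF(2^8) followed by the FIPS-197 affine map."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                      # 0x03 generates the nonzero field elements
        exp[i], log[x] = x, i
        x ^= _xtime(x)                        # x = x * 3
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s = v = inv
        for _ in range(4):                    # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block (10 rounds). State byte index = row + 4 * column."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                    # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]          # ShiftRows
        if rnd < 10:                                                # MixColumns
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                m += [_xtime(a[i]) ^ _xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4]
                      ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for i in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                     # AddRoundKey
    return bytes(s)


def ecb_encrypt(key, plaintext):
    """Every block encrypted on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(aes128_encrypt_block(key, plaintext[i:i + 16])
                    for i in range(0, len(plaintext), 16))


def cbc_encrypt(key, iv, plaintext):
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV
    for the first block) before encrypting it, as RFC 3602 specifies."""
    if len(plaintext) % 16 or len(iv) != 16:
        raise ValueError("plaintext must be whole 16-byte blocks; IV must be 16 bytes")
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), 16):
        prev = aes128_encrypt_block(key, bytes(p ^ c for p, c in zip(plaintext[i:i + 16], prev)))
        out += prev
    return bytes(out)


def distinct_blocks(ciphertext):
    """Number of different 16-byte blocks in a ciphertext."""
    return len({ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)})


def pattern_demo():
    """Three identical plaintext blocks (constructed sample) under ECB versus CBC."""
    key, iv = secrets.token_bytes(16), secrets.token_bytes(16)
    plaintext = b"same 16B record!" * 3
    return distinct_blocks(ecb_encrypt(key, plaintext)), distinct_blocks(cbc_encrypt(key, iv, plaintext))
```

`pattern_demo()` returns `(1, 3)`: without chaining the three equal plaintext blocks encrypt to one repeated ciphertext block, which tells an observer that the records are identical; with CBC and a fresh random IV all three ciphertext blocks differ. The IV must be unpredictable and sent along with the packet, which is why RFC 3602 carries it in the ESP payload.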

AES-GCM 128, 192, and 256

AES-GCM is both an integrity and encryption algorithm and is described in the Integrity algorithms section.

Authentication methods

Authentication methods define the way in which a computer or user can securely assert identity to a remote computer. The methods involve sharing credentials that can be cryptographically verified, proving that the sending computer or user is who it claims to be.

Preshared key

The preshared key authentication method uses a plaintext value that must be separately configured on each computer.

Security Note
The preshared key method is not considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure method. It is provided for backward compatibility only.

The preshared key method is available on computers running Windows 2000 or later.

Kerberos V5

Kerberos V5 is an authentication protocol that uses cryptographic tickets to transmit credentials from an Active Directory domain to identify users or computers. Both computers (or users) must be members of the same domain or separate domains that share a trust relationship. For more information, see Kerberos V5 Authentication (https://go.microsoft.com/fwlink/?linkid=129171).

Kerberos V5 is available on computers running Windows 2000 or later.

Certificate

Certificates based on the X.509 standard and issued by trusted certification authorities (CAs) can be used as an authentication method. Computers or users that have been issued a certificate can include the certificate in IPsec negotiations with a remote computer. The remote computer cryptographically confirms that the owner of the certificate is the one who sent it. For more information about setting up a certificate server, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkID=110820).

Certificate-based authentication is available on computers running Windows 2000 or later.

NTLMv2

NTLM is a Microsoft challenge/response authentication protocol that interoperates with and uses credentials from an Active Directory domain. To use NTLMv2 authentication, both computers (or users) must be members of the same domain or separate domains that share a trust relationship. For more information, see NT LAN Manager (NTLM) Authentication Protocol Specification (https://go.microsoft.com/fwlink/?linkid=129211).

NTLMv2 authentication is available on computers running Windows Vista and Windows Server 2008.

Certificate with ECDSA P-256 and ECDSA P-384

Certificates that are cryptographically signed using the Elliptic Curve Digital Signature Algorithm (ECDSA) can be used as an authentication method. Computers or users that have been issued a certificate can include the certificate in IPsec negotiations with a remote computer. The remote computer cryptographically confirms that the owner of the certificate is the one who sent it. ECDSA signing of certificates is documented in Federal Information Processing Standards Publication 186-2 (https://go.microsoft.com/fwlink/?linkid=129212) and defined by American National Standards Institute (ANSI) X9.62.

Certificates with ECDSA can be used on computers running Windows Vista.