Key exchange methods

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In addition to the key exchange settings (for example, key lifetimes and master key PFS), you can set security methods for main mode IKE negotiation. For example, you can specify which algorithms protect the integrity and confidentiality of the negotiation itself. The same algorithms that are available for quick mode security methods are available for main mode IKE negotiation: MD5 and SHA1 for integrity, and DES and 3DES for confidentiality. Of these, SHA1 and 3DES are the stronger choices; DES in particular should be offered only as a fallback for peers that cannot use 3DES (see the notes below).

Diffie-Hellman groups

In addition to setting integrity and confidentiality algorithms, you can specify which Diffie-Hellman groups to use. A Diffie-Hellman group fixes the prime modulus (and therefore the length of the prime) used during the key exchange process. The cryptographic strength of any key derived from the exchange depends, in part, on the strength of the Diffie-Hellman group, because an attacker who can solve the discrete logarithm problem in that group can recover the shared secret from the public values alone.

Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 uses a 768-bit prime modulus, Group 2 a 1024-bit modulus, and Group 2048 a 2048-bit modulus; Group 2048 is the group numbered 14 in the IKE group registry. These figures are modulus lengths, not effective key strengths: a 1024-bit modulus provides roughly 80 bits of security and a 2048-bit modulus roughly 112 bits, and a 768-bit modulus is well below that. If the peers do not offer a common group, main mode negotiation fails; once a group has been selected, it cannot be switched for the remainder of the negotiation.

The Diffie-Hellman group is configured as part of the main mode key exchange settings. Unless perfect forward secrecy (PFS) is enabled, every session key generated during quick mode is derived from the master key material produced by the main mode Diffie-Hellman exchange, so an attacker who recovers that master key material can derive every session key produced from it. If either master key PFS or session key PFS is enabled, a new Diffie-Hellman exchange is performed to obtain fresh keying material for each new session key that is required. The difference between the two is that master key PFS also requires reauthentication of the main mode SA (a new main mode negotiation) in addition to the Diffie-Hellman exchange, whereas session key PFS performs only the additional Diffie-Hellman exchange.
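The following Python example is added to this page for illustration and is not part of the Windows Server 2003 documentation or of the Windows IKE implementation. It rebuilds the three groups named above from their published definitions (the IKE group numbers, bit lengths, and additive constants are taken from RFC 2409 for Groups 1 and 2 and from RFC 3526 for the 2048-bit group), verifies that each modulus is a safe prime of the stated length, and models two behaviors described above: a main mode negotiation that fails when the peers share no group, and the fresh Diffie-Hellman exchange per session key that PFS requires. The table, function names, and the use of SHA-1-free plain DH secrets are the example's own simplifications.

```python
"""Rebuild the IKE Diffie-Hellman MODP groups from their RFC definitions, then
model main mode group selection and the PFS re-exchange. Formula (RFC 2409
groups 1 and 2, RFC 3526 group 14), generator g = 2:
    p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + c)"""
import secrets

# Constructed table: Windows Server 2003 UI label -> (IKE group id, modulus bits, constant c).
MODP_GROUPS = {
    "Group 1 (Low)": (1, 768, 149686),
    "Group 2 (Medium)": (2, 1024, 129093),
    "Group 2048 (High)": (14, 2048, 124476),
}


def pi_fixed(bits, guard=64):
    """floor(pi * 2**bits), from Machin's formula in exact integer arithmetic."""
    scale = 1 << (bits + guard)

    def arctan_inv(x):  # arctan(1/x) * scale, as an alternating series
        total, term, k, sign, x2 = 0, scale // x, 1, 1, x * x
        while term:
            total += sign * (term // k)
            term //= x2
            k, sign = k + 2, -sign
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


def modp_prime(bits, c):
    """Evaluate the RFC formula for a 'bits'-bit MODP modulus."""
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_fixed(bits - 130) + c)


def is_probable_prime(n, rounds=6):
    """Miller-Rabin with random bases; False means definitely composite."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def build_group(label):
    """Return (IKE group id, p) after checking p is a safe prime of the stated size."""
    group_id, bits, c = MODP_GROUPS[label]
    p = modp_prime(bits, c)
    if p.bit_length() != bits or not is_probable_prime(p) or not is_probable_prime((p - 1) // 2):
        raise ValueError(f"{label}: modulus is not a {bits}-bit safe prime")
    return group_id, p


def select_group(initiator_offers, responder_accepts):
    """Main mode settles on the first of the initiator's ordered proposals that the
    responder also accepts; it is then fixed for the negotiation. None = failure."""
    return next((g for g in initiator_offers if g in responder_accepts), None)


def dh_exchange(p, g=2):
    """One Diffie-Hellman exchange between two peers; returns the shared secret."""
    q = (p - 1) // 2  # order of the subgroup generated by g in a safe-prime group
    a, b = 2 + secrets.randbelow(q - 2), 2 + secrets.randbelow(q - 2)
    ya, yb = pow(g, a, p), pow(g, b, p)
    for y in (ya, yb):  # reject degenerate public values (0, 1, p-1) before use
        if not 1 < y < p - 1:
            raise ValueError("degenerate Diffie-Hellman public value")
    shared_a, shared_b = pow(yb, a, p), pow(ya, b, p)
    assert shared_a == shared_b
    return shared_a


def quick_mode_secrets(p, sessions, pfs):
    """The page's PFS rule: without PFS every quick mode session key is derived
    from the one main mode DH secret; with session key PFS each quick mode runs
    a fresh exchange. Returns the DH secret each of the session keys came from."""
    master = dh_exchange(p)
    return [dh_exchange(p) if pfs else master for _ in range(sessions)]


if __name__ == "__main__":
    for label in MODP_GROUPS:
        group_id, p = build_group(label)
        print(f"{label}: IKE group {group_id}, {p.bit_length()}-bit safe prime verified")
    _, p = build_group("Group 2048 (High)")
    print("distinct DH secrets for 3 session keys, no PFS:", len(set(quick_mode_secrets(p, 3, False))))
    print("distinct DH secrets for 3 session keys, PFS:   ", len(set(quick_mode_secrets(p, 3, True))))
    print("group chosen when initiator offers 14 and responder accepts 2:", select_group([14], [2]))
```

Running the file prints the verification result for each group and the number of distinct Diffie-Hellman secrets behind three session keys with and without PFS. The second check is the practical meaning of PFS: with it enabled, the compromise of one session's secret reveals nothing about the others, whereas without it a single main mode secret stands behind every session key until the next main mode rekey.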

Important

  • For enhanced security, do not use Diffie-Hellman Group 1. For maximum security, use Group 2048 whenever possible. Use Group 2 when required for interoperability with Windows 2000 and Windows XP.

Notes

  • Diffie-Hellman Group 2048 is provided only with the Windows Server 2003 family.

  • For a standard level of security, it is generally recommended that all of the IKE settings (for example, master key PFS and key lifetime) and security methods remain at their defaults. For more information about IKE settings, see Internet Key Exchange.

  • Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is silently downgraded to the weaker DES, so that communication keeps some level of confidentiality rather than being blocked entirely. Because this downgrade is silent, verify that every Windows 2000 peer has the required service pack before relying on 3DES, and use DES only as a fallback option if not all computers in your environment support 3DES. Computers running Windows XP or a Windows Server 2003 operating system support 3DES and do not require installation of the High Encryption Pack.

For information about how to configure key exchange settings and methods, see Configure key exchange settings and Create key exchange security methods.