Data confidentiality with encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


IPSec in Windows XP and the Windows Server 2003 family uses the US Data Encryption Standard (DES) to provide confidentiality (data encryption). The DES algorithm was published in 1977 by the US National Bureau of Standards. Its 56-bit key has been recoverable by brute force since the late 1990s, so treat single DES as a compatibility option only and prefer 3DES wherever every peer supports it.

DES is a block cipher, that is, an encryption algorithm that operates on a fixed-size block of data. DES encrypts data in 64-bit blocks. The key is supplied as 64 bits (8 bytes), but the low-order bit of each byte is a parity bit used for error checking, so only 56 bits of the key are actual key material.

Cipher block chaining (CBC) is used to hide patterns of identical blocks of data within a packet. Before each plaintext block is encrypted with the secret key, it is combined (XORed) with the previous ciphertext block; for the first block, a random initialization vector (IV) takes the place of the previous ciphertext block, and a fresh IV is used for each packet. Because the input to each encryption depends on everything encrypted before it, identical plaintext blocks within a packet produce different ciphertext blocks, and the same packet encrypted with a different IV produces different ciphertext.
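The following program is an added example, not code from the original page or from Windows IPSec; it uses Go's standard crypto/des and crypto/cipher packages to show the two points above: the DES key's parity bits (why 64 key bits carry only 56 bits of key material) and why CBC, unlike encrypting each block independently (ECB), hides repeated blocks. The key, IV and the four-block payload are constructed constants so the run is reproducible; in IPSec the keys are negotiated and the IV is fresh per packet.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/bits"
)

// DESKeyParityOK reports whether each byte of an 8-byte DES key has odd
// parity. The low-order bit of every byte is the parity bit, which is why
// a 64-bit DES key carries only 56 bits of key material.
func DESKeyParityOK(key []byte) bool {
	if len(key) != 8 {
		return false
	}
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// FixDESKeyParity returns a copy of key with every low-order bit set or
// cleared so that each byte has odd parity (how 56 key bits are carried
// in 64 bits).
func FixDESKeyParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b&0xFE)%2 == 0 {
			out[i] = b | 0x01 // even count in the top 7 bits: set parity bit
		} else {
			out[i] = b & 0xFE // already odd: clear parity bit
		}
	}
	return out
}

// encryptECB encrypts each block independently (no chaining), which is
// exactly the pattern leak that CBC is there to prevent.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptCBC XORs each plaintext block with the previous ciphertext block
// (the IV for the first block) before applying the block cipher.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// decryptCBC reverses encryptCBC.
func decryptCBC(block cipher.Block, iv, ciphertext []byte) []byte {
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out
}

// CountDistinctBlocks returns the number of distinct bs-byte blocks in data.
func CountDistinctBlocks(data []byte, bs int) int {
	seen := make(map[string]bool)
	for i := 0; i < len(data); i += bs {
		seen[string(data[i:i+bs])] = true
	}
	return len(seen)
}

// PatternLeak encrypts a constructed 32-byte payload made of four identical
// 8-byte blocks under DES in ECB and in CBC mode and reports how many
// distinct ciphertext blocks each mode produced, plus whether CBC
// decryption recovers the payload. Key and IV are fixed constants here only
// so the run is reproducible (assumption for the example).
func PatternLeak() (ecbDistinct, cbcDistinct int, roundTrip bool, err error) {
	key := FixDESKeyParity([]byte("example!")) // 8 bytes, parity corrected
	block, err := des.NewCipher(key)
	if err != nil {
		return 0, 0, false, err
	}
	payload := bytes.Repeat([]byte("SAMEDATA"), 4) // four identical blocks
	iv := []byte{1, 2, 3, 4, 5, 6, 7, 8}           // constructed IV

	ecb := encryptECB(block, payload)
	cbc := encryptCBC(block, iv, payload)
	roundTrip = bytes.Equal(decryptCBC(block, iv, cbc), payload)
	return CountDistinctBlocks(ecb, 8), CountDistinctBlocks(cbc, 8), roundTrip, nil
}

func main() {
	ecb, cbc, ok, err := PatternLeak()
	if err != nil {
		panic(err)
	}
	fmt.Printf("distinct ciphertext blocks: ECB=%d CBC=%d, CBC round trip ok=%v\n", ecb, cbc, ok)
}
```

ECB turns the four identical plaintext blocks into one repeated ciphertext block, so the repetition is visible to anyone watching the wire; CBC yields four different blocks. Note that Go's des.NewCipher does not check key parity, so a key with bad parity is accepted; the parity helpers are there to make the 56-bit point concrete, not because the library requires them.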

The IPSec implementation in Windows XP and the Windows Server 2003 family supports the use of:

  • DES

    Used when the higher security of 3DES, with its added processing overhead, is not required.

  • 3DES

    Used when high security is required. 3DES processes each block three times, using a unique 56-bit key each time:

    1. Encryption on the block with key 1

    2. Decryption on the block with key 2

    3. Encryption on the block with key 3

      Decryption reverses the steps: the block is decrypted with key 3, encrypted with key 2, and decrypted with key 1.
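As an added example (not code from the original page or from Windows IPSec), the program below builds the encrypt-decrypt-encrypt sequence from three single-DES ciphers using Go's crypto/des, checks it against the library's own TripleDES cipher (which takes the 24-byte key k1||k2||k3), and runs the reversed sequence for decryption. It also goes one step beyond the text and shows why the middle step is a decryption rather than an encryption: with all three keys equal, 3DES reduces to single DES, which is what lets a 3DES implementation talk to a single-DES peer. The three keys and the block are constructed values for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// tripleDESCiphers builds the three single-DES ciphers for 8-byte keys
// k1, k2, k3, returning the first key-length error it hits.
func tripleDESCiphers(k1, k2, k3 []byte) ([3]cipher.Block, error) {
	var cs [3]cipher.Block
	for i, k := range [][]byte{k1, k2, k3} {
		c, err := des.NewCipher(k)
		if err != nil {
			return cs, err
		}
		cs[i] = c
	}
	return cs, nil
}

// EDEEncryptBlock encrypts one 8-byte block with the three steps described
// above: encrypt with key 1, decrypt with key 2, encrypt with key 3.
func EDEEncryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	cs, err := tripleDESCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	cs[0].Encrypt(out, block) // step 1: encrypt with key 1
	cs[1].Decrypt(out, out)   // step 2: decrypt with key 2
	cs[2].Encrypt(out, out)   // step 3: encrypt with key 3
	return out, nil
}

// EDEDecryptBlock reverses the process: decrypt with key 3, encrypt with
// key 2, decrypt with key 1.
func EDEDecryptBlock(k1, k2, k3, block []byte) ([]byte, error) {
	cs, err := tripleDESCiphers(k1, k2, k3)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	cs[2].Decrypt(out, block)
	cs[1].Encrypt(out, out)
	cs[0].Decrypt(out, out)
	return out, nil
}

// MatchesLibrary checks the hand-built EDE against crypto/des's own
// TripleDES cipher, which takes the 24-byte concatenation k1||k2||k3.
func MatchesLibrary(k1, k2, k3, block []byte) (bool, error) {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	tdes, err := des.NewTripleDESCipher(key)
	if err != nil {
		return false, err
	}
	want := make([]byte, des.BlockSize)
	tdes.Encrypt(want, block)
	got, err := EDEEncryptBlock(k1, k2, k3, block)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, want), nil
}

// CollapsesToDES shows why the middle step is a decryption: with
// k1 == k2 == k3 the decryption cancels the first encryption and EDE
// reduces to single DES under that key.
func CollapsesToDES(k, block []byte) (bool, error) {
	single, err := des.NewCipher(k)
	if err != nil {
		return false, err
	}
	want := make([]byte, des.BlockSize)
	single.Encrypt(want, block)
	got, err := EDEEncryptBlock(k, k, k, block)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, want), nil
}

// RoundTrips reports whether EDEDecryptBlock undoes EDEEncryptBlock.
func RoundTrips(k1, k2, k3, block []byte) (bool, error) {
	ct, err := EDEEncryptBlock(k1, k2, k3, block)
	if err != nil {
		return false, err
	}
	pt, err := EDEDecryptBlock(k1, k2, k3, ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, block), nil
}

func main() {
	// Constructed keys and block for the example; real keys come from IKE.
	k1, k2, k3 := []byte("key1key1"), []byte("key2key2"), []byte("key3key3")
	block := []byte("8bytes!!")
	same, _ := MatchesLibrary(k1, k2, k3, block)
	single, _ := CollapsesToDES(k1, block)
	rt, _ := RoundTrips(k1, k2, k3, block)
	fmt.Printf("hand-built EDE matches library: %v; k1=k2=k3 equals DES: %v; round trip: %v\n", same, single, rt)
}
```

The collapse to single DES is also the trap to remember when auditing key material: three identical (or two identical) 56-bit keys give 3DES security no better than DES, so a 3DES security method is only as strong as the independence of its three keys.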

Note

  • Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is downgraded to the weaker DES, so that communication gets some level of confidentiality rather than being blocked. Because this downgrade is automatic, you should accept DES as a fallback only when not all computers in your environment support 3DES, and you should verify which algorithm such computers actually negotiate rather than assume 3DES is in use. Computers running Windows XP or a Windows Server 2003 operating system support 3DES and do not require installation of the High Encryption Pack.