Security properties

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IPSec provides the following properties for secured communications:

  • Anti-replay

    Ensures the uniqueness of each IP packet. Anti-replay is also called replay prevention. Anti-replay ensures that data captured by an attacker cannot be reused or replayed to establish a session or gain information illegally. This protects against attempts to intercept a message and then use the identical message to illegally gain access to resources, possibly months later.

  • Integrity

    Protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. A keyed hash function computes a cryptographic checksum over each packet using a shared, secret key. Only the sender and receiver have the key that is used to calculate the checksum. If the packet contents have changed, the checksum verification fails and the packet is discarded.

  • Confidentiality (encryption)

    Ensures that data is disclosed only to intended recipients. This is achieved by encrypting the data before transmission, so that the data cannot be read during transmission, even if the packet is monitored or intercepted. Only the communicating computers with the shared, secret key are able to read the data after it has been decrypted. This property is optional and is dependent on IPSec policy settings.

  • Authentication

    Verifies that a message could only have been sent from a computer that has knowledge of the shared, secret key. The sender includes with the message a message authentication code, produced by a calculation that includes the shared, secret key. The receiver performs the same calculation and, if the receiver’s result does not match the message authentication code that is included in the message, the message is discarded. The message authentication code is the same as the cryptographic checksum that is used for integrity.
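
A simplified model of how a receiver enforces anti-replay, integrity and authentication together, as an added example (not Microsoft's code and not the Windows IPSec implementation). It assumes a per-packet sequence number checked against a sliding window, as the IPsec AH and ESP protocols do, and uses HMAC-SHA256; `protect`, `Receiver`, `TAG_LEN` and the 64-packet `WINDOW` are names and values chosen for this example, and encryption is left out.

```python
import hashlib
import hmac
import struct

WINDOW = 64   # anti-replay window size in packets (assumed for this example)
TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 32-bit sequence number + payload + keyed checksum over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiver state for one pair of communicating computers (hypothetical)."""
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest authenticated sequence number seen so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) was seen

    def accept(self, packet: bytes):
        """Return the payload, or None if the packet must be discarded."""
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack("!I", body[:4])[0]
        # Anti-replay: reject packets older than the window and exact duplicates.
        if seq == 0 or seq + WINDOW <= self.highest:
            return None
        if seq <= self.highest and (self.bitmap >> (self.highest - seq)) & 1:
            return None
        # Integrity and authentication: recompute the checksum, compare in constant time.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        # Advance the window only after the checksum verified, so forged
        # packets cannot mark a sequence number as used.
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return body[4:]
```

The window is updated only after the checksum check passes; doing it earlier would let an attacker without the key burn sequence numbers and cause legitimate packets to be dropped.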