Advanced Key Exchange Settings
Applies To: Windows Server 2008
Key exchange settings
Security methods include integrity algorithms and encryption algorithms. You can use any combination of these algorithms to secure the key exchanges. You can have as many suites as you need, and you can arrange them in sequential order in the list. These suites will be attempted in the order in which you arrange them. The first set to be agreed upon by both peer computers is used. If the peer computer is not capable of using any of the suites you define, the connection will not be established.
Some algorithms are supported only by computers running this version of Windows. To add a method to the list, click Add.
As a best practice, order the suites in decreasing levels of security. This ensures that the most secure method that both peers can support is used.
Lifetime settings determine when a new key is generated. Lifetimes allow you to force the generation of a new key (regeneration) after a specified interval or after a specified number of sessions. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised. You can specify the lifetime in both minutes and number of sessions. The first threshold reached is used and the key is regenerated.
Shorter key lifetimes increase the security level of the exchanges, but also require more computing resources.
Key lifetime (in minutes)
You can use this setting to configure how long the key used to perform data integrity lasts, in minutes. After this interval, the key will be regenerated. Subsequent communications will use the new key.
The maximum lifetime is 2879 minutes (48 hours). The minimum lifetime is 1 minute.
Key lifetime (in sessions)
A session is a distinct message or set of messages. This setting specifies how many sessions can be protected using the same master key information. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,147,483,647 sessions. The minimum lifetime is 0 sessions.
A session limit of zero (0) will cause rekeys to be determined only by the Key lifetime (in minutes) setting.
The higher the number of sessions allowed per master key, the greater the chances of the master key being discovered. If you want to limit the number of times this reuse occurs, you can specify a session key limit.
To configure main mode perfect forward secrecy (PFS), set Key lifetime in sessions to 1. Although this configuration provides significant additional protection, it also carries a significant performance penalty. Every new quick mode session regenerates the main mode keying material, and then causes the two computers to reauthenticate. We recommend that you enable PFS only in hostile environments where IPsec traffic might be exposed to sophisticated attackers who might try to compromise the strong cryptographic protection provided by IPsec.
Key exchange algorithm
Elliptic Curve Diffie-Hellman P-384 and P-256
Elliptic Curve Cryptography (ECC) uses mathematical algorithms that provide a much higher level of security than standard Diffie-Hellman (DH) algorithms while requiring only slightly greater resources. For example, a 256-bit ECC parameter has the same equivalent protection as a 3,072-bit standard DH parameter. A 384-bit ECC parameter has the same equivalent protection as a 7,680-bit standard DH parameter.
The ECC P-384, P-256, and DH Group 14 algorithms are not available on earlier versions of Windows. If you are protecting communications with Windows XP or Windows 2000, then you should use the DH Group 2 key exchange algorithm.
Diffie-Hellman Group 14, Group 2, and Group 1
Windows Firewall with Advanced Security supports the following DH groups (in order of descending strength):
Diffie-Hellman Group 14 (2048 bits)
Diffie-Hellman Group 2 (1024 bits)
Diffie-Hellman Group 1 (768 bits)
We recommend that you do not use Diffie-Hellman Group 1 in a production environment because it is no longer considered to be a secure choice. It is provided only for interoperability with earlier operating systems. Use DH Group 2, Group 14, or one of the Elliptic Curve DH groups to secure your network traffic.
DH Group 14 and the Elliptic Curve DH algorithms are not available on earlier versions of Windows. If you are protecting communications with Windows XP or Windows 2000, then you should use the DH Group 2 key exchange algorithm.
More information about key exchange and key management
Windows Firewall with Advanced Security uses keys to protect data that is communicated between computers. It also controls how often a new key is generated during communication, using a method called dynamic rekeying. The communication is sent in blocks; each block of data is secured with a different key. This prevents an attacker who has obtained part of a communication and the corresponding session keys from obtaining the remainder of the communication. If no values are configured, keys are regenerated automatically at default intervals.
Session key refresh limit
Repeated rekeying based on a session key can compromise the Diffie-Hellman shared secret. Because of this, a session key refresh limit is implemented.
For example, Alice on Computer A sends a message to Bob on Computer B, and then sends another message to Bob a few minutes later. The same session key material might be reused because an SA was recently established. If you want to limit the number of times this occurs, set the session key refresh limit to a low number. If both a master key lifetime and a session key refresh limit are specified, the limit reached first causes the subsequent rekey. By default, IPsec policy does not specify a session key refresh limit.
Before secured data can be exchanged, a contract between the two computers must be established. This is a two-step process involving Main Mode and Quick Mode security associations (SAs).
An SA is the combination of a negotiated key, security protocol, and security parameters index (SPI), which together define the security used to protect the communication from sender to receiver. The SPI is a unique, identifying value in the SA that is used to distinguish among multiple SAs that exist at the receiving computer. For example, multiple associations might exist if a computer is securely communicating with multiple computers at the same time. This is a common occurrence when the computer is a file server or a remote access server that serves multiple clients. In these situations, the receiving computer uses the SPI to determine which SA is used to process the incoming packets.
The Main Mode SA is cached to allow multiple Quick Mode SA negotiations (unless master key PFS is enabled). When a key lifetime is reached for the master or session key, the SA is renegotiated. In addition, the key is refreshed or regenerated.
When the default timeout period elapses for the Main Mode SA, or the master or session key lifetime is reached, a delete message is sent to the responder, which tells the responder to cause the Main Mode SA to expire. This prevents additional new Quick Mode SAs from being created from the expired Main Mode SA. IKE does not cause the Quick Mode SA to expire because only the IPsec driver contains the number of seconds or bytes that have passed to reach the key lifetime.
Use caution when setting very different key lifetimes for master and session keys. For example, setting a master key lifetime of eight hours and a session key lifetime of two hours might leave a Quick Mode SA in place for almost two hours after the Main Mode SA has expired. This occurs when the Quick Mode SA is generated shortly before Main Mode SA expiration.