Implementation of the IPSec Protocol in Microsoft Windows 2003/XP Environment

Paul Szymanski
MCSE

Acknowledgments

I would like to thank the following people for taking time to review this document:

Monika Szymanski
Boris Taratine Ph.D.
Yang Yong
Jean Paul Bourget
Bénoni MARTIN
Guglielmo Alfieri
Sean Lewis

I am not a graphic artist so I had to use the graphics from various sources. They are:

Deploying IPSec, http://technet.microsoft.com/en-us/library/cc737024.aspx
TCP/IP Guide, Charles M. Kozierok, http://www.tcpipguide.com
An Illustrated Guide to IPsec by Steve Friedl, http://www.unixwiz.net/techtips/iguide-ipsec.html

Table of Contents

INTRODUCTION TO ENCRYPTION ..... 5
    Preparing confidential information ..... 6
    Encrypting information ..... 6
    Establishing secure link ..... 6
    Mutual Authentication ..... 7
    Exchange of Keys ..... 7
    Error Free Transmission ..... 7
    Decryption ..... 8
    Accessing decrypted information ..... 9
    Processing decrypted information ..... 9
    Replying ..... 9
WHAT IS THE IPSEC? ..... 9
    How does IPSec work? ..... 11
    Tunnel Mode vs. Transport Mode ..... 12
    Core Protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP) ..... 17
    Authentication Header (AH) ..... 18
    Encapsulating Security Payload (ESP) ..... 19
    Internet Key Exchange ..... 21
    Data Encryption Algorithms and Hash Function Algorithms ..... 23
    Hash Function Algorithms ..... 23
    Encryption Algorithms ..... 25
    Microsoft Windows XP Pro\2000\2003 IPSec implementation ..... 27
    Windows IPSec in transport mode ..... 29
    Tunnel Mode ..... 31
    Default IPSec Policies in Windows 2000/2003/XP Pro ..... 33
IPSEC FOR SMTP ..... 57
    The overview of the IP Security Monitor Console ..... 69
    The Main Mode ..... 72
    The Quick Mode ..... 76
    IPSec Statistics ..... 79
NETWORK MONITOR AND IPSEC ..... 81
APPENDIX ..... 90

Introduction to encryption

In order to successfully troubleshoot encryption, one should understand its
purpose and the general principles of how it works. Believe it or not, the
principles of encryption have not changed since its invention thousands of years
ago. Encryption is as old as human civilization; it is a tool that scrambles
information so that only the authorized recipients can access it after applying
a specific predefined key.

The ancient Egyptians used non-standard hieroglyphs to encrypt secret texts.
The ancient Greeks used a “scytale”, a wooden baton of a specific size and
shape onto which they rolled a leather strap. The sender wrote a message onto
the strap and filled the rest of the strap with random letters. The recipient
would use a baton of the same size as a key to decrypt the message written by
the sender. Obviously, the technology evolved over the thousands of years. The
“scytale” was replaced by the Enigma machine and later by very powerful
algorithms that run on computers, which encrypt data and generate the security
keys. However, the principle of encryption remained the same. First, you must
write the message or generate data. Then you encrypt the message or your data.
Finally, you provide a key to the recipient, and to yourself, with a set of
instructions on how to apply the key so that both of you can read what you
wrote. You also have to remember that not only must the recipient be able to
read the message and access the data, but the sender must be able to access his
or her own encrypted creation. Human memory fades with time.

People often confuse coding with encryption. To code is to replace one word or
piece of information with another word, a set of characters or even pictures.
For example, a sender could replace the word “cat” with the word “dog”. The
sender could also code the word “dog” in Morse characters and represent it
as: -.. --- --. The same could be done with numbers. For example, we could
represent the number “15” as the binary digits 00001111, but even though the
information is represented in a different format, it is not encrypted.
Encryption is the process of obscuring information to make it unreadable
without some special knowledge. It is sometimes referred to as scrambling.
Coding is often used along with encryption to ensure the security of
confidential communication.

All secure communications, regardless of their nature and the means of
communication, follow the same basic steps:

Preparing confidential information
Encrypting information
Establishing secure link
Secure Authentication
Exchange of security keys
Secure Transmission
Decryption
Accessing decrypted information
Processing decrypted information
Replying

Preparing confidential information

First, you must decide what information you would consider as confidential. This
step is the most critical and also the most difficult. Not all communications must
be encrypted, but at the same time, defining which information must be
encrypted could present a lot of challenges. The encryption algorithm can be
broken through logical analysis of the unencrypted information. You do not want
to encrypt every single message either because you could put a lot of strain on
your communication systems and eventually overload them.

Encrypting information

You have to decide how and what technology you are going to use to encrypt the
message. There are many ways to do it and some of them are better than
others. The type of encryption depends on the sensitivity of the information. For
example, the government may use the most complicated ciphers to encrypt the
launching sequence of the nuclear missiles, but you, on the other hand, may use
a simple encryption as a toy when sending a romantic message to your loved
one or simply place a letter into a secure envelope.

You must not forget that you are trying to communicate with a recipient of the
message; therefore, the recipient has to be able to decipher the message in a
relatively quick and easy fashion.

Once you have chosen the appropriate cipher, then you encrypt the information.

Establishing secure link

Once the information is encrypted, it needs to be delivered to the recipient.
Encryption can be compared to a secure envelope or a special safe that can be
opened only with a key. That key is kept secret, but the secure envelope is
exposed to the public. However, if the key is compromised and intercepted, the
message could be opened by an unauthorized recipient. Special consideration has
to be given to the fact that the encrypted message and its security could also
be compromised at the point of decryption through eavesdropping or mishandling
of the secure message. For example, you establish a secure and encrypted
tunnel between two remote networks to send sensitive e-mails. Your tunnel goes
from secure gateway A to secure gateway B, and the encryption and decryption
of the messages is handled by the gateways. However, once the message is
decrypted, it is sent to its final destination in clear text. En route, it
could be picked up by an unauthorized person with relative ease. Your
architecture has a serious hole between the gateway that encrypts and decrypts
the message and the final destination. Therefore, defining how to design your
secure link is critical to the entire secure communication process. You should
define the path the secure message will take to reach the recipients involved
in this communication, and then decide at what point the message should be
encrypted and decrypted. Business and technical requirements will dictate the
approach to be taken.

Mutual Authentication

Before the secure link is established, the parties have to be sure they are
talking to the parties they claim to be. The authentication itself also has to
be done over a secure channel.

Exchange of Keys

The keys allow the parties to decrypt encrypted information. Without the key,
the information cannot be accessed. The sender and the recipient must validate
the authenticity of the key to make sure the messages are not forged.

The security keys provide the only protection from unauthorized access to the
encrypted message, given that a strong cipher is chosen. They must be secured
and protected. They are the keys to your safe. In the spy movies, the agents
not only exchange passwords (secure authentication), but they also exchange
prearranged tokens, such as ripped-out book pages, money or playing cards,
before they continue exchanging information. The reason why they do it is very
simple. Passwords can be guessed or compromised, but it is a lot more difficult
to fake prearranged tokens. The same principle is used in secure communication
between computers and computer networks. In the case of IPSec, the symmetrical
keys are exchanged via a secure channel (after the Diffie-Hellman public key
exchange), hence they cannot be compromised, which makes IPSec a very secure
protocol.
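The key exchange and authentication the two sections above describe, as an added example that is not part of the original document: two peers run Diffie-Hellman over Oakley group 2 (the 1024-bit MODP group of RFC 2409 that IKE uses), derive a symmetric session key from the result without ever sending it, and protect a message with HMAC-SHA1 so that a forged or altered message is rejected. The Party class, the SHA-256 key derivation and the untruncated tag are simplifications assumed by this example, not IKE's actual key derivation or AH/ESP's 96-bit truncated tag.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used to sanity-check the group modulus before use."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class Party:
    """One peer (assumed helper): keeps its exponent secret, publishes g^x mod p."""
    def __init__(self):
        self.private = secrets.randbelow(P - 2) + 1   # secret exponent x
        self.public = pow(G, self.private, P)         # g^x, sent in the clear
        self.key = None

    def derive_key(self, peer_public):
        """Reject degenerate peer values (1 and p-1), then derive the session key."""
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self.private, P)    # g^(xy) mod p
        self.key = hashlib.sha256(shared.to_bytes(128, "big")).digest()
        return self.key

def protect(key, message):
    """Append an HMAC-SHA1 tag computed under the shared session key."""
    return message + hmac.new(key, message, hashlib.sha1).digest()

def verify(key, packet):
    """Recompute the tag in constant time; an altered or forged packet is rejected."""
    body, tag = packet[:-20], packet[-20:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or forged")
    return body

def demo():
    """Both peers end up with the same key; only the g^x values travelled."""
    alice, bob = Party(), Party()
    key_a = alice.derive_key(bob.public)
    key_b = bob.derive_key(alice.public)
    packet = protect(key_a, b"constructed sample payload")
    return key_a == key_b, verify(key_b, packet)
```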

Error Free Transmission

Any encrypted communication requires error free transmission. Distortion and
any noise during the transmission could have a negative impact not only on the
encrypted message itself, but also on the authentication negotiations required
by IPSec.

For example, you can securely transmit information over radio waves. The waves
are broadcast by antennas, and the open air is the medium through which they
travel. The link between point A and point B has inherent security problems
because the airspace is a public domain. The radio waves can be picked up by
anyone. The radio waves are susceptible to all kinds of atmospheric
disturbances that are beyond your control. The transmission of the data could
be secured and encrypted, but because of bad weather it may not reach its
destination. The owners of satellite TV dishes are very familiar with the
service outages during storms. The TV signal from the satellite is encrypted;
it travels through the public airspace, but storms can block it altogether.
Another example is cell phones. You may not get appropriate coverage, and then
you will not get an encrypted signal. In both cases, the disturbances during
the transmission affect the quality of the link between the two points.

Data can be and is transmitted securely over public broadcast systems. Public
broadcast systems can be secured. The encrypted data must be delivered
without errors. Errors caused by inter

Decryption

Decryption is the process of recovering clear text, data or other information
from the cipher text. If the key is secure and the algorithm is strong, it is
assumed that the only way for an unauthorized person to gain access to the
encrypted message is through brute force. This is a tedious and time consuming
process, which is compounded by key length.

Decryption of the data is as important and serious as the encryption process.
Sloppy decryption procedures can cause errors or jeopardize the entire secure
communication system. During the Polish-Soviet War of 1920, Polish
cryptologists were able to obtain some of the keys to the Soviet ciphers
through eavesdropping on their radio traffic. In some cases, Polish
cryptologists pretended to be Soviet radio operators and asked them to repeat
the key portions of the encrypted information in clear text. The obtained
information allowed the Poles to decrypt those messages, and in combination
with cryptanalysis, they were able to break all Soviet ciphers. The lack of
training and sloppiness of the Soviet soldiers responsible for encrypting and
decrypting the messages cost the Red Army the war. The Soviets did not learn
about this breach until the end of World War II.

Let me stress this point again: the encrypted message can be accessed by
anyone once the keys that are used to decrypt it are compromised. They can be
compromised during a faulty decryption process. Sloppy encryption practices
by the Germans during WW II helped the Allies decrypt messages encrypted by
Enigma machines. The operators of the Enigma machines quite often forgot to
reset the rotors, or they did not follow the established reset policies. With
this in mind, you should carefully define where the encryption and decryption
takes place and how it affects the encrypted message.

Accessing decrypted information

Once the data is decrypted, it is ready to be accessed. But since you bothered
to encrypt this data in the first place, it must contain sensitive information.
Therefore, it must be securely accessed after decryption; otherwise the whole
process would make no sense.

You should be aware of how, where, and by what means you will access decrypted
information. You should ask yourself whether the environment in which you
access it will undermine the entire process you have just gone through. For
example, you get a very sensitive database file. You decrypt it and decide to
access it by mounting the database on a server that allows unauthorized
personnel to see the entire content of the sensitive database. Consequently,
your elaborate security process has just become a mirage.

Processing decrypted information

You should also put a lot of thought into the actions you will use to process
decrypted information. These procedures should be written down and analyzed
before you implement them. You should ask yourself who should process the
data, how this data is going to be processed, which servers you will use to
process it, and who is going to ensure that the processing of sensitive
information is secure. These questions sound easy, but once you start
answering them, you will find out that the answers can be very tricky.

Replying

Since communication is a process of exchanging information, you will most
likely reply to the encrypted information. There is no point in encrypting
anything if you send a reply in clear text.

You must always keep in mind that the reason why you encrypt the data is to
protect its content from unauthorized access. Yes, it is an obvious statement, but
a lot of people go through the trouble of encrypting the data and securing the
links, but at the end, they dump sensitive information on the server so that
everyone can access it.

What is the IPSec?

IPSec is a suite of protocols for securing one or more Internet Protocol (IP)
paths between a pair of hosts or security gateways by authenticating and/or
encrypting each IP packet in a data stream. It is designed to provide
interoperable, cryptographically-based security for IPv4 and IPv6. Therefore,
IPSec includes protocols for cryptographic key establishment.[1]

[1] Request for Comments 2401, S. Kent & R. Atkinson, The Internet Society
(1998).

Uploaded: 11/22/2008