«
»

Windows 7 Features Support for Suite B Cryptographic Algorithms via IPsec

Published by
Mire_B
at April 18, 2009 in Windows 7. Comment

Windows 7 features support for Suite B Cryptographic Algorithms via IPsec, just like Windows Vista Service Pack 1 (SP1) and Windows Server 2008.

“The authoring of policies that contain Suite B algorithms is supported via the “Windows Firewall with Advanced Security” Microsoft Management Console (MMC) snap-in for Windows 7 and for later versions of Windows,” from kb949856.

Support limitations

Support limitations for Suite B include the following:

  • The creation and enforcement of IPsec policy by using Suite B algorithms is supported only in Windows Vista Service Pack 1 (SP1), in Windows Server 2008, or in later versions of Windows.
  • The authoring of policies that contain Suite B algorithms is supported via the “Windows Firewall with Advanced Security” Microsoft Management Console (MMC) snap-in for Windows 7 and for later versions of Windows.
  • The Netsh advfirewall help command does not display configuration options for Suite B algorithms. This applies only to Windows Vista SP1.
Back to the top

Definitions

  • Suite B Suite B is a set of standards that are specified by the National Security Agency (NSA). Suite B provides the industry with a common set of cryptographic algorithms that can be used to create products that meet the widest range of U.S. government needs. Suite B includes specification of the following types of algorithms:
    • Integrity
    • Encryption
    • Key exchange
    • Digital signature
  • Federal Information Processing Standards (FIPS)FIPS is a set of guidelines and standards that govern federal computing resources. All Suite B algorithms are FIPS-approved.

    For more information, visit the following Web site:

    http://www.itl.nist.gov/fipspubs/geninfo.htm (http://www.itl.nist.gov/fipspubs/geninfo.htm)
  • NISTThis is an acronym for the National Institute of Standards and Technology.
  • Data integrity algorithmsData integrity algorithms use message hashes to make sure that information is not being changed while it is in transit.
  • Data encryption algorithmsData encryption algorithms are used to hide information that is being transmitted. The encryption algorithms are used to convert plain text to a secret code.

    For example, the encryption algorithms can convert plain text to ciphertext. The ciphertext can then be decoded to the original plain text. Each algorithm uses a “key” to perform the conversion. The type of key and the length of the key depend on the algorithm that is being used.

  • IPsecThis is an abbreviation for the term “Internet Protocol security.”

    For more information about IPsec, visit the following Microsoft Web site:

    http://technet.microsoft.com/en-us/network/bb531150.aspx (http://technet.microsoft.com/en-us/network/bb531150.aspx)
  • Advanced Encryption Standard Galois Message Authentication Code (AES-GMAC)This algorithm is described in NIST Special Publication 800-38D. To view this document, visit the following Web site:
    http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf (http://csrc.nist.gov/publications/nistpubs/800-38d/sp-800-38d.pdf)
  • Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) This algorithm is described in NIST Special Publication 800-38D. To view this document, visit the following Web site:
    http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf (http://csrc.nist.gov/publications/nistpubs/800-38d/sp-800-38d.pdf)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)Elliptic curve (EC) is a variant of the digital signature algorithm that operates on EC groups. The EC variant provides smaller key sizes for the same security level.

    This algorithm is described in FIPS publication 186-2. To view this publication, visit the following Web site:

    http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf (http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)
  • Certification authority (CA)A certification authority is an entity that issues digital certificates. IPsec can use these certificates as an authentication method.
  • Authentication Header (AH)Authentication Header is an IPsec protocol that provides authentication, integrity, and anti-replay functionality for the whole packet. This includes the IP header and the data payload.

    AH does not provide confidentiality. This means that AH does not encrypt the data. The data is readable, but it is unwriteable.

  • Encapsulating Security Payload (ESP)ESP is an IPsec protocol that provides confidentiality, authentication, integrity, and anti-replay functionality. ESP can be used alone, or it can be used together with AH.
Back to the top

Main-mode algorithms

In Windows Vista SP1 and in Windows Server 2008, the following integrity algorithms are supported in addition to those algorithms that are already supported in the release version of Windows Vista:

  • SHA-256
  • SHA-384

Note The key exchange algorithm and the encryption algorithm are not changed.

Back to the top

Quick-mode algorithms

In Windows Vista SP1 and in Windows Server 2008, the following algorithms are supported in addition to those algorithms that are already supported in the release version of Windows Vista.

Integrity (AH or ESP)

  • SHA-256
  • AES-GMAC-128
  • AES-GMAC-192
  • AES-GMAC-256

Integrity and encryption (ESP only)

  • AES-GCM-128
  • AES-GCM-192
  • AES-GCM-256

For more information about AH and ESP combinations that are supported and not supported, see the “Quick-mode cryptographic algorithm combinations that are supported and not supported” section.

Restrictions for Quick mode

  • The same integrity algorithm should be used for both AH and ESP.
  • The AES-GMAC algorithms are available for an integrity algorithm that has null encryption. Therefore, if any of these algorithms are specified for ESP integrity, the encryption algorithm cannot be specified.
  • If you use an AES-GCM algorithm, the same algorithm should be specified for both ESP integrity and encryption.
Back to the top

Authentication

In Windows Vista SP1 and in Windows Server 2008, the following authentication methods are supported in addition to those authentication methods that are already supported in the release version of Windows Vista.

  • Computer certificate with ECDSA-P256 signing
  • Computer certificate with ECDSA-P384 signing

Note The default authentication method for Windows Vista is RSA SecurId authentication.

 

The full Knowledge Base article is here.

1 Response to “Windows 7 Features Support for Suite B Cryptographic Algorithms via IPsec”

Feed for this Entry Trackback Address
  1. 1 KrisBelucci
    Jun 1st, 2009 at 9:37 pm

    da best. Keep it going! Thank you

Leave a Reply

«
»