
Re: Win2000 IKE and 3des



Honestly, this is well worth a BugTraq notification. The interface should not let you configure 3DES if you cannot use it, and not post an obscure event that hardly anyone sees (the proof being that nobody saw it here).

(and Thanks for the hint about the domestic versions; good to know).

Regards,

	Frederic

> Sumi Singh wrote:
> 
> Just to clarify the behaviour of Windows 2000 -
> Windows 2000 weakens 3DES policy to DES if you do not have the strong encryption pack (128-bit) installed. This weakening is announced by an event in the Audit log. So if you have 2 peers with no encryption pack installed, and a policy to use 3DES, they will talk DES since they cannot do 3DES.
> 
> However if one of the peers has high encryption pack installed and his policy has 3DES only, then he will not accept DES from the other peer and the negotiation will fail.
> 
> For domestic versions you can install the strong crypto pack for doing 3DES from http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
> 
> Sumi.
> -----Original Message-----
> From: Frédéric Detienne [mailto:fd@cisco.com]
> Sent: Friday, May 12, 2000 12:56 AM
> To: wprice@cyphers.net
> Cc: Sami Vaarala; ipsec@lists.tislabs.com
> Subject: Re: Win2000 IKE and 3des
> 
> I fully agree.
> 
> Actually, it is not so silent. The first time it does so, Windows posts an event to the event log. But it took me a while to figure it out the first time as the event log is not very handy to debug.
> 
> This is really nasty to me. Especially if you run IPSec between two Win2K boxes => negotiation will succeed but you may never notice it is DES instead of 3DES.
> 
> I noticed the issue when negotiating against a Cisco router.
> 
> Actually, Win2K will negotiate DES instead of 3DES on non US registered releases only (at least). There seems to be a strong encryption version of Win2K (license ?).
> 
>         fred
> 
> Will Price wrote:
> >
> > This sounds fairly serious to me.
> >
> > Perhaps this should be posted to BugTraq.  This needs confirmation.  I
> > thought I saw something like this when I was doing my tests against Win2K,
> > but it's been quite some time since then.
> >
> > Sami Vaarala wrote:
> > > > Are both of you saying that if you set your policy for 3-DES ONLY (not 3-DES preferred but 3-DES only) that Windows 2000 will negotiate DES anyway?
> > >
> > > Yes, that seems to be the case.  I have only checked that if I configure
> > > 3des, it will send des as an initiator, and a phase 1 SA with des will
> > > be formed (if the remote end accepts des).  Haven't checked if it works
> > > this way as a responder; probably will.
> > >
> > > > Or are you saying that Windows 2000 will fall back from 3-DES to DES if your configured policy lets it do so and the peer doesn't support 3-DES?
> > >
> > > No.  This would be the correct way to function, and there would not be
> > > an issue if this were the case.
> > >
> > > > The former is a bug which I've not seen in Windows 2000.  The latter is
> > > > expected behavior since you configured it to do so.
> > >
> > > My point exactly.  The latter behavior would be the one I would prefer
> > > to see, of course.
> >
> > --
> > Will Price, Director of Engineering
> > PGP Security, Inc.
> > a division of Network Associates, Inc.
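The downgrade described above is invisible unless you look at what the phase 1 SA actually carries rather than at the configured policy. As an added example (not code from anyone on this thread), the Python below decodes the Encryption-Algorithm attribute of an IKEv1 transform payload per RFC 2409 Appendix A (DES-CBC = 1, 3DES-CBC = 5) and flags any SA that is not 3DES-CBC; the payload bytes are constructed by hand, and capturing real ones is outside the example.

```python
import struct

# IKEv1 transform attribute class and values from RFC 2409 Appendix A.
ENCRYPTION_ALGORITHM = 1
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC"}   # subset of the registered values


def parse_transform_attributes(payload: bytes) -> dict:
    """Return {attribute_class: value} from one ISAKMP transform payload.

    Layout: next(1) reserved(1) length(2) transform#(1) transformID(1)
    reserved(2), then attributes. A type with the high bit set is TV
    (2-byte value); otherwise TLV (2-byte length, then value).
    """
    length = struct.unpack("!H", payload[2:4])[0]
    attrs, off = {}, 8
    while off < length:
        atype = struct.unpack("!H", payload[off:off + 2])[0]
        if atype & 0x8000:                       # TV encoding
            value = struct.unpack("!H", payload[off + 2:off + 4])[0]
            off += 4
        else:                                    # TLV encoding
            alen = struct.unpack("!H", payload[off + 2:off + 4])[0]
            value = int.from_bytes(payload[off + 4:off + 4 + alen], "big")
            off += 4 + alen
        attrs[atype & 0x7FFF] = value
    return attrs


def negotiated_cipher(payload: bytes) -> str:
    alg = parse_transform_attributes(payload).get(ENCRYPTION_ALGORITHM)
    return ENC_NAMES.get(alg, f"unknown({alg})")


def violates_3des_policy(payload: bytes) -> bool:
    """True when the SA that actually formed is anything other than 3DES-CBC,
    which is the silent downgrade the thread describes."""
    return negotiated_cipher(payload) != "3DES-CBC"


def build_transform(enc_value: int) -> bytes:
    """Constructed KEY_IKE transform (ID 1) carrying one TV Encryption-Algorithm
    attribute; total length 8 header + 4 attribute = 12 bytes."""
    header = struct.pack("!BBHBBH", 0, 0, 12, 1, 1, 0)
    return header + struct.pack("!HH", 0x8000 | ENCRYPTION_ALGORITHM, enc_value)


DES_SA = build_transform(1)        # what a peer offering only DES sends
TRIPLE_DES_SA = build_transform(5)
```

Run `violates_3des_policy` over the transform chosen in a completed phase 1 exchange; a True result against a 3DES-only policy is the condition the event log entry announces.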

