COMMAND

    IPsec

SYSTEMS AFFECTED

    Windows 2000

PROBLEM

    Sami Vaarala found the following.  The export version of Win2000
    (5.00.2195) may default to DES IPsec encryption even though ONLY
    3DES is configured to be acceptable.  Export Win2000 does not
    support 3DES at all, but instead of notifying the administrator
    it will accept 3DES in the configuration phase and use DES instead
    for actual network traffic.  This can only be detected by
    examining the event log; no visible error or warning is displayed.

    The bug may result in an administrator falsely believing that 3DES
    is used for IPsec encryption  while DES is actually used  instead.
    It might also cause interoperability problems with the IPsec/IKE
    implementations of other vendors, because Win2000 does not follow
    administrator policy strictly.

    IPsec is  an IETF  standard for  encrypting and  authenticating IP
    packets using  standard algorithms  such as  DES, 3DES,  HMAC-MD5,
    and  HMAC-SHA-1.   Outgoing  packets  are  divided  into   traffic
    categories based  on _security  policy_.   Each category  receives
    different  security  treatment  (e.g.  different  algorithms   for
    encryption/authentication).   Incoming packets  are decrypted  and
    authenticated, and checked for security policy conformance.

    IKE  (Internet  Key  Exchange)  is  a  protocol  for   negotiating
    encryption and authentication  algorithms between hosts  for IPsec
    protection.   IKE  also  performs  a  key  exchange to establish a
    session key for IPsec.

    IKE is a two-phase protocol.  The first phase establishes host
    authentication, the encryption algorithm, and keys for further IKE
    traffic.  The second phase establishes the actual IPsec algorithms
    and keys, which are used to protect IP packets.  Both phases have
    an "offer-response" component: the initiating host offers
    alternative algorithm combinations, and the responding host
    chooses one of them (or refuses to accept any of the
    alternatives).

    These  offer-response  decisions  are  based on configured policy,
    which makes policy  a critical component  of any secure  IPsec/IKE
    system.  Policy allows the administrator to define what traffic is
    protected and how to protect  it.  For instance, an  administrator
    may  want  to  secure  all  traffic  to  a database server hosting
    confidential data with 3DES since he considers DES to be insecure.

    Because the administrator is  generally unable to verify  that the
    policy  is  actually  honored  on  the  wire,  it is critical that
    secure  systems  follow  policy   to  the  letter.   For   further
    information about IPsec/IKE see RFCs 2401-2411 (www.ietf.org/).

    The Windows 2000 export version does not support 3DES encryption for
    IPsec  or  IKE  message  protection.  An  administrator  can still
    configure 3DES  to be  used, but  Windows will  silently turn 3DES
    into  DES  for  actual  IKE  negotiation.   This  behavior is only
    detectable  by  examining  the  event  log;  however,  there is no
    visible  warning.    This  could  essentially   be  described   as
    "ignorance of configured policy", and occurs in both IKE phases.

    This  bug  has  been  confirmed  in  Win2000 version 5.00.2195, by
    configuring Win2000 to  use only 3DES,  and by inspecting  the IKE
    messages received on a UNIX host implementing IPsec/IKE; the
    messages  contain  DES  proposals.   The  negotiating  IKE   hosts
    eventually agree on DES encryption  for IPsec (and IKE), which  is
    wrong.

    The bug may  be difficult to  reproduce, since IPsec  protected IP
    packets  do  not  carry  information  about the algorithm used for
    encryption.  Similarly, IKE messages are encrypted at the end of
    IKE phase 1 and for the whole of phase 2.  Programs such as Ethereal
    may be used to dump IKE  messages, but this will only work  in the
    beginning of IKE  phase 1 (before  encryption kicks in).   This is
    sufficient to verify phase 1 misbehavior.  It should be emphasized
    that even though you *ONLY* allow 3DES, DES will be used.
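
    The phase 1 check described above can be scripted.  The following is
    an added example, not code from the original advisory: it reads the
    cleartext SA payload of the first IKE phase 1 message (the UDP port
    500 payload) and lists any offered cipher outside a 3DES-only policy.
    Function names and the sample packet are constructed for
    illustration; it assumes the IPsec DOI with a 4-byte situation field
    and the SA payload first in the message.

```python
import struct

# Phase 1 "Encryption Algorithm" attribute (class 1) values, RFC 2409 Appendix A
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC"}

def offered_ciphers(msg):
    """Ciphers offered in the cleartext SA payload of an IKE phase 1 message."""
    if len(msg) < 40 or msg[16] != 1:       # SA (type 1) must be the first payload
        return []
    found, off = [], 28                     # ISAKMP header is 28 bytes
    end = min(len(msg), off + struct.unpack_from(">H", msg, off + 2)[0])
    p = off + 12                            # skip generic header, DOI, situation
    while p + 8 <= end:                     # each proposal
        pend = min(end, p + struct.unpack_from(">H", msg, p + 2)[0])
        t = p + 8 + msg[p + 6]              # skip proposal header and SPI
        while t + 8 <= pend:                # each transform
            tend = min(pend, t + struct.unpack_from(">H", msg, t + 2)[0])
            a = t + 8
            while a + 4 <= tend:            # each SA attribute
                atype, aval = struct.unpack_from(">HH", msg, a)
                if atype == 0x8001:         # TV form, class 1: encryption algorithm
                    found.append(ENC_NAMES.get(aval, "unknown(%d)" % aval))
                a += 4 if atype & 0x8000 else 4 + aval   # TLV: aval is a length
            t = max(tend, t + 8)            # always advance, even on a bad length
        p = max(pend, p + 8)
    return found

def policy_violations(msg, allowed=("3DES-CBC",)):
    """Offered ciphers that the configured policy (3DES only) does not permit."""
    return [c for c in offered_ciphers(msg) if c not in allowed]

def sample_packet(encs):
    """Constructed main-mode first message offering one transform per value in encs."""
    ts = b""
    for i, enc in enumerate(encs):          # attrs: cipher, hash=SHA, auth=PSK, group 2
        attrs = struct.pack(">8H", 0x8001, enc, 0x8002, 2, 0x8003, 1, 0x8004, 2)
        more = 3 if i + 1 < len(encs) else 0
        ts += struct.pack(">BBHBBH", more, 0, 8 + len(attrs), i + 1, 1, 0) + attrs
    prop = struct.pack(">BBHBBBB", 0, 0, 8 + len(ts), 1, 1, 0, len(encs)) + ts
    sa = struct.pack(">BBHII", 0, 0, 12 + len(prop), 1, 1) + prop
    hdr = b"\x11" * 8 + b"\x00" * 8 + struct.pack(">BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return hdr + sa

if __name__ == "__main__":
    print(policy_violations(sample_packet([1])))   # constructed DES-only offer
```

    Run against a captured first message from a host configured for 3DES
    only, a non-empty result means the host is offering something the
    policy does not allow.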

    This  bug  does  not  cause  any blatantly obvious security holes.
    However,  DES  is  certainly  less  secure  than 3DES, and in some
    applications DES  may be  unacceptable (e.g.  for legal  reasons).
    Administrators  should  be  aware  of  this,  and install the high
    encryption pack in case 3DES is required.

SOLUTION

    Install the high encryption pack.  This will enable 3DES in
    Win2000 and will fix the problem.  (Without the high encryption
    pack, 3DES will not be available at all.)  The high encryption pack
    is available from:

        http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp