Dynamic key regeneration
IPSec policy controls how often new keys are generated during a communication through a method called dynamic rekeying. The communication is sent in blocks, and each block of data is protected by a different key. This prevents an attacker who has obtained part of the communication and the corresponding session key from recovering the rest of the communication. The on-demand security negotiation and automatic key management service is provided by the Internet Key Exchange (IKE) defined in RFC 2409.
IPSec policy lets you control how often new keys are generated. If no value is configured, keys are regenerated automatically at the default interval.
Key length
Every additional bit of key length doubles the number of possible keys, which makes the key harder to crack. IPSec policy provides various algorithms that allow the use of short or long key lengths.
Key Material Generation: Diffie-Hellman Algorithm
To achieve secure communication, two computers must be able to obtain the same shared key (the session key) without sending or revealing that key over the network.
The Diffie-Hellman (DH) algorithm predates Rivest-Shamir-Adleman (RSA) encryption and provides better performance. It is one of the oldest and most secure key exchange algorithms. Both parties can exchange key information publicly, and Windows XP further protects this information with hash function signatures. Neither party exchanges the actual key; after exchanging key material, each party can generate the same shared key.
The DH key material exchanged by both parties can be based on 768-bit or 1024-bit key material, that is, on a DH group. The security provided by a DH group corresponds to the strength of the keys computed from the DH exchange. A DH group that provides strong security, used in combination with a long key length, increases the computational difficulty of trying to determine the key.
IPSec uses the DH algorithm to provide key material for all other encryption keys. DH itself does not provide authentication. In the Windows XP IPSec implementation, the DH exchange is authenticated afterward to prevent man-in-the-middle attacks.
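To make the exchange described above concrete, the following is an added example (not code from the original document or from the Windows XP implementation) of DH key agreement over the two IKE MODP groups the text mentions, group 1 (768-bit) and group 2 (1024-bit) from RFC 2409. The `DHPeer` class, the `agree` helper and the use of SHA-256 in place of IKE's PRF are this example's own simplifications.

```python
"""Diffie-Hellman over the IKE MODP groups of RFC 2409 (added example)."""
import hashlib
import secrets

# Primes for IKE DH group 1 (768-bit) and group 2 (1024-bit), RFC 2409 sec. 6;
# both groups use generator 2.
MODP_GROUPS = {
    1: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    2: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2
# Cheap Fermat sanity check that the primes were transcribed correctly.
assert all(pow(2, p - 1, p) == 1 for p in MODP_GROUPS.values())


class DHPeer:
    """One IKE peer: the private exponent x stays here, only g^x mod p is sent."""

    def __init__(self, group, private=None):
        self.p = MODP_GROUPS[group]
        self.x = private if private is not None else secrets.randbelow(self.p - 3) + 2
        self.public = pow(GENERATOR, self.x, self.p)

    def shared_key(self, peer_public):
        # Degenerate public values (0, 1, p-1) would force a predictable secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid DH public value")
        secret = pow(peer_public, self.x, self.p)
        # IKE never uses g^xy directly: it feeds the secret to a PRF to derive
        # keying material. SHA-256 stands in for that PRF in this example.
        nbytes = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()


def agree(group):
    """Run one exchange; return both derived keys and the group's modulus size."""
    initiator, responder = DHPeer(group), DHPeer(group)
    # Only the two public values cross the wire; an eavesdropper who records
    # them still lacks either private exponent and cannot derive the key.
    return (initiator.shared_key(responder.public),
            responder.shared_key(initiator.public),
            initiator.p.bit_length())
```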