
Message Digest 5 (MD5) and the Data Encryption Standard (DES) have been removed from the default list of IPsec cryptographic algorithms in Windows Vista and in Windows Server 2008



Introduction

This article discusses why Message Digest 5 (MD5) and the Data Encryption Standard (DES) have been removed from the default list of IPsec cryptographic algorithms in Windows Vista and in Windows Server 2008.



More information

Microsoft is removing cryptographic algorithms that are no longer considered secure from Windows Vista and from Windows Server 2008. Therefore, policies that were created by using the IP Security Policies Management snap-in or by using the netsh ipsec command have been changed to remove MD5 and DES from the default policies. The new defaults are backward compatible with policies that were created by using the defaults in Microsoft Windows 2000, in Windows XP, and in Windows Server 2003. Additionally, MD5 and DES can still be configured as part of a policy if they are required for compatibility or interoperability reasons.

The following settings have been updated.

The main-mode cryptographic set when you use the default settings to create a new policy
Previous:
  3DES, SHA1, DH Medium (2)
  3DES, MD5, DH Medium (2)
  DES, SHA1, DH Low (1)
  DES, MD5, DH Low (1)
Current:
  3DES, SHA1, DH Medium (2)

New filtration settings for the "netsh ipsec" command when it is used together with the "action=negotiate" parameter
Previous:
  ESP: 3DES, SHA1
  ESP: 3DES, MD5
Current:
  ESP: 3DES, SHA1

Action settings for the default response rule filters
Previous:
  ESP: 3DES, SHA1
  ESP: 3DES, MD5
  ESP: DES, SHA1
  ESP: DES, MD5
  AH: SHA1
  AH: MD5
Current:
  ESP: 3DES, SHA1
  AH: SHA1

Note The default response rule is deprecated in Windows Vista. The rule is available only to manage policies for earlier versions of Windows.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
942964 How the default response rule for IPsec policies functions in Windows Vista and in Windows Server 2008 Beta 3
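
Because MD5 and DES can still be configured explicitly, existing policies are worth auditing for them. The following is an added example, not part of the original article or of any Microsoft tool: it parses proposals written in the notation used in the lists above and reports the ones that rely on MD5 or DES, comparing whole tokens so that 3DES is not mistaken for DES. The function names are hypothetical, and flagging DH Low (1) is an assumption of this example, made because that group appears only in the removed DES proposals.

```python
import re

# Algorithms the article says were removed from the defaults.
WEAK_ALGORITHMS = {"MD5", "DES"}
# Assumption of this example: also report DH Low (1), which only
# appears in the removed DES proposals.
WEAK_DH_GROUPS = {1}

# Previous defaults, copied from the lists in this article.
PREVIOUS_MAIN_MODE = [
    "3DES, SHA1, DH Medium (2)", "3DES, MD5, DH Medium (2)",
    "DES, SHA1, DH Low (1)", "DES, MD5, DH Low (1)",
]
PREVIOUS_RESPONSE_RULE = [
    "ESP: 3DES, SHA1", "ESP: 3DES, MD5", "ESP: DES, SHA1",
    "ESP: DES, MD5", "AH: SHA1", "AH: MD5",
]

def parse_proposal(line):
    """Split 'ESP: 3DES, SHA1' or '3DES, SHA1, DH Medium (2)' into parts."""
    protocol = None
    if ":" in line:
        protocol, line = (part.strip() for part in line.split(":", 1))
    algorithms, dh_group = [], None
    for token in (t.strip() for t in line.split(",")):
        match = re.fullmatch(r"DH\s+\w+\s+\((\d+)\)", token, re.IGNORECASE)
        if match:
            dh_group = int(match.group(1))
        elif token:
            algorithms.append(token.upper())
    return {"protocol": protocol, "algorithms": algorithms, "dh_group": dh_group}

def weaknesses(line):
    """Return the weak items in one proposal; an empty list means none."""
    parsed = parse_proposal(line)
    # Whole-token comparison: a substring test for "DES" would also hit "3DES".
    found = [a for a in parsed["algorithms"] if a in WEAK_ALGORITHMS]
    if parsed["dh_group"] in WEAK_DH_GROUPS:
        found.append(f"DH group {parsed['dh_group']}")
    return found

def surviving(proposals):
    """Proposals that contain nothing weak, in their original order."""
    return [p for p in proposals if not weaknesses(p)]

if __name__ == "__main__":
    for proposal in PREVIOUS_MAIN_MODE + PREVIOUS_RESPONSE_RULE:
        print(f"{proposal:28} -> {weaknesses(proposal) or 'ok'}")
```

Filtering the previous defaults this way leaves exactly the entries listed under "Current" above.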



Keywords: kbexpertiseinter, kbhowto, kbinfo, KB947211


Article Info
Article ID : 947211
Revision : 3
Created on : 2/1/2008
Published on : 2/1/2008
Exists online : False