How good is W2K encryption
Hi,
The subject lines should be pretty clear.
Assuming one could get a copy of a file or folder, how difficult would it be to break the encryption? Are there commercial services that can do that? (My M.D. wants to know!)
Is there any difference between W2K and XP encryption?
Thanks a lot,
Peter Kaufman MCP
|
"Peter Kaufman" wrote in message news:an9ma0hrjdhb1i513qvg7ua3m6mjpg5a6f@4ax.com...
> Assuming one could get a copy of a file or folder, how difficult would
> it be to break the encryption? Are there commercial services that can
> do that? (My M.D. wants to know!)
>
> Is there any difference between W2K and XP encryption?

So you mean EFS (Encrypting File System)? Under W2K, it is not very reliable - if you have certificates (encryption keys), the files can be decrypted even without knowledge of the password. Under XP, it is much better, but it can still be broken if the password is known. Have a look at "Advanced EFS Data Recovery":
http://www.elcomsoft.com/aefsdr.html
Some technical details (presentation at the BlackHat security conference):
http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-malyshev.pdf
--
Sincerely yours,
Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov@elcomsoft.com
http://www.elcomsoft.com
|
Thanks a lot - I appreciate that.
Peter
On Wed, 19 May 2004 16:29:42 +0400, "Vladimir Katalov" wrote:
>"Peter Kaufman" wrote in message
>news:an9ma0hrjdhb1i513qvg7ua3m6mjpg5a6f@4ax.com...
>> Assuming one could get a copy of a file or folder, how difficult would
>> it be to break the encryption? Are there commercial services that can
>> do that? (My M.D. wants to know!)
>>
>> Is there any difference between W2K and XP encryption?
>
>So you mean EFS (Encrypting File System)? Under W2K, it is not very reliable
>- if you have certificates (encryption keys), the files can be decrypted
>even without knowledge of password. Under XP, it is much better, but still
>can be broken if password is known. Have a look at "Advanced EFS Data Recovery":
>
>http://www.elcomsoft.com/aefsdr.html
>
>Some technical details (presentation on BlackHat security conference):
>
>http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-malyshev.pdf
|
Having an encryption key (certificate) doesn't mean you also have the decryption key (private key - not in the certificate).
In a domain, not running as local system, EFS is pretty good - only knowing the user's password or brute-forcing the crypto gains access to a file's contents.
XP SP1 and later use AES as their symmetric algorithm by default. And XP has a fix for the Win2k non-domain loophole.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Vladimir Katalov" wrote in message news:2h12ilF7nebeU1@uni-berlin.de...
> "Peter Kaufman" wrote in message
> news:an9ma0hrjdhb1i513qvg7ua3m6mjpg5a6f@4ax.com...
> > Assuming one could get a copy of a file or folder, how difficult would
> > it be to break the encryption? Are there commercial services that can
> > do that? (My M.D. wants to know!)
> >
> > Is there any difference between W2K and XP encryption?
>
> So you mean EFS (Encrypting File System)? Under W2K, it is not very reliable
> - if you have certificates (encryption keys), the files can be decrypted
> even without knowledge of password. Under XP, it is much better, but still
> can be broken if password is known. Have a look at "Advanced EFS Data Recovery":
>
> http://www.elcomsoft.com/aefsdr.html
>
> Some technical details (presentation on BlackHat security conference):
>
> http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-malyshev.pdf
>
> --
> Sincerely yours,
> Vladimir
>
> Vladimir Katalov
> Managing Director
> ElcomSoft Co.Ltd.
> Member of Association of Shareware Professionals (ASP)
> Member of Russian Cryptology Association
> mailto:vkatalov@elcomsoft.com
> http://www.elcomsoft.com
|
Hey Drew,
Did you look at the link Vladimir provided?
Thanks,
Peter
On Wed, 19 May 2004 18:53:27 -0700, "Drew Cooper [MSFT]" wrote:
>Having an encryption key (certificate) doesn't mean you also have the
>decryption key (private key - not in the certificate).
>
>In a domain, not running as local system, EFS is pretty good - only knowing
>the user's password or brute-forcing the crypto gains access to a file's
>contents.
>
>XP SP1 and later use AES as their symmetric algorithm by default. And XP
>has a fix for the Win2k non-domain loophole.
|
"Drew Cooper [MSFT]" wrote in message news:uV4O80gPEHA.3328@TK2MSFTNGP09.phx.gbl...
> Having an encryption key (certificate) doesn't mean you also have the
> decryption key (private key - not in the certificate).
Thanks for the correction -- yes, you're right; in order to decrypt the files, we need the private keys, of course.
> In a domain, not running as local system, EFS is pretty good - only knowing
> the user's password or brute-forcing the crypto gains access to a file's
> contents.

Not exactly. In a domain environment, the private keys are sometimes (I'd even say, very often) cached locally, and encrypted using the "old-style" hash (as in Windows 2000), even if the local system is running Windows XP -- and so brute-forcing is not needed.
> XP SP1 and later use AES as their symmetric algorithm by default.
The algorithm does not really matter. If we have a key, AES is not stronger than DESX or 3DES.

> And XP
> has a fix for the Win2k non-domain loophole.
Sorry, could you explain, please?
--
Sincerely yours,
Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov@elcomsoft.com
http://www.elcomsoft.com
|
The encryption itself is extremely good if you are using at least SP2 and awesome if you use XP SP1 which uses AES 256. The link below tells a little bit about that.
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741
However the vulnerability is access to the private key used for EFS - not cracking the encryption itself if using at least SP2. W2K requires a recovery agent, which on a non-domain computer will be the built-in local administrator account, and a lot of users did not know that. Plus in W2K the private key can be accessed if the user key is "reset", which allowed attackers to use a password reset disk to reset the local administrator's password and then potentially decrypt ANY files on the disk, if the RA private key was still present, by then logging on as the administrator. The use of an "offline" syskey password/disk can greatly reduce that threat.
Windows XP/2003 greatly increased EFS security with stronger encryption and better protection of the private key. No longer can a password be "reset" to allow access to a user's EFS files and no recovery agent is required.
However as long as the EFS private keys exist on a computer, there is a possibility to access EFS files even if the attack is just password guessing. The risk is much greater if the attacker has physical access to the computer, which makes laptops very vulnerable. The steps below can help protect your EFS files and what you do depends on how badly you want to secure your data.
-- Use complex passwords as is best practice anyhow.
-- Encrypt only folders - never the files themselves and save the files to the EFS encrypted folder.
-- Use syskey offline protection, which would require the use of a floppy or password to access the operating system, which will greatly mitigate attacks on the local administrator account and therefore the possibility of installing password cracking software.
-- Disable storing of the weak LM hash for passwords, which will require a change of password to implement.
-- If EFS is used on domain computer and users should NOT have access to EFS files over the network make sure the computer is not trusted for delegation.
-- Export/delete the private keys for user and recovery agent if one is used. This is the single best thing to do to protect your EFS files but is inconvenient, though may be necessary for laptops. Physically secured computers do not have the urgent need to do such.
-- To truly clean up things you would need to scrub the hard drive of any clear text remnants of deleted files. Cipher /w is built in and free but a third party program that also scrubs the page file and memory before shutdown would be better. Again, this would be most important on a computer that can not be physically secured.
-- W2K is a four year old operating system. If EFS is going to be used and you want the best protection then use XP SP1 and Windows 2003 for EFS on servers.
The links below may be helpful and be sure to have a recovery plan that includes backup of EFS private keys so as not to lose YOUR access to your EFS files.
--- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

"Peter Kaufman" wrote in message news:an9ma0hrjdhb1i513qvg7ua3m6mjpg5a6f@4ax.com...
> Hi,
>
> The subject lines should be pretty clear.
>
> Assuming one could get a copy of a file or folder, how difficult would
> it be to break the encryption? Are there commercial services that can
> do that? (My M.D. wants to know!)
>
> Is there any difference between W2K and XP encryption?
>
> Thanks a lot,
>
> Peter Kaufman MCP
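
A read-only audit of two items from the checklist in the post above (LM hash storage, and EFS or recovery-agent private keys still present in the certificate store), as an added example that is not part of the original thread. It assumes a Windows system with PowerShell 3.0 or later; the function names `Test-NoLMHash` and `Get-EfsKeyExposure` are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the system.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent) EKU

function Test-NoLMHash {
    # NoLMHash = 1 under the Lsa key stops LM hashes being stored for new
    # passwords; hashes already stored stay until each password is changed.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa  = Get-ItemProperty -Path $path -Name NoLMHash -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.NoLMHash -eq 1)
}

function Get-EfsKeyExposure {
    # Lists certificates usable for EFS or EFS recovery and reports whether
    # the matching private key is still associated with this store.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Collect the EKU OIDs of this certificate (empty if it has no EKU extension).
        $oids = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $role = $null
        if ($oids -contains $RecoveryOid) { $role = 'RecoveryAgent' }
        elseif ($oids -contains $EfsOid)  { $role = 'EfsUser' }

        if ($role) {
            [pscustomobject]@{
                Role              = $role
                Subject           = $cert.Subject
                Thumbprint        = $cert.Thumbprint
                NotAfter          = $cert.NotAfter
                PrivateKeyPresent = $cert.HasPrivateKey
            }
        }
    }
}

"LM hash storage disabled: $(Test-NoLMHash)"
Get-EfsKeyExposure | Format-Table -AutoSize
```

Rows with `PrivateKeyPresent` set to `True` are the keys the checklist suggests exporting to removable media and deleting from the machine; run it once per user profile, since the store path is per user.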