Computer Security - How safe is the NTFS encryption system

#1

Hi Folks

I know that safety is a relative term, but how safe is the NTFS encryption system (Windows XP), who can access the files encrypted, just me, or any member of the administrators group?

Would it be safer/better to use an external (from the filesystem) encryption system?

Regards

Per Pedersen

#2

The encryption is as safe as a 128 bit encryption can be. You will have a hard time finding anything safer than NTFS if we only talk about the safety in the EFS.

AT

"Per Pedersen" <> wrote in message news:400b061a$0$24875$ ...
> Hi Folks
>
> I know that safety is a relative term, but how safe is the NTFS encryption system (Windows XP), who can access the files encrypted, just me, or any member of the administrators group?
>
> Would it be safer/better to use an external (from the filesystem) encryption system?
>
> Regards
>
> Per Pedersen

#3

On Sun, 18 Jan 2004 23:18:06 +0100, whilst in NewsFroup alt.computer.security, "Per Pedersen" <> articulated the following sentiments:

> Hi Folks
>
> I know that safety is a relative term, but how safe is the NTFS encryption system (Windows XP), who can access the files encrypted, just me, or any member of the administrators group?

Hmm, in Windows 2000, the default Administrator account is defined as the default 'Recovery Agent'. I take this to mean that this account can decrypt encrypted files in the case of a lost private key from another user. Say when someone leaves a company, and the private key goes missing too. Other than that, only the user who encrypted the data, and any other assigned Recovery Agents can access that data.

There's a bit of reading available in 2000/XP about the EFS, as well as on Microsoft's web site of course. My Windows XP Pro install does not have any account set by default as a recovery agent. Does yours?

> Would it be safer/better to use an external (from the filesystem) encryption system?

I'm a big fan of PGP, and I paid for one of the latest versions (8.0.2) so I could use PGP disk. I'm pretty used to this program, and have multiple backups of my private keys in separate locations. PGP disk does a fine job and is so straightforward and easy to set up and use.

http://www.pgpi.org

I wouldn't know which was safer to use, as both EFS and PGP are good encryption applications IMO, but PGP has more options for me, and although it can't beat the integration of EFS, it is my preferred choice.

Perhaps the greatest risk in using these kinds of programs that I've seen is not in worrying about if someone can break the encryption or not, but rather making sure you don't end up being locked out of your own data, by losing keys and/or not backing them up.

HTH a bit.

Egardses, Pete.

#4

AT wrote:

Actually it isn't 128 bit encryption, that is a myth. I did some digging on this recently and they use plain old 56-bit DES encryption. DES was cracked a few years ago, but that really isn't the problem. Sure, you could brute force it but it would take a LONG time.

The real risk here is twofold. The password to the user id is the key to read the file. Hacking a password in XP is EASY with a good utility and local access to the box. Also, if you aren't the administrator, the administrator also has access to the files as a backup in case you lose yours or leave the company.

In a nutshell, it is decent, but far from great if you don't have a hard password (12+ characters, numbers, symbols) or if you don't hold the administrator password to the box.

Regards,
Aaron

> The encryption is as safe as a 128 bit encryption can be. You will have a hard time finding anything safer than NTFS if we only talk about the safety in the EFS.
>
> AT
>
> "Per Pedersen" <> wrote in message news:400b061a$0$24875$ ...
>
>> Hi Folks
>>
>> I know that safety is a relative term, but how safe is the NTFS encryption system (Windows XP), who can access the files encrypted, just me, or any member of the administrators group?
>>
>> Would it be safer/better to use an external (from the filesystem) encryption system?
>>
>> Regards
>>
>> Per Pedersen

#5

"Aaron Delp" <> wrote in message news:yEAQb.5707$ m...
> AT wrote:
> Actually it isn't 128 bit encryption, that is a myth. I did some digging on this recently and they use plain old 56-bit DES encryption.

Out of interest, cite?

Used to be advertised as 128-bit DES for the North American market, and 40-bit elsewhere. Should have gone to 128-bit with the High Encryption Pack (or whatever they called it)

--
Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!

#6

Sorry about that. I read that on a NON-Microsoft site that was obviously wrong and I can't seem to find again. They probably heard the algorithm was DES and assumed 56 bit like I did.

Here are links to Windows 2000 WS and Server that explain exactly what you say. The first link states they use DESX in either 40bit or 128bit for 2000.

The second link is for Windows XP and Windows 2003 Server which I just dug up as well. It is a GREAT link that shows everything step by step and includes the following information concerning the bit strength (including that they use 56 bit and 128 bit):

All exported versions of Windows 2000 use 56-bit key sizes by default unless the 128-bit encryption pack is applied. Workstations that have the 128-bit encryption pack installed may decrypt files with 56-bit key lengths and will encrypt all new files with 128-bit key lengths. However, machines that are only 56-bit-capable may not open files that have been encrypted with 128-bit key lengths. This scenario is especially important where a user has a roaming user profile and may use different machines that have different encryption capabilities.

The Windows XP operating system supports the use of a stronger symmetric algorithm than the default DESX algorithm included with the Windows 2000 operating system. The default algorithm for Windows 2000 and Windows XP is DESX. The default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled.

Here are the links:

Windows 2000: http://www.microsoft.com/windows2000...ty/encrypt.asp

Windows XP and Server 2003: http://www.microsoft.com/technet/tre...oy/CryptFS.asp

Regards,
Aaron

Hairy One Kenobi wrote:

> "Aaron Delp" <> wrote in message news:yEAQb.5707$ m...
>
>> AT wrote:
>> Actually it isn't 128 bit encryption, that is a myth. I did some digging on this recently and they use plain old 56-bit DES encryption.
>
> Out of interest, cite?
>
> Used to be advertised as 128-bit DES for the North American market, and 40-bit elsewhere. Should have gone to 128-bit with the High Encryption Pack (or whatever they called it)