How safe is the NTFS encryption system

Discussion in 'Computer Security' started by Per Pedersen, Jan 18, 2004.

  1. Per Pedersen Guest

    Hi' Folks

    I know that safety is a relative term, but how safe is the NTFS encryption
    system (WindowsXP), who can access the files encrypted, just me, or any
    member of the administrators group?

    Would it be safer/better to use an external (from the filesystem) encryption
    system?

    Regards

    Per Pedersen
     
    Per Pedersen, Jan 18, 2004
    #1

  2. AT Guest

    The Encryption is as safe as a 128 bit encryption can be. You will have a
    hard time to find anything safer than NTFS if we only talk about the safety
    in the EFS.

    AT

    "Per Pedersen" <> wrote in message
    news:400b061a$0$24875$...
    > Hi' Folks
    >
    > I know that safety is a relative term, but how safe is the NTFS encryption
    > system (WindowsXP), who can access the files encrypted, just me, or any
    > member of the administrators group?
    >
    > Would it be safer/better to use an external (from the filesystem)
    > encryption system?
    >
    > Regards
    >
    > Per Pedersen
    >
    >
     
    AT, Jan 19, 2004
    #2

  3. Pete Guest

    On Sun, 18 Jan 2004 23:18:06 +0100, whilst in NewsFroup
    alt.computer.security, "Per Pedersen" <>
    articulated the following sentiments :

    >Hi' Folks
    >
    >I know that safety is a relative term, but how safe is the NTFS encryption
    >system (WindowsXP), who can access the files encrypted, just me, or any
    >member of the administrators group?


    Hmm, in Windows 2000, the default Administrator account is defined as the
    default 'Recovery Agent'. I take this to mean that this account can decrypt
    encrypted files in the case of a lost private key from another user. Say
    when someone leaves a company, and the private key goes missing too. Other
    than that, only the user who encrypted the data, and any other assigned
    Recovery Agents can access that data. There's a bit of reading available in
    2000/XP about the EFS, as well as on Microsoft's web site of course.

    My Windows XP Pro install does not have any account set by default as a
    recovery agent. Does yours ?

    >Would it be safer/better to use an external (from the filesystem) encryption
    >system?


    I'm a big fan of PGP, and I paid for one of the latest versions (8.0.2)
    so I could use PGP disk. I'm pretty used to this program, and have multiple
    backups of my private keys in separate locations. PGP disk does a fine job
    and is so straightforward and easy to set up and use.

    http://www.pgpi.org

    I wouldn't know which was safer to use, as both EFS and PGP are good
    encryption applications IMO, but PGP has more options for me, and although
    it can't beat the integration of EFS, it is my preferred choice.

    Perhaps the greatest risk in using these kinds of programs that I've seen is
    not in worrying about if someone can break the encryption or not, but rather
    making sure you don't end up being locked out of your own data, by losing
    keys and/or not backing them up.

    HTH a bit.

    Egardses,

    Pete.
     
    Pete, Jan 21, 2004
    #3
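
    The two questions raised in the post above (who else can decrypt an EFS file, and whether you still hold the key yourself) can be checked on a live system. This is an added example, not part of the original thread; it assumes Windows Vista or later (where `cipher /c` exists) and PowerShell 3+, and the `$Root` folder is a placeholder.

```powershell
# Added example: audit EFS keys and per-file decryptors for the current user.
param([string]$Root = "$env:USERPROFILE\Documents")   # assumed folder to audit

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent)

function Get-EkuOids($Cert) {
    # Return the Enhanced Key Usage OIDs carried by a certificate.
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

# 1. EFS-capable certificates in this profile. A certificate without its
#    private key cannot decrypt anything: that is the lock-out case.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $oids = @(Get-EkuOids $_)
    ($oids -contains $EfsOid) -or ($oids -contains $RecoveryOid)
})
foreach ($c in $efsCerts) {
    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        Expires       = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        RecoveryAgent = (@(Get-EkuOids $c) -contains $RecoveryOid)
    }
}
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate found in this profile.'
}

# 2. For every encrypted file under $Root, let cipher.exe report the users
#    and recovery certificates that are able to decrypt it.
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        Write-Host "== $($_.FullName)"
        cipher.exe /c $_.FullName
    }
```

    Where `HasPrivateKey` is True, `cipher /x` exports that certificate and key to a password-protected .PFX file that can be stored offline as a backup.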
  4. Aaron Delp Guest

    AT wrote:
    Actually it isn't 128 bit encryption, that is a myth. I did some
    digging on this recently and they use plain old 56-bit DES encryption.
    DES was cracked a few years ago, but that really isn't the problem.
    Sure, you could brute force it but it would take a LONG time.

    The real risk here is twofold. The password to the user id is the key
    to read the file. Hacking a password in XP is EASY with a good utility
    and local access to the box. Also, if you aren't the administrator, the
    administrator also has access to the files as a backup in case you lose
    yours or leave the company.

    In a nutshell, it is decent, but far from great if you don't have a hard
    password (12+ characters, numbers, symbols) or if you don't hold the
    administrator password to the box.

    Regards,
    Aaron


    > The Encryption is as safe as a 128 bit encryption can be. You will have a
    > hard time to find anything safer than NTFS if we only talk about the safety
    > in the EFS.
    >
    > AT
    >
    > "Per Pedersen" <> wrote in message
    > news:400b061a$0$24875$...
    >
    >> Hi' Folks
    >>
    >> I know that safety is a relative term, but how safe is the NTFS encryption
    >> system (WindowsXP), who can access the files encrypted, just me, or any
    >> member of the administrators group?
    >>
    >> Would it be safer/better to use an external (from the filesystem)
    >> encryption system?
    >>
    >> Regards
    >>
    >> Per Pedersen
     
    Aaron Delp, Jan 24, 2004
    #4
  5. Hairy One Kenobi

    "Aaron Delp" <> wrote in message
    news:yEAQb.5707$...
    > AT wrote:
    > Actually it isn't 128 bit encryption, that is a myth. I did some
    > digging on this recently and they use plain old 56-bit DES encryption.


    Out of interest, cite?

    Used to be advertised as 128-bit DES for the North American market, and
    40-bit elsewhere. Should have gone to 128-bit with the High Encryption Pack
    (or whatever they called it)

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Jan 24, 2004
    #5
  6. Per Pedersen

    Aaron Delp Guest

    You are COMPLETELY correct!

    Sorry about that. I read that on a NON-Microsoft site that was
    obviously wrong and I can't seem to find again. They probably heard the
    algorithm was DES and assumed 56 bit like I did. Here are links to
    Windows 2000 WS and Server that explain exactly what you say. The first
    link states they use DESX in either 40bit or 128bit for 2000. The
    second link is for Windows XP and Windows 2003 Server which I just dug
    up as well. It is a GREAT link that shows everything step by step and
    includes the following information concerning the bit strength
    (including that they use 56 bit and 128 bit):

    All exported versions of Windows 2000 use 56-bit key sizes by default
    unless the 128-bit encryption pack is applied. Workstations that have
    the 128-bit encryption pack installed may decrypt files with 56-bit key
    lengths and will encrypt all new files with 128-bit key lengths.
    However, machines that are only 56-bit-capable may not open files that
    have been encrypted with 128-bit key lengths. This scenario is
    especially important where a user has a roaming user profile and may use
    different machines that have different encryption capabilities.

    The Windows XP operating system supports the use of a stronger symmetric
    algorithm than the default DESX algorithm included with the Windows 2000
    operating system. The default algorithm for Windows 2000 and Windows XP
    is DESX. The default algorithm for Windows XP Service Pack 1 and Windows
    Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key.
    For users requiring greater symmetric key strength with a FIPS 140-1
    compliant algorithm, the 3DES algorithm can be enabled.

    Here are the links:

    Windows 2000:
    http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

    Windows XP and Server 2003:
    http://www.microsoft.com/technet/tr...chnet/prodtechnol/winxppro/deploy/CryptFS.asp

    Regards,
    Aaron


    Hairy One Kenobi wrote:
    > "Aaron Delp" <> wrote in message
    > news:yEAQb.5707$...
    >
    >>AT wrote:
    >>Actually it isn't 128 bit encryption, that is a myth. I did some
    >>digging on this recently and they use plain old 56-bit DES encryption.

    >
    >
    > Out of interest, cite?
    >
    > Used to be advertised as 128-bit DES for the North American market, and
    > 40-bit elsewhere. Should have gone to 128-bit with the High Encryption Pack
    > (or whatever they called it)
    >
     
    Aaron Delp, Jan 25, 2004
    #6