How do I determine the method of encryption?

Posted on 2006-11-02
Last Modified: 2013-12-04
I have enabled EFS. When I encrypt a file, it turns green. How do I determine which version of encryption it is using? I want to use 3DES and have made the registry change, but it could also be using DESX and I wouldn't know the difference. Is there some way to tell the difference between 128-bit vs. 256-bit and DESX vs. 3DES?
Question by:shakdk
11 Comments
 

Author Comment

by:shakdk
ID: 17863291
further info...
This is on a WinXP, SP2 workstation.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863486
There is a header that tells what it is; I've never looked that closely or changed the defaults, so I'm not sure what to look for... but by default, XP SP1 and greater is AES; using anything other than AES, you're stepping backward in encryption strength.
http://support.microsoft.com/kb/329741
http://technet2.microsoft.com/WindowsServer/en/library/997fdd99-73ec-4041-9cf4-1370739a59201033.mspx?mfr=true
DESX was used in Win2k, 3DES was XP, and AES is XP SP1's and 2003's default. I've moved files between older OSes, and the newer OS can read them fine; however, files created on newer OSes using AES cannot be moved to the older OS, but I haven't tried this lately... maybe you can now.
-rich

Author Comment

by:shakdk
ID: 17863545
I guess this is the information I needed.

1. Decrypt all the EFS encrypted files in Windows XP SP1.
2. On the Windows XP SP1-based workstation, start Registry Editor.
3. Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS
4. On the Edit menu, click Add Value, and then add the following registry value:
Value name: AlgorithmID
Data type: REG_DWORD
Radix: Hexadecimal
Value data: Use any of the values from the following list:
• 3DES: 0x6603 (This value is compatible with Windows XP and later.)
• DESX: 0x6604 (This value is compatible with all versions of Windows 2000 and Windows XP.)
• AES_256: 0x6610 (This is the default value. It is compatible with only Windows XP SP1 and later.)
 
5. Quit Registry Editor.
6. Restart the Windows XP SP1-based workstation.
7. Encrypt the files again using either operating system.

But I would still like to find out what version of encryption it's using. I changed my registry entry to 6610, so I'm assuming that it's now using AES_256. Funny that by default there is no entry called AlgorithmID, so I can't confirm the level of encryption before adding the registry edit above.

Anyone else know what to look for in the header?
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863832
When XP is upgraded to SP2, AES is the default. 2003 is AES by default, because the EFS files are updated. Creating the registry key is a way to force a certain encryption level in case there are older systems that need this info. EFSinfo (or the details under advanced properties) can give you some additional info on the EFS file, but if you view the cert EFS is using, it does not say what algo is being used for the file. This is the best I can do...
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsck_efs_duwf.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/fc339cb3-5c17-43e6-9e48-7cf72a761bbf1033.mspx?mfr=true
3DES algorithm support
Windows XP Professional can be configured to use the triple-DES (3DES) algorithm instead of DESX. 3DES, which is compliant with Federal Information Processing Standards (FIPS 140-1 Level 1), offers significantly stronger encryption using a 128-bit or 168-bit key.
3DES is enabled through a Group Policy setting.
Note When 3DES is enabled, it is used as the encryption algorithm for IP Security as well as for EFS. For more information about configuring 3DES support, see “Enabling 3DES” later in this chapter.
When 3DES is enabled, all new encryptions are completed by using 3DES. Note that DESX and 3DES are always available for decryption, regardless of the encryption policy.
Note As of Service Pack 1 for Windows XP, the Advanced Encryption Standard (AES) algorithm is used by default for encrypting files with EFS. For more information, see article 329741, “EFS Files Appear Corrupted When You Open Them,” in the Microsoft Knowledge Base at http://support.microsoft.com.
-rich
LVL 3

Expert Comment

by:Stekman99
ID: 17867885
Check this one:

Best practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

Author Comment

by:shakdk
ID: 17868486
You mention that my version of Windows XP Pro SP2 should be using AES by default. Which flavor of AES should it be using? I show that there are three flavors.

AES-128, AES-192, AES-256

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/aes_provider_algorithms.asp

LVL 38

Expert Comment

by:Rich Rumble
ID: 17868536
it's 256
Look for the heading: Default Encryption Algorithms
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
The default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled.

EFS is a lost cause, I feel. I prefer TrueCrypt; it's secure out of the box, and you don't have to do 10 steps to make sure it's secured as you do with EFS; see Stekman99's link.
-rich

Author Comment

by:shakdk
ID: 17869459
Okay, so what's better, AES-256 or 3DES? In your first message you said "anything other than AES your stepping backward in encryption strength." Then in your last post you said "The default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled."

I'm not trying to pick on you for what you said, because I know these are pasted from other written documents on EFS. I just need to know which is stronger and/or more secure, because other than knowing the more bits the better, I really don't know, nor have I seen a chart listing them in order of strength/security.

Thanks!
Dave
LVL 38

Accepted Solution

by:Rich Rumble (earned 250 total points)
ID: 17869657
I see that now... here is a clarification: http://support.microsoft.com/kb/811833 (the article above, I think, misstated its case)
Encrypting File System (EFS) is also affected by this setting. By default, Windows XP uses the Data Encryption Standard (DESX) algorithm with a 56-bit key length. If the Windows high encryption pack is installed, the key length for this algorithm is Triple-DES (3DES) or 128 bits. By default, on Windows XP Service Pack 1 (SP1)-based and Windows Server 2003-based computers, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting on these computers, the operating system will use 3DES with a 128-bit key length instead.
AES-256 is without question stronger than 3DES-128... but AES isn't listed as a FIPS 140-1 algo http://en.wikipedia.org/wiki/FIPS_140 (AES is a FIPS 140-2 approved algo; 140-1 came out before AES was created/released).
-rich
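The registry procedure quoted earlier in the thread (the AlgorithmID value and the meanings of 0x6603, 0x6604 and 0x6610) and the KB 811833 clarification in the accepted answer (the FIPS policy forcing 3DES regardless of AlgorithmID) together describe what EFS will use for the next file it encrypts. The PowerShell script below is an added example written for this page; it is not code from the thread, from Experts Exchange or from Microsoft. It reads both settings, reports the effective algorithm for new encryptions, and can optionally write AlgorithmID. The registry location of the FIPS policy (a FipsAlgorithmPolicy DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on XP/2003, a FipsAlgorithmPolicy subkey with an Enabled value on Vista and later) and the script file name are my assumptions, not facts stated on the page. It answers the configuration half of the question only: it cannot tell you which algorithm an already-encrypted file was written with.

```powershell
# Get-EfsAlgorithm.ps1 (hypothetical file name) - added example, not from the thread.
# Reports which algorithm EFS will use for NEW encryptions on this machine, per
# the AlgorithmID value and the FIPS policy discussed above, and can set AlgorithmID.
# Existing encrypted files keep whatever they were written with; the KB steps
# quoted in the thread say to decrypt first, change the value, then reboot.
#
# ASSUMPTION: the FIPS policy registry locations below are my reading of
# KB 811833 and later documentation, not something the thread states.
param(
    [ValidateSet('3DES', 'DESX', 'AES_256')]
    [string]$Set   # optional: which AlgorithmID to write (needs an elevated shell)
)

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# ALG_ID values quoted in the thread (the CALG_* constants from wincrypt.h).
$AlgIds   = @{ '3DES' = 0x6603; 'DESX' = 0x6604; 'AES_256' = 0x6610 }
$AlgNames = @{
    0x6603 = '3DES (CALG_3DES; XP and later)'
    0x6604 = 'DESX (CALG_DESX; Windows 2000 compatible)'
    0x6610 = 'AES-256 (CALG_AES_256; XP SP1 / Server 2003 and later)'
}

function Get-EfsAlgorithmId {
    # Returns $null when the value is absent, which is the default state the
    # thread notes ("by default there is no entry called AlgorithmID").
    $p = Get-ItemProperty -Path $EfsKey -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.AlgorithmID
}

function Test-FipsPolicyEnabled {
    # XP/2003 store the policy as a DWORD value; Vista+ as a subkey (assumption, see above).
    $old = Get-ItemProperty -Path $LsaKey -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($old -and [int]$old.FipsAlgorithmPolicy -eq 1) { return $true }
    $new = Get-ItemProperty -Path "$LsaKey\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($new -and [int]$new.Enabled -eq 1) { return $true }
    return $false
}

function Get-EffectiveEfsAlgorithm {
    # Precedence as quoted from KB 811833 in the accepted answer: the FIPS policy
    # wins and forces 3DES; otherwise AlgorithmID, if present, selects the cipher;
    # otherwise the platform default applies (AES-256 from XP SP1 / 2003 on,
    # DESX on Windows 2000 and XP RTM, per the thread).
    if (Test-FipsPolicyEnabled) {
        return "3DES (forced by 'System cryptography: Use FIPS compliant algorithms')"
    }
    $id = Get-EfsAlgorithmId
    if ($null -eq $id) {
        $os    = [Environment]::OSVersion
        $xpRtm = ($os.Version.Major -eq 5 -and $os.Version.Minor -eq 1 -and -not $os.ServicePack)
        if ($os.Version -lt [Version]'5.1' -or $xpRtm) {
            return 'DESX (platform default: Windows 2000 / XP RTM; AlgorithmID not set)'
        }
        return 'AES-256 (platform default: XP SP1, Server 2003 and later; AlgorithmID not set)'
    }
    if ($AlgNames.ContainsKey($id)) {
        return ('{0} (AlgorithmID = 0x{1:X4})' -f $AlgNames[$id], $id)
    }
    return ('Unrecognised AlgorithmID 0x{0:X4}; check the value before encrypting' -f $id)
}

if ($Set) {
    $want = $AlgIds[$Set]
    # Overwrites or creates the REG_DWORD; the KB steps require a reboot afterwards.
    New-ItemProperty -Path $EfsKey -Name AlgorithmID -Value $want -PropertyType DWord -Force | Out-Null
    Write-Host ('AlgorithmID set to 0x{0:X4} ({1}); reboot before encrypting new files.' -f $want, $Set)
}

Write-Host ('New EFS encryptions on this machine will use: ' + (Get-EffectiveEfsAlgorithm))
```

Run it with no arguments from an elevated PowerShell to see the effective setting, or with `-Set AES_256` (or `3DES`, `DESX`) to write the value the thread describes; the FIPS branch is the one that catches the case the accepted answer warns about, where the local security policy silently overrides a registry value of 0x6610. For the per-file half of the question, Windows Vista and later added a `cipher.exe /c <file>` switch that prints a "Key information" section with the algorithm and key length of an existing encrypted file; I know of no equivalent in XP's cipher.exe, which is why the thread has no per-file answer.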

Author Comment

by:shakdk
ID: 17882584
I believe I need to use FIPS 140-2, so I can go with the default Windows XP Pro SP2 algo. How do I verify that I have the high encryption pack installed, or do I even need it?
LVL 38

Expert Comment

by:Rich Rumble
ID: 17882857
It's installed by default on XP, I believe; it was an upgrade/patch for Win2k and NT4, and the latest SPs of those OSes will have that patch. Only Win2k and NT4 should need it installed, but if they have the latest SP it's installed.
-rich