Solved

Can XP SP3 Provide EFS with AES that is FIPS 140-2 compliant?

Posted on 2011-02-24
6
1,339 Views
Last Modified: 2012-08-13
I'd like to use EFS on Windows XP Service Pack 3, but am trying to find out if there's a way to make this use a FIPS 140-2 compliant implementation of AES. I know the FIPS compliant modules that you can enable in XP (by setting the FIPS local policy flag) include AES, however I've also found this line in Microsoft documentation detailing what happens when you set this flag:

"In Windows XP SP1 or later and Server 2003, the EFS switches from an non-Approved kernel AES implementation to an approved Three-Key Triple-DES implementation. "

I've not found any way to set the EFS to another FIPS-compliant algorithm after setting the FIPS flag. Is there any way to use a compliant AES implementation for XP SP3?
0
Comment
Question by:MichaelOwen
  • 3
  • 2
6 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 500 total points
ID: 34977666
Please take a look at this answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23556919.html

By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

So the answer is no, windows xp is not able to provide a certified way to offer AES encryption.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34977669
Windows XP is only FIPS 140-1 compliant.
0
 
LVL 1

Author Closing Comment

by:MichaelOwen
ID: 34978234
Just as a comment on your other response, XP Pro SP3 definitely does ship with a 140-2 compliant module - the docs for this are available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf

Thanks!
0
Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

 
LVL 62

Expert Comment

by:gheist
ID: 34978287
It is drilled here hundreds of times
AES is FIPS-compliant.
Windows crypto module is compliant except it supports also non-fips cyphers for interoperability.
You really do not want to turn them off if you want to ever browse the web again.

Instructions on how to do the damage: http://support.microsoft.com/kb/811833



0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34978372
Yes it ships with a module, that is not used by the kernel:

Software developers can dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support.

---
@gheist - Please read your link to understand my answer ;-) no seriously -> Code


Tolomir
By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, 
EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. 



However, EFS uses the kernel-mode AES implementation. 
This implementation is not FIPS-validated on these platforms. 
If you enable the FIPS setting on these platforms, the operating 
system uses the 3DES algorithm with a 168-bit key length.

Open in new window

0
 
LVL 62

Expert Comment

by:gheist
ID: 34978452
AES algorithm allows no variation.
Only problem is initial RNG to generate keys. If it is "high quality PRNG from TSM" you lose with 3DES or with AES.


0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question