• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1356
  • Last Modified:

Can XP SP3 Provide EFS with AES that is FIPS 140-2 compliant?

I'd like to use EFS on Windows XP Service Pack 3, but am trying to find out if there's a way to make this use a FIPS 140-2 compliant implementation of AES. I know the FIPS compliant modules that you can enable in XP (by setting the FIPS local policy flag) include AES, however I've also found this line in Microsoft documentation detailing what happens when you set this flag:

"In Windows XP SP1 or later and Server 2003, the EFS switches from an non-Approved kernel AES implementation to an approved Three-Key Triple-DES implementation. "

I've not found any way to set the EFS to another FIPS-compliant algorithm after setting the FIPS flag. Is there any way to use a compliant AES implementation for XP SP3?
0
MichaelOwen
Asked:
MichaelOwen
  • 3
  • 2
1 Solution
 
TolomirAdministratorCommented:
Please take a look at this answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23556919.html

By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

So the answer is no, windows xp is not able to provide a certified way to offer AES encryption.
0
 
TolomirAdministratorCommented:
Windows XP is only FIPS 140-1 compliant.
0
 
MichaelOwenAuthor Commented:
Just as a comment on your other response, XP Pro SP3 definitely does ship with a 140-2 compliant module - the docs for this are available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf

Thanks!
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
gheistCommented:
It is drilled here hundreds of times
AES is FIPS-compliant.
Windows crypto module is compliant except it supports also non-fips cyphers for interoperability.
You really do not want to turn them off if you want to ever browse the web again.

Instructions on how to do the damage: http://support.microsoft.com/kb/811833



0
 
TolomirAdministratorCommented:
Yes it ships with a module, that is not used by the kernel:

Software developers can dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support.

---
@gheist - Please read your link to understand my answer ;-) no seriously -> Code


Tolomir
By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, 
EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. 



However, EFS uses the kernel-mode AES implementation. 
This implementation is not FIPS-validated on these platforms. 
If you enable the FIPS setting on these platforms, the operating 
system uses the 3DES algorithm with a 168-bit key length.

Open in new window

0
 
gheistCommented:
AES algorithm allows no variation.
Only problem is initial RNG to generate keys. If it is "high quality PRNG from TSM" you lose with 3DES or with AES.


0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now