?
Solved

Can XP SP3 Provide EFS with AES that is FIPS 140-2 compliant?

Posted on 2011-02-24
6
Medium Priority
?
1,344 Views
Last Modified: 2012-08-13
I'd like to use EFS on Windows XP Service Pack 3, but am trying to find out if there's a way to make this use a FIPS 140-2 compliant implementation of AES. I know the FIPS compliant modules that you can enable in XP (by setting the FIPS local policy flag) include AES, however I've also found this line in Microsoft documentation detailing what happens when you set this flag:

"In Windows XP SP1 or later and Server 2003, the EFS switches from an non-Approved kernel AES implementation to an approved Three-Key Triple-DES implementation. "

I've not found any way to set the EFS to another FIPS-compliant algorithm after setting the FIPS flag. Is there any way to use a compliant AES implementation for XP SP3?
0
Comment
Question by:MichaelOwen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 2000 total points
ID: 34977666
Please take a look at this answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23556919.html

By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

So the answer is no, windows xp is not able to provide a certified way to offer AES encryption.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34977669
Windows XP is only FIPS 140-1 compliant.
0
 
LVL 1

Author Closing Comment

by:MichaelOwen
ID: 34978234
Just as a comment on your other response, XP Pro SP3 definitely does ship with a 140-2 compliant module - the docs for this are available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf

Thanks!
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 62

Expert Comment

by:gheist
ID: 34978287
It is drilled here hundreds of times
AES is FIPS-compliant.
Windows crypto module is compliant except it supports also non-fips cyphers for interoperability.
You really do not want to turn them off if you want to ever browse the web again.

Instructions on how to do the damage: http://support.microsoft.com/kb/811833



0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34978372
Yes it ships with a module, that is not used by the kernel:

Software developers can dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support.

---
@gheist - Please read your link to understand my answer ;-) no seriously -> Code


Tolomir
By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, 
EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. 



However, EFS uses the kernel-mode AES implementation. 
This implementation is not FIPS-validated on these platforms. 
If you enable the FIPS setting on these platforms, the operating 
system uses the 3DES algorithm with a 168-bit key length.

Open in new window

0
 
LVL 62

Expert Comment

by:gheist
ID: 34978452
AES algorithm allows no variation.
Only problem is initial RNG to generate keys. If it is "high quality PRNG from TSM" you lose with 3DES or with AES.


0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question