Solved

Can XP SP3 Provide EFS with AES that is FIPS 140-2 compliant?

Posted on 2011-02-24
6
1,336 Views
Last Modified: 2012-08-13
I'd like to use EFS on Windows XP Service Pack 3, but am trying to find out if there's a way to make this use a FIPS 140-2 compliant implementation of AES. I know the FIPS compliant modules that you can enable in XP (by setting the FIPS local policy flag) include AES, however I've also found this line in Microsoft documentation detailing what happens when you set this flag:

"In Windows XP SP1 or later and Server 2003, the EFS switches from an non-Approved kernel AES implementation to an approved Three-Key Triple-DES implementation. "

I've not found any way to set the EFS to another FIPS-compliant algorithm after setting the FIPS flag. Is there any way to use a compliant AES implementation for XP SP3?
0
Comment
Question by:MichaelOwen
  • 3
  • 2
6 Comments
 
LVL 27

Accepted Solution

by:
Tolomir earned 500 total points
ID: 34977666
Please take a look at this answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23556919.html

By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

So the answer is no, windows xp is not able to provide a certified way to offer AES encryption.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34977669
Windows XP is only FIPS 140-1 compliant.
0
 
LVL 1

Author Closing Comment

by:MichaelOwen
ID: 34978234
Just as a comment on your other response, XP Pro SP3 definitely does ship with a 140-2 compliant module - the docs for this are available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf

Thanks!
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 62

Expert Comment

by:gheist
ID: 34978287
It is drilled here hundreds of times
AES is FIPS-compliant.
Windows crypto module is compliant except it supports also non-fips cyphers for interoperability.
You really do not want to turn them off if you want to ever browse the web again.

Instructions on how to do the damage: http://support.microsoft.com/kb/811833



0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34978372
Yes it ships with a module, that is not used by the kernel:

Software developers can dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support.

---
@gheist - Please read your link to understand my answer ;-) no seriously -> Code


Tolomir
By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, 
EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. 



However, EFS uses the kernel-mode AES implementation. 
This implementation is not FIPS-validated on these platforms. 
If you enable the FIPS setting on these platforms, the operating 
system uses the 3DES algorithm with a 168-bit key length.

Open in new window

0
 
LVL 62

Expert Comment

by:gheist
ID: 34978452
AES algorithm allows no variation.
Only problem is initial RNG to generate keys. If it is "high quality PRNG from TSM" you lose with 3DES or with AES.


0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
OnPage: Incident management and secure messaging on your smartphone
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question