Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1363
  • Last Modified:

Can XP SP3 Provide EFS with AES that is FIPS 140-2 compliant?

I'd like to use EFS on Windows XP Service Pack 3, but am trying to find out if there's a way to make this use a FIPS 140-2 compliant implementation of AES. I know the FIPS compliant modules that you can enable in XP (by setting the FIPS local policy flag) include AES, however I've also found this line in Microsoft documentation detailing what happens when you set this flag:

"In Windows XP SP1 or later and Server 2003, the EFS switches from an non-Approved kernel AES implementation to an approved Three-Key Triple-DES implementation. "

I've not found any way to set the EFS to another FIPS-compliant algorithm after setting the FIPS flag. Is there any way to use a compliant AES implementation for XP SP3?
0
MichaelOwen
Asked:
MichaelOwen
  • 3
  • 2
1 Solution
 
TolomirAdministratorCommented:
Please take a look at this answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_23556919.html

By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. However, EFS uses the kernel-mode AES implementation. This implementation is not FIPS-validated on these platforms. If you enable the FIPS setting on these platforms, the operating system uses the 3DES algorithm with a 168-bit key length.

So the answer is no, windows xp is not able to provide a certified way to offer AES encryption.
0
 
TolomirAdministratorCommented:
Windows XP is only FIPS 140-1 compliant.
0
 
MichaelOwenAuthor Commented:
Just as a comment on your other response, XP Pro SP3 definitely does ship with a 140-2 compliant module - the docs for this are available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp989.pdf

Thanks!
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
gheistCommented:
It is drilled here hundreds of times
AES is FIPS-compliant.
Windows crypto module is compliant except it supports also non-fips cyphers for interoperability.
You really do not want to turn them off if you want to ever browse the web again.

Instructions on how to do the damage: http://support.microsoft.com/kb/811833



0
 
TolomirAdministratorCommented:
Yes it ships with a module, that is not used by the kernel:

Software developers can dynamically link the Microsoft RSAENH module into their applications to provide FIPS 140-2 compliant cryptographic support.

---
@gheist - Please read your link to understand my answer ;-) no seriously -> Code


Tolomir
By default, in Windows XP Service Pack 1 (SP1), in later Windows XP service packs, and in Windows Server 2003, 
EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key length. 



However, EFS uses the kernel-mode AES implementation. 
This implementation is not FIPS-validated on these platforms. 
If you enable the FIPS setting on these platforms, the operating 
system uses the 3DES algorithm with a 168-bit key length.

Open in new window

0
 
gheistCommented:
AES algorithm allows no variation.
Only problem is initial RNG to generate keys. If it is "high quality PRNG from TSM" you lose with 3DES or with AES.


0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now