Tuesday, July 1, 2008

Windows Vista Encryption News

Security can't work without encryption, and of course Microsoft operating systems (except for MS-DOS) have all included some kind of encryption since Microsoft released OS/2 1.0 in 1987. But over the years, the sort of encryption that Microsoft builds into its OSes, and what it does with them, changes. Here are few notes on new crypto capabilities in Vista.

Vista Includes New Cryptographic Services

Every software vendor has to make the choice about whether to try creating its own encryption algorithms or to employ standard algorithms. It might seem at first glance that a software vendor would be better off building their own encryption algorithm and keeping its inner workings secret, but according to security expert Bruce Schneier, writing in his book Secrets and Lies: Digital Security in a Networked World (Wiley, 2000), the better route is not to build crypto algorithms that are studied and cross-checked by a handful of insiders, but instead to use a crypto algorithm that's been reviewed by hundreds of mathematical experts. In his book Schneier took Microsoft to task for this, claiming that every single time that Microsoft creates a proprietary cryptographic algorithm, it's cracked in just a few months.

I don't know if that always happens, but it's surely happened enough. Maybe that's why Microsoft's using more and more standard cryptographic algorithms. (Maybe they read Schneier's book?) Two that come to mind are the Secure Hashing Algorithm (SHA) and the Advanced Encryption System (AES). Both were developed under the aegis of the U.S. government's National Institute for Standards and Technology (NIST) with the intention of providing a well-thought-out set of algorithms for hashing (SHA) and encryption (AES). AES seems well thought of in the crypto community, but SHA has been attacked successfully in some specialized situations. The most recent version of SHA, "SHA-2," has not been successfully attacked as I write this.

Microsoft has had AES built into XP since SP1 and 2003 since its original release, but only in limited use; as far as I know, the only use XP had for AES was in the Encrypting File System (EFS). With Vista, Microsoft says that you will be able to use AES for encryption with IPsec. Granted, it's not earth-shaking, as previously only offered Triple DES (Data Encryption Standard), and cracking TDES probably won't be practical for some time, but it's a step ahead. Adding SHA-2 to IPsec will also be good, but I should note that as I write this, the group policy interface does not show options for either AES or SHA-2. I can confirm, however, that another Windows technology, BitLocker Full Volume Encryption, does indeed use AES in 128-bit and 256-bit encryption.

You Can Encrypt Your Pagefile

Here's good news for the completely paranoid: you can encrypt your pagefile. Just take my advicedon't. Not unless you want to wait, say, an hour or so every time you turn your computer on while you wait for it to decrypt a gigabyte or so of pagefile.

Offline Files Folders Are Encrypted per User

Offline Files is a great technology that allows you to cache data from oft-used file shares locally. It first appeared in Windows 2000 and while it's not for everyone, lots of people like it. But once details of how Offline Files works got out, people soon realized that it presented something of a security hole. You see, in Windows 2000, all of the cached files were stored in a directory easily viewed by any user. Thus, if I shared a computer with you and you used Offline Files, then I could poke around the folder holding the cached files-everyone on the same machine shared the same folder-and that might not be good.

When XP came around, Microsoft encrypted the folder that held the cached Offline Files data. But the process that did the encrypting was a service that ran as the LocalSystem account, which meant that the EFS encryption key for the Offline Files data was easily utilized by anyone running as LocalSystem. Unfortunately, it turned out to be really easy to log on as Local-System-just use the at.exe scheduler program to start up a command prompt; as the scheduler program runs as LocalSystem, you get a command prompt running under the Local-System account-cracking Offline Files to peek into the cached files of someone who shares your machine was still relatively easy.

Vista changes that in two ways. First of all, everyone's cached files are cached with their EFS key, not LocalSystem's. Second, even if Microsoft hadn't changed that about the operating system, it'd still be pretty tough to exploit, as logging on as LocalSystem has gotten a lot harder. All of the old tricks that I've been able to use in the past to log on as LocalSystem no longer work in Vista!

Source of Information : Sybex Administering Windows Vista Security: The Big Surprises

No comments: