===============================================================
        T H E   S E C U R I U S   N E W S L E T T E R
===============================================================
December 7, 2001 | Vol. 2, #08 | http://www.securius.com/

CONTENTS:

1. REDUX -- STRONG COUNTRY, STRONG CRYPTO
2. NIST RELEASES STANDARDS DOCUMENT FOR AES
3. THE JOYS OF PASSWORD RECOVERY
4. ENCRYPTION PLUS(R) FOLDERS TECHNICAL WHITE PAPER

===============================================================
A service of PC Guardian | San Rafael, California
Computer security products | http://www.pcguardian.com/
"Protecting Computers & Data Worldwide -- Since 1984"
===============================================================

--------------------------------------------------------
1. REDUX -- STRONG COUNTRY, STRONG CRYPTO
--------------------------------------------------------

The last newsletter -- "Strong Country, Strong Crypto" -- generated a number of reader responses, mostly flames. In the raw aftermath of the September 11 terrorist attacks, some felt my position against further encryption regulation was unpatriotic. Fortunately, calmer minds have prevailed: proposals to further regulate or even ban encryption were floated in the days after 9/11 but dropped a few weeks later. See "Senator Backs Off Backdoors" at

http://www.wired.com/news/conflict/0,2100,47635,00.html

There's no published evidence that the 9/11 terrorists used or even needed to use encryption. According to reports in the New York Times and elsewhere, the terrorists relied on the security of face-to-face meetings in places where they would not attract attention. On the other hand, encryption technologies are used every minute of every day to protect critical infrastructure and sensitive data from terrorists and other bad actors.

Incidentally, the "Strong Crypto" issue was selected by the Library of Congress for inclusion in a special digital archive related to the 9/11 attacks.
If you missed it, you can find it here (in HTML format):

http://www.securius.com/Features/Encryption/49.html

or here (in plain text format):

http://www.securius.com/newsletter/archive/207.txt

Also, the current issue marks the second anniversary of the first Securius Newsletter (December 7, 1999). I'd like to take a moment to thank all those here at PC Guardian who make it possible, particularly Noah Groth, CEO; Ann Laurenson, Senior Vice President; and Emily Navarre, Knowledgebase Manager and Documentation Specialist.

--------------------------------------------------------
2. NIST RELEASES STANDARDS DOCUMENT FOR AES
--------------------------------------------------------

Speaking of strong crypto, the US government body responsible for setting cryptography standards -- the National Institute of Standards and Technology (NIST) -- has announced the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard (AES), FIPS-197. This standard specifies Rijndael as a FIPS-approved symmetric encryption algorithm that may be used by US Government organizations and others to protect sensitive information. For more information on AES, see the FIPS-197 document:

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

--------------------------------------------------------
3. THE JOYS OF PASSWORD RECOVERY
--------------------------------------------------------

In most corporate computing environments, users who forget their logon passwords need to call a help desk and ask for a manual password reset. These resets represent a costly administrative burden for Information Technology (IT) departments -- approximately $16.50 per PC per year. They're also a time-waster for both users and IT departments.
PC Guardian has released a new software product -- Encryption Plus Secure Password Recovery -- that provides a safe and effective way for users to regain access to their computers when they forget their Windows logon passwords, without contacting an IT administrator. The program uses PC Guardian's trademark Authenti-Check method for self-service password recovery.

When the program is installed, the user is prompted at the next logon to set up one or more questions, as well as corresponding answers. Common questions might be items like, "What was your first pet's name?", "What's your employee number?", or "With what company did you hold your first job?". The program uses the answers -- plus two strong cryptographic algorithms -- to protect the Windows password.

Later, when the user forgets his or her password and is unsuccessful in logging on to Windows, Encryption Plus Secure Password Recovery launches and poses the challenge questions. If the user provides the correct answers, Encryption Plus Secure Password Recovery unlocks the forgotten password, displays it to the user, and completes the Windows logon process.

For more information, see the product web page at:

http://www.pcguardian.com/software/epspr/index.html

For a detailed account of how the program's internal security works, see the "How it Works" page:

http://www.pcguardian.com/software/epspr/how_it_works.html
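The scheme described above (challenge answers plus cryptography protecting the stored logon password) can be sketched in a few dozen lines. What follows is an added example written for this page, not PC Guardian's Authenti-Check code and not taken from the "How it Works" page: it derives a key from the normalized answers with PBKDF2, encrypts the password with an HMAC-SHA256 keystream, and authenticates the result so that a wrong answer produces no plaintext at all. The function names, the PBKDF2 work factor, the answer normalization and the keystream construction are all assumptions chosen so that it runs on the Python standard library alone; a product would use a standard cipher such as AES for the encryption step.

```python
"""Constructed illustration of challenge-answer password escrow.

Added example, not PC Guardian's Authenti-Check implementation. The PBKDF2
cost, the answer normalization and the HMAC-SHA256 keystream are assumptions
made to keep the example dependency-free.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for the target machine


def normalize(answer: str) -> str:
    """Canonicalize an answer so "Fluffy " and "fluffy" derive the same key."""
    return " ".join(answer.strip().lower().split())


def derive_key(answers: List[str], salt: bytes) -> bytes:
    """Stretch the normalized answers into a 32-byte key.

    All answers are joined into one input, so recovery needs every answer
    right; PBKDF2 with a random salt slows offline guessing of the short,
    low-entropy answers people tend to choose.
    """
    material = "\x1f".join(normalize(a) for a in answers).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(master: bytes):
    # Separate keys for encryption and authentication, derived from one master.
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def escrow_password(password: str, answers: List[str]) -> Dict[str, bytes]:
    """Encrypt-then-MAC the password under a key derived from the answers."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(answers, salt))
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def recover_password(record: Dict[str, bytes], answers: List[str]) -> Optional[str]:
    """Return the password only if every answer is correct, else None.

    A wrong answer gives a wrong key, the tag check fails (in constant
    time), and no partial plaintext is ever produced.
    """
    enc_key, mac_key = _subkeys(derive_key(answers, record["salt"]))
    data = record["salt"] + record["nonce"] + record["ct"]
    if not hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha256).digest(), record["tag"]):
        return None
    ks = keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode("utf-8")


if __name__ == "__main__":
    rec = escrow_password("Tr0ub4dor&3", ["Fluffy", "1234", "Acme Corp"])
    print(recover_password(rec, ["fluffy ", "1234", "ACME  corp"]))  # Tr0ub4dor&3
    print(recover_password(rec, ["Fluffy", "1235", "Acme Corp"]))    # None
```

The design point worth noticing is that the answers are the key: the escrow record is only as strong as the combined entropy of the answers, and an employee number or a pet's name is far guessable than a good password. Key stretching with a salt slows offline guessing against a copied record but does not remove the problem, so an administrator deploying such a scheme should prefer questions with answers that are not on file elsewhere, require several of them, and protect the escrow record as carefully as the password database itself.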
--------------------------------------------------------
4. ENCRYPTION PLUS FOLDERS TECHNICAL WHITE PAPER
--------------------------------------------------------

If you're interested in the inner workings of cryptosystems, I invite you to check the technical white paper I drafted for PC Guardian's Encryption Plus Folders product, at

http://www.pcguardian.com/pdf/Encryption_Plus_Folders_Technical_White_Paper.pdf

Here's an excerpt from the introduction:

Encryption Plus Folders is a commercial filesystem encryption program designed to protect confidential corporate data on machines running Microsoft Windows operating systems. Encryption Plus Folders protects sensitive data in files that are stored on disk using the FAT, FAT32, and NTFS filesystems. It uses symmetric key encryption in conjunction with public key ciphers to provide confidentiality for files as well as three flexible and independent key recovery mechanisms.

Encryption Plus Folders encrypts files on a folder-by-folder basis, based on selections by the user and/or administrator, and then provides transparent, on-the-fly decryption via a device driver. When a folder is selected for protection, Encryption Plus Folders stores all of the folder's files as encrypted ciphertexts. When an authorized user opens an encrypted file, Encryption Plus Folders transparently decrypts only the needed portions of the file into memory. The file data on the hard disk remains encrypted. The authorized user can view or modify the file and Encryption Plus Folders automatically encrypts the data when it is written back to the hard disk. Other users are denied permission to view or modify the contents of encrypted files unless the authorized user chooses to share the folder. Since the data is only decrypted in memory, attempts to read stored files by using low-level disk tools or other operating systems will only reveal encrypted text.

Encryption Plus Folders is designed to enforce corporate information security policy.
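The excerpt describes three properties a practitioner will want to see concretely: one key per protected folder, files that exist on disk only as ciphertext, and reads that decrypt only the portions actually touched. The following is an added example written for this page, not Encryption Plus Folders' own code or driver. It models that design in memory: a random key per `EncryptedFolder`, files split into fixed-size chunks, each chunk encrypted under its own derived subkey with an HMAC-SHA256 keystream standing in for a block-cipher mode, and an integrity tag per chunk so that a damaged or altered chunk is refused rather than silently decrypted to garbage. The chunk size, the keystream construction, the class and method names, and the `tamper` helper are all assumptions; the public-key wrapping of the folder key for the recovery mechanisms is not modeled.

```python
"""Constructed illustration of folder-level encryption with partial decryption.

Added example, not Encryption Plus Folders' implementation. The chunk size,
the HMAC-SHA256 keystream and the per-chunk tag layout are assumptions.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

CHUNK = 4096   # assumed chunk size: the unit of on-demand decryption


class EncryptedFolder:
    """One random folder key; every file is stored only as tagged ciphertext chunks."""

    def __init__(self) -> None:
        self.folder_key = os.urandom(32)
        # name -> (nonce, [(chunk_ciphertext, tag), ...], plaintext length)
        self.store: Dict[str, Tuple[bytes, List[Tuple[bytes, bytes]], int]] = {}
        self.chunks_decrypted = 0  # counter used to show how little a read decrypts

    def _subkeys(self, name: str, nonce: bytes, index: int) -> Tuple[bytes, bytes]:
        # Independent encryption and MAC subkeys per (file, nonce, chunk index),
        # so no two chunks ever share a keystream.
        info = name.encode("utf-8") + nonce + index.to_bytes(8, "big")
        enc = hmac.new(self.folder_key, b"enc" + info, hashlib.sha256).digest()
        mac = hmac.new(self.folder_key, b"mac" + info, hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _xor_keystream(key: bytes, data: bytes) -> bytes:
        # PRF keystream (assumed stand-in for a block-cipher mode) XORed over data.
        ks = bytearray()
        ctr = 0
        while len(ks) < len(data):
            ks += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return bytes(a ^ b for a, b in zip(data, ks))

    def write_file(self, name: str, plaintext: bytes) -> None:
        """Encrypt and tag each chunk; the store never holds plaintext."""
        nonce = os.urandom(16)
        chunks: List[Tuple[bytes, bytes]] = []
        for i, off in enumerate(range(0, len(plaintext), CHUNK)):
            enc, mac = self._subkeys(name, nonce, i)
            ct = self._xor_keystream(enc, plaintext[off:off + CHUNK])
            chunks.append((ct, hmac.new(mac, ct, hashlib.sha256).digest()))
        self.store[name] = (nonce, chunks, len(plaintext))

    def read_range(self, name: str, offset: int, length: int) -> bytes:
        """Verify and decrypt only the chunks overlapping [offset, offset+length)."""
        nonce, chunks, total = self.store[name]
        end = min(offset + length, total)
        if offset >= end:
            return b""
        first, last = offset // CHUNK, (end - 1) // CHUNK
        out = bytearray()
        for i in range(first, last + 1):
            ct, tag = chunks[i]
            enc, mac = self._subkeys(name, nonce, i)
            if not hmac.compare_digest(hmac.new(mac, ct, hashlib.sha256).digest(), tag):
                raise ValueError(f"chunk {i} of {name!r} failed its integrity check")
            out += self._xor_keystream(enc, ct)
            self.chunks_decrypted += 1
        start = offset - first * CHUNK
        return bytes(out[start:start + (end - offset)])

    def raw_ciphertext(self, name: str) -> bytes:
        """What a low-level disk tool would see: the concatenated encrypted chunks."""
        return b"".join(ct for ct, _ in self.store[name][1])


def tamper(folder: EncryptedFolder, name: str, index: int) -> None:
    """Flip one bit of a stored chunk to simulate on-disk corruption."""
    _, chunks, _ = folder.store[name]
    ct, tag = chunks[index]
    chunks[index] = (bytes([ct[0] ^ 0x01]) + ct[1:], tag)


if __name__ == "__main__":
    folder = EncryptedFolder()
    folder.write_file("report.txt", b"SECRET REPORT " * 1000)
    folder.read_range("report.txt", 5000, 14)
    print("chunks decrypted for a 14-byte read:", folder.chunks_decrypted)
```

Chunking is what makes "decrypt only the needed portions" possible: a read that lands inside one 4 KiB chunk costs one chunk's worth of work regardless of file size, and a write back only re-encrypts the chunks it changed. The per-chunk tag is the part most easily forgotten in a transparent-encryption design; without it a modified sector decrypts to silent garbage that the application will happily consume.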
Information security officers, system administrators, or other responsible parties exert control over the configuration and set-up of the executable installed on end-user machines. Password strength can be regulated, for example, and pre-determined folders can be specified for unconditional protection. The administrator is also allowed to select the data recovery mechanisms that are invoked when a user forgets a password or when a user is not available to provide it. Encryption Plus Folders is designed to provide both fail-safe confidentiality and availability in the most demanding corporate computing environments.

This document provides details about the cryptosystems implemented in Encryption Plus Folders. Both the Administrator Program, which enables administrative control, and the User Program, which gets deployed on end-user machines, are discussed. This white paper is intended for a technical audience that already has some familiarity with program operations. A more general introduction to the product can be found on the World Wide Web at

http://www.pcguardian.com/software/folders_e.html

*

Best wishes for a safe and happy holiday season. See you next issue. 'Til then, keep your guard up!

/------------------ BEGIN ADVERTISEMENT ------------------\

PC GUARDIAN OFFERS DEFENSE-IN-DEPTH NOTEBOOK SECURITY

Purchase a Notebook Guardian(R) for $59.95 and receive a FREE copy of Encryption Plus Folders 4.5 (list price: $49.95).

The Notebook Guardian is a one-piece tamper-proof notebook anti-theft system consisting of a patented stainless steel locking head, cased in chrome-plated brass, and a sleek black polyvinyl-coated galvanized steel cable. The cable lassoes to any secure stationary object and the head fits the security slot on most notebooks.

Encryption Plus Folders 4.5 delivers transparent on-the-fly encryption that protects multiple folders and files from being deleted or snooped by those who have physical access to your PC.
Don't delay securing your computer and its private data any longer. Visit PC Guardian today at:

http://www.pcguardian.com/hardware/nbg2000_folders.html

\------------------- END ADVERTISEMENT -------------------/

===============================================================

ABOUT THIS NEWSLETTER

The Securius Newsletter is published periodically by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/

To download our crypto software, visit http://www.pcguardian.com/securius_download/

You can find our archive of back issues at http://www.securius.com/newsletter/archive/

SUBSCRIBING/UNSUBSCRIBING

To unsubscribe from this newsletter, send an email to leave-securius-nl@lists.securius.com

To subscribe to this newsletter, send an email to join-securius-nl@lists.securius.com

FEEDBACK OR QUESTIONS

Write the author, Seth T. Ross
sross@pcguardian.com
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901 US

ABOUT THE AUTHOR

Seth is the Chief Strategy Officer at PC Guardian and author of the book, _UNIX System Security Tools_ (McGraw-Hill 1999):
http://www.amazon.com/exec/obidos/ASIN/0079137881/pcguardian-20

SPECIAL THANKS TO

Emily Navarre, editor extraordinaire

FORWARD THIS MAIL RIGHT NOW

Please take a moment and forward this newsletter to a colleague or friend.

===============================================================

Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included.

Copyright 2001 PC Guardian. All rights reserved.