Strong Crypto Redux, AES, Password Recovery

By Seth Ross

The last newsletter — "Strong Country, Strong Crypto" — generated a number of reader responses, mostly flames. In the raw aftermath of the September 11 terrorist attacks, some felt my position against further encryption regulation was unpatriotic. Fortunately, calmer minds have prevailed: proposals to further regulate or even ban encryption were floated in the days after 9/11 but dropped a few weeks later. See "Senator Backs Off Backdoors" at http://www.wired.com/news/conflict/0,2100,47635,00.html There's no published evidence that the 9/11 terrorists used or even needed to use encryption. According to reports in the New York Times and elsewhere, the terrorists relied on the security of face-to-face meetings in places where they would not attract attention. On the other hand, encryption technologies are used every minute of every day to protect critical infrastructure and sensitive data from terrorists and other bad actors.

Incidentally, the "Strong Crypto" issue was selected by the Library of Congress for inclusion in a special digital archive related to the 9/11 attacks. If you missed it, you can find it here (in HTML format): http://www.securius.com/Features/Encryption/49.html or here (in plain text format): http://www.securius.com/newsletter/archive/207.txt

Also, the current issue marks the second anniversary of the first Securius Newsletter (December 7, 1999). I'd like to take a moment to thank all those here at PC Guardian who make it possible, particularly Noah Groth, CEO; Ann Laurenson, Senior Vice President, and Emily Navarre, Knowledgebase Manager and Documentation Specialist.

2. NIST RELEASES STANDARDS DOCUMENT FOR AES

Speaking of strong crypto, the US government body responsible for setting cryptography standards -- the National Institute of Standards and Technology (NIST) -- has announced the approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard (AES), FIPS-197. This standard specifies Rijndael as a FIPS-approved symmetric encryption algorithm that may be used by US Government organizations and others to protect sensitive information.

For more information on AES, see the FIPS-197 document: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

3. THE JOYS OF PASSWORD RECOVERY

In most corporate computing environments, users who forget their logon passwords need to call a help desk and ask for a manual password reset. These resets represent a costly administrative burden for Information Technology (IT) departments -- approximately $16.50 per PC per year. They're also a time-waster for both users and IT departments.

PC Guardian has released a new software product -- Encryption Plus Secure Password Recovery -- that provides a safe and effective way for users to regain access to their computers when they forget their Windows logon passwords, without contacting an IT administrator.

The program uses PC Guardian's trademark Authenti-Check method for self-service password recovery. When the program is installed, the user is prompted at the next logon to set up one or more questions, as well as corresponding answers. Common questions might be items like, "What was your first pet's name?", "What's your employee number?", or "With what company did you hold your first job?". The program uses the answers -- plus two strong cryptographic algorithms -- to protect the Windows password.

Later, when the user forgets his or her password and is unsuccessful in logging on to Windows, Encryption Plus Secure Password Recovery launches and poses the challenge questions. If the user provides the correct answers, Encryption Plus Secure Password Recovery unlocks the forgotten password, displays it to the user, and completes the Windows logon process.

For more information, see the product web page at: http:// www.pcguardian.com/ software/ epspr/ index.html

For a detailed account of how the program's internal security works, see the "How it Works" page: http://www.pcguardian.com/software/epspr/how_it_works.html

4. ENCRYPTION PLUS FOLDERS TECHNICAL WHITE PAPER

If you're interested in the inner workings of cryptosystems, I invite you to check the technical white paper I drafted for PC Guardian's Encryption Plus Folders product, at http://www.pcguardian.com/ pdf/ Encryption_Plus_Folders_Technical_White_Paper .pdf

Encryption Plus Folders is a commercial filesystem encryption program designed to protect confidential corporate data on machines running Microsoft Windows operating systems. Encryption Plus Folders protects sensitive data in files that are stored on disk using the FAT, FAT32, and NTFS filesystems. It uses symmetric key encryption in conjunction with public key ciphers to provide confidentiality for files as well as three flexible and independent key recovery mechanisms.

Encryption Plus Folders encrypts files on a folder-by-folder basis, based on selections by the user and/or administrator, and then provides transparent, on-the-fly decryption via a device driver. When a folder is selected for protection, Encryption Plus Folders stores all of the folder's files as encrypted ciphertexts. When an authorized user opens an encrypted file, Encryption Plus Folders transparently decrypts only the needed portions of the file into memory. The file data on the hard disk remains encrypted. The authorized user can view or modify the file and Encryption Plus Folders automatically encrypts the data when it is written back to the hard disk. Other users are denied permission to view or modify the contents of encrypted files unless the authorized user chooses to share the folder. Since the data is only decrypted in memory, attempts to read stored files by using low-level disk tools or other operating systems will only reveal encrypted text.

Encryption Plus Folders is designed to enforce corporate information security policy. Information security officers, system administrators, or other responsible parties exert control over the configuration and set-up of the executable installed on end-user machines. Password strength can be regulated, for example, and pre-determined folders can be specified for unconditional protection. The administrator is also allowed to select the data recovery mechanisms that are invoked when a user forgets a password or when a user is not available to provide it. Encryption Plus Folders is designed to provide both fail-safe confidentiality and availability in the most demanding corporate computing environments.

This document provides details about the cryptosystems implemented in Encryption Plus Folders. Both the Administrator Program, which enables administrative control, and the User Program, which gets deployed on end-user machines, are discussed. This white paper is intended for a technical audience that already has some familiarity with program operations. A more general introduction to the product can be found on the World Wide Web at http:// www.pcguardian.com/ software/ folders_e.html

Here's best wishes for a safe and happy holiday season. See you next issue. 'Til then, keep your guard up!