[ Pobierz całość w formacie PDF ]
.Of course this approach todata security has a tremendous negative side; portability comes to a screaming halt.Physical security is notreally a solution in today s world; the technological solution is file encryption.Many file encryption products currently offered on the market by third-party vendors are designed aroundpassword keys.This kind of encryption is not very secure, because the encrypted file can be hacked quicklyby brute force.Security products that were available before Windows 2000 required the user to encrypt anddecrypt files manually with each usage.Most users do not have the time to back up their hard drive daily,and it is just as difficult to make the time to encrypt/decrypt files.On occasion, users encrypt a file and then forget the password.The third-party product can handle this majorproblem in one of two ways: the product can provide data recovery, or it can not provide recovery.The moresecure encryption software at the application level will not provide data recovery.The downside of thisbecomes evident when a person is authorized, needs to get to the data, and has forgotten the password.If thevendor did provide some form of data recovery, security is weakened, and the recovery code is now thesystem s weak point.Some of the Windows 2000 Encrypting File System code runs down in protected mode.The kernel modemust not be available to users, or the operating system will crash.Microsoft has built encryption into theoperating system, making encrypted data more secure than ever before.The new feature of Encrypting FileSystem on Windows 2000 provides an element of security that Windows NT and third-party encryptionsoftware never approached in the past.Using a Encrypting File SystemThe Encrypting File System that is supported in Windows 2000 is a new piece of security in the NTFS filesystem.Both public key encryption and secret key encryption are implemented within the complete process,so data gets encrypted quickly and in such a way that it can stand up against an attack from anycryptanalysts.U.S.customers who purchase Windows 2000 will receive a 56-bit standard DES algorithm forimplementation, but they can also obtain a 128-bit encryption DES algorithm.Until export approval isreceived, Microsoft will also have a 40-bit DES algorithm for all international customers.The encrypted file can be read by anyone with a private key that can decrypt the File Encryption Key.If auser leaves the company, or if a user s private key becomes corrupted or is accidentally deleted, Windows2000 can implement data recovery.This may sound like a security weak spot, but data recovery in Windows2000 is not a security weakness.Microsoft has written code to establish an Encrypted Data Recovery Policy(EDRP), which controls who can recover the data if the owner s private key is lost or if the employee leavesthe organization.In the Workgroup environment, Windows 2000 automatically sets up the EDRP on thelocal machine.In the domain environment, the EDRP is set up in the domain policy by the systemadministrator, and computers belonging to the domain will receive the EDRP from that location.Encryption FundamentalsEncryption is the process of taking a plaintext file and processing it so that the original data is in a newciphertext format.Typically the encryption process uses an algorithm and a secret value that is referred to asthe key.Public key cryptography is designed so that each person has two keys, a public and a private key.Table 6.1identifies the differences between them.Table 6.1 Public and Private KeysKey Description UsedPrivate Never made known to anyone else DecryptionPublic Known worldwide EncryptionPublic key cryptography is also known as asymmetric cryptography, since different keys are used bydifferent users to encrypt and decrypt a file.Public-key-based algorithms usually are very high at the securitylevel, but they are considered to be a slow process.The basic process of public key encryption anddecryption is illustrated in Figure 6.1.http://corpitk.earthweb.com/reference/pro/1928994024/ch06/06-01.html (2 of 3) [8/3/2000 6:53:28 AM]Configuring Windows 2000 Server Security:Encrypting File System for Windows 2000Figure 6.1 This is a public key encryption.Instead of the key pair, symmetric cryptography uses a single secret key.One popular method of symmetriccryptography is Data Encryption Standard (DES), which was defined in 1977 by the National Bureau ofStandards for commercial and nonclassified use.Developed by a team of IBM engineers, who used theirLucifer cipher and input from the National Security Agency, DES is an encryption algorithm using a 56-bitbinary number key.Figure 6.2 This is a secret key algorithm.Secret key algorithms are implemented quickly.Because the DES algorithm is the key that is used for bothencrypting and decrypting data, this security mechanism is weak in its design.Figure 6.2 illustrates the secretkey algorithm method.One major difference between symmetric and asymmetric algorithms is the number of keys that are used inthe process.Public key algorithms use a key pair, but secret key algorithms use a single key.This majordifference can clearly be seen in Figures 6.1 and 6.2.What the figures do not show is the difference betweenthe two algorithms in the amount of time needed to process fully the encrypting/decrypting of the file.At oneend of the spectrum, the symmetric algorithms are useful for large amounts of data; at the other end,asymmetric algorithms are useful for small amounts of data.Public key encryption is a slower processmethod than secret key encryption, so each should be implemented appropriately.How EFS WorksMicrosoft implements both secret key encryption, which is a fast and less secure process, along with publickey encryption, which is slow but more secure [ Pobierz całość w formacie PDF ]

zanotowane.pl

doc.pisz.pl

pdf.pisz.pl

wblaskucienia.xlx.pl