
A.1. Chapter 1: Cryptography Basics

Q: Based on the encryption algorithms discussed in the "Default Encryption Algorithms" section of the white paper, does EFS use symmetric or asymmetric encryption?
A: EFS uses symmetric encryption for actual data encryption. The File Encryption Key (FEK) can use DESX, 3DES, or AES encryption algorithms. In addition, the RSA asymmetric algorithm is used to encrypt the FEK for retrieval.
Q: What encryption algorithm is used to encrypt EFS data on a workstation running Windows 2000?
A: Windows 2000 uses the DESX algorithm to encrypt EFS data.
Q: What encryption algorithms can be used to encrypt EFS data on Windows XP?
A: Windows XP SP1 supports the DESX, 3DES, and AES-256 encryption algorithms.
Q: How does the application of Windows XP SP1 affect EFS encryption?
A: The application of Windows XP SP1 changes the algorithm used for EFS encryption from DESX to AES with a 256-bit key.
Q: What Group Policy setting enables use of 3DES and AES encryption algorithms?
A: You must enable the "System cryptography: Use FIPS-compliant algorithms for encryption" Group Policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Q: What asymmetric encryption algorithm is used to protect the FEK in EFS?
A: EFS uses the RSA asymmetric algorithm to protect the FEK in EFS.
Q: A developer in your organization has a laptop with a dual-boot configuration of Microsoft Windows 2000 Professional and Windows XP Professional. Both operating systems have the latest service packs and security updates. The user's Outlook data file is encrypted, and the same EFS key pair is used in both operating systems to provide access to the Outlook data file.

This morning, your developer was unable to access the Outlook data file when working in Windows 2000, but she was still able to create new encrypted files. Fearing that the Outlook data file was corrupt, she started Windows XP and was able to access the data file. What is the probable cause of this problem?

A: Group Policy is enabling the "System cryptography: Use FIPS-compliant algorithms for encryption" Group Policy setting for the Windows XP computer account. The Outlook data file is being encrypted with 256-bit AES encryption, which cannot be decrypted by Windows 2000 Professional because Windows 2000 supports only DESX encryption.
Q: A project manager has read an article on Cryptography Next Generation and asks whether he can use AES-GMAC as the encryption algorithm for his EFS-encrypted files. What is the minimum operating system that he needs to run to support AES-GMAC?
A: AES-GMAC is supported only on Windows Vista SP1 or on Windows Server 2008.
Q: Does EFS support the use of AES-GMAC for EFS encryption? What support does EFS provide for CNG algorithms and certificates that use CNG algorithms?
A: No, EFS does not support the use of AES-GMAC for EFS encryption. Only CNG algorithms that are also supported by CryptoAPI can be used for EFS encryption. The project manager can use a certificate that utilizes CNG algorithms but cannot use CNG-only algorithms to protect his or her EFS encrypted data.

