1997-10-12 - Re: [NTSEC] NT 5 questions (fwd)

Header Data

From: Ray Arachelian <sunder@brainlink.com>
To: cypherpunks <cypherpunks@toad.com
Message Hash: df47d64379d8357925d48dca0d5a546f62c5ac3a0e8cd7878fdb673cb070d3b1
Message ID: <Pine.SUN.3.96.971012140727.6520D-100000@beast.brainlink.com>
Reply To: N/A
UTC Datetime: 1997-10-12 18:09:06 UTC
Raw Date: Mon, 13 Oct 1997 02:09:06 +0800

Raw message

From: Ray Arachelian <sunder@brainlink.com>
Date: Mon, 13 Oct 1997 02:09:06 +0800
To: cypherpunks <cypherpunks@toad.com
Subject: Re: [NTSEC] NT 5 questions (fwd)
Message-ID: <Pine.SUN.3.96.971012140727.6520D-100000@beast.brainlink.com>
MIME-Version: 1.0
Content-Type: text/plain





=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================

---------- Forwarded message ----------
Date: Sun, 12 Oct 1997 16:44:38 -0000
From: Peter Fey <fey@nue.et-inf.uni-siegen.de>
To: ntsecurity@iss.net
Subject: Re: [NTSEC] NT 5 questions

Hi Matt,

first - the last 2-3 days I've been 'BEHIND' the list - had to read some 200
mails to get by.  ;-)()
So maybe someone else did anser just your first question.

> One of the addition to NT is disk encryption w/escrow.  Is this the
> Kerberos aspect of it?

Right, one of the new features of NT 5 is the EFS (Encryption File System)
including a feature called data-recovery.

The EFS is an additional layer above good-old NTFS to allow users to encrypt
single files, directories and whats below or whole drives. One reason
Microsoft added EFS was to nihilate tools like NTFSDOS --- reading an
NTFS-volume just by booting it on a DOS-disk in the NTbox. Another is
protection of -lost- notebooks and the like ...

As the whitepaper on the M$ site shows, the made up a pretty easy to handle
and ?? pretty secure ?? to deal with system. Using asymmetric cryptography -
i.e. private and public keys - they are up2date in technology and supporting
weak and strong encryption 40/56 bit DES they confirm with the US export
restrictions on cry. An migration path from 40 to 56 bit is mentioned too -
if restrictions will lower down. (Hope so !)

The second aspect of EFS ist the ?option? to data-recovery (not key recovery
or key escrow). There is one/more Security Agents -the Admin or delegated
persons- whose public key will be used in an additional encrypted-block to
give companies the possibility to restore the !! DATA !!! encrypted with the
public key of that Sec-Agent.

NOTE: The private key of the user will not be used or made public to anyone
at anytime !!  (Replace anyone by Company, Manager, Hacker, Government, FBI
or the like) By this it seems to be true data-recovery as should be. The
open question states itself - what backdoors did/had to M$ implement to cope
with US.

---

Kerberos v5 is something completely different ! It is build up to replace
the silly plaintext and the clever (but broken) challenge/response protocols
of older versions of NT. [Call for Hackers]

On the one hand you will loose lots of compatibility but gain lots of
security. It is strongly used in the authentication of the new directory
structure of NT 5 (another withepaper to read). Kerb v5 also points in the
direction of DCE / *NIX compatibility.

---

IMHO the effort of M$ is quite good but not nearly completed as there are
several needed features not implemented yet and announced for NT 5.x or 6.
And its a BETA if you have it !
As you can think I'm really hot to get the NT5 beta to test those new
features.

---

Discuss it   : )

Peter
simply a german student (and nearly MCSE)









Thread