=====================================Kaos=Keraunos=Kybernetos============== .+.^.+.| Ray Arachelian |Prying open my 3rd eye. So good to see |./|\. ..\|/..|sunder@sundernet.com|you once again. I thought you were |/\|/\ <--*-->| ------------------ |hiding, and you thought that I had run |\/|\/ ../|\..| "A toast to Odin, |away chasing the tail of dogma. I opened|.\|/. .+.v.+.|God of screwdrivers"|my eye and there we were.... |..... ======================= http://www.sundernet.com ========================== ---------- Forwarded message ---------- Date: Sun, 12 Oct 1997 16:44:38 -0000 From: Peter Fey <fey@nue.et-inf.uni-siegen.de> To: ntsecurity@iss.net Subject: Re: [NTSEC] NT 5 questions Hi Matt, first - the last 2-3 days I've been 'BEHIND' the list - had to read some 200 mails to get by. ;-)() So maybe someone else did anser just your first question.

One of the addition to NT is disk encryption w/escrow. Is this the Kerberos aspect of it?

Right, one of the new features of NT 5 is the EFS (Encryption File System) including a feature called data-recovery. The EFS is an additional layer above good-old NTFS to allow users to encrypt single files, directories and whats below or whole drives. One reason Microsoft added EFS was to nihilate tools like NTFSDOS --- reading an NTFS-volume just by booting it on a DOS-disk in the NTbox. Another is protection of -lost- notebooks and the like ... As the whitepaper on the M$ site shows, the made up a pretty easy to handle and ?? pretty secure ?? to deal with system. Using asymmetric cryptography - i.e. private and public keys - they are up2date in technology and supporting weak and strong encryption 40/56 bit DES they confirm with the US export restrictions on cry. An migration path from 40 to 56 bit is mentioned too - if restrictions will lower down. (Hope so !) The second aspect of EFS ist the ?option? to data-recovery (not key recovery or key escrow). There is one/more Security Agents -the Admin or delegated persons- whose public key will be used in an additional encrypted-block to give companies the possibility to restore the !! DATA !!! encrypted with the public key of that Sec-Agent. NOTE: The private key of the user will not be used or made public to anyone at anytime !! (Replace anyone by Company, Manager, Hacker, Government, FBI or the like) By this it seems to be true data-recovery as should be. The open question states itself - what backdoors did/had to M$ implement to cope with US. --- Kerberos v5 is something completely different ! It is build up to replace the silly plaintext and the clever (but broken) challenge/response protocols of older versions of NT. [Call for Hackers] On the one hand you will loose lots of compatibility but gain lots of security. It is strongly used in the authentication of the new directory structure of NT 5 (another withepaper to read). Kerb v5 also points in the direction of DCE / *NIX compatibility. --- IMHO the effort of M$ is quite good but not nearly completed as there are several needed features not implemented yet and announced for NT 5.x or 6. And its a BETA if you have it ! As you can think I'm really hot to get the NT5 beta to test those new features. --- Discuss it : ) Peter simply a german student (and nearly MCSE)