IE. By default, IE 5.5 uses high encryption. To verify your version number, select About Internet Explorer from IE's Help menu. The high-encryption update file for IE 5.0 and IE 4.0, ie5dom.inf, lists one unique file that doesn't appear in the high-encryption version of NT. To verify that you're running the high-encryption version of IE 5.1 or IE 5.0, look for the sch128c.dll file in the \system32 directory. As Figure 2 shows, the Original Filename description on the Version tab of sch128c.dll's Properties sheet shows that this file replaces schannel.dll.

IE 128-bit updates also create a registry entry in the Add/Remove Programs list so that you can uninstall the 128-bit version. Start a registry editor, and navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\128PATCH subkey. If this subkey exists, your system is running the high-encryption version of IE.

Using Syskey to Encrypt SAM Passwords
NT never stores a password in clear text. For security purposes, the OS first hashes the password, then modifies the hash value with another function and stores the result, a password derivative, in the SAM database. NT performs a similar operation before caching logon credentials on the local system. Because password protection depends on hashing rather than encryption, the 128-bit version doesn't provide additional password protection.

However, you can introduce a second level of password protection by activating the Syskey feature. This utility, which ships with every post-SP3 system, strongly encrypts all derivative passwords that NT stores in the SAM database. This feature prevents a user with valid or illegally obtained administrative rights from accessing password derivatives.

When you enable Syskey encryption, the utility prompts you to select one of three options for defining and storing the system key that encrypts password derivatives. First, you can use a machine-generated random key and use a complex obfuscation algorithm to store the key on the local system. This option is the only option that permits an unattended system restart. Second, you can select a machine-generated random key and store the system encryption key on a disk. When you shut down the system, NT won't restart until you insert the disk that contains the stored system key. Third, you can enter a password to generate the system key, and NT won't restart until you enter the password during system startup.

If you want to experiment with system-key encryption, I recommend that you read the Microsoft article "Windows NT System Key Permits Strong Encryption of the SAM" (http://support.microsoft.com/support/kb/articles/q143/4/75.asp). Start on a test system, do a full backup, and update the emergency repair disk (ERD) and the security databases (i.e., with the /s option) before you activate Syskey. If you lose the encryption key, the only way you can return the system to its previous state is to repair it with the ERD, which contains the unencrypted password database. Also, restoring a system to the pre-Syskey version is difficult, if not impossible, so be sure to make your decision carefully.
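The IE verification steps above (the Original Filename check on sch128c.dll and the 128PATCH uninstall subkey) and the Syskey key-storage choice, combined into one read-only audit script. This is an added example, not code from the article; reading the Syskey mode from the SecureBoot value under the Lsa key, and the meanings 1 = stored locally, 2 = startup password, 3 = floppy, are assumptions the article does not state.

```powershell
# Added example (not from the article): consolidates the article's checks for the
# high-encryption IE update and reports the Syskey key-storage mode.
# Assumption: the Syskey mode is read from the SecureBoot value under the Lsa key
# (1 = key stored locally, 2 = startup password, 3 = key on floppy disk);
# those value meanings are not stated in the article.
$system32 = Join-Path $env:SystemRoot 'system32'
$schDll   = Join-Path $system32 'sch128c.dll'
$ieKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\128PATCH'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Check 1: the 128-bit schannel replacement is present, and its Original Filename
# (the same field shown on the Version tab of the Properties sheet) names the
# file it replaces.
if (Test-Path $schDll) {
    $orig = (Get-Item $schDll).VersionInfo.OriginalFilename
    Write-Output "sch128c.dll present; OriginalFilename = $orig"
} else {
    Write-Output 'sch128c.dll missing: high-encryption IE update not detected'
}

# Check 2: the uninstall entry that the 128-bit IE update creates.
if (Test-Path $ieKey) {
    Write-Output '128PATCH uninstall subkey present'
} else {
    Write-Output '128PATCH uninstall subkey absent'
}

# Check 3: Syskey mode (assumed value meanings, see comment above). Mode 1 is
# the only one that allows an unattended restart; modes 2 and 3 need the
# password or the disk at every boot, which matters for planning recovery.
$modes = @{
    1 = 'key stored locally (unattended restart possible)'
    2 = 'startup password required at boot'
    3 = 'key stored on floppy disk, required at boot'
}
$sb = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).SecureBoot
if ($null -eq $sb) {
    Write-Output 'SecureBoot value absent: Syskey not enabled'
} elseif ($modes.ContainsKey([int]$sb)) {
    Write-Output "Syskey enabled, mode $sb : $($modes[[int]$sb])"
} else {
    Write-Output "Syskey SecureBoot value $sb is not one of the documented modes"
}
```

Run it before and after applying the updates, and record the Syskey mode alongside the ERD so that whoever restores the system knows whether a password or disk will be needed at boot.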

Security Is Never Absolute
The high-encryption version of NT significantly increases the work that an intruder must perform to decrypt intercepted data on a LAN or remote connection. However, security is never absolute. In 2000, RSA Laboratories issued a public challenge to crack its 140-bit RSA encryption key. Someone cracked the key within a month. RSA Laboratories subsequently issued another challenge to crack its 512-bit RSA key. Someone cracked that key in just over 7 months. In response to the results of these challenges, RSA Laboratories currently advocates a minimum key length of 768 bits.

As CPU power increases, so does the ability to crack keys more quickly. To address ever-increasing raw computing power, new encryption algorithms and longer keys will soon raise the bar on data security.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com.

LAWRENCE E. HUGHES
"How Authentication Is Used in Network Applications," October 1997, InstantDoc ID 99
GARY C. KESSLER
"Deciphering Cryptography," December 1999, InstantDoc ID 7587
KEITH PLEAS
"Securing Windows NT," October 1996, InstantDoc ID 2740
PAULA SHARICK
"What's New in SP6a?" May 2000, InstantDoc ID 8451
TAO ZHOU
"5 Security Algorithms," August 1998, InstantDoc ID 8257
