What is DES?
The Data Encryption Standard (DES) is a published federal encryption standard
created to protect unclassified computer data and communications. DES has
been incorporated into numerous industry and international standards since
the Secretary of Commerce first approved DES as a Federal Information Processing
Standard during the height of the Cold War in the late 1970s. The encryption
algorithm specified by DES is a symmetric, secret-key algorithm. Thus it
uses one key to encrypt and decrypt messages, on which both the sending
and receiving parties must agree before communicating. It uses a 56-bit
key, which means that a user must correctly employ 56 binary numbers, or
bits, to produce the key to decode information encrypted with DES.
Who uses DES?
Promulgation of DES as a stable and certified technology stimulated supply
and demand, and DES is now generally believed to be the most widely used
general-purpose cryptosystem in the world. Although the initial selection
of the algorithm was controversial since the NSA was involved in its design,
DES has gained wide acceptance and has been the basis for several industry
standards, mainly because it is a public standard and can be freely evaluated
and implemented. DES technology is readily available worldwide, and several
international standards have adopted the algorithm. The process by which
DES was developed and evaluated also stimulated private sector interest
in cryptographic research, ultimately increasing the variety of commercial
security technologies. By 1993, 40 manufacturers were producing about 50
implementations of DES in hardware and firmware that the National Institute
for Standards (NIST) had validated for federal use. Another estimated 60
companies were producing software implementations of DES. A 1993 industry
estimate of U.S. sales of DES hardware and software products was between
$75 million and $125 million annually (OTA, 1994). In April 1994, a survey
of products using cryptography in the United States and abroad conducted
by the Software Publishers Association identified 245 domestic encryption
products using DES. Trusted Information Systems reported that DES was found
in 281 foreign and 466 domestic encryption products -- between a third and
half of the market -- as of December 1997.
What is Blowfish?
Blowfish is a symmetric
block cipher that can be used as a drop-in replacement for DES or IDEA.
It takes a variable-length key, from 32 bits to 448 bits, making it ideal
for both domestic and exportable use. Blowfish was designed in 1993 by Bruce
Schneier as a fast, free alternative to existing encryption algorithms.
Since then it has been analyzed considerably, and it is slowly gaining acceptance
as a strong encryption algorithm. Blowfish is unpatented and license-free,
and is available free for all uses.
What is Square?
Square is a 128-bit block cipher, designed by Joan Daemen and Vincent Rijmen
. The original design of Square concentrated on the resistance against differential
and linear cryptanalysis. Lars Knudsen did an additional cryptanalysis.
Square is not patented.
What is Cast?
The CAST algorithm
supports variable key lengths, anywhere from 40 bits to 128 bits in length.
This ensures that an appropriate security level is given to data for the
intended purpose and enables seamless interoperation with exportable versions
of products, where necessary. CAST uses a 64-bit block size which is the
same as the Data Encryption Standard (DES), making it a suitable drop-in
replacement. CAST has been shown to be two to three times faster than a
typical implementation of DES and six to nine times faster than a typical
implementation of triple-DES.
What key size is strong?
It is instructive to compare this recommendation with both Federal Information
Processing Standard 46, The Data Encryption Standard(DES), and Federal Information
Processing Standard 185, The Escrowed Encryption Standard (EES). DES was
proposed 21 years ago and used a 56-bit key. Applying Moore's Law and adding
14 bits, we see that thestrength of DES when it was proposed in 1975 was
comparable to that ofa 70-bit system today. Furthermore, it was estimated
at the time that DES was not strong enough and that keys could be recovered
at a rateof one per day for an investment of about twenty-million dollars.
Our 75-bit estimate today corresponds to 61 bits in 1975, enough to havemoved
the cost of key recovery just out of reach. The Escrowed Encryption Standard,
while unacceptable to many potential users forother reasons, embodies a
notion of appropriate key length that issimilar to our own. It uses 80-bit
keys, a number that lies betweenour figures of 75 and 90 bits.
Time and Cost Per Key
For full text please go: ftp://research.att.com/dist/mab/keylength.txt
Does Sentry 2020 Encrypt your entire drive?
Sentry 2020 does not encrypt your entire drive. Instead, virtual hard drive
volumes are created to hold your data. A virtual volume is a large file
usually located on your hard drive which can be mapped to a drive letter.
This is very similar to the way DriveSpace, Stacker or DoubleSpace works.
Where my encrypted data will appear after mounting volume on my HPC?
Under Windows CE 2.0 it appear under "\Storage Card#" folder.
Can Sentry 2020 encrypted data be safely backed up?
Under Windows CE 2.1 or later it will appear under "\Encrypted"
Sentry 2020 encrypted volumes can be backed up using any normal backup
utility. By backing up the large volume file, your data remains encrypted
on the backup media. The person performing the backup does not need to know
your password. On the other hand, if you map your volume to a drive letter
and then back up the data on that drive, the data saved to the backup media
will be unencrypted.
Does Sentry 2020 encrypt the Windows operating system or boot tracks?
Sentry 2020 does not encrypt the boot areas of your hard drive nor any
of your operating system files.
What happens when you lose your password?
You lost your data.
How can Sentry 2020 protect you when logged onto the Internet?
Sentry 2020 protects you from having your sensitive files sucked up across
the Internet when you unmap your encrypted volumes before logging on. Files
contained on unmapped volumes are inaccessible to you, the Internet, and
Does Sentry 2020 work with removable media such as ZIP disks?
Sentry 2020 encrypted volumes can be created on almost any kind of disk
media. This includes floppy disks, ZIP disks, MO's and others.
Does Sentry 2020 work with Windows 95/98/ME?
No, Sentry 2020 does not work with Windows 95/98/ME.
I left Sentry 2020 volume mounted, but when I came back later it had changed
Sentry 2020 has timeout option that will automatically dismount a drive
after preset period of inactivity. The default timeout is 30 minutes. You
can change it to other value or set to zero to disable timeout.
When I start Sentry 2020 I get two error messages: 'Access is denied' and 'The
system cannot find the file specified'?
This happens when Sentry.exe (and SentryDriver.sys) are located on one
computer and run from another. Windows can not start device
driver from remote disk. You should run Sentry from local hard disk.
How Sentry 2020 treats passwords and keys?
Each volume is encrypted using a randomly generated key,
which itself is encrypted using a user supplied password.
Random value generation utilizes parameters like mouse movement,
timer, performance counters, etc. which are scrambled using SHA1 hash algorithm.
The randomly generated key is stored in a KEY file,
encrypted with a user supplied password and a randomly generated "salt" value
stored in the same file. Volume encryption is performed on each 512 byte block independently.
Before encryption, the contents of each block is scrambled
using the number representing the position of the block in the volume.
This is done so that two blocks with identical contents (for example, all zeros)
will look totally different after encryption.
Can I burn Sentry volume to CD-R and use it from there?
Yes. One thing to remember is that NTFS on Windows NT/2000 does not support read-only volumes.
So if you are planning to use such Sentry volume on Windows NT/2000 you must format it using FAT or FAT32 file system.
Windows XP NTFS supports read-only volumes, so if you are planning to only use the volume on Windows XP,
you can format it using either FAT/FAT32 or NTFS.
Why not use EFS built into Windows 2000/XP file system?
Here is an (incomplete) list of EFS problems:
What is the procedure for recovering encrypted data?
1. Files are only encrypted while they reside on NTFS volume.
Every time they are moved to a FAT volume or between computers using network,
floppy, CD-R, etc. they are seamlessly decrypted and left in decrypted form.
Sentry volumes can easily be moved between computers, backed up, burned to CD-R, etc.
all in encrypted form.
2. Only file contents is encrypted, not the file system structures.
This allows everyone to see file names, sizes, dates, etc. which in many cases is a security
breach in itself. On a Sentry volume everything is encrypted including file system structures.
3. EFS is completely broken on Windows 2000. Microsoft forgot to encrypt private key using user's
logon password, which means that anyone with physical access to computer can read your encrypted files,
completely defeating the whole purpose of encryption.
This particular vulnerability appears to be fixed in Windows XP.
To be able to recover encrypted data later (in case user forgets password) you need:
1. Create encrypted volume with some password known to admin or without password at all.
2. Make a copy of volume's .key file and store it in a safe place.
3. Let the user change volume password to whatever he or she likes.
If user forgets password, use this procedure to access data:
1. Copy saved .key file over the one user has.
2. Use admin password (which could be no password at all) to mount encrypted volume.
If no .key file copy with a known password is saved, there will be no way to recover the data. The security requirements prohibit magic solutions like "super passwords" because they could easily be used to circumvent the encryption.