FAQ
What is DES?
The Data Encryption Standard (DES) is a published federal encryption standard
created to protect unclassified computer data and communications. DES has
been incorporated into numerous industry and international standards since
the Secretary of Commerce first approved DES as a Federal Information Processing
Standard during the height of the Cold War in the late 1970s. The encryption
algorithm specified by DES is a symmetric, secret-key algorithm. Thus it
uses one key to encrypt and decrypt messages, on which both the sending
and receiving parties must agree before communicating. It uses a 56-bit
key, which means that a user must correctly employ 56 binary numbers, or
bits, to produce the key to decode information encrypted with DES.
Who uses DES?
Promulgation of DES as a stable and certified technology stimulated supply
and demand, and DES is now generally believed to be the most widely used
general-purpose cryptosystem in the world. Although the initial selection
of the algorithm was controversial since the NSA was involved in its design,
DES has gained wide acceptance and has been the basis for several industry
standards, mainly because it is a public standard and can be freely evaluated
and implemented. DES technology is readily available worldwide, and several
international standards have adopted the algorithm. The process by which
DES was developed and evaluated also stimulated private sector interest
in cryptographic research, ultimately increasing the variety of commercial
security technologies. By 1993, 40 manufacturers were producing about 50
implementations of DES in hardware and firmware that the National Institute
for Standards (NIST) had validated for federal use. Another estimated 60
companies were producing software implementations of DES. A 1993 industry
estimate of U.S. sales of DES hardware and software products was between
$75 million and $125 million annually (OTA, 1994). In April 1994, a survey
of products using cryptography in the United States and abroad conducted
by the Software Publishers Association identified 245 domestic encryption
products using DES. Trusted Information Systems reported that DES was found
in 281 foreign and 466 domestic encryption products -- between a third and
half of the market -- as of December 1997.
What is Blowfish?
Blowfish is a symmetric
block cipher that can be used as a drop-in replacement for DES or IDEA.
It takes a variable-length key, from 32 bits to 448 bits, making it ideal
for both domestic and exportable use. Blowfish was designed in 1993 by Bruce
Schneier as a fast, free alternative to existing encryption algorithms.
Since then it has been analyzed considerably, and it is slowly gaining acceptance
as a strong encryption algorithm. Blowfish is unpatented and license-free,
and is available free for all uses.
What is Square?
Square is a 128-bit block cipher, designed by Joan Daemen and Vincent Rijmen.
The original design of Square concentrated on the resistance against differential
and linear cryptanalysis. Lars Knudsen did an additional cryptanalysis.
Square is not patented.
What is Cast?
The CAST algorithm
supports variable key lengths, anywhere from 40 bits to 128 bits in length.
This ensures that an appropriate security level is given to data for the
intended purpose and enables seamless interoperation with exportable versions
of products, where necessary. CAST uses a 64-bit block size which is the
same as the Data Encryption Standard (DES), making it a suitable drop-in
replacement. CAST has been shown to be two to three times faster than a
typical implementation of DES and six to nine times faster than a typical
implementation of triple-DES.
What key size is strong?
It is instructive to compare this recommendation with both Federal Information
Processing Standard 46, The Data Encryption Standard (DES), and Federal Information
Processing Standard 185, The Escrowed Encryption Standard (EES). DES was
proposed 21 years ago and used a 56-bit key. Applying Moore's Law and adding
14 bits, we see that the strength of DES when it was proposed in 1975 was
comparable to that of a 70-bit system today. Furthermore, it was estimated
at the time that DES was not strong enough and that keys could be recovered
at a rate of one per day for an investment of about twenty-million dollars.
Our 75-bit estimate today corresponds to 61 bits in 1975, enough to have moved
the cost of key recovery just out of reach. The Escrowed Encryption Standard,
while unacceptable to many potential users for other reasons, embodies a
notion of appropriate key length that is similar to our own. It uses 80-bit
keys, a number that lies between our figures of 75 and 90 bits.
| Type of Attacker | Budget | Tool | Time and Cost Per Key (40 bits) | Time and Cost Per Key (56 bits) | Length Needed for Protection |
|---|---|---|---|---|---|
| Pedestrian Hacker | tiny | PC | 1 week | Infeasible | 45 |
| Small Business | $400 | FPGA | 5 hr ($0.08) | 38 yr ($5,000) | 50 |
| | $10K | FPGA | 12 min ($0.08) | 556 days ($5,000) | 55 |
| Corporate Department | $300K | FPGA | 24 sec ($0.08) | 19 days ($5,000) | 60 |
| | | ASIC | 18 sec ($0.001) | 3 hr ($38) | |
| Large Company | $10M | FPGA | 7 sec ($0.08) | 13 hr ($5,000) | 70 |
| | | ASIC | 0.005 sec ($0.001) | 6 min ($38) | |
| Intelligence Agency | $300M | ASIC | 0.0002 sec ($0.001) | 12 sec ($38) | 75 |
For the full text, see: ftp://research.att.com/dist/mab/keylength.txt
Does Sentry 2020 Encrypt your entire drive?
Sentry 2020 does not encrypt your entire drive. Instead, virtual hard drive
volumes are created to hold your data. A virtual volume is a large file
usually located on your hard drive which can be mapped to a drive letter.
This is very similar to the way DriveSpace, Stacker or DoubleSpace works.
Where will my encrypted data appear after mounting a volume on my HPC?
Under Windows CE 2.0 it appears under the "\Storage Card#" folder.
Under Windows CE 2.1 or later it will appear under the "\Encrypted"
folder.
Can Sentry 2020 encrypted data be safely backed up?
Sentry 2020 encrypted volumes can be backed up using any normal backup
utility. By backing up the large volume file, your data remains encrypted
on the backup media. The person performing the backup does not need to know
your password. On the other hand, if you map your volume to a drive letter
and then back up the data on that drive, the data saved to the backup media
will be unencrypted.
Does Sentry 2020 encrypt the Windows operating system or boot tracks?
Sentry 2020 does not encrypt the boot areas of your hard drive nor any
of your operating system files.
What happens when you lose your password?
You lose your data.
How can Sentry 2020 protect you when logged onto the Internet?
Sentry 2020 protects you from having your sensitive files sucked up across
the Internet when you unmap your encrypted volumes before logging on. Files
contained on unmapped volumes are inaccessible to you, the Internet, and
anyone else.
Does Sentry 2020 work with removable media such as ZIP disks?
Sentry 2020 encrypted volumes can be created on almost any kind of disk
media. This includes floppy disks, ZIP disks, MO's and others.
Does Sentry 2020 work with Windows 95/98/ME?
No, Sentry 2020 does not work with Windows 95/98/ME.
I left a Sentry 2020 volume mounted, but when I came back later it had changed
to dismounted?
Sentry 2020 has a timeout option that will automatically dismount a drive
after a preset period of inactivity. The default timeout is 30 minutes. You
can change it to another value or set it to zero to disable the timeout.
When I start Sentry 2020 I get two error messages: 'Access is denied' and 'The
system cannot find the file specified'?
This happens when Sentry.exe (and SentryDriver.sys) are located on one
computer and run from another. Windows cannot start a device
driver from a remote disk. You should run Sentry from a local hard disk.
How does Sentry 2020 treat passwords and keys?
Each volume is encrypted using a randomly generated key,
which itself is encrypted using a user supplied password.
Random value generation uses parameters such as mouse movement,
timer, performance counters, etc., which are scrambled using the SHA1 hash algorithm.
The randomly generated key is stored in a KEY file,
encrypted with a user supplied password and a randomly generated "salt" value
stored in the same file. Volume encryption is performed on each 512 byte block independently.
Before encryption, the contents of each block are scrambled
using the number representing the position of the block in the volume.
This is done so that two blocks with identical contents (for example, all zeros)
will look totally different after encryption.
Can I burn a Sentry volume to CD-R and use it from there?
Yes. One thing to remember is that NTFS on Windows NT/2000 does not support read-only volumes.
So if you are planning to use such a Sentry volume on Windows NT/2000 you must format it using the FAT or FAT32 file system.
Windows XP NTFS supports read-only volumes, so if you are planning to only use the volume on Windows XP,
you can format it using either FAT/FAT32 or NTFS.
Why not use EFS built into Windows 2000/XP file system?
Here is an (incomplete) list of EFS problems:
1. Files are only encrypted while they reside on an NTFS volume.
Every time they are moved to a FAT volume or between computers using network,
floppy, CD-R, etc. they are seamlessly decrypted and left in decrypted form.
Sentry volumes can easily be moved between computers, backed up, burned to CD-R, etc.
all in encrypted form.
2. Only file contents are encrypted, not the file system structures.
This allows everyone to see file names, sizes, dates, etc. which in many cases is a security
breach in itself. On a Sentry volume everything is encrypted including file system structures.
3. EFS is completely broken on Windows 2000. Microsoft forgot to encrypt the private key using the user's
logon password, which means that anyone with physical access to the computer can read your encrypted files,
completely defeating the whole purpose of encryption.
This particular vulnerability appears to be fixed in Windows XP.
What is the procedure for recovering encrypted data?
To be able to recover encrypted data later (in case the user forgets the password) you need to:
1. Create the encrypted volume with some password known to the admin or without a password at all.
2. Make a copy of the volume's .key file and store it in a safe place.
3. Let the user change the volume password to whatever he or she likes.
If the user forgets the password, use this procedure to access the data:
1. Copy the saved .key file over the one the user has.
2. Use the admin password (which could be no password at all) to mount the encrypted volume.
If no .key file copy with a known password is saved, there will be no way to recover the data. The security requirements prohibit magic solutions like "super passwords" because they could easily be used to circumvent the encryption.
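Why the saved .key copy still opens the volume after the user changes the password follows from the key handling described under "How does Sentry 2020 treat passwords and keys?": the password only wraps the random volume key, it never touches the volume data. The sketch below is an added example, not Sentry 2020's code. The key-file layout, PBKDF2 as the password KDF and the HMAC keystream standing in for the volume cipher are all assumptions, since the page names none of them.

```python
import hashlib, hmac, secrets

SECTOR = 512  # per-block size stated on the page

def derive_kek(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256; the page does not name the password KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(volume_key: bytes, password: str) -> dict:
    """Hypothetical KEY-file record: random salt, wrapped volume key, check tag."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(password, salt)
    wrapped = xor(volume_key, kek[:32])
    tag = hmac.new(kek[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(key_file: dict, password: str) -> bytes:
    kek = derive_kek(password, key_file["salt"])
    tag = hmac.new(kek[32:], key_file["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, key_file["tag"]):
        raise ValueError("wrong password for this key file")
    return xor(key_file["wrapped"], kek[:32])

def change_password(key_file: dict, old: str, new: str) -> dict:
    # Only the wrapping changes; the volume key (and the volume data) stay the same.
    return wrap_key(unwrap_key(key_file, old), new)

def crypt_sector(volume_key: bytes, index: int, data: bytes) -> bytes:
    """Toy stand-in cipher: XOR with an HMAC keystream bound to the sector index.
    The same call encrypts and decrypts. Not suitable for real disks."""
    stream = b"".join(
        hmac.new(volume_key, index.to_bytes(8, "big") + bytes([i]), hashlib.sha256).digest()
        for i in range(-(-len(data) // 32)))
    return xor(data, stream)

def recovery_scenario() -> bool:
    volume_key = secrets.token_bytes(32)           # random per-volume key
    admin_copy = wrap_key(volume_key, "admin-pw")  # steps 1-2: copy kept in a safe place
    user_file = change_password(admin_copy, "admin-pw", "user-pw")  # step 3
    sector = crypt_sector(volume_key, 7, bytes(SECTOR))  # data written by the user
    # User forgets "user-pw": put the saved copy back and mount with the admin password.
    recovered = unwrap_key(admin_copy, "admin-pw")
    return crypt_sector(recovered, 7, sector) == bytes(SECTOR)

if __name__ == "__main__":
    print("recovered:", recovery_scenario())
```

The same property means an old copy of a .key file stays valid after a password change, so every saved copy needs the same protection as the current one.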