[PLUG] Windows and Cryptography

Alan Olsen alan.olsen at gmail.com
Mon Feb 12 21:52:03 UTC 2007 

On 2/12/07, Ed Sawicki <ed at alcpress.com> wrote:
>
> I wrote an article recently that needs to be scrutinized
> for accuracy, since I'm not up to speed on Windows Vista.
> It's here:
>
> http://biznix.org/articles/wincrypt.html
>
> Please let me know if anything is incorrect or it needs
> to be improved.


The biggest problem with Cryptography under Windows is that you are not
considered the owner of your machine.  (Especially Vista.)  Given the
actions the OS takes to avoid "unauthorized actions" by the user of the
system, you cannot be certain that the OS is acting in the interests of
another person.

Currently there is file level Cryptography available to business-level users
of Vista, but not home users.  Since it is closed source, it is difficult to
determine if this file system encryption scheme is backdoored for the
benefit of someone else.  If they can't trust you with being allowed to
watch the movies you buy or the music you listen to, what makes you think
they are going to trust you with non-backdoored encrypted file system?  You
might hide pirated movies there!


The other unknowns are the quality of the random number generators, the
algorythms used in the cryptography, and how the information is exposed once
you are logged on.  If the system allows system wide access once the volume
is unencrypted, then you have a problem.  (Linux and Mac have similar
issues, BTW.)  The advantage is that with open systems you can always code
around the weak parts.  With closed systems you have chunks that you
cannot.  And with the new DRM systems, there is code to prevent you from
overriding the OS.

One of the main reasons that I do not use Windows is that the OS is designed
to not allow me to do the things I need to do without getting permission
from Microsoft.  If I get a new motherboard, or need to reinstall, or change
too many bits of hardware, or want to run in a virtual system, or whatever
-- Microsoft gets to stick their nose in and allow or deny those decisions.

In the early days of NT (and it may still be true), you could get around
encrypted content by changing the region to "France".  (Where, at the time,
encryption was illegal.)

There are tools that will allow you to encrypt Windows and can actually do
it right.  I don't know if any of them will work in Vista.  I doubt if they
work now.  I expect they will be made to work by exploiting holes in the
design of Vista.  At least until Vista 2.0.

More information about the PLUG mailing list