Security Basics mailing list archives

Re: password protect encrypted directory


From: "Kelly D. Lucas" <lucaskeli () fastmail fm>
Date: Mon, 16 Aug 2004 17:06:15 -0500

Windows XP supports the Encrypted File System [EFS], as you probably already know. I think once someone has physical access, most security mechanisms will fail. I use OpenSSL to encrypt files, and when used with the 3DES algorithm, I think it will provide good security, and require a password to decrypt the file.

The problem is that once the file is decrypted, if it is altered it would need to be encrypted again, and the decrypted file deleted. This would need to happen every time, and by the user of the file.

If a user has physical access, and you cannot assume that the authenticated user is actually that user, this becomes a much more difficult problem to solve. It breaks the Microsoft security model, and unless the password is of sufficient length, a brute-force attack would break into it soon enough.

Lucas

K.D. Lucas
lucaskeli () fastmail fm




-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Thursday, August 12, 2004 12:38 PM
To: security-basics () securityfocus com
Subject: password protect encrypted directory



G'Day, all.



Hope this isn't too basic of an issue but I wanted to ask for your direction
if possible.



Preface: I have a directory which contains sensitive data on a w2k/xp laptop.
I have the directory and files residing within encrypted.


Issue: I would like to password protect this directory so even the user who
is logged into this profile is prompted for a password prior to gaining
access to this data.



Desired outcome: By accomplishing this (if possible) I wish to deny access
to this data via remote entry/being hacked, and also protect the data should
the laptop be stolen, or someone walks away from their computer without
locking it (i.e. ctrl-alt-del) leaving it wide open for someone to sit down
and start playing.



Is this something that can be accomplished?  Is there commercial or
opensource software available?



I have found software on the web that states it can password protect a
directory, but without installing and testing all of them how can I know if
it is most secure? Has anyone tested or reviewed this type of software?


Is anyone familiar with this that might make a recommendation?



Thanks again in advance for your time.



Regards,

Dana
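
The decrypt, alter, re-encrypt, delete cycle described in the reply above, sketched with the `openssl enc` command as an added example that is not part of either post. The function names and the `VAULT_PASS` variable are hypothetical, and the `-pbkdf2`/`-iter` options assume OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and VAULT_PASS are
# hypothetical; -pbkdf2/-iter need OpenSSL 1.1.1 or later.
# The passphrase is read from the exported variable VAULT_PASS so that it
# never appears on a command line (visible in the process list).

# encrypt_file PLAIN CIPHER: 3DES-CBC with a random salt and a PBKDF2 key.
encrypt_file() {
    openssl enc -des-ede3-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:VAULT_PASS
}

# decrypt_file CIPHER PLAIN: the parameters must match encrypt_file.
decrypt_file() {
    openssl enc -d -des-ede3-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:VAULT_PASS
}

# edit_encrypted CIPHER COMMAND...: decrypt into a private temp directory,
# run COMMAND with the plaintext path appended, re-encrypt, then remove the
# plaintext. Returns 2 when decryption fails.
# Caveats: "openssl enc" is unauthenticated, so a wrong passphrase is usually
# (not always) caught by the padding check, and rm only unlinks the file; the
# plaintext blocks may remain on disk until they are overwritten.
edit_encrypted() {
    ee_enc=$1; shift
    ee_work=$(mktemp -d) || return 1
    chmod 700 "$ee_work"
    ee_plain="$ee_work/plain"
    if decrypt_file "$ee_enc" "$ee_plain" 2>/dev/null; then
        ee_rc=0
        { "$@" "$ee_plain" &&
          encrypt_file "$ee_plain" "$ee_enc.new" &&
          mv "$ee_enc.new" "$ee_enc"; } || ee_rc=$?
    else
        ee_rc=2
    fi
    rm -rf "$ee_work"
    return "$ee_rc"
}

# Usage (constructed file name):
#   export VAULT_PASS='a long passphrase'
#   encrypt_file notes.txt notes.enc && rm notes.txt
#   edit_encrypted notes.enc "${EDITOR:-vi}"
```

Wrapping the whole cycle in one function addresses the reply's concern that the user must remember to re-encrypt and delete every time, but only for edits made through the wrapper.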
