Tablet (Premium, join: 2003-01-15, Czech)
Reply to jansson_mark
Re: OK, now I know what's the problem...

said by jansson_mark:
When you enable FIPS, you can't use SSL2/SSL3, since they use non-FIPS algorithms like MD5 and RC2. When you enable FIPS, only TLS is available with 3DES and SHA-1. If you have FIPS enabled and are going to a www-site that uses SSL2/SSL3 and does not support TLS with 3DES and SHA-1, you will end up in a blank page or "page not found".
In IE options, you can still enable SSL2/SSL3 but IE doesn't use them. If M$ was logical, they would have "greyed out" those options from IE if IE can't use them, but since they aren't, users can still "enable" them from IE options but no matter whether they are enabled or disabled from there, they ARE disabled if FIPS is enabled.
MS support just told me this...
SO... I would suggest that you contact that bank of yours so that they would upgrade to TLS for better security for their customers. I will notify www.nordea.fi about their site...
-- My computer security & privacy related homepage »www.markusjansson.net
[text was edited by author 2003-03-02 21:28:43]

Thank you very much, now I am much clearer about the matter and I will definitely contact the bank. Before that, could you, Markus, or anyone else pls explain to me what in fact FIPS compliance guarantees. Until now I thought that SSL is very secure, now I see that it might not be. I thought 128-bit encryption was used in SSL. I have read your site, Markus, but I didn't get all the stuff about encryption, so sorry if I am completely wrong. Thanks again.

said by Tablet:
Before that, could you, Markus, or anyone else pls explain to me what in fact FIPS compliance guarantees.
»www.itl.nist.gov/fipspubs/geninfo.htm
"Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions."

»www.itl.nist.gov/fipspubs/geninfo.htm#nist
"The major focus of NIST activities in information technology is developing tests, measurements, proofs of concept, reference data and other technical tools to support the development of pivotal, forward-looking technology.
Under Section 513 of the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987, Public Law 104-106, NIST develops standards, guidelines, and associated methods and techniques for Federal computer systems. - including those needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, - when there are compelling Federal requirements and there are no existing voluntary industry standards."

quote: Until now I thought that SSL is very secure, now I see that it might not be.
It is. But NIST approved algorithms are even more secure.

quote: I thought 128-bit encryption was used in SSL.
Actually, SSL uses 40-, 56-, 128- and 168-bit symmetric keys (with the RC4, DES and 3DES algorithms). It also uses 512-3076-bit asymmetric keys (RSA).

quote: I have read your site, Markus, but I didn't get all the stuff about encryption, so sorry if I am completely wrong.
Well, these things are complicated. Some tips here: »www.markusjansson.net/esecuring.html#secure
-- My computer security & privacy related homepage »www.markusjansson.net
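The failure mode described in this exchange (a FIPS-restricted client silently dropping SSL2/SSL3 and the RC4/RC2/MD5 suites, then getting a blank page from a server that only offers those) can be shown as a small negotiation simulation. This is an added example, not code from the thread, from Microsoft or from IE; the suite lists, the `Suite` type and the `negotiate`/`connect` helpers are constructed for illustration, and the allowed set (TLS, 3DES, SHA-1) is simply the rule stated in the quoted post, not Windows' real policy table.

```python
"""Simulate why a FIPS-restricted client fails against an SSL2/SSL3-only server.

Constructed example: the protocol and cipher names below are a small labelled
subset used for illustration, not an actual browser or OS policy table.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Suite:
    protocol: str   # "SSL2", "SSL3" or "TLS1.0"
    cipher: str     # symmetric cipher
    key_bits: int   # symmetric key length
    mac: str        # MAC / hash algorithm


# Rule as stated in the thread: with FIPS on, only TLS with 3DES and SHA-1 remains.
FIPS_PROTOCOLS = {"TLS1.0"}
FIPS_CIPHERS = {"3DES"}
FIPS_MACS = {"SHA-1"}


def fips_allowed(s: Suite) -> bool:
    """True when every component of the suite is on the allowed list."""
    return (s.protocol in FIPS_PROTOCOLS
            and s.cipher in FIPS_CIPHERS
            and s.mac in FIPS_MACS)


def client_offer(all_suites: List[Suite], fips_mode: bool) -> List[Suite]:
    """Behaviour described above: once FIPS is on, the SSL2/SSL3 checkboxes in the
    UI no longer matter; the offered list is filtered regardless of them."""
    if fips_mode:
        return [s for s in all_suites if fips_allowed(s)]
    return list(all_suites)


def negotiate(client_suites: List[Suite], server_suites: List[Suite]) -> Optional[Suite]:
    """Pick the first suite in client-preference order that the server also supports.
    None models the handshake failure the user sees as a blank page."""
    server_set = set(server_suites)
    for s in client_suites:
        if s in server_set:
            return s
    return None


# Constructed suite lists (client preference order, strongest first).
CLIENT_SUITES = [
    Suite("TLS1.0", "3DES", 168, "SHA-1"),
    Suite("TLS1.0", "RC4", 128, "MD5"),
    Suite("SSL3", "RC4", 128, "MD5"),
    Suite("SSL3", "DES", 56, "SHA-1"),
    Suite("SSL2", "RC2", 40, "MD5"),
]
# A server that never moved past SSL3 (the "bank" in the thread) ...
LEGACY_BANK = [Suite("SSL3", "RC4", 128, "MD5"), Suite("SSL2", "RC2", 40, "MD5")]
# ... and one that also offers TLS with 3DES/SHA-1.
MODERN_BANK = [Suite("TLS1.0", "3DES", 168, "SHA-1"), Suite("SSL3", "RC4", 128, "MD5")]


def connect(server_suites: List[Suite], fips_mode: bool) -> Optional[Suite]:
    """One simulated connection attempt from the constructed client."""
    return negotiate(client_offer(CLIENT_SUITES, fips_mode), server_suites)


def main() -> None:
    for name, server in (("legacy bank", LEGACY_BANK), ("modern bank", MODERN_BANK)):
        for fips in (False, True):
            result = connect(server, fips)
            if result is None:
                status = "HANDSHAKE FAILED (user sees a blank page)"
            else:
                status = f"{result.protocol} {result.cipher}-{result.key_bits}/{result.mac}"
            print(f"{name:12} FIPS={str(fips):5} -> {status}")


if __name__ == "__main__":
    main()
```

Running it shows the legacy server negotiating SSL3 RC4-128/MD5 with FIPS off and nothing at all with FIPS on, while the server that added TLS with 3DES/SHA-1 works in both modes; that is the upgrade the post asks the bank to make.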
Tablet (Premium, join: 2003-01-15, Czech)
Now I read that Windows XP with SP1 uses AES 256-bit symmetric key encryption for EFS. The document says that if I enable "Use FIPS compliant Algorithms" in Group Policy, EFS will start using 3DES. But based on what I have read, AES is a better and newer symmetric encryption algorithm and it is also already FIPS compliant. This seems to me that by enabling "Use FIPS Algorithms" I actually downgrade my security settings.
You can get the document here: »www.microsoft.com/windowsxp/pro/···stem.doc
said by Tablet:
Now I read that Windows XP with SP1 uses AES 256-bit symmetric key encryption for EFS. The document says that if I enable "Use FIPS compliant Algorithms" in Group Policy, EFS will start using 3DES. But based on what I have read, AES is a better and newer symmetric encryption algorithm and it is also already FIPS compliant. This seems to me that by enabling "Use FIPS Algorithms" I actually downgrade my security settings.

So it seems. I don't quite get this. This is all new to me, I thought that Windows XP always uses either DES or 3DES, but apparently this SP1 changed that thing.
I have asked MS what's the catch here... how can one 1) Use DES for EFS? 2) Use 3DES for EFS (OK, it seems that you can do this when you enable FIPS)? 3) Use AES for EFS (OK, it seems that you can do this when you disable FIPS)?
I refer to this that I found in that document: "Note If a user needs to access an encrypted file from both Windows 2000 and Windows XP, the AES 256 nor the 3DES algorithm should not be enabled." ...so WHAT is enabled then and HOW is it enabled?!?!?!?
-- My computer security & privacy related homepage »www.markusjansson.net
[text was edited by author 2003-03-05 11:06:01]

Tablet (Premium, join: 2003-01-15, Czech)
said by jansson_mark:
I refer to this that I found in that document: "Note If a user needs to access an encrypted file from both Windows 2000 and Windows XP, the AES 256 nor the 3DES algorithm should not be enabled." ...so WHAT is enabled then and HOW is it enabled?!?!?!?
This I find weird too, but the only explanation that comes to me is that the above quote from the document only applies to Win 2000 and Win XP without SP1. So to summarise, I think it is as follows:
Win 2000 and XP without Service Pack use DES as the default crypto. In XP, 3DES may be enabled by enabling "FIPS".
Win XP with SP1 uses AES-256 as default and may use 3DES by enabling "FIPS".
It would be nice if someone from M$ would make it more clear. It still doesn't make sense why with "FIPS" the crypto should be weaker, since AES is already FIPS compliant too. Maybe the next Service Pack will patch it.