Microsoft Windows and Encryption Tools

This document outlines the Microsoft Windows module on data security, focusing on encryption techniques and tools. It covers key concepts, types of encryption (symmetrical and asymmetrical), and specific Microsoft features like Encrypting File System (EFS) and BitLocker for securing data. Additionally, it discusses the importance of digital certificates, key exchange methods, and recovery agents for managing encrypted files.

Uploaded by: Mark Hyde
Microsoft Windows and Encryption Tools and Techniques
Modes of Learning
For this module, the following modes of learning will be used:

• Lecture Notes
• Self-Quizzes

Introduction
Welcome to this module of Operating Systems Security - Windows. In this module we will look at
securing data both when it is stored by the OS and while it is in transit. This will require looking at
different forms of encryption and at the use of digital certificates to authenticate identity and to
transmit public encryption keys.

As you begin this module, please refer to the timeline and make note of any assessments or important
dates. If you have any questions, ask your instructor.

Learning Outcomes
Upon completion of this interactive module, you will be able to:

1. Describe Microsoft Windows security certificates in relation to public key infrastructure and best
practices.
2. Explain encryption protocols used in Microsoft Windows.
3. Assess Microsoft encryption methods for file systems, BitLocker and BitLocker To Go.
4. Evaluate enabling file, folder, and volume-level encryption.

Key Terms and Concepts


Listed below are some important key terms and concepts within this module.

• Plain text
• Cypher Text
• Encryption algorithm
• Symmetrical encryption
• Asymmetrical encryption
• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• RSA encryption
• Elliptic curve cryptography
• Key exchange
• Secure Sockets Layer (SSL)
• Diffie-Hellman Key Exchange
• Encrypting File System (EFS)
• BitLocker
• Trusted Platform Module (TPM)
• Public Key Infrastructure (PKI)
• VPN
• Certificate Revocation List (CRL)
• IPSec
• Certificate Authority (CA)

Encryption for Security


Encryption is a technique for providing privacy for data stored as files and for data moving across
networks. Encryption has been used for thousands of years, but computers provide new challenges and
opportunities. Modern encryption uses the processing power of computers and, in theory, makes it
easy and secure to keep your data safe. As it turns out, the power of computers also makes it possible
for those who wish to read your secrets to convert your data back to a readable format.

Encryption Concepts
The encryption process takes readable data (both human and computer readable), called plaintext, and
using a mathematical algorithm converts it into cypher text. The cypher text can then be converted back
to plaintext by the same algorithm. Notice that this is a two-way function, because encryption works in
both directions, in contrast to hashing, which is a one-way function and can’t be reversed.

The encryption algorithm uses an encryption key as part of the calculation. The key is always kept secret
(in the asymmetrical case described below, it is the private key that is kept secret) so that only the
parties involved can access the plaintext.

There are two types of encryption algorithms that you need to be aware of: Symmetrical and
Asymmetrical.

Symmetrical Encryption
Symmetrical or shared secret encryption uses the same key to both encrypt and decrypt the plaintext.
Popular symmetrical encryption algorithms include DES, 3DES, and AES. Symmetrical encryption is fast,
but it does have one weakness: since the decryption key must be passed on to the receiving party, how
do you transmit it securely?

This is a particular challenge when the parties do not have a previous relationship which is the scenario
we find for eCommerce.

Asymmetrical Encryption
Asymmetrical encryption also called public-private key encryption solves this problem. This method
uses two different keys, one to encrypt and one to decrypt. The same key cannot do both. If you
encrypt with one you must use the other key to decrypt.

In this approach one key, called the private key, is always kept secret and the other key, called the
public key, is made available to the other party.
Let’s take a closer look to see how this works. We will use the industry standard terminology in this
discussion. The two parties who want to transmit private data are Alice and Bob. Eve, the eavesdropper,
wants to intercept the data to read it. Alice wants to receive encrypted data from Bob, so Alice sends
Bob her public key. Alice doesn’t care if Eve intercepts the public key; in fact, she can publish her
public key for the whole world to see.

Bob uses Alice’s public key to encrypt the message and sends it to Alice. Eve knows what Alice’s public
key is and intercepts the message. But she can’t decrypt it. Only the private key which Alice has can
decrypt the message. Because the public key is not a secret, it can be transmitted in email, published on
a web site or stored in a directory such as Active Directory. In fact the most common place to see a
public key is in a digital certificate which authenticates web sites.

Using the figure above, let us re-iterate the steps involved with public-private key encryption:

1. Bob wants to send Alice some encrypted data. Therefore, Alice sends Bob her public key.
2. Bob encrypts his data with Alice’s public key and sends it to Alice.
3. Alice receives Bob’s cypher text and using her private key turns it back into plaintext and reads
it. Mission accomplished.
4. Eve intercepts Bob’s cypher text and also acquires Alice’s public key but cannot decipher it.

Encryption Algorithms
Many encryption standards are available, but you need to be familiar with the popular ones, both
symmetrical and asymmetrical.

• Data Encryption Standard (DES) - DES was developed by IBM and made the official encryption
algorithm for use by the U.S. government in 1977. DES is a block cypher with a 56-bit
effective key length. DES is fast and was considered secure until the mid-1990s. It is no longer
considered secure because of its short key length and should not be used.
• Advanced Encryption Standard (AES) - AES has an alternative name, Rijndael, which you may
run across. It is a block cypher which processes 128-bit blocks with keys of 128, 192 or 256 bits.
It became the U.S. Government standard for top security encryption in 2002 and is now the
recommended method to use.
• RSA encryption - This algorithm is the most popular asymmetrical algorithm. Three individuals,
Ron Rivest, Adi Shamir, and Leonard Adleman, published the technique in 1977, and MIT, where they
worked, was granted a U.S. patent in 1983. The algorithm is now in the public domain. The three
academics went on to start the RSA Security Company. The algorithm depends on the difficulty of
factoring the product of two large prime numbers. With a sufficiently large key size this is
infeasible even on modern super-fast computers. The key sizes used by RSA are 1024, 2048 or 4028
bits. The weakness of RSA encryption is its very high computational requirements, which make it
very slow.
• Triple DES (3DES) - 3DES is an enhancement of DES in which a block of data is processed three
times with the DES algorithm. This increases the key size to 168 bits. 3DES is considered secure
but it is also slow.
• Asymmetrical Encryption - Asymmetrical encryption is a difficult concept to comprehend. It
requires two keys, the public key and the private key, which have to be related to each other and
yet, knowing one, you can’t calculate the other. How is this possible?
• Elliptic curve cryptography - This is another asymmetrical encryption technology. It is based on
the algebraic structure of elliptic curves over finite fields. The details are unimportant here, but
the advantage of this technology is that it uses smaller keys for the same level of security as RSA.
This leads to lower storage and transmission requirements and, for mobile devices, lower power
requirements.

Co-ordination of Symmetrical and Asymmetrical Technology


Neither type of encryption is an all-round solution. Symmetrical encryption has the problem of
distributing its key safely, while asymmetrical encryption is slow and requires more computational
resources. A combination of the two provides a practical solution for maintaining a secure channel.

Because of its slow speed, asymmetrical encryption is usually used to encrypt only small blocks of data.
How small? How about the size of a symmetrical encryption key?
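The following is an added example, not code from the module: it puts the two preceding sections together in PowerShell, using only the .NET crypto classes that ship with Windows PowerShell 5.1 and PowerShell 7 on Windows. Alice's key pair, the session key, the sample message and the function names (Protect-Message, Unprotect-Message) are all constructed for the example. Bob encrypts the bulk data with a one-time AES session key (the symmetrical, fast part) and protects only that 32-byte key with Alice's RSA public key (the asymmetrical, slow part); Eve, holding the public key and the whole envelope, cannot unwrap the session key.

```powershell
# Added example (not from the module): hybrid encryption with .NET classes on Windows.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Alice generates her key pair once. ExportParameters($false) yields the public half only;
# the private half never leaves the $alice object.
$alice       = [System.Security.Cryptography.RSACng]::new(2048)
$alicePublic = $alice.ExportParameters($false)

function Protect-Message {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSAParameters]$RecipientPublicKey)
    # Symmetrical part: a fresh one-time AES-256 session key encrypts the bulk data (fast).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Asymmetrical part: only the 32-byte session key goes through RSA (slow, but the input is tiny).
    $rsa = [System.Security.Cryptography.RSACng]::new()
    $rsa.ImportParameters($RecipientPublicKey)
    [pscustomobject]@{
        WrappedKey = $rsa.Encrypt($aes.Key, $Oaep)   # readable only with Alice's private key
        IV         = $aes.IV
        Body       = $body
    }
}

function Unprotect-Message {
    param($Envelope, [System.Security.Cryptography.RSA]$RecipientPrivateKey)
    # Alice unwraps the session key with her private key, then decrypts the body with AES.
    $sessionKey = $RecipientPrivateKey.Decrypt($Envelope.WrappedKey, $Oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $sessionKey
    $aes.IV  = $Envelope.IV
    $aes.CreateDecryptor().TransformFinalBlock($Envelope.Body, 0, $Envelope.Body.Length)
}

# Constructed sample message
$message   = [System.Text.Encoding]::UTF8.GetBytes('Order 4711: ship 200 units to Nile.com')
$envelope  = Protect-Message -Plaintext $message -RecipientPublicKey $alicePublic   # Bob's side
$recovered = Unprotect-Message -Envelope $envelope -RecipientPrivateKey $alice      # Alice's side
[System.Text.Encoding]::UTF8.GetString($recovered)

# Eve holds the public key and the whole envelope, but a public-only key object cannot decrypt.
$eve = [System.Security.Cryptography.RSACng]::new()
$eve.ImportParameters($alicePublic)
try   { $eve.Decrypt($envelope.WrappedKey, $Oaep) | Out-Null; 'Eve recovered the key (must not happen)' }
catch { "Eve cannot recover the session key: $($_.Exception.GetType().Name)" }
```

Note that the envelope carries three things: the RSA-wrapped session key, the AES IV and the AES body. This is exactly the shape of an SSL/TLS record exchange or an EFS file: a small asymmetrically protected key plus a large symmetrically encrypted payload.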

Key Exchange and Data Encryption


A number of approaches are available for exchanging the keys used in encryption.

The two most popular are as follows:

• SSL/TLS - Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are similar protocols
used by services such as secure web connections to create a secure connection and move
encrypted data across networks. The technology starts by the client connecting to a server and
asking for a connection. The server transmits its public key to the client typically in a digital
certificate.
The client uses the server’s public key to encrypt further communications between the two. The
two parties negotiate and create a session key. The session key is a one-time key which is used
only during this connection and never again. The session key is a symmetrical key and used to
encrypt all data that moves between the two machines.
• Diffie-Hellman Key Exchange - This is another method of key exchange or, to be more accurate,
key generation. In this case each party computes a private number and a public number. The
public numbers are exchanged, and each party combines its own private number with the other
party’s public number to arrive at the same secret key. The Diffie-Hellman key exchange needs to be
used in conjunction with authentication, otherwise it is open to a man-in-the-middle attack.
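The following is an added example, not part of the module: the Diffie-Hellman arithmetic written out in PowerShell with deliberately tiny toy numbers (p = 23, g = 5 and the private numbers 6 and 15 are constructed for the example) so every step can be checked by hand. The function names are the author's own choice. Real deployments use groups of 2048 bits or more; the toy modulus here gives no security at all.

```powershell
# Added example (not from the module): Diffie-Hellman key generation step by step with toy numbers.
$p = [bigint]23   # public prime modulus (toy size, constructed)
$g = [bigint]5    # public generator

function New-DhParty {
    param([string]$Name, [bigint]$PrivateNumber)
    # public number = g^private mod p; the private number is never transmitted
    [pscustomobject]@{
        Name    = $Name
        Private = $PrivateNumber
        Public  = [bigint]::ModPow($g, $PrivateNumber, $p)
    }
}

function Get-DhSharedSecret {
    param([bigint]$MyPrivate, [bigint]$TheirPublic)
    # (their public)^(my private) mod p equals g^(a*b) mod p on both sides
    [bigint]::ModPow($TheirPublic, $MyPrivate, $p)
}

function Get-DhSessionKey {
    param([bigint]$SharedSecret)
    # The raw shared secret is not used directly; hashing turns it into a fixed-size symmetrical key.
    [System.Security.Cryptography.SHA256]::Create().ComputeHash($SharedSecret.ToByteArray())
}

$alice = New-DhParty -Name 'Alice' -PrivateNumber 6    # private numbers are constructed samples
$bob   = New-DhParty -Name 'Bob'   -PrivateNumber 15

# Only the public numbers cross the wire; an eavesdropper sees 8 and 19 and nothing else.
"Alice sends $($alice.Public), Bob sends $($bob.Public)"

$kAlice = Get-DhSharedSecret -MyPrivate $alice.Private -TheirPublic $bob.Public
$kBob   = Get-DhSharedSecret -MyPrivate $bob.Private   -TheirPublic $alice.Public
"Alice computes $kAlice, Bob computes $kBob, equal: $($kAlice -eq $kBob)"   # both sides get 2

# Each side hashes the secret to obtain the session key used for symmetrical encryption of the data.
$keyAlice = Get-DhSessionKey -SharedSecret $kAlice
$keyBob   = Get-DhSessionKey -SharedSecret $kBob
"Session keys match: $([System.BitConverter]::ToString($keyAlice) -eq [System.BitConverter]::ToString($keyBob))"
```

Nothing in this exchange tells Alice that the public number 19 really came from Bob, which is why the text insists on pairing Diffie-Hellman with authentication: in SSL/TLS the server's public value is covered by its certificate, and in the IPSec rules later in this module the peers authenticate with Kerberos or a certificate before the Diffie-Hellman result is used.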

Encrypting File System


Microsoft makes available two capabilities for encryption of data on storage media: EFS and BitLocker.

The Encrypting File System (EFS) allows the system to keep a file safe from prying eyes by making its
content unreadable except to the person who encrypted it. EFS is actually a feature of the NTFS
file system, so if the hard drive is formatted with anything other than NTFS (FAT, FAT32) it will not be
available. Notice that this precludes use of encryption on floppy diskettes and CD/DVD ROM. Because a
USB memory stick is usually formatted with FAT32 by default, it will have to be reformatted to NTFS
before EFS can be used on it.

EFS is transparent to the user once the file has been encrypted. This means that the user can open the
file, work with it, and save it without having to explicitly decrypt it. It is all automatic and the file
remains encrypted. It is common practice and more convenient to encrypt a folder instead of individual
files. This way any file that is placed in the folder will automatically be encrypted. If the user moves the
file to another folder in the volume the file stays encrypted.

Warning: If the user moves the file to another medium that does not support EFS (floppy, USB stick,
CDROM) the file will become decrypted. Moving the file across a network will also decrypt the file. A file
cannot be compressed and encrypted at the same time. Another person who has access to the
computer will not be able to open the file or move/copy it. However, they will see it listed in a directory
listing. They can also delete it if they have the right permissions.

Because the encryption is linked to the user’s password, if the administrator changes or blanks out the
user’s password the user will lose access to the encrypted files. A recovery agent must then gain access
to the files and decrypt them. This does not apply if the user changes their own password.

Encrypting files or folders is a straightforward function. As an exercise you can try this procedure on a
file on your computer now.

This is the procedure:

1. Open up Windows Explorer.
2. Select the file or folder you want to encrypt.
3. Right-click and select Properties.
4. Click the Advanced… button.
5. Select Encrypt contents to secure data. Click OK.

* Note: If you are encrypting a file, you will get a warning message. You can choose to encrypt the file
only or the parent folder.

Question: What colour is the file in the listing in Windows Explorer after the file has been encrypted?
Answer: An encrypted file shows up in Windows Explorer as the colour blue.

Encrypting Files and Folders


Using an encrypted file is transparent to the user. The user simply uses it normally. There is no
additional action required. If a different person tries to open the file, access will be denied. This brings
up the question of file sharing.

Sharing Encrypted Files


Corporate files, particularly files that are stored on a file server, often need to be opened up by more
than one person. Can this be achieved if the file is encrypted?

This feature can be configured but the digital certificate identifying the additional person(s) must be
stored on the same computer. When you open up the Advanced Attributes window of an already
encrypted file or folder you will find a Details button. This will allow you to select additional users but
only if their digital certificates can be found.

The following figures illustrate setting up sharing for an encrypted file:


Recovery Agents
High value files are the ones most likely to be encrypted but what happens if the file is not shared and
the person who encrypted it becomes unavailable? You can imagine many scenarios like this such as an
employee is fired, is on vacation or becomes ill. There must be a way for the file to be recovered.

Even the person who encrypted the file may not be able to open it under one special circumstance that
you must be aware of. If the user’s password was changed for him by the administrator, say because he
forgot it, then the user will no longer be able to open encrypted files. In contrast, if the user changes his
own password then there is no problem.

There is a second person who has access to the file and it is the recovery agent. This is a safety feature
and a default of the system. If the computer is a member of a domain then the recovery agent is the
Domain Admin, actually anyone who is a member of the Domain Admins group. If the computer is not a
member of a domain the recovery agent is the administrator of the workstation.

If this arrangement is not satisfactory then additional recovery agents can be assigned or the recovery
agent can be changed. From the discussion on sharing an encrypted file it was pointed out that the
digital certificate of additional people who can open the file must be found on the computer.

Therefore, the digital certificate of the recovery agent must also be available. Typically the certificate
of the person who is a member of the Domain Admins group and needs to recover the file will be copied
over to the workstation at the time that the recovery needs to take place.

Another possibility must be addressed, that is the loss of the digital certificate if the hard drive fails. If
the files are available from backup but the digital certificate of both the person who encrypted the file
as well as the recovery agent are lost, the files cannot be recovered. This doesn’t apply if the recovery
agent is in the Domain Admins group but does if it is the local administrator. Therefore, it is highly
advisable that the digital certificates of both the user and the recovery agent are backed up with their
private keys to a removable media and stored safely.
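The following is an added example, not from the module: the Windows Explorer procedure earlier in this section, the sharing step and the certificate backup advice above, driven from PowerShell with the cipher.exe tool that ships with Windows. The folder path, the colleague's certificate file name and the backup drive letter are placeholders, and Get-EfsState is a helper written for this example; it must be run on an NTFS volume.

```powershell
# Added example (not from the module): EFS from the command line with cipher.exe.
$folder = 'C:\Users\Public\Payroll'   # placeholder; must live on an NTFS volume

function Get-EfsState {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path       = $item.FullName
        # NTFS records the Encrypted attribute; Encrypted and Compressed are mutually exclusive
        Encrypted  = (($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
        Compressed = (($item.Attributes -band [System.IO.FileAttributes]::Compressed) -ne 0)
    }
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Encrypt the folder (/e) and its subdirectories (/s:). Files created in it from now on are encrypted
# automatically, which is why the text recommends encrypting a folder rather than individual files.
cipher.exe /e "/s:$folder" | Out-Null

$file = Join-Path $folder 'salaries.txt'
Set-Content -LiteralPath $file -Value 'constructed sample data'
Get-EfsState -Path $file          # Encrypted = True, Compressed = False

# Who can open the file? /c lists the user certificates and the recovery agent certificates attached to it.
cipher.exe /c $file

# Sharing: grant a colleague access by adding the .cer file of their EFS certificate (exported on their machine).
# cipher.exe /adduser "/certfile:D:\colleague-efs.cer" $file

# Backup: write your own EFS certificate and private key to removable media as a password-protected .pfx.
# cipher.exe "/x:E:\efs-backup"
```

The /c listing is the command-line view of the Details button described under Sharing Encrypted Files: the first block is the set of users whose certificates can decrypt the file, the second is the recovery agents. If a user's private key or the recovery agent's private key is lost, a file whose /c output names only those two certificates cannot be recovered, which is the case the backup advice above is guarding against.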

BitLocker
While EFS can encrypt individual files and folders, BitLocker is used to encrypt the whole volume. This is
particularly important to anyone who wants to protect their whole hard drive and critical for easily
stolen laptop computers.

Let us get some caveats out of the way at the beginning. BitLocker encrypts volumes not drives. Of
course most computers only have a single drive C: but if a computer’s drive has been divided up into
multiple volumes then BitLocker can be applied selectively. Secondly, modern Windows always creates a
small system partition for boot information on the hard drive. This is never encrypted. Because no drive
letter is assigned to it, it is not available from within Windows and the user doesn’t even know it exists.

BitLocker is only available on some versions of the Windows OS. The versions of Windows that have
BitLocker available are as follows:

• Windows Vista/Windows 7 - Ultimate and Enterprise editions
• Windows 8.1/Windows 10 - Pro and Enterprise editions
• Windows Server - any version since Windows Server 2008

Configuring Encryption Keys for BitLocker


Similar to any other encryption system, BitLocker needs a key as part of the system. There are three
methods of providing the key. The most transparent approach is to store the key on the system. Since
the Windows operating system is stored on drive C: (usually) it is not available until the hard drive is
decrypted and therefore cannot be used to store the key.

The methods are as follows: Trusted Platform Module (TPM), USB Key, and Password/PIN.

Trusted Platform Module (TPM)

The TPM is a component of your computer, either a discrete chip or usually built into the chip set, which
is used to hold cryptographic information. For the purposes of using BitLocker it can hold the encryption
keys. Be aware that not all computers offer this feature and if BitLocker is important, you will need to
check with the manufacturer of your device. After BitLocker has been installed the encryption key is
retrieved from the TPM during initial stages of the boot process and before Windows loads.

Remember that Windows is stored on an encrypted drive and is not accessible until the files are
decrypted and loaded. The TPM has a second security feature: it can detect if the system boot files,
including the BIOS, Master Boot Record or boot files, have been tampered with and will not unlock the
hard drive if they have. In this way, even if a hard drive is extracted from a computer it will stay locked.

A word of caution is in order here. Once the OS has booted successfully the encryption keys are held in
memory. A cold boot attack relies on this fact. If the attacker can reboot the machine into an alternative
OS and quickly do a memory dump, he may be able to harvest the keys. To guard against this attack a
laptop must always be shut down properly and powered down. Do not leave it in a sleep state.

USB Key

The encryption keys can also be stored on a USB key. This requires that the USB key is connected to the
computer during boot time. This method may be useful if the machine does not have a TPM module.
However, it is not convenient and there is always the risk that the USB key may fall into the wrong
hands.

Password/PIN

The final alternative is to type the password/PIN when asked during boot time. Naturally this is
inconvenient and less secure since the PIN is typically long and has to be written down. If the TPM
detects that the boot files have been tampered with the PIN will have to be typed in to recover the hard
disk.

Other Considerations with BitLocker


To increase security with BitLocker you can use multifactor authentication. For example, you can
configure the use of:

TPM + PIN, TPM + USB Key, TPM + PIN + USB Key

Recovering a BitLocker encrypted hard drive can be an issue. If the encrypted hard drive is extracted
from a failed computer how do you recover the data? For these eventualities Windows allows the
password/PIN to be saved to an alternative location such as a USB key or to be printed out and stored
safely. If the computer is a member of an Active Directory domain it is recommended that the keys be
stored in Active Directory.

BitLocker To Go
Moving files between computers on a USB memory stick is a common occurrence. The ease with which a
USB memory stick can be lost or stolen speaks to the need to encrypt the USB memory stick. BitLocker
To Go provides this capability.

If a USB key is inserted into the computer:

1. Open up Windows Explorer.
2. Right-click the USB key.
3. Select Turn on BitLocker…

You will need to provide a password to access the key or you can use a Smart Card instead.

An encrypted USB key will probably be moved from computer to computer and BitLocker To Go is
supported natively on Windows 7/8/10. Only the password will be required to access the files. Windows
XP is different and the BitLocker To Go reader will need to be downloaded in order to access the files.

Note the differences between the two encryption schemes. BitLocker To Go doesn’t support the TPM
for storing keys, only a password or smart card can provide access. Turning on BitLocker can only be
done by the administrator but turning on BitLocker To Go can be done by anyone.
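The following is an added example, not code from the module: it covers the key-protector choices from Configuring Encryption Keys for BitLocker and Other Considerations with BitLocker, together with the BitLocker To Go step just described, using the BitLocker PowerShell module that Windows 8/Windows Server 2012 and later provide. Get-BitLockerAudit is a helper written for this example; the drive letters are placeholders, and the cmdlets must be run from an elevated prompt.

```powershell
# Added example (not from the module): auditing and configuring BitLocker key protectors.
function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint      = $vol.MountPoint
            VolumeType      = $vol.VolumeType        # OperatingSystem, or Data for a BitLocker To Go volume
            Protection      = $vol.ProtectionStatus  # On or Off
            Method          = $vol.EncryptionMethod
            Protectors      = ($types -join ', ')    # e.g. Tpm, TpmPin, Password, RecoveryPassword
            # Without a RecoveryPassword protector the data cannot be recovered if the TPM or the PC fails.
            RecoveryMissing = -not ($types -contains 'RecoveryPassword')
        }
    }
}
Get-BitLockerAudit | Format-Table -AutoSize

# Multifactor (TPM + PIN): add a boot PIN protector next to the TPM protector on the OS volume.
# $pin = Read-Host -AsSecureString 'Boot PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin

# Recovery: add a 48-digit recovery password and escrow it in Active Directory, as recommended above.
# $vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# $rp  = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })[-1]
# Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# BitLocker To Go: a removable volume (placeholder E:) gets a password protector; no TPM is involved.
# $pw = Read-Host -AsSecureString 'Password for the USB stick'
# Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password $pw -UsedSpaceOnly
```

Run the audit first: a laptop whose OS volume reports Protectors = Tpm and RecoveryMissing = True is exactly the machine that becomes unrecoverable when the TPM detects a boot-file change or the motherboard is replaced, so the RecoveryPassword protector should be added and backed up before the device leaves the building.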

Digital Certificates and Public Key Infrastructure


Digital Certificates

Digital certificates are used extensively in Windows, across the Internet for eCommerce and generally
whenever authentication is required.
The two functions that digital certificates are used for are: Authentication and Transmitting public
encryption keys.

A digital certificate is used for authentication, in other words it proves identity. An excellent example is
proving that the web site that you are accessing is truly the web site that you think it is. This is crucial if
you want to purchase something and you need to provide your credit card information. Think about on-
line banking. Wouldn’t it be nice to know before you input your bank password that it really is the bank
you are connected to?

So how does a digital certificate prove identity? Surprisingly the answer is trust. A certificate authority
(CA) vouches for the identity of the web site and you trust the CA.

Public Key Infrastructure (PKI)

The structure that investigates the identity of an entity, vouches for it and then provides documentation
for it is known as PKI. An example will best illustrate the concept. Imagine a large eCommerce site on
the Internet that sells books and lots of other things. Its name is Nile.com and is a competitor to that
other huge river eCommerce site. The first step is to contact a Certificate Authority, for example
VeriSign, whose business it is to vouch for the identity of entities on the Internet.

A CA’s business is to vouch for the identity of entities such as businesses, governments, even ordinary
people who want to encrypt email. In order to protect its business the CA must weed out fictitious
businesses, hackers, illegal organizations, and so on. In order to do so the CA may visit the business, get
credit reports, use a private investigator or any means that it needs to verify the identity. The CA
charges for this service naturally so the strength of the authentication determines the steps needed. A
bank would need bullet proof authentication but a user who wants a digital certificate to encrypt email
might only need an email address and a listing with a telephone company.

After a CA is satisfied with the identity it creates a digital certificate. This includes generating a
private/public key pair for asymmetrical encryption. This certificate is forwarded to the entity which
needs it. The private encryption key is kept by the entity. In our example Nile.com keeps its private key.
It makes the digital certificate with the public key available to anyone who visits its web site. Anyone
visiting the Nile.com web site will be assured that it is the bona fide web site of Nile.com and not an
imposter site. Appreciate that the client is not taking Nile.com’s word that the web site is authentic; it is
taking the CA’s word that Nile.com is authentic.

CAs are many types of organizations including commercial companies, government departments and
national post offices. However, an organization may not want to pay for this service and will set up an
internal CA just for the company. Microsoft’s Windows Server has this capability and can generate
certificates for internal use. This works perfectly well for internal communications but of course these
certificates will not be trusted on the Internet.

What happens when a CA is compromised? Basically no one will trust them anymore and they go out of
business.

Read about the sad case of DigiNotar


Digital Certificate Structure
A digital certificate is a complicated instrument. It must identify the entity it was issued for, the CA who
issued it, the public key and some proof that the digital certificate itself hasn’t been compromised.

In order to be accessible to all clients the format of a digital certificate must be standardized and that
standard is called X.509.

The fields you find in a digital certificate are as follows:

• Subject - The name of the entity that the CA issued the certificate to. For example, it could be an
organization, computer, network device, service or a user. The name is usually written in an X.500
or Lightweight Directory Access Protocol (LDAP) format.
• Issuer - This is the Certificate Authority which issued the certificate. For a self-signed certificate
the issuer is the subject.
• Public Key - The public key used to encrypt data sent to the subject.
• Serial Number - This is a unique identifier for the certificate.
• Valid From and To - This is the date and time that the certificate is valid from and when it
expires.
• Signature Algorithm - The algorithm used to encode the digital signature of the certificate.
• Signature Value - This is the actual digital signature of the certificate. In order to ensure that the
certificate has not been altered, a hash is calculated for the contents of the certificate. Any
recipient of the certificate can calculate the hash and compare it to the hash included with the
certificate.
• Enhanced Key Usage - Certificates can be issued for specific usages.
• Extensions - Additional fields are available in Version 3 of the X.509 format. These are optional.
• CRL Distribution Points - Because certificates have a validity period they can time out. In
addition, certificates can be withdrawn and cancelled for other security reasons, such as the
subject going out of business or a security breach. Such certificates are listed on the Certificate
Revocation List (CRL), and the client has a duty to check the CRL before accepting a certificate. The
CRL Distribution Point is the location that the client must go to in order to check this list.
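The following is an added example, not from the module: it reads the X.509 fields listed above from a certificate in the Windows store with the .NET X509Certificate2 class, then builds the certificate's chain with CRL checking switched on, which is the "duty to check the CRL" in code. Get-CertificateSummary and Test-CertificateChain are helpers written for this example; the sample input is simply the first certificate in the machine's trusted root store, so the chain will be one element long and self-signed.

```powershell
# Added example (not from the module): inspecting an X.509 certificate and validating it with revocation checking.
function Get-CertificateSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Enhanced Key Usage and CRL Distribution Points are Version 3 extensions, found by their OIDs
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $crl = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $ekuText = '(none)'
    if ($eku) { $ekuText = ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' }
    $crlText = '(none)'
    if ($crl) { $crlText = $crl.Format($false) }
    [pscustomobject]@{
        Subject          = $Cert.Subject
        Issuer           = $Cert.Issuer
        SelfSigned       = ($Cert.Subject -eq $Cert.Issuer)    # issuer is the subject
        SerialNumber     = $Cert.SerialNumber
        ValidFrom        = $Cert.NotBefore
        ValidTo          = $Cert.NotAfter
        Expired          = ($Cert.NotAfter -lt (Get-Date))
        PublicKeyAlg     = $Cert.PublicKey.Oid.FriendlyName
        SignatureAlg     = $Cert.SignatureAlgorithm.FriendlyName
        EnhancedKeyUsage = $ekuText
        CrlDistPoints    = $crlText
        X509Version      = $Cert.Version
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch the CRL from the distribution point and reject revoked certificates
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($Cert)   # also checks the signature, validity period and the trusted root
    [pscustomobject]@{
        Trusted  = $trusted
        Problems = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Path     = (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
    }
}

# Sample input: a certificate already on the machine, here the first trusted root in the machine store.
$sample = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Get-CertificateSummary -Cert $sample
Test-CertificateChain -Cert $sample
```

To see a full chain and a populated CrlDistPoints field, pass in a web server certificate instead, for example one exported from the browser as described in the next section and loaded with New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\site.cer'.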

Using Digital Certificates in Windows


Digital certificates are used to prove the identity of web sites. The protocol used in this exchange of
security information is Secure Sockets Layer (SSL). SSL was devised by Netscape in the early 1990s as a
way to encourage more use of the newly created World Wide Web. SSL uses a digital certificate both to
authenticate the web site and to provide the public key needed to communicate with it securely.

A digital certificate is transmitted only when information needs to be secured. When the URL starts
with HTTP:// there is no security in place. When it changes to HTTPS:// then a secure connection has
been made. At this point the digital certificate from the web site has been transmitted to the client
browser and it can be viewed.

You can view the digital certificate in the web browser but the procedure is different for each browser
and indeed for each version of the same browser. As a general rule look for a small lock on the screen. It
will usually lead you to the digital certificate. The following two figures are screenshots of the same
digital certificate displayed in two browsers. The information is the same.

Managing Digital Certificates in Windows
Managing digital certificates is important for administrators but less so for standard users. Therefore
this functionality is buried deep in the Windows system.

To find the console for managing digital certificates follow these steps:

1. Windows 7: Click the Start button and in the search field type in MMC.
   Windows 8/10: Right-click Start > Run > type in mmc.
2. In the User Account Control window select Yes.
3. From the File drop-down menu select Add/Remove Snap-in…
4. From the Available snap-ins select Certificates. Click Add.
5. Select My user account. Click Finish. Click OK.
6. Expand Personal/Certificates.

At this point you are looking at the certificate store. If the user has encrypted a file then one certificate
will be present, the one used for file encryption. Your computer also stores other digital certificates.
Expand Third-Party Root Certificate/Certificates. You will find the certificates from the Certificate
Authorities that are used for eCommerce.

The certificates console is used to manage certificates. Of particular interest is the ability to export a
digital certificate used for EFS for safe keeping.

The process is as follows:

1. In the middle panel select the certificate you want to export.
2. Right-click and choose All Tasks > Export… > Next.
3. The next screen requires you to decide if you want to export the private key.
   If the purpose of the export is to make sure that the private key is available if the machine fails,
   then select Yes, export the private key. Click Next. Click Next.
4. Type in a strong password twice. Click Next.

On the File to Export screen you need to:

1. Type in a file name and location.
   • If the purpose of this exercise is to keep a copy of the private key off of the computer,
   choose a location such as a USB key.
2. Click Finish.
   • Keep this file in a safe place and store the password someplace safe.
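The following is an added example, not from the module: the export wizard steps above as a script. It locates the EFS certificate in the current user's Personal store by its Enhanced Key Usage (the OID 1.3.6.1.4.1.311.10.3.4 is Microsoft's Encrypting File System usage) and writes it, with its private key, to a password-protected PFX file using the Export-PfxCertificate cmdlet. Get-EfsCertificate and Backup-EfsCertificate are helpers written for this example and the destination drive letter is a placeholder.

```powershell
# Added example (not from the module): exporting the EFS certificate and private key for safe keeping.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-EfsCertificate {
    # Only certificates whose private key is on this machine can be exported with the key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEkuOid })
    }
}

function Backup-EfsCertificate {
    param([string]$Destination, [securestring]$Password)
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found; encrypt a file first.' }
    foreach ($c in $certs) {
        $file = Join-Path $Destination "efs-$($c.Thumbprint).pfx"
        # The PFX holds certificate + private key; the password is what protects the key at rest.
        Export-PfxCertificate -Cert $c -FilePath $file -Password $Password | Out-Null
        $file
    }
}

$pw = Read-Host -AsSecureString 'Password to protect the exported private key'
Backup-EfsCertificate -Destination 'E:\' -Password $pw   # E: is a placeholder for the removable media
```

Running Get-EfsCertificate on its own is a quick check before anyone changes a user's password or re-images a machine: if it returns nothing for a user who has encrypted files, those files depend entirely on the recovery agent's certificate.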

Securing Data Over an Unsecured Network


So far in this module we have explored hiding data during transmission using encryption and confirming
the authenticity of the parties involved by using digital certificates. But these techniques depend on the
functionality built into the client applications we are using.

In other words, we rely on the safety of communications to eCommerce sites because this is built into
the browser we are using. Other applications may have these security features built in, such as the
secure login process using Kerberos, or secure email/secure FTP. However, if there is no secure version
of the application, what do we do?

IPSec
IPSec is the solution to securing a connection when the application does not have this capability. It is
a security protocol which can provide both authentication and encryption using industry standard
protocols. It is a function of the Internet Protocol, is available with both IPv4 and IPv6, and is
supported in all versions of Windows, both server and desktop.

IPSec connections can be implemented in a domain using a GPO. They can also be implemented using
Windows Firewall with Advanced Security. In the following example we want to encrypt the data flowing
between the file server storing the payroll files and the client Windows machine that is hosting the
payroll application. Because both machines are in the same domain, IPSec can use Kerberos for
authentication.

The procedure is as follows:

1. Access Windows Firewall with Advanced Security on each machine.
2. Right-click Connection Security Rules and select New Rule …
3. For the Rule Type select Server-to-server because we are securing the communications just
between two specific machines.
4. Specify the IP addresses of the endpoints.
5. For authentication requirements select Require authentication for inbound and outbound
connections. Between the two specified machines authentication will be required, but this isn’t
required if they communicate with any other machine.
6. You need to specify the authentication method. A digital certificate can be specified here.
However, since we are going to use Kerberos, click Customize. For the first authentication
click the Add button and choose Computer (Kerberos V5).
7. For the profile, keep all profiles selected.
8. Name the rule for easy identification and you are finished.

In order to function, IPSec must make a security association between the two nodes that want to
communicate. The screenshot on the right illustrates that an association has been made between two
nodes represented by their IP addresses.

The properties screen shows how the two authenticated to each other, in this case with a preshared
key, although a digital certificate or Kerberos are the common methods. The encryption algorithm (AES)
is listed and the hash (SHA-1) used for integrity and how the keys were exchanged (Diffie-Hellman).
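The same connection security rule created with the NetSecurity cmdlets, followed by the security association check described above. This is an added example, not part of the module; the two IP addresses are constructed and both machines are assumed to be members of the same Active Directory domain.

```powershell
# Added example, not from the module: the server-to-server connection security rule
# from the procedure above, created with the NetSecurity cmdlets instead of the
# Windows Firewall with Advanced Security console. Run as Administrator on BOTH machines.
# Assumptions (constructed addresses): 10.10.5.20 is the payroll file server and
# 10.10.7.45 is the payroll client; both are joined to the same AD domain.

$fileServer = '10.10.5.20'
$client     = '10.10.7.45'

# Work out which endpoint this machine is so the same script can run on both sides.
$myAddresses = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if     ($myAddresses -contains $fileServer) { $local = $fileServer; $remote = $client }
elseif ($myAddresses -contains $client)     { $local = $client;     $remote = $fileServer }
else   { throw 'This machine is neither the payroll server nor the payroll client.' }

# Step 6: authentication method Computer (Kerberos V5) for the first authentication.
$kerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName 'Payroll Kerberos auth' -Proposal $kerberos

# Steps 4, 5 and 7: endpoints by IP address, authentication required for inbound and
# outbound connections between them only (other hosts are unaffected), all profiles.
New-NetIPsecRule -DisplayName 'Payroll file server <-> payroll client' `
    -LocalAddress     $local `
    -RemoteAddress    $remote `
    -InboundSecurity  Require `
    -OutboundSecurity Require `
    -Phase1AuthSet    $phase1.Name `
    -Profile          Any | Out-Null

# Check: once the client has sent traffic to the server, a main mode security
# association should exist between the two addresses, showing how they authenticated
# and which cipher, hash and key exchange module were negotiated.
Get-NetIPsecMainModeSA |
    Where-Object { $_.LocalEndpoint -eq $local -and $_.RemoteEndpoint -eq $remote } |
    Format-List LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId,
                CipherAlgorithm, HashAlgorithm, KeyModule
```

If the security association never appears, confirm that both machines can reach a domain controller, since Kerberos authentication of the computer accounts depends on it.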

Virtual Private Networks (VPNs)
Internal traffic can be secured by IPSec but what about external traffic? There are situations where
organizational traffic must pass over an external, unsecured network such as the Internet but must be
kept safe.

1. One scenario is an employee who has to work from home or is on the road and yet must still
access the company internal network.
2. The second scenario involves a branch office that must be connected to head office. This second
scenario can be secured if the company uses a leased line between the offices because the line
is dedicated to the company and is not shared. However, if this is an expensive solution then
using the Internet makes sense even if it is unsecured.

The solution to these situations is a Virtual Private Network or VPN. A VPN is virtual because the two
ends appear to be communicating directly between themselves when in fact they are communicating
over the Internet with many intermediaries in between. It is private because the connection is secured
through encryption even though it is traveling over the Internet.

VPN Structure
A VPN requires two endpoints that can communicate with each other securely. If the system is between
two networks, for example head office to branch office, the endpoints are usually VPN appliances which
are purchased from network vendors who make these appliances.
Microsoft Windows Server also has this functionality included with the operating system. It has to be
installed and configured but then is ready for use. If the endpoint is a client computer of the employee,
then the VPN client software has to be installed and configured. A VPN client is included with Windows,
or the VPN appliance vendor can make one available.

Encapsulation
It is important to appreciate that a VPN allows an external user to access servers on the internal network
just as if that user was physically on the internal network. This requires the external user to generate
packets of data that the internal network will accept, but packets addressed for the internal network cannot
cross the Internet on their own.

The solution is to place the IP packet inside another IP packet that can traverse the Internet. This
process is called encapsulation or tunneling.

The figure below illustrates the process:


Note that the original packet is encrypted when it is placed inside the new IP packet so that it cannot be
read if intercepted. The new IP header, however, remains unencrypted because the information inside it
must be read by the routers as it traverses the Internet. At the receiving end the process is reversed. The
original packet is decrypted, placed on the internal network and travels to its destination.

VPN Protocols
There are various protocols used for a VPN. The three most important are PPTP, L2TP/IPSec, and SSTP.

PPTP was made popular by Microsoft because it was the first VPN protocol supported by Microsoft in
Windows NT. It is a proprietary Microsoft protocol using a proprietary encryption algorithm. It is
considered weak today and shouldn’t be used although it is the easiest to use in a Windows system.

SSTP is the most recent addition to the protocols supported by Microsoft. It uses HTTPS to transport the
encrypted data. It is easy to configure on the server side because it uses port 443. Since port 443 is
already open on the firewall to let secured web traffic (HTTPS) through, no further configuration on the
firewall is required.

L2TP is an open standard protocol and is the most secure of the VPN protocols when used with IPSec. It
is more complicated to use because it requires a digital certificate to authenticate the two end points.

VPN Authentication
Authentication is a requirement for a VPN just as it is for IPSec on the internal network, connecting to an
eCommerce web site or just logging into a workstation or domain. In fact for a VPN user at home when
they connect to their internal company network they are actually logging into their Active Directory
domain.

Although there are several options shown, the only options normally supported by Active Directory are
Microsoft CHAP version 2 and Extensible Authentication Protocol (EAP). EAP is used for smart cards.
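An added example, not from the module, that creates the client side of such a VPN in Windows with PowerShell using SSTP and MS-CHAP v2, the combination described above; the server name vpn.example.com is a placeholder:

```powershell
# Added example, not from the module: configure a client VPN connection with SSTP
# (HTTPS over port 443) and MS-CHAP v2 rather than the weak PPTP option.
# Assumption: vpn.example.com is a placeholder for the organization's VPN server; it
# must present a certificate the client trusts, because SSTP rides on HTTPS.

$name   = 'Head Office VPN'
$server = 'vpn.example.com'   # placeholder

# Start clean if a connection with this name already exists.
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}

# -TunnelType Pptp would be the weak choice; Sstp needs no extra firewall openings
# because 443 is already allowed. For L2TP/IPSec use -TunnelType L2tp with a machine
# certificate on both endpoints (-L2tpPsk would substitute a pre-shared key instead).
# Smart card users would use -AuthenticationMethod Eap in place of MSChapv2.
Add-VpnConnection -Name $name `
    -ServerAddress $server `
    -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required

# Show what was configured, then dial it. Add the domain user name and password as
# extra arguments to rasdial if they are not saved for the connection.
Get-VpnConnection -Name $name |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
rasdial "$name"
```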

Module Summary
In this module we have explored:

1. Encryption concepts through the conversion of plain text into cypher text by using an encryption
key.
2. The difference between symmetrical encryption and asymmetrical encryption.
3. Symmetrical encryption algorithms including DES, 3DES and AES and asymmetrical encryption
algorithms such as RSA and elliptical curve.
4. Key exchange systems such as SSL/TLS and Diffie-Hellman.
5. Using recovery agents to recover encrypted files when the original user cannot decrypt the files.
6. How digital certificates work and their structure.
7. How to manage digital certificates in the Windows OS.
8. Using IPSec to secure transmission over a network when the application can’t provide
encryption.
9. Using a VPN to transmit data securely over an unsecured network.

Knowledge Check
The following questions provide an opportunity for you to see what you remember and understand so
far. Answer the questions to the best of your ability.

1. One way to securely copy the symmetrical encryption key to the other party is to
a. Send it in email.
b. Encrypt it with asymmetrical encryption.
c. Send it via fax.
d. Send it in a letter.

2. One disadvantage to asymmetrical encryption is that
a. It is very slow.
b. The private key must be relayed to the other party.
c. Its key length is too short.
d. It is not a U.S. government standard.

3. Which encryption technology is used in mobile devices because it takes less power?
a. DES.
b. AES.
c. 3DES.
d. Elliptical curve.

4. When the URL in your browser changes to HTTPS:// you are using which technology?
a. Simple HTTP.
b. Diffie-Hellman key exchange.
c. Secure Sockets Layer.
d. Elliptical curve cryptography.

5. EFS is used on which volume type on a Windows OS?
a. FAT32.
b. DVD.
c. FAT.
d. NTFS.

6. In order to share an EFS encrypted file which of the following conditions must be met?
a. The folder which holds the encrypted file must be shared.
b. The digital certificate of the other person must be found on the local machine.
c. A recovery agent must be specified for the file.
d. The second person must belong to the Administrators group.

7. If a computer’s disk has been encrypted with BitLocker and the boot files have been tampered
with then the Windows OS will not boot if _____________.
a. The encryption keys are stored in TPM.
b. The user has to type in a PIN to unlock the system.
c. The encryption keys are stored on a USB key.
d. The encryption keys are stored on a Smart Card.

8. When a client accesses an e-commerce web site it will receive a digital certificate. Before it
accepts the digital certificate it must:
a. Contact the Certificate Authority to confirm that it issued the certificate.
b. Confirm that it has the digital certificate of the CA on file.
c. Look up the Certificate Revocation List to confirm that the certificate is still valid.
d. Confirm that the e-commerce web site has digitally signed the certificate.

9. In which situation is IPSec commonly used?
a. Communicating with an e-commerce web site.
b. Transmitting files by using Secure FTP.
c. Securing all communications between two specific machines.
d. Encrypting email.

10. Which of the following protocols can be used for authentication on a Microsoft VPN?
a. MS-CHAP v2.
b. PPTP.
c. L2TP/IPSec.
d. SSTP.

Answers:

1. B) Encrypt it with asymmetrical encryption.
2. A) It is very slow.
3. D) Elliptical curve.
4. C) Secure Sockets Layer.
5. D) NTFS.
6. B) The digital certificate of the other person must be found on the local machine.
7. A) The encryption keys are stored in TPM.
8. C) Look up the Certificate Revocation List to confirm that the certificate is still valid.
9. C) Securing all communications between two specific machines.
10. A) MS-CHAP v2.

You have completed Microsoft Windows and Encryption Tools and Techniques

Remember to check the timeline before you proceed to the next module to ensure you have completed
any assignments as required. Check with your instructor if you have any questions.
