<<< EFS Recovery for Lost Private Key | Index | NTFS Volume Shadow Copy >>>
EFS combines symmetric encryption of the file contents with public key (RSA) protection of the symmetric key. On Windows 2000 the symmetric cipher is DESX with a 128-bit key; Windows XP SP1 and later default to AES with a 256-bit key.
Users of EFS are issued a digital certificate containing a public key, together with the matching private key.
Each encrypted file has its own randomly generated File Encryption Key (FEK), the symmetric key that actually encrypts the data. The FEK is never stored in the clear: the file's $EFS attribute holds a copy of the FEK encrypted with the public key of each user allowed to use the file (the Data Decryption Fields, DDF). A user's private key decrypts that copy, and the recovered FEK decrypts the data.
With the "Use FIPS compliant algorithms" option turned on in the LSA security policy, the file contents are encrypted with 3DES using a 168-bit key. The process is completely transparent to the user.
Key management is handled by the Local Security Authority Subsystem (lsass.exe) without the user's intervention.
Data is encrypted and decrypted as it passes to and from the drive. To turn EFS on, the user sets the encryption attribute in the file's or folder's Properties (or runs cipher.exe /e).
In addition to the copies wrapped for individual users, each encrypted file also stores the FEK encrypted with the public key of each Data Recovery Agent (the Data Recovery Fields, DRF). The recovery agent, usually a domain administrator, is designated in the EFS recovery policy.
The recovery agent can decrypt ANY file that was encrypted while the agent's certificate was in the policy, so an attacker who obtains the recovery agent's private key, or logs on as the agent with the agent's real password, has also gained the ability to read all of that encrypted data.
The private key is itself protected by DPAPI with a key derived from the account's logon password, so using it requires that the user or administrator authenticate with the same password they normally do. A privilege-escalation attack that simply resets the password does not unlock the key and leaves the data unrecoverable; only a normal password change carries the key over. The exception is an attack on the cached logon credentials that recovers the password itself. (On a domain, DPAPI's domain backup key also allows a user's master key to be recovered without the old password.)
Windows XP and later create no default recovery agent on computers that are not joined to a domain; on Windows 2000, the local Administrator account was the default recovery agent on standalone systems.
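As an added example (not from this page or from Microsoft's documentation), the following PowerShell session walks through the key structure described above on a Windows Vista or later machine: it encrypts a constructed test file, confirms the encryption attribute, uses cipher.exe /c to decode the file's $EFS attribute and list the user certificates (DDF) and recovery certificates (DRF) that can unwrap its FEK, reads the LSA FIPS policy, and shows the user's own EFS certificate whose private key DPAPI protects. The directory name efs-demo and the file contents are made up for the example.

```powershell
# Added example, not code from the original page. Assumes Windows Vista or later,
# an NTFS volume, and that it is run as the user who will own the test file.
# $Dir and the file contents are constructed for the demonstration.
$Dir  = Join-Path $env:USERPROFILE 'efs-demo'
$File = Join-Path $Dir 'secret.txt'

New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -Path $File -Value 'constructed sample plaintext'

# Setting the encryption attribute is what turns EFS on. File.Encrypt does exactly
# what ticking "Encrypt contents to secure data" in Properties does; if the user has
# no EFS certificate yet, Windows generates a self-signed one at this point.
[System.IO.File]::Encrypt($File)

# The attribute is visible in the file's flags ...
$attrs = (Get-Item $File).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw 'file was not encrypted'
}

# ... and cipher /c decodes the $EFS attribute: one "Users who can decrypt" entry per
# public key that wraps the FEK (the DDFs) and one "Recovery Certificates" entry per
# Data Recovery Agent (the DRFs). On a standalone workstation the recovery section
# is normally empty: nobody but the listed user can open the file.
cipher.exe /c $File

# FIPS policy: when this DWORD is 1, the system is restricted to FIPS-validated
# algorithms (the setting this page describes as forcing 3DES for EFS on older
# versions; on Vista and later the default AES-256 is already FIPS-validated).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
"FIPS algorithm policy enabled: $([bool]$fips.Enabled)"

# The EFS certificate and private key live in the user's personal store. The private
# key is protected by DPAPI, i.e. by the user's logon password, which is why a
# password reset (as opposed to a password change) makes the files unrecoverable.
# 1.3.6.1.4.1.311.10.3.4 is the Encrypting File System enhanced key usage OID.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

Run the same session on a domain member and the Recovery Certificates section of the cipher /c output lists the agent(s) from the domain EFS recovery policy; that list is exactly the set of private keys, besides the user's own, that can unwrap the file's FEK.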
References:
http://www.ntfs.com/ntfs-encrypted.htm
http://www.microsoft.com/windows2000/docs/encrypt.doc
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp