Encrypting File System
Encyclopedia
The Encrypting File System (EFS) on Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...

 Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...

 is a feature introduced in version 3.0 of NTFS
NTFS
NTFS is the standard file system of Windows NT, including its later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7....

 that provides filesystem-level encryption
Filesystem-level encryption
Filesystem-level encryption, often called file or folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself...

. The technology enables files to be transparently encrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

 to protect confidential data from attackers with physical access to the computer.

EFS is available in all versions of Windows developed for business environments from Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...

 onwards. By default, no files are encrypted, but encryption can be enabled by users on a per-file, per-directory, or per-drive basis. Some EFS settings can also be mandated via Group Policy
Group Policy
Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules that control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and...

 in Windows domain environments.

Cryptographic file system implementations for other operating systems are available, but generally incompatible with the Microsoft EFS. See also the list of cryptographic file systems.

Basic ideas

User authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...

 and access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...

s can protect files from unauthorized access while the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...

 is running, but are easily circumvented if an attacker gains physical access to the computer.

The most widely accepted solution is to store the files encrypted
Encryption
In cryptography, encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information...

 on the physical media (disks, USB pen drives, tapes, CDs and so on).

In the Microsoft Windows family of operating systems EFS enables this measure, although on NTFS drives only, and does so using a combination of public key cryptography and symmetric key cryptography to make decrypting the files extremely difficult without the correct key.

However, the cryptography keys for EFS are in practice protected by the user account password, and are therefore susceptible to most password attacks. In other words, encryption of files is only as strong as the password to unlock the decryption key.

Operation

EFS works by encrypting a file with a bulk symmetric key, also known as the File Encryption Key, or FEK. It uses a symmetric encryption algorithm because it takes a smaller amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric encryption algorithm used will vary depending on the version and configuration of the operating system; see Algorithms used by Windows version below. The FEK (the symmetric key that is used to encrypt the file) is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS alternate data stream of the encrypted file. To decrypt the file, the EFS component driver uses the private key that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. The EFS component driver then uses the symmetric key to decrypt the file. Because the encryption & decryption operations are performed at a layer below NTFS, it is transparent to the user and all their applications.

Folders whose contents are to be encrypted by the file system are marked with an encryption attribute. The EFS component driver treats this encryption attribute in a way that is analogous to the inheritance of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders that are created under the folder are also encrypted. When encrypted files are moved within an NTFS volume, the files remain encrypted. However, there are a number of occasions in which the file could be decrypted without the user explicitly asking Windows to do so.

Files and folders are decrypted before being copied to a volume formatted with another file system, like FAT32
File Allocation Table
File Allocation Table is a computer file system architecture now widely used on many computer systems and most memory cards, such as those used with digital cameras. FAT file systems are commonly found on floppy disks, flash memory cards, digital cameras, and many other portable devices because of...

. Finally, when encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.

The most significant way of preventing the decryption-on-copy is using backup applications that are aware of the "Raw" APIs. Backup applications that have implemented these Raw APIs will simply copy the encrypted file stream and the $EFS alternate data stream as a single file. In other words, the files are "copied" (e.g. into the backup file) in encrypted form, and are not decrypted during backup.

Starting with Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...

, a user's private key can be stored on a smart card
Smart card
A smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...

; Data Recovery Agent (DRA) keys can also be stored on a smart card.

Vulnerabilities

Two significant security vulnerabilities existed in Windows 2000 EFS, and have been variously targeted since.

Decrypting files using the local Administrator account

In Windows 2000, the local administrator is the default Data Recovery Agent, capable of decrypting all files encrypted with EFS by any local user.
EFS in Windows 2000 cannot function without a recovery agent, so there is always someone who can decrypt encrypted files of the users. Any non-domain-joined Windows 2000 computer will be susceptible to unauthorized EFS decryption by anyone who can take over the local Administrator account, which is trivial given many tools available freely on the Internet.

In Windows XP and later, there is no default local Data Recovery Agent and no requirement to have one. Setting SYSKEY
SYSKEY
SYSKEY is a utility that encrypts the hashed password information in a SAM database in a Windows system using a 128-bit encryption key.SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks so that the SAM database would still...

 to mode 2 or 3 (syskey typed in during bootup or stored on a floppy disk) will mitigate the risk of unauthorized decryption through the local Administrator account. This is because the local user's password hashes, stored in the SAM
Security Account Manager
The Security Accounts Manager is a registry file in Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7. It stores users' passwords in a hashed format...

 file, are encrypted with the Syskey, and the Syskey value is not available to an offline attacker who does not possess the Syskey passphrase/floppy.

Accessing private key via password reset

In Windows 2000, the user's RSA private key is not only stored in a truly encrypted form, but there is also a backup of the user's RSA private key that is more weakly protected. If an attacker gains physical access to the Windows 2000 computer and resets a local user account's password, the attacker can log in as that user (or recovery agent) and gain access to the RSA private key which can decrypt all files. This is because the backup of the user's RSA private key is encrypted with an LSA secret, which is accessible to any attacker who can elevate their login to LocalSystem (again, trivial given numerous tools on the Internet).

In Windows XP and beyond, the user's RSA private key is backed up using an offline public key whose matching private key is stored in one of two places: the password reset disk (if Windows XP is not a member of a domain) or in the Active Directory (if Windows XP is a member of a domain). This means that an attacker who can authenticate to Windows XP as LocalSystem still does not have access to a decryption key stored on the PC's hard drive.

In Windows 2000, XP or later, the user's RSA private key is encrypted using a hash of the user's NTLM password hash plus the user name - use of a salted
Salt (cryptography)
In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function...

 hash makes it extremely difficult to reverse the process and recover the private key without knowing the user's passphrase. Also, again, setting Syskey to mode 2 or 3 (Syskey typed in during bootup or stored on a floppy disk) will mitigate this attack, since the local user's password hash will be stored encrypted in the SAM file.

Other issues

Windows can store versions of user account passphrases with reversible encryption, though this is no longer default behaviour; it can also be configured to store (and will by default on the original version of Windows XP and lower) Lan Manager hashes of the local user account passphrases, which can be attacked and broken easily. It also stores local user account passphrases as NTLM
NTLM
In a Windows network, NTLM is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users....

 hashes, which can be fairly easily attacked using "rainbow table
Rainbow table
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters. It is a form of time-memory tradeoff, using less...

s" if the passwords are weak (Windows Vista and later versions don't allow weak passwords by default). To mitigate the threat of trivial brute-force attacks on local passphrases, older versions of Windows need to be configured (using the Security Settings portion of Group Policy) to never store LM hashes, and of course, to not enable Autologon (which stores plaintext passphrases in the registry
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...

). Further, using local user account passphrases over 14 characters long prevents Windows from storing an LM hash in the SAM - and has the added benefit of making brute-force attacks against the NTLM hash harder.

When encrypting files with EFS - when converting plaintext files to encrypted files - the plaintext files are not wiped, but simply deleted. This means that they can be easily recovered unless they are overwritten. To fully mitigate known, non-challenging technical attacks against EFS, you should configure encryption at the folder level (so that all temporary files like Word document backups which are created in these directories are also encrypted). When you wish to encrypt individual files, copy them to an encrypted folder or encrypt the file "in place", and then securely wipe the disk volume. You can use the Windows Cipher utility (with the /W option) to wipe free space including that which still contains deleted plaintext files; various third-party utilities may work as well.

Anyone who can gain Administrators access can overwrite, override or change the Data Recovery Agent configuration. This is a very serious issue, since an attacker can for example hack the Administrator account (using third-party tools), set whatever DRA certificate they want as the Data Recovery Agent and wait. This is sometimes referred to as a two-stage attack, which is a significantly different scenario than the risk due to a lost or stolen PC, but which highlights the risk due to malicious insiders.

When the user encrypts files after the first stage of such an attack, the FEKs are automatically encrypted with the designated DRA's public key. The attacker only needs to access the computer once more as Administrator to gain full access to all those subsequently EFS-encrypted files. Even using Syskey mode 2 or 3 does not protect against this attack, because the attacker could back up the encrypted files offline, restore them elsewhere and use the DRA's private key to decrypt the files. Of course, if such a malicious insider can gain physical access to the computer, you might consider all security features to be irrelevant, because he could also install rootkits, software or even hardware keyloggers
Keystroke logging
Keystroke logging is the action of tracking the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored...

 etc. on the computer - which is potentially much more interesting and effective than overwriting DRA policy.

Recovery

Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously-used public key(s). The stored copy of the user's private key is ultimately protected by the user's logon password. Accessing encrypted files from outside Windows with other operating systems (Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...

, for example) is not possible — not least of which because there is currently no third party EFS component driver. Further, using special tools to reset the user's login password will render it impossible to decrypt the user's private key and thus useless for gaining access to the user's encrypted files. The significance of this is occasionally lost on users, resulting in data loss if a user forgets his or her password, or fails to back up the encryption key. This led to coining of the term "delayed recycle bin", to describe the seeming inevitability of data loss if an inexperienced user encrypts his or her files.

If EFS is configured to use keys issued by a Public Key Infrastructure and the PKI is configured to enable Key Archival and Recovery, encrypted files can be recovered by recovering the private key first.

Keys

  • user password (or smart card private key): used to generate a decryption key to decrypt the user's DPAPI Master Key
  • DPAPI Master Key: used to decrypt the user's RSA private key(s)
  • RSA private key: used to decrypt each file's FEK
  • File Encryption Key (FEK): used to decrypt/encrypt each file's data (in the primary NTFS stream)
  • SYSKEY: used to encrypt the cached domain verifier and the password hashes stored in the SAM

Windows

  • Windows 2000
    Windows 2000
    Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...

     Professional, Server, Advanced Server and Datacenter editions
  • Windows XP
    Windows XP
    Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...

     Professional, also in Tablet PC Edition, Media Center Edition and x64 Edition
  • Windows Server 2003
    Windows Server 2003
    Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...

     and Windows Server 2003 R2, in both x86 and x64 editions
  • Windows Vista
    Windows Vista
    Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...

     Business, Enterprise and Ultimate editions
  • Windows 7 Professional, Enterprise and Ultimate editions
  • Windows Server 2008 and Windows Server 2008 R2
    Windows Server 2008 R2
    Windows Server 2008 R2 is a server operating system produced by Microsoft. It was released to manufacturing on July 22, 2009 and launched on October 22, 2009. According to the Windows Server Team blog, the retail availability was September 14, 2009. It is built on Windows NT 6.1, the same core...


Other operating systems (e.g. Linux)

It is possible to store EFS files on other OSes (such as Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...

) using other disk formats (such as ext3
Ext3
The ext3 or third extended filesystem is a journaled file system that is commonly used by the Linux kernel. It is the default file system for many popular Linux distributions, including Debian...

) through the use of iSCSI
ISCSI
In computing, iSCSI , is an abbreviation of Internet Small Computer System Interface, an Internet Protocol -based storage networking standard for linking data storage facilities. By carrying SCSI commands over IP networks, iSCSI is used to facilitate data transfers over intranets and to manage...

. Whilst the APIs used to control and implement EFS are bespoke to Microsoft's Windows OSs (and EFS is restricted to NTFS) using iSCSI you can create a virtual NTFS volume on a networked drive (e.g. an ext3 drive in a Linux device). By using an iSCSI client on a Windows OS (Microsoft has free iSCSI clients for their OS's) and a Linux device with iSCSI support, you can create an iSCSI virtual drive (hosted on a remote networked device), format it as NTFS, and then store EFS folders and data on it. When using RAW API aware applications (as mention previously) because Windows views the iSCSI virtual drive as a local NTFS formatted drive all data is transferred over the LAN/WAN without being decrypted and is stored encrypted on the Linux device. The use of iSCSI enables EFS files to be stored natively on Linux based devices.

New features available by Windows version

Windows XP:
  • Encryption of the Client-Side Cache (Offline Files database)
  • Protection of DPAPI Master Key backup using domain-wide public key
  • Autoenrollment of user certificates (including EFS certificates)
  • Multiple-user (shared) access to encrypted files (on a file-by-file basis) and revocation checking on certificates used when sharing encrypted files
  • Encrypted files can be shown in an alternate color (green by default)
  • No requirement for mandatory Recovery Agent
  • Warning when files may be getting silently decrypted when moving to an unsupported file system
  • Password reset disk
  • EFS over WebDAV and remote encryption for servers delegated in Active Directory
    Active Directory
    Active Directory is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Server computers on which Active Directory is running are called domain controllers....


Windows XP SP1
  • Support for and default use of AES-256 symmetric encryption algorithm for all EFS-encrypted files

Windows XP SP2 + KB 912761:
  • Prevent enrollment of self-signed EFS certificates

Windows Server 2003:
  • Digital Identity Management Service
  • Enforcement of RSAKeyLength setting for enforcing a minimum key length when enrolling self-signed EFS certificates

Windows Vista and Windows Server 2008:
  • Per-user encryption of Client-Side Cache (Offline Files)
  • Support for storing (user or DRA) RSA private keys on a PC/SC smart card
  • EFS Re-Key Wizard
  • EFS Key backup prompts
  • Support for deriving DPAPI Master Key from PC/SC smart card
  • Support for encryption of pagefile.sys
  • Protection of EFS-related secrets using BitLocker (Enterprise or Ultimate edition of Windows Vista)
  • Group Policy controls to enforce:
    • Encryption of Documents folder
    • Offline files encryption
    • Indexing of encrypted files
    • Requiring smart card for EFS
    • Creating a caching-capable user key from smart card
    • Displaying a key backup notification when a user key is created or changed
    • Specifying the certificate template used for enrolling EFS certificates automatically

Windows Server 2008:
  • EFS self-signed certificates enrolled on the Windows Server 2008 server will default to 2048-bit RSA key length
  • All EFS templates (user and data recovery agent certificates) default to 2048-bit RSA key length

Windows 7 and Windows Server 2008 R2
  • Elliptic-curve cryptographic algorithm
    Elliptic curve cryptography
    Elliptic curve cryptography is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S...

    s (ECC). Windows 7 supports a mixed mode operation of ECC and RSA algorithms for backward compatibility
  • EFS self-signed certificates, when using ECC, will use 256-bit key by default.
  • EFS can be configured to use 1K/2k/4k/8k/16k-bit keys when using self-signed RSA certificates, or 256/384/512-bit keys when using ECC certificates.

Algorithms used by Windows version

Windows EFS supports a range of symmetric encryption algorithms, depending on the version of Windows in use when the files are encrypted:
Operating system Default algorithm Other algorithms
Windows 2000 DESX (none)
Windows XP RTM DESX Triple DES
Triple DES
In cryptography, Triple DES is the common name for the Triple Data Encryption Algorithm block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block....

Windows XP SP1 AES Triple DES, DESX
Windows Server 2003 AES
AES
AES may refer to:Standards, systems, and methods* Application Environment Services, a component of Digital Research's GEM windowing system* The Advanced Encryption Standard...

Triple DES, DESX
Windows Vista AES Triple DES, DESX
Windows Server 2008 AES Triple DES, DESX (?)
Windows 7
Windows Server 2008 R2
Mixed (AES, SHA, and ECC) Triple DES, DESX

See also

  • Encrypting File System in Windows 2000
  • Encrypting File System in Windows XP and Microsoft Windows Server 2003
  • Filesystem-level encryption
    Filesystem-level encryption
    Filesystem-level encryption, often called file or folder encryption, is a form of disk encryption where individual files or directories are encrypted by the file system itself...

  • Disk encryption software
    Disk encryption software
    To protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses software that is used to implement the technique...

  • Full disk encryption
    Full disk encryption
    Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage. The term "full disk encryption" is often used to signify that everything on a disk is encrypted, including the...

  • Data Protection API

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK