How Does Win2k's Encrypted File System Really Work? 26
cyberbrian asks: "At work, I administer Windows NT 4.0 and 2000 servers and I have been researching Win 2000's EFS (Encrypted File System) and I have detected some Very Odd Behavior. I am currently leaning towards using PGP Disk instead of EFS but I really want to know what is going on here. For instance, one of the tests I made is that I backed up an encrypted file and restored it to a FAT partition. The resulting file had zero bytes. For true encryption, shouldn't there be data in the file, but scrambled according to the encryption algorythem and key file? IMHO, Microsoft may not be using encryption at all, but instead perhaps the "encryption" is actually a hidden NTFS deny/allow permission that is tied to a certificate. Has anyone tested this by trying to decrypt a EFS file under Linux?
Also, I would be very interested in any URLs people could point me to where this is explained in detail."
Not Surprised (Score:2, Flamebait)
Thanks,
Travis
forkspoon@hotmail.com
Re:Not Surprised (Score:1, Informative)
Anyway: Here's [microsoft.com] the manual section on EFS. I don't need the karma, so someone can repost and get it.
Funny how... (Score:2, Insightful)
Loooooooooooove the moderation guys. Keep up the good work, pretty soon you'll silence all the reasonable voices.
Re:Not Surprised (Score:1, Interesting)
Re:Not Surprised (Score:1)
BTW, I don't think it's just a flag. When you use anything that can read NTFS 5.0 *besides* Win2K (the DOS NTFS drivers, etc.), the data is just junk. Even text files. I'm pretty sure. You can try it yourself if you want. You would think that they would just not honor a flag if that's all it took.
Dead Silence (Score:1, Funny)
Re:Dead Silence (Score:2, Informative)
Or it's not a front page article, you moron.
Anyway, Windows encrypted files are encrypted against a random key per file, and the a copy of that key is encrypted against each user's public key. Their private key is used to decode it.
Encryption is weak, and can be compromised overnight with the public password hash, found locally or over the net by watching domain authentication. Supposedly it's possible to turn on better encryption. (I don't know how, or how much better.) The decryption routine will accept arbitrary length keys, although I haven't determined whether the stored tags have any length limits.
Physical and logical security are still your best friends. All this does is slow a user down. Within a month or so, we'll have a patch to let the linux ntfs driver access all encrypted files if you have the administrator password, or a priveledged user's password or hash.
It ain't that great from what I've heard. (Score:2)
Justin Buist
Well.. (Score:1)
Google wasn't much more help. Admittedly I
didn't look too hard, but there were a few hits on googlge from a newsgroup discussion of "pgpdisk vs. win2k efs" might want to find those and keep an eye on 'em.
artstechnica EFS information (Score:4, Insightful)
http://www.arstechnica.com/paedia/n/ntfs/ntfs5-
To quote from the above article:
"EFS uses a public key crypto scheme, which uses a public and private key. Encrypting a file will cause EFS to assign that file a randomly generated FEK (file encryption key). The user that encrypts this file does so with their public key, but to decrypt that file requires the usage of their private key to authenticate past the file's randomly generated FEK. DDFs (Data Decryption Fields) and DRFs (Data Recovery Fields) exist as NTFS attributes, storing a list of FEKs. Public and private keys are stored separately from the FEKs. "
but also note this warning on www.sysinternals.com:
"Even when you encrypt files with Win2K's Encrypting File System (EFS), a file's original unencrypted file data is left on the disk after a new encrypted version of the file is created."
Re:artstechnica EFS information (Score:5, Interesting)
The Microsoft web page offers one answer. Triple DES is supported, if you are running Windows XP Professional, but all earlier platforms and even WXP by default use "DESX, a variation of the DES standard." In other words, absolute crap - the *only* way to know that a cipher is solid is to expose it to prolonged cryptanalysis by knowledgable people. DES is considered weak now (due to brute force attacks), 3DES is usually considered acceptable but I wouldn't use "DESX" to encrypt my grocery list since it's a total unknown. The mere fact that they choose this oddball variant, instead of any of the newer, IP-free ciphers, screams WARNING - there are unacknowledged motivations here!.
I didn't see any mention of ECB vs. CBC, changing IV vectors, etc., all basic information that you would expect to see for the buzzword factor alone. Since they never wipe the plaintext files, it sounds like someone got a copy of Krypto4Kiddies and never got past the first few chapters.
Re:artstechnica EFS information (Score:2)
Re:artstechnica EFS information (Score:2, Informative)
I think they use RSA. Any of the discrete log schemes (such as EL Gamal) would use up twice as much space as RSA for the same modulus size. Shame on anyone who uses public key moduli smaller than 768 bits. Actually, I wouldn't be surprised if they used an eliptic curve system. Personally, I don't like eliptic curve systems. They are based on getting away with smaller RSA keys because the best known attacks on RSA need a notion of smothe that nobody has been able to define on eliptic curves. It seems to me kind of like using 64-bit-key-reduced-round-AES for efficiency and space reasons.
Microsoft claims that DESX is 128 bit encryption, but they forget (more likely chose to neglect) that 8 byte DES keys ignore 1 bit per byte.
In any case, trusting M$FT for you security is like trusting you 3 year old to wash your fine china.
Personally, nowadays I would be skeptical of anything that didn't use an AES finalist (or possibly 3DES or Blowfish) in CBC, CFB, counter, or OCB mode. There really aren't any excuses for using anything else. Even the die-hard "3DES has not been broken in X-years. 3DES is the only thing I trust" people should feel safe using Serpent. The Seprent people chose security over efficiency every step of the way. Sure speed played a big part in chosing Rijndael, but the NIST did a good job of picking the best of each of several design strategies as AES finalists. There should be an AES finalist for everyone.
My understanding is this: (Score:1)
2. It is linked to your SID. Therefore no other user can read your files unless they have access to your account.
3. When you encrypt a file, the file is saved in plain text, then encrypted. Therefore, there is a chance that the data is unencrypted on disk somewhere.
I've noticed strange behaviour with this file system so I don't use it often. Most of the behaviour had to do with copying files to and from an encrypted directory. I would get frequent failures (such as "file is in use"). Also, since for some reason my temp directory ended up encrypted, some installshield based programs failed to install.
I am specifically talking about Win 2000 here. I have not yet used it on XP.
The Social Issues (Score:3, Informative)
Whatever the theoretical strengths and weaknesses of NT's encryption software, what really matters is how the software works in the real world. Are there bugs? Back doors? How hard is it for an unauthorized person to infiltrate back door code? Etc.
And of course we can't answer these questions, because we can't look at the source code. Someone in Redmond has presumably done that. I don't cop the usual cynical attitude towards MS, but I'm still sceptical of any system verified only by people with a vested interest in it.
Which isn't to say that OSS cryptography is necessarily any better. In theory, everybody who uses PGP encryption can either verify the source code or get fingerprinted executables from somebody who has. But how many people actually do that? Or make sure that the software isn't patched after it's installed?
In the end, the question "How strong is this encryption" is less important than "How much security do you need, and how much trouble are you willing to go to to get it?" I've seen banking web sites where they insist that the customers use browsers with 128-bit encryption -- and then use 4-digit PINs as the sole means of user verification! That's silly.
Here's a more relevent example. I have some files on my laptop I would not care for any random stranger to see. But they're not sensitive enough to require really extreme measures. They're just rather personal. If I were running NT on the laptop (I used to, but the system isn't really powerful enough), I'd have no qualms about uses NT encryption. So instead I use PGPdisk. Which is theoretically more secure than NT, but the way I use it (fairly weak passphrases, unverified software) it's not really any more secure than it would be under NT. But that's fine. If I ever become a CIA operative, I will certainly take stronger measures.
My experiences with the encryption (Score:2, Informative)
I didn't know that much about the algorithm (and know very little about encryption anyway_, but figured it would be better than nothing. Still, I would prefer something that works well better than something that works poorly or not at all.
Can't even make it work (Score:2)
Errr... (Score:3, Funny)
I mean, Microsoft have used 'encryption' of that quality in the past [cegadgets.com], why improve now?
There are Good resources for EFS at SANS (Score:2, Informative)
Try looking in the "Windows" section of the Reading Room [sans.org] from SANS website.
Specific articles of interest are:
Encrypting File System Primer [sans.org], from July 6, 2001
and
Windows 2000 Encrypting File System [sans.org], from July 27, 2000.
Both of these articles are heavily referenced with links to other techincal source material about Windows EFS. Most notably:
Mark Russinovich, "Inside Encrypting File System, Part 1" [win2000mag.com], June 1999, Windows 2000 Magazine
Mark Russinovich, "Inside Encrypting File System, Part 2" [win2000mag.com], July 1999, Windows 2000 Magazine.
This auto satisfy any questions about the limited protection offered by EFS in stand-alone and default modes, as well as provide direction for configuring EFS to operate with a very decent level of confidentiality and availability.
What I really want to know (Score:1)
Re:What I really want to know (Score:1)