How Does Win2k's Encrypted File System Really Work?

cyberbrian asks: "At work, I administer Windows NT 4.0 and 2000 servers and I have been researching Win 2000's EFS (Encrypted File System) and I have detected some Very Odd Behavior. I am currently leaning towards using PGP Disk instead of EFS but I really want to know what is going on here. For instance, one of the tests I made is that I backed up an encrypted file and restored it to a FAT partition. The resulting file had zero bytes. For true encryption, shouldn't there be data in the file, but scrambled according to the encryption algorythem and key file? IMHO, Microsoft may not be using encryption at all, but instead perhaps the "encryption" is actually a hidden NTFS deny/allow permission that is tied to a certificate. Has anyone tested this by trying to decrypt a EFS file under Linux? Also, I would be very interested in any URLs people could point me to where this is explained in detail."

Re:Dead Silence

I guess that people aren't jumping in head first into this one means that you've really asked a good "Ask Slashdot" question -- one that 80% of the guys can't answer. No one's even brave enough. Congrats! Oh yeah, looks like maybe I got 1st post

Or it's not a front page article, you moron.

Anyway, Windows encrypted files are encrypted against a random key per file, and the a copy of that key is encrypted against each user's public key. Their private key is used to decode it.

Encryption is weak, and can be compromised overnight with the public password hash, found locally or over the net by watching domain authentication. Supposedly it's possible to turn on better encryption. (I don't know how, or how much better.) The decryption routine will accept arbitrary length keys, although I haven't determined whether the stored tags have any length limits.

Physical and logical security are still your best friends. All this does is slow a user down. Within a month or so, we'll have a patch to let the linux ntfs driver access all encrypted files if you have the administrator password, or a priveledged user's password or hash.

Re:Not Surprised

I get the idea that EFS isn't really all that effective unless you have the whole ActiveDirectory PKI that goes along with it

Anyway: Here's the manual section on EFS. I don't need the karma, so someone can repost and get it.

The Social Issues

[fm6]

As usual, this discussion of data security pays too much attention to mathematical cryptography to the exclusion of the social side.

Whatever the theoretical strengths and weaknesses of NT's encryption software, what really matters is how the software works in the real world. Are there bugs? Back doors? How hard is it for an unauthorized person to infiltrate back door code? Etc.

And of course we can't answer these questions, because we can't look at the source code. Someone in Redmond has presumably done that. I don't cop the usual cynical attitude towards MS, but I'm still sceptical of any system verified only by people with a vested interest in it.

Which isn't to say that OSS cryptography is necessarily any better. In theory, everybody who uses PGP encryption can either verify the source code or get fingerprinted executables from somebody who has. But how many people actually do that? Or make sure that the software isn't patched after it's installed?

In the end, the question "How strong is this encryption" is less important than "How much security do you need, and how much trouble are you willing to go to to get it?" I've seen banking web sites where they insist that the customers use browsers with 128-bit encryption -- and then use 4-digit PINs as the sole means of user verification! That's silly.

Here's a more relevent example. I have some files on my laptop I would not care for any random stranger to see. But they're not sensitive enough to require really extreme measures. They're just rather personal. If I were running NT on the laptop (I used to, but the system isn't really powerful enough), I'd have no qualms about uses NT encryption. So instead I use PGPdisk. Which is theoretically more secure than NT, but the way I use it (fairly weak passphrases, unverified software) it's not really any more secure than it would be under NT. But that's fine. If I ever become a CIA operative, I will certainly take stronger measures.

My experiences with the encryption

[Shook]

The big thing that I didn't like about the encryption (implementation-wise) is that it didn't obscure the file names. I would have preferred that each user directory would be a total black box to all other users.

I didn't know that much about the algorithm (and know very little about encryption anyway_, but figured it would be better than nothing. Still, I would prefer something that works well better than something that works poorly or not at all.

There are Good resources for EFS at SANS

[Jeremiah+Cornelius]

WARNING: KARMA WHORE ALERT!

Try looking in the "Windows" section of the Reading Room from SANS website.

Specific articles of interest are:

Encrypting File System Primer , from July 6, 2001

and

Windows 2000 Encrypting File System , from July 27, 2000.

Both of these articles are heavily referenced with links to other techincal source material about Windows EFS. Most notably:

Mark Russinovich, "Inside Encrypting File System, Part 1", June 1999, Windows 2000 Magazine

Mark Russinovich, "Inside Encrypting File System, Part 2", July 1999, Windows 2000 Magazine.

This auto satisfy any questions about the limited protection offered by EFS in stand-alone and default modes, as well as provide direction for configuring EFS to operate with a very decent level of confidentiality and availability.

Re:artstechnica EFS information

[karlm]

DESX was proposed by RSA Data Security Incorporated as standard to strengthen DES as a stop gap until AES was selected. It uses a 120 bit key. 56 of the bits are used as a des key and the other 64 bits are expanded into two 64-bit pads. The pads are used fro pre- and post- whitening of the DES block. I would assume that they use DESX in ECB or counter mode in oreder to allow random access.

I think they use RSA. Any of the discrete log schemes (such as EL Gamal) would use up twice as much space as RSA for the same modulus size. Shame on anyone who uses public key moduli smaller than 768 bits. Actually, I wouldn't be surprised if they used an eliptic curve system. Personally, I don't like eliptic curve systems. They are based on getting away with smaller RSA keys because the best known attacks on RSA need a notion of smothe that nobody has been able to define on eliptic curves. It seems to me kind of like using 64-bit-key-reduced-round-AES for efficiency and space reasons.

Microsoft claims that DESX is 128 bit encryption, but they forget (more likely chose to neglect) that 8 byte DES keys ignore 1 bit per byte.

In any case, trusting M$FT for you security is like trusting you 3 year old to wash your fine china.

Personally, nowadays I would be skeptical of anything that didn't use an AES finalist (or possibly 3DES or Blowfish) in CBC, CFB, counter, or OCB mode. There really aren't any excuses for using anything else. Even the die-hard "3DES has not been broken in X-years. 3DES is the only thing I trust" people should feel safe using Serpent. The Seprent people chose security over efficiency every step of the way. Sure speed played a big part in chosing Rijndael, but the NIST did a good job of picking the best of each of several design strategies as AES finalists. There should be an AES finalist for everyone.