Presentation on Black Hat Europe 2003 Conference Security Analysis of Microsoft Encrypting File System (EFS)
Microsoft Encrypting File System Encrypting File File System System (EFS) (EFS) is is a a new new feature feature in in Microsoft Windows 2000. 2000. EFS EFS lets lets to to protect protect sensitive data data in in files files that that are are stored stored on on disk disk using using the the NTFS NTFS file file system. system. It It uses uses symmetric key key encryption in in conjunction with with public public key key technology to to provide provide confidentiality for for files. files. It It runs runs as as integrated system system service, service, which which makes makes EFS EFS easy easy to to manage, difficult difficult to to attack, attack, and and transparent to to the the file file owner owner and and to to applications. Even Even if if the the file file can can be be stolen, stolen, over over the the network network or or physically, it it cannot cannot be be decrypted without without first first logging logging on on the the network network as as the the appropriate user. user. Since Since it it cannot cannot be be read, read, it it cannot cannot be be surreptitiously modified. The The file file encryption key key (FEK) (FEK) Ñ a a symmetric bulk bulk encryption key key Ñ is is used used to to encrypt encrypt the the file file and and is is then then itself itself encrypted by by using using the the public public key key taken taken from from the the user's user's certificate, which which is is located located in in the the user's user's profile. profile. The The encrypted FEK FEK is is stored stored with with the the encrypted file file and and is is unique unique to to it. it. To To decrypt decrypt the the FEK, FEK, EFS EFS uses uses the the encryptor's private private key, key, which which only only the the file file encryptor has. has.
Structure of Encrypted File Header File Encryption Key Encrypted with file ownerõs public key. File Encryption Key Encrypted with public key of recovery agent 1. File Encryption Key Encrypted with public key of recovery agent 2 (optional). Encrypted Data... Data Decryption Field Data Recovery Fields
How EFS files are recovered If If the the owner's owner's private private key key is is unavailable (for (for example, because because it it is is damaged), aa recovery agent agent account account can can open open the the file file by by using using the the private private key key for for recovery, which which is is applied applied to to the the DRF DRF to to unlock unlock the the FEK. FEK. The The mechanism for for file file recovery works works essentially the the same same way way as as decrypting a a file, file, by by using using the the user's user's private private key. key. A private private key key for for recovery cannot cannot decrypt decrypt the the DDF. DDF. If If there there are are multiple multiple recovery agent agent accounts, each each private private key key for for recovery decrypts only only its its own own DRF DRF and and no no other. other. Thus, Thus, there there is is no no danger danger that that an an unauthorized recovery agent agent account account can can access access information from from the the file file that that enables enables access access to to other other files. files.
File decryption process The The following steps steps are are needed needed to to be be accomplished to to decrypt decrypt a a file file encrypted encrypted by by Windows Windows 2000: 2000: 1. Get the System Key from Registry, floppy disk or password. 2. Decrypt userõs password hash stored in SAM Registry record. 3. Decrypt userõs Master Key. 4. Decrypt userõs Private Key. 5. Decrypt File Encryption Key of the file. 6. Decrypt file data.
System Key A System System Key Key is is used used to to protect protect the the SAM SAM (System (System Account Manager) record record in in the the Registry. There There are are three three ways ways to to store store a a System System Key: Key: 1. System Key is stored in the Registry in obfuscated form. ItÕs loading automatically when Windows starts. 2. System Key is stored on a floppy disk. This disk is needed to be inserted when Windows starts to unlock the SAM. 3. System Key is derived from a password entered by user on Windows startup. In this case System Key is not stored somewhere.
User password hash decryption process System Key Session Key Secret Key PID Password Hash Hash
Master Key decryption process (Windows 2000) Password MD4 Hash SID User Encryption Key 16 bytes from Master Key container Master Master Key Key
Master Key decryption process (Windows XP) Password SHA1 Hash SID User Encryption Key 16 bytes from Master Key container Master Master Key Key
Private Key decryption process (the original version of Windows 2000) Master Key 16 bytes from Private Key container 5 bytes part of key 11 bytes part of key from Private Key container Private Private Key Key
Private Key decryption process (version of Windows 2000 with Service Pack) Master Key 16 bytes from Private Key container Private Private Key Key
FEK encryption/decryption process Private Key File File Encryption Key Key
Small cryptanalysis of EFS encryption Generally algorithms used used in in the the EFS EFS are are cryptographically stable stable when when the the key key length length is is enough enough to to make make a a brute-force attack attack impossible. Only Only one one exclusion is is an an RC4 RC4 algorithm used used to to encrypt encrypt the the Private Private Key Key in in the the original original version version of of Windows 2000. 2000. In In this this case case the the key key length length is is 128 128 bits bits but but only only 40 40 bits bits are are dependent from from the the Master Master Key. Key. Other Other 88 88 bits bits are are well-known and and stored stored in in the the Private Private Key Key Container. Therefore in in the the original original version version of of Windows 2000 2000 each each Private Private Key Key is is protected by by 40-bits 40-bits key key which which can can be be found found by by a a brute-force attack attack during during the the reasonable time. time. After After that that the the File File Encryption Key Key can can be be found found instantly and and therefore itõs itõs possible possible to to decrypt decrypt the the file. file. This This vulnerability is is fixed fixed in in the the Windows 2000 2000 Service Service Pack Pack 2. 2. There There is is strong strong 160-bit 160-bit Triple Triple DES DES encryption of of a a Private Private Key. Key. Windows XP XP donõt donõt have have this this vulnerability at at all all because because EFS EFS uses uses SHA1 SHA1 password hash hash instead instead of of MD4 MD4 hash hash to to decrypt decrypt a a Master Master Key. Key. SHA1 SHA1 hash hash is is not not stored stored on on the the physical physical disk disk so so it it cannot cannot be be stolen stolen by by an an unauthorized user. user.
Possible attacks to decrypt EFS-encrypted files Although Although the the algorithms algorithms used used in in the the EFS EFS are are cryptographically cryptographically stable stable there there are are several several attacks attacks which which can can be be used used to to decrypt decrypt files: files: 1. There are files which contain Private and Master Keys, SAM and System records of the Registry. Any user passwords are unknown. For example we have a hard disk with installed Windows 2000 and we donõt know user passwords as well as Administrator password. All files can be decrypted instantly. 2. There are files which contain Private and Master Keys. We need to find a user password and then decrypt the Private Key. 3. There is a Private Key container only. We can brute-force the 40-bits RC4 key to decrypt the Private Key.
Recovery possibilities Using Using Private Private and and Master Master Key Key containers as as well well as as SAM SAM and and System System Registry records records allow allow to to recover recover a a data data in in cases cases when when even even a a user user or or recovery agent agent certificate is is lost. lost. When When these these files files are are accessible we we can can decrypt decrypt any any EFS-encrypted file file of of any any user. user. EFS EFS in in Windows 2000 2000 does does not not allow allow to to secure secure the the files files when when an an intruder intruder have have an an access access to to these these files files but but at at the the same same time time there there are are good good recovery possibilities in in aa cases cases when when recovery certificates are are lost. lost.
Advanced EFS Data Recovery Advanced EFS EFS Data Data Recovery is is a a program to to recover recover (decrypt) files files encrypted on on NTFS NTFS (EFS) (EFS) partitions created created in in Windows 2000. 2000. Files Files are are being being decrypted even even in in aa case case when when the the system system is is not not bootable and and so so you you cannot cannot log log on, on, and/or and/or some some encryption keys keys (private (private or or master) master) have have been been tampered. Besides, decryption is is possible possible even even when when Windows is is protected using using SYSKEY. AEFSDR effectively (and (and instantly) decrypts the the files files protected under under all all versions versions of of Windows 2000 2000 (including Service Service Packs Packs 1, 1, 2 and and 3). 3).