Unit OS8: File System Unit OS8: File System

Unit OS8: File System Unit OS8: File System

8.3. Encrypting File System Security in Windows

8.3. Encrypting File System Security in Windows

Copyright Notice Copyright Notice

© 2000-2005 David A. Solomon and Mark Russinovich

© 2000-2005 David A. Solomon and Mark Russinovich

These materials are part of the

These materials are part of the Windows Operating Windows Operating System Internals Curriculum Development Kit,

System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E.

developed by David A. Solomon and Mark E.

Russinovich with Andreas Polze Russinovich with Andreas Polze

Microsoft has licensed these materials from David Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic academic organizations solely for use in academic environments (and not for commercial use)

environments (and not for commercial use)

Roadmap for Section 8.3 Roadmap for Section 8.3

Encrypting File System (EFS) Terminology Encrypting File System (EFS) Terminology

EFS Operation EFS Operation

Data Encryption and Decryption Data Encryption and Decryption

Windows EFS Architecture

Windows EFS Architecture

Encryption Process Details

Encryption Process Details

Encrypting File System Security Encrypting File System Security

EFS relies on Windows cryptography support EFS relies on Windows cryptography support

Transparent encryption through Windows Explorer or cipher-utility Transparent encryption through Windows Explorer or cipher-utility

EFS operation EFS operation

When a file is encrypted...

When a file is encrypted...

EFS generates random File Encryption Key (FEK) to encrypt file content EFS generates random File Encryption Key (FEK) to encrypt file content Stronger variant of Data Encryption Standard (U.S.: 128/intl.: 56 bit)

Stronger variant of Data Encryption Standard (U.S.: 128/intl.: 56 bit)

(symmetric DESX-algorithm) to encrypt file content (fast, shared secret) (symmetric DESX-algorithm) to encrypt file content (fast, shared secret) File‘s FEK is stored with file and encrypted using the file creator‘s

File‘s FEK is stored with file and encrypted using the file creator‘s RSA public key (slow)

RSA public key (slow) File can be decrypted...

File can be decrypted...

only with the user‘s private RSA key only with the user‘s private RSA key What about lost keys?

What about lost keys?

FEK can be stored in multiple encryptions...

FEK can be stored in multiple encryptions...

Users can share an encrypted file Users can share an encrypted file

Can store a recovery key to allow recovery agents access to files Can store a recovery key to allow recovery agents access to files Secure public/private key pairs are essential

Secure public/private key pairs are essential

Stored on computer harddisk... (but soon on smartcards) Stored on computer harddisk... (but soon on smartcards)

Basic Terminology Basic Terminology

Plaintext Plaintext

The stuff you want to secure, typically readable by humans (email) or The stuff you want to secure, typically readable by humans (email) or computers (software, order)

computers (software, order)

Ciphertext Ciphertext

Unreadable, secure data that must be decrypted before it can be Unreadable, secure data that must be decrypted before it can be used used

Key Key

You must have it to encrypt or decrypt (or do both) You must have it to encrypt or decrypt (or do both)

Cryptoanalysis Cryptoanalysis

Hacking it by using science Hacking it by using science

Complexity Theory Complexity Theory

How hard is it and how long will it take to run a program

How hard is it and how long will it take to run a program

Symmetric Key Cryptography Symmetric Key Cryptography

Encryption

“The quick brown fox jumps over the lazy dog”

“AxCv;5bmEseTfid3) fGsmWe#4^,sdgfMwi r3:dkJeTsY8R\s@!

q3%”

“The quick brown fox jumps over the lazy dog”

Decryption

Plain-text input Cipher-text Plain-text output

Same key

(shared secret)

Symmetric Pros and Cons Symmetric Pros and Cons

Weakness:

Weakness:

Agree the key beforehand Agree the key beforehand

Securely pass the key to the other party Securely pass the key to the other party

Strength:

Strength:

Simple and really very fast (order of 1000 to 10000 Simple and really very fast (order of 1000 to 10000

faster than asymmetric mechanisms) faster than asymmetric mechanisms)

Super-fast if done in hardware (DES) Super-fast if done in hardware (DES)

Hardware is more secure than software, so DES makes it Hardware is more secure than software, so DES makes it really hard to be done in software, as a prevention

really hard to be done in software, as a prevention

Public Key Cryptography Public Key Cryptography

Knowledge of the encryption key doesn’t give Knowledge of the encryption key doesn’t give

you knowledge of the decryption key you knowledge of the decryption key

Receiver of information generates a pair of keys Receiver of information generates a pair of keys

Publish the public key in directory Publish the public key in directory

Then anyone can send him messages Then anyone can send him messages

that only she can read

that only she can read

Public Key Encryption Public Key Encryption

Encryption

“The quick brown fox jumps over the lazy dog”

“Py75c%bn&*)9|

fDe^bDFaq#xzjFr@g 5=&nmdFg$5knvMd’r kvegMs”

“The quick brown fox jumps over the lazy dog”

Decryption

Clear-text Input Cipher-text Clear-text Output

Different keys

Recipient’s Recipient’s

private public

Problem of Key Recovery Problem of Key Recovery

What if you lose the private key?

What if you lose the private key?   Data recovery by authorized agents Data recovery by authorized agents

Integrated key management Integrated key management

Windows:

Windows:

Flexible recovery policy Flexible recovery policy

Enterprise, domain, or per machine Enterprise, domain, or per machine

Encrypted backup and restore Encrypted backup and restore

Integrated with Windows backup Integrated with Windows backup

Potential weakness but you can opt not to use it!

Potential weakness but you can opt not to use it!

Data Encryption Process Data Encryption Process

Data Recovery Field generation

(e.g., RSA)

DRF Recovery agent’s Launch key

for nuclear missile

“RedHeat”

is...

Data Decryption Field generation

(e.g., RSA)

DDF

User’s

public key (in certificate)

Randomly- generated

file encryption key

File encryption (e.g., DES)

*#$fjda^j u539!3t t389E *&\@

5e%32\^kd

*#$fjda^j u539!3t t389E *&\@

5e%32\^kd

Launch key for nuclear

missile

“RedHeat”

is...

Launch key for nuclear

missile

“RedHeat”

is...

File decryption (e.g., DES)

DDF

DDF extraction (e.g., RSA)

File encryption File encryption key (FEK)

key (FEK)

DDF is decrypted

using the private key to get to the file

encryption key (FEK) DDF contains file

encryption key (FEK) encrypted under

user’s public key User’s private key

Data Decryption Process

Data Decryption Process

*#$fjda^j u539!3t t389E *&\@

5e%32\^kd

Launch key for nuclear

missile

“RedHeat”

is...

Launch key for nuclear

missile

“RedHeat”

is...

File decryption (e.g., DES)

DRF extraction (e.g., RSA) DRF contains file

encryption key (FEK) encrypted under

File encryption key (FEK)

DRF is decrypted

using the private key of recovery agent to get to the file

encryption key (FEK) Recovery agent’s

Recovery agent’s private key

private key

Data Recovery Process

Data Recovery Process

Windows

Windows EFS Architecture EFS Architecture

LSASS

LSAsrv

EFS functions

Microsoft Base Cryptographic Service Provider

1.0

Cryptographic service providers

...

Application

NTFS

EFS KSecDD

Encrypted file access EFS callouts

LPC User mode

Kernel mode

Uses impersonation to de/encrypt files in the appropriate user account

EFS Components EFS Components

Local Security Authority Subsystem Local Security Authority Subsystem

LSASS (\Winnt\System32\Lsass.exe) manages logon sessions LSASS (\Winnt\System32\Lsass.exe) manages logon sessions EFS obtains FEKs from LSASS

EFS obtains FEKs from LSASS

KSecDD device driver implements comm. with LSASS KSecDD device driver implements comm. with LSASS LSAsrv listens for LPC comm.

LSAsrv listens for LPC comm.

Passes requests to EFS functions Passes requests to EFS functions

Uses functions in MS CryptoAPI (CAPI) to decrypt FEK for EFS Uses functions in MS CryptoAPI (CAPI) to decrypt FEK for EFS Crypto API ...

Crypto API ...

is implemented by Cryptographic Service Provider (CSP) DLLs is implemented by Cryptographic Service Provider (CSP) DLLs Details of encryption/key protection are abstracted away

Details of encryption/key protection are abstracted away

Windows XP and Server 2003 have EFS support merged into NTFS driver Windows XP and Server 2003 have EFS support merged into NTFS driver

Windows 2000 had separate EFS driver - tightly connected with NTFS

Windows 2000 had separate EFS driver - tightly connected with NTFS

Format of EFS information Format of EFS information

and key entries for a file and key entries for a file

Version Checksum

Number of DDF key entries DDF key entry 1

DDF key entry 2

Number of DRF key entries DRF key entry 1

Header

Data decryption field

Data recovery field

EFS information

User SID (S-1-5-21-...) Container name

(ee341-2144-55ba...) Provider Name

(MS Base Cryptographic Provider 1.0)

EFS certificate hash (cb3e4e...)

Encrypted FEK (03fe4f3c...)

Key entry

Describes the storage position of the user‘s key Key ring

(users sharing a file)

Encrypted Data Recovery Agents Encrypted Data Recovery Agents

group policy group policy

Use Group Policy MMC snap-in to configure Use Group Policy MMC snap-in to configure

recovery agents (...list may be empty)

recovery agents (...list may be empty)

Flow of EFS Flow of EFS

Application

NTFS file system driver

EFS driver Cache manager

Volume

Application writes data Application writes data to an encrypted file to an encrypted file

11

NTFS places data in NTFS places data in file system cache file system cache

22

Cache manager lazy Cache manager lazy

writes data to disk via NTFS writes data to disk via NTFS

33

NTFS asks EFS driver NTFS asks EFS driver to encrypt file contents to encrypt file contents headed to disk headed to disk

44

NTFS writes encrypted NTFS writes encrypted file contents to disk file contents to disk

55

Note: EFS driver has been Note: EFS driver has been merged into NTFS on

merged into NTFS on

Encryption Process Details Encryption Process Details

1. 1.

User profile is loaded if necessaryUser profile is loaded if necessary

2. 2.

A log file EfsA log file Efsx.log is createdx.log is created

•

In system volume info dir; x is unique numberIn system volume info dir; x is unique number

3. 3.

Base Cryptographic Provider 1.0 generates random 128-bit FEKBase Cryptographic Provider 1.0 generates random 128-bit FEK

4. 4.

User EFS private/public key pair is generated or obtainedUser EFS private/public key pair is generated or obtained

•

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersionHKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion

\EFS\CurrentKeys\CertificateHash identifies the user‘s key pairs

\EFS\CurrentKeys\CertificateHash identifies the user‘s key pairs

5. 5.

A DDF key ring is created for the file with an entry for the userA DDF key ring is created for the file with an entry for the user

•

Entry contains copy of FEK encrypted with user‘s public keyEntry contains copy of FEK encrypted with user‘s public key

6. 6.

A DRF key ring is created for the fileA DRF key ring is created for the file

•

Has an entry for each recovery agent on the systemHas an entry for each recovery agent on the system

•

Entries contain copies of FEK encrypted with agents‘ public keysEntries contain copies of FEK encrypted with agents‘ public keys

Encryption Process Details (contd.) Encryption Process Details (contd.)

7. 7.

A backup file is created (Efs0.tmp)A backup file is created (Efs0.tmp)

• Same directory as original fileSame directory as original file

8. 8.

DDF and DRF rings are added to a headerDDF and DRF rings are added to a header

• EFS attributes - $LOGGED_UTILITY_STREAMEFS attributes - $LOGGED_UTILITY_STREAM

9. 9.

Backup file is marked encrypted, original file is copied to backupBackup file is marked encrypted, original file is copied to backup

10. 10.

Original file‘s contents are destroyedOriginal file‘s contents are destroyed

• Backup is copied to originalBackup is copied to original

• This results in encrypting the file contentsThis results in encrypting the file contents

11. 11.

The backup file is deletedThe backup file is deleted

12. 12.

The log file is deletedThe log file is deleted

13. 13.

The user profile is unloaded (if it was loaded in step 1)The user profile is unloaded (if it was loaded in step 1)

In case of system crash, either original file or backup contain valid copy of the In case of system crash, either original file or backup contain valid copy of the file content.

file content.

Backing Up Encrypted Files Backing Up Encrypted Files

Data is never available in unencrypted form Data is never available in unencrypted form

Except to applications that access file via encryption facility Except to applications that access file via encryption facility

EFS provides a facility for backup programs:

EFS provides a facility for backup programs:

New EFS API:

New EFS API: OpenEncryptedFileRaw(), OpenEncryptedFileRaw(),

ReadEncryptedFileRaw(), WriteEncryptedFileRaw(), ReadEncryptedFileRaw(), WriteEncryptedFileRaw(),

CloseEncryptedFileRaw() CloseEncryptedFileRaw()

Implemented in Advapi32.dll, use LPC to invoke function in Implemented in Advapi32.dll, use LPC to invoke function in

LSAsrv LSAsrv

LSAsrv calls

LSAsrv calls EfsReadFileRaw() EfsReadFileRaw() to obtain file‘s EFS attribute to obtain file‘s EFS attribute and the encrypted contents from NTFS driver

and the encrypted contents from NTFS driver Similarly,

Similarly, EfsWriteFileRaw() EfsWriteFileRaw() is invoked to restore file‘s is invoked to restore file‘s contents

contents

Further Reading Further Reading

Mark E. Russinovich and David A. Solomon, Mark E. Russinovich and David A. Solomon,

Microsoft Windows Internals, 4th Edition, Microsoft Microsoft Windows Internals, 4th Edition, Microsoft Press, 2004.

Press, 2004.

Encrypting File System Security (from pp. 775) Encrypting File System Security (from pp. 775)

Encrypting a File for the first time (from pp. 778) Encrypting a File for the first time (from pp. 778)

The Decryption Process

The Decryption Process (from pp. 783) (from pp. 783)

Applied Cryptography

Applied Cryptography, B. Schneier, John Wiley & Sons, , B. Schneier, John Wiley & Sons, ISBN 0-471-12845-7

ISBN 0-471-12845-7

Handbook of Applied Cryptography

Handbook of Applied Cryptography , A.J. Menezes, CRC , A.J. Menezes, CRC Press, ISBN 0-8493-8523-7

Press, ISBN 0-8493-8523-7

Source Code References Source Code References

Windows Research Kernel sources do not Windows Research Kernel sources do not

include NTFS include NTFS

A raw file system driver is included in A raw file system driver is included in

\base\ntos\raw

\base\ntos\raw

Also see \base\ntos\fstrl (File System Run-Time Also see \base\ntos\fstrl (File System Run-Time

Library)

Library)