RE: How to get my encrypted files back.

From: Colin Stefani <>
Date: Tue, 22 Jan 2002 08:23:20 -0800

In the end, the files are lost. You pretty much just need your private key
and cert from your old install; without it you're screwed, because most
likely you don't have a farm of crypto-analysis machines handy to brute
force it.

I thought EFS was a nice feature MS included in XP, too bad they didn't make
it obvious (or clear) to the user that if your machine dies, you can't get
your data back unless you made a backup of your Cert and private key or had
created some type of recovery key for that purpose.

That's the catch-22 of crypto: it needs to be so strong that it can't be
broken even when you mess up, otherwise what's the point if you can easily
get around it. Most of my users don't realize that, and I've had similar
experiences with people using PGP and then losing their keys when their
system dies.

Creating a recovery key that's stored somewhere else offline is a really
good idea.

Here are some interesting links at MS about the subject of EFS and recovery:

Win2k/XP EFS (also applies to XP):

Best Practices for Encrypting File System (KB Q223316)

Back Up Your Encrypting File System Private Key (KB Q241201)

Restore an Encrypting File System Private Key for Encrypted Data Recovery (KB Q242296)


-----Original Message-----
From: Eli Allen []
Sent: Monday, January 21, 2002 2:42 PM
To: David Klotz;
Subject: RE: How to get my encrypted files back.

Some small errors: (since the files are still basically lost)

You don't need any unencrypted versions of the files. Lots of files already
have well known structures that can be used when attacking the cipher text
like known headers and just statistics of the value of the characters being

EFS uses DESX by default not 3DES. 3DES is used if you change the config
and make the computer FIPS compliant.

You don't need any cryptanalysts. DES is pretty well understood, so all you
need is a cracking program that works on one of the types of files
encrypted. You still need a hell of a lot of computer power.

BTW with the state of the Russian economy it may be cheaper to hire the KGB

Eli Allen

> -----Original Message-----
> Well there is one significant difference: if you (Buba) have any
> unencrypted versions of the files and the corresponding encrypted
> versions, then you might be able to launch a known plaintext attack.
> Unfortunately, this is probably not going to be a big help. A little
> research indicated that MS is using triple-DES to encrypt files in EFS.
> I'm not an expert cryptographer by any stretch, but even with a known
> plaintext attack I believe 3DES is close to practically unbreakable.
> Unless you've got a staff of expert cryptanalysts and a whole lot of
> computing power you're probably not going to be able to decrypt these
> files.
>
> Basically you have two options here: use a backup copy of your encryption
> key, or convince the NSA that decrypting these files is a matter of
> national security. If you have no backup, I'd start coming up with a
> pretty good story to feed the spooks...
>
> This does a pretty good job of explaining the situation:
>
>
> -DK
>
> ----- Original Message -----
> From: <>
> To: <>
> Sent: Monday, January 21, 2002 10:39 AM
> Subject: RE: How to get my encrypted files back.
>
> > If you are able to retrieve these I'll be disappointed... You are in the
> > same situation as an unauthorized person who has stolen encrypted files,
> > it sounds like.
> >
> > -----Original Message-----
> > From: Buba - []
> > Sent: Saturday, January 19, 2002 9:03 AM
> > To:
> > Subject: How to get my encrypted files back.
> >
> > A few weeks ago I wanted to encrypt my files. I found the option under
> > file->properties->advanced->'Encrypt contents to secure data', so I
> > selected the files and executed this operation.
> >
> > But then my WinXP (prof.) crashed and I had to reinstall (format..,
> > install) WinXP. After the installation when I opened one of my
> > encrypted files, I got messages: "Don't have premission to open the
> > file", etc.
> >
> > I searched the web and found some options:
> > - That you can import a certificate in MMC, but I don't have it anymore.
> > - That you can ask for a 'new certificate' in MMC, if you have a
> >   connection with the 'Active Directory'. I haven't one.
> > - That you can make a 'Recovery Agent' in MMC (or a subprogram of it).
> >   But there I have to select a *.CER file, which I haven't.
> >
> > Is it in any way possible to decrypt my (important) files?
> >
> > Things I have thought of are downloading a *.CER file from the internet
> > and using it in #1 or #3 (see above) OR connecting to the 'Active
> > Directory' (see #2) in a way.
> >
> > Please help me because it is very important information that I
> > encrypted.
> > Thanks in advance.
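The advice in the thread boils down to two things a user or admin has to do before a machine dies: export the EFS certificate together with its private key, and set up a Data Recovery Agent whose key lives offline. The script below is an added example written for this page, not something from the thread or from Microsoft; it assumes a modern Windows client (Export-PfxCertificate needs Windows 8 / Server 2012 or later, and the cipher.exe /R and /X switches exist on Vista and later, so none of this would have run on the XP box in the original post). The backup directory, the registry locations used for the algorithm report, and the DRA file names are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): back up the current user's EFS certificate + private
# key and create an offline Data Recovery Agent (DRA) key pair, then report which symmetric
# algorithm EFS is configured to use. Run in the account whose encrypted files matter.

param(
    # Assumed: an offline or removable volume. Keeping the backup on the system disk
    # defeats the purpose, since that disk is what gets reformatted.
    [string]$BackupDir = 'D:\EFS-Backup'
)

# Enhanced Key Usage OID that marks a certificate as usable for "Encrypting File System".
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# --- 1. Export the user's EFS certificate(s) WITH the private key ----------------------
# A .cer file on its own holds only the public half and decrypts nothing; the thread's
# poster could not have recovered anything by downloading one from the internet.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found. Windows issues one the first time you encrypt a file.'
} else {
    $pfxPassword = Read-Host -Prompt 'Password to protect the exported EFS key' -AsSecureString
    foreach ($cert in $efsCerts) {
        $out = Join-Path $BackupDir ("efs-user-{0}.pfx" -f $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
        Write-Host ("Exported EFS key {0} (valid until {1}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, $out)
    }
}

# --- 2. Generate a Data Recovery Agent key pair -----------------------------------------
# cipher /R writes dra.cer (public, to import into policy) and dra.pfx (private, keep offline)
# and prompts for a password. Adding the agent is then done in Local Security Policy under
# Public Key Policies > Encrypting File System > "Add Data Recovery Agent" using dra.cer.
# Only files encrypted after the DRA is in place carry a recovery field; run "cipher /U"
# afterwards to update files that were already encrypted.
$draBase = Join-Path $BackupDir 'dra'
cipher.exe /R:$draBase

# --- 3. Report the configured EFS algorithm ------------------------------------------------
# Eli's point: DESX was the XP default at the time; later releases default to AES-256, and
# FIPS mode forces 3DES. Registry paths below are assumed for this example. The numeric
# values are CryptoAPI ALG_ID constants.
$algNames = @{
    0x6604 = 'DESX'
    0x6603 = '3DES'
    0x6610 = 'AES-256'
}
$fips = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
$efs  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' -ErrorAction SilentlyContinue

if ($fips -and $fips.Enabled -eq 1) {
    Write-Host 'FIPS algorithm policy is enabled: EFS will use 3DES.'
} elseif ($efs -and $efs.PSObject.Properties['AlgorithmID']) {
    $id = [int]$efs.AlgorithmID
    $name = if ($algNames.ContainsKey($id)) { $algNames[$id] } else { ('unknown ALG_ID 0x{0:x}' -f $id) }
    Write-Host "EFS AlgorithmID override is set: $name"
} else {
    Write-Host 'No EFS algorithm override and FIPS mode off: the OS default applies (AES-256 on current Windows).'
}

# --- 4. Optional check: who can decrypt a given file? --------------------------------------
# "cipher /C <file>" lists the user certificates and recovery agent certificates attached to an
# encrypted file, which is the quickest way to confirm the DRA really covers it.
# Example:  cipher.exe /C C:\Users\me\Documents\secret.txt
```

Usage: run the script once per user account that encrypts files, move the resulting .pfx files off the machine, and re-run the step 4 check on a sample file after the DRA has been added to policy so you are not relying on an agent that only applies to future files.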
