RE: EFS symmetric algorithm

From: Marco van Nieuwenhoven (Mvnieuw_at_community.nospam)
Date: 06/16/05


Date: Thu, 16 Jun 2005 10:02:01 -0700

The symmetric algorithms used are: AES and DESX

Maybe the following link will give even more insight on the structure used for the FEK:
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp

Maybe you can exchange knowledge with the makers of
http://www.elcomsoft.com/aefsdr.html

Best regards,
Marco van Nieuwenhoven.

"Levy" wrote:
> Hello,
>
> Does anybody know what symmetric algorithm is used by EFS to encrypt files on NTFS volumes? I have to manually decrypt such a file and so far I am successful in recovering and decrypting a FEK (file encryption key, stored in a LOGGED_UTILITY_STREAM attribute of the MFT entry).
>
> Supposedly, the decrypted FEK should be a cryptographic key that I should be able to use with a symmetric encryption engine. The actual data is like this (in hex):
>
> 20 00 00 00 00 01 00 00 10 66 00 00
> 00 00 00 00 13 ab 11 82 52 d7 46 e2
> d1 3d 60 40 e7 3a 9f e2 6f 9f 61 86
> 2d a1 1e d5 e8
>
> I expected to be able to create a CAPI context using CryptAcquireContext() and then import this key with CryptImportKey() but it does not work. It seems to be a structure, and I suspect that in it the type and flag and key size of the symmetric algorithm are specified. The first WORD or DWORD is the size of the actual key material (highlighted in blue).
>
> Does anybody know how to get a HCRYPTKEY from this data, so that I can decrypt the actual content of the file?
>
> Thanks,
> Levente
>
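Added example, not code from either poster: a small Python parser for the decrypted FEK bytes as they appear in the question above, plus a builder for the CryptoAPI PLAINTEXTKEYBLOB layout that CryptImportKey() accepts for raw symmetric keys. The thread only states that the first WORD/DWORD is the size of the key material; reading the next three little-endian DWORDs as key length in bits, a CryptoAPI ALG_ID and a reserved field is an assumption made here (it fits the dump: 0x100 = 256 bits, and 0x6610 is the real wincrypt.h value CALG_AES_256, matching Marco's answer that AES is used). The parser also flags that the dump as posted carries only 25 bytes after the 16-byte header although the first DWORD says 32, so the posted sample looks truncated. Nothing here calls Windows; it only lays out the bytes.

```python
import struct

# Real CryptoAPI ALG_ID constants from wincrypt.h
CALG_DES = 0x6601
CALG_3DES = 0x6603
CALG_DESX = 0x6604
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610

ALG_NAMES = {
    CALG_DES: "DES", CALG_3DES: "3DES", CALG_DESX: "DESX",
    CALG_AES_128: "AES-128", CALG_AES_192: "AES-192", CALG_AES_256: "AES-256",
}

# Sample input: the hex dump copied from the question in this thread
POSTED_FEK_HEX = (
    "20 00 00 00 00 01 00 00 10 66 00 00"
    " 00 00 00 00 13 ab 11 82 52 d7 46 e2"
    " d1 3d 60 40 e7 3a 9f e2 6f 9f 61 86"
    " 2d a1 1e d5 e8"
)


def parse_fek(blob: bytes) -> dict:
    """Interpret a decrypted FEK blob.

    Only the first DWORD (byte count of the key material) is stated in the
    thread.  Treating the following three little-endian DWORDs as key length
    in bits, CryptoAPI ALG_ID and a reserved field is an ASSUMPTION of this
    example, chosen because it is consistent with the posted bytes.
    """
    if len(blob) < 16:
        raise ValueError("blob shorter than the assumed 16-byte header")
    key_bytes, key_bits, alg_id, reserved = struct.unpack_from("<IIII", blob, 0)
    material = blob[16:]
    return {
        "key_bytes": key_bytes,
        "key_bits": key_bits,
        "alg_id": alg_id,
        "alg_name": ALG_NAMES.get(alg_id, "unknown"),
        "reserved": reserved,
        # sanity check: the bit length field should agree with the byte count
        "bits_consistent": key_bits == key_bytes * 8,
        "material": material,
        # a dump shorter than the declared key size cannot be imported as-is
        "truncated": len(material) < key_bytes,
    }


def build_plaintext_keyblob(alg_id: int, key: bytes) -> bytes:
    """Wrap raw key bytes in the documented PLAINTEXTKEYBLOB layout:
    BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} + DWORD cbKeySize + key.
    This is the blob shape CryptImportKey() expects for a raw symmetric key."""
    PLAINTEXTKEYBLOB = 0x08   # bType
    CUR_BLOB_VERSION = 0x02   # bVersion
    header = struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id)
    return header + struct.pack("<I", len(key)) + key


if __name__ == "__main__":
    info = parse_fek(bytes.fromhex(POSTED_FEK_HEX.replace(" ", "")))
    for k, v in info.items():
        print(f"{k:>16}: {v.hex() if isinstance(v, bytes) else v}")
    if not info["truncated"]:
        blob = build_plaintext_keyblob(info["alg_id"], info["material"][:info["key_bytes"]])
        print("PLAINTEXTKEYBLOB:", blob.hex())
    else:
        print("key material is shorter than declared; the posted dump is incomplete")
```

When run against the posted bytes the parser reports a 32-byte AES-256 key with a consistent 256-bit length field but only 25 bytes of material, so it refuses to build a key blob; with a complete 32-byte key the resulting 44-byte PLAINTEXTKEYBLOB is what would be handed to CryptImportKey() in an AES-capable provider.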