RE: EFS symmetric algorithm
From: Marco van Nieuwenhoven (Mvnieuw_at_community.nospam)
Date: Thu, 16 Jun 2005 10:02:01 -0700
The symmetric algorithms used are: AES and DESX
Maybe the following link will give even more insight on the structure used
Maybe you can exchange knowledge with the makers of
Marco van Nieuwenhoven.
> Does anybody know what symmetric algorithm is used by EFS to encrypt files on NTFS volumes? I have to manually decrypt such a file and so far I am successful in recovering and decrypting a FEK (file encryption key, stored in a LOGGED_UTILITY_STREAM attribute of the MFT entry).
> Supposedly, the decrypted FEK should be a cryptographic key that I should be able to use with a symmetric encryption engine. The actual data is like this (in hex):
> 20 00 00 00 00 01 00 00 10 66 00 00
> 00 00 00 00 13 ab 11 82 52 d7 46 e2
> d1 3d 60 40 e7 3a 9f e2 6f 9f 61 86
> 2d a1 1e d5 e8
> I expected to be able to create a CAPI context using CryptAcquireContext() and then import this key with CryptImportKey() but it does not work. It seems to be a structure, and I suspect that in it the type and flag and key size of the symmetric algorithm are specified. The first WORD or DWORD is the size of the actual key material (highlighted in blue).
> Does anybody know how to get an HCRYPTKEY from this data, so that I can decrypt the actual content of the file?
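
An added example, not code from either poster: it reads the quoted bytes as a header followed by key material and checks the ALG_ID field against the two algorithms named in the reply. Assumptions: the header is four little-endian DWORDs with the key starting at offset 16, and the second DWORD is the key strength in bits; `fek_info`, `fek_parse` and `fek_alg_name` are hypothetical names, while the ALG_ID constants are the wincrypt.h values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ALG_ID values as defined in wincrypt.h */
#define CALG_DESX    0x6604u
#define CALG_AES_256 0x6610u

enum fek_status { FEK_OK, FEK_NO_HEADER, FEK_TRUNCATED };
/* Hypothetical struct; the 16-byte header layout is an assumption. */
typedef struct {
    enum fek_status status;
    uint32_t key_size;    /* DWORD 0: bytes of key material declared */
    uint32_t key_bits;    /* DWORD 1: assumed to be key strength in bits */
    uint32_t alg_id;      /* DWORD 2: CryptoAPI ALG_ID */
    size_t   key_present; /* key bytes actually found after the header */
} fek_info;

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

fek_info fek_parse(const uint8_t *buf, size_t len) {
    fek_info f = { FEK_NO_HEADER, 0, 0, 0, 0 };
    if (len < 16) return f;       /* not even a complete header */
    f.key_size = le32(buf);
    f.key_bits = le32(buf + 4);
    f.alg_id = le32(buf + 8);
    f.key_present = len - 16;     /* key material assumed at offset 16 */
    f.status = f.key_present < f.key_size ? FEK_TRUNCATED : FEK_OK;
    return f;
}

const char *fek_alg_name(uint32_t id) {
    return id == CALG_AES_256 ? "AES-256" : id == CALG_DESX ? "DESX" : "unknown";
}

/* The 41 bytes exactly as they appear in the quoted question. */
static const uint8_t POSTED_FEK[] = {
    0x20,0x00,0x00,0x00, 0x00,0x01,0x00,0x00, 0x10,0x66,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x13,0xab,0x11,0x82,0x52,0xd7,0x46,0xe2,0xd1,0x3d,0x60,0x40,0xe7,0x3a,0x9f,0xe2,
    0x6f,0x9f,0x61,0x86,0x2d,0xa1,0x1e,0xd5,0xe8
};

int main(void) {
    fek_info f = fek_parse(POSTED_FEK, sizeof POSTED_FEK);
    printf("alg=%s declared=%u present=%zu status=%d\n", fek_alg_name(f.alg_id), f.key_size, f.key_present, f.status);
    return 0;
}
```

Read this way, the bytes declare a 32-byte AES-256 key, but only 25 key bytes follow the header as posted, so the parser reports the buffer as truncated.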