Re: Encrypted files -- would this work to get them back?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/21/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 21 Nov 2002 12:45:34 -0500


PS more information on how EFS under XP works is in technet, e.g.
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prnb_efs_ijvx.asp
.. as well as www.google.com

Since you asked about the location of the keys...

I'm not an EFS or XP expert, but it appears that there is a public
encryption key, a private decryption key and a symmetric FEK File Encryption
Key generated to encrypt each file. There's also a Syskey or startup key
for each machine that is used to protect all the master keys on the system.

A combination of asymmetric [public key] encryption and symmetric [one
secret key used for both encryption and decryption] is common in many
encryption schemes like EFS because symmetric keys give faster speed
performance and more security with a shorter encryption key, but the
encryption key can't be shared with anyone and is vulnerable to being
stolen. Slower, longer public encryption keys are used to protect and/or
generate and/or exchange secret symmetric keys.

The machine Syskey protects [encrypts?] the user Master keys which protect
[encrypt?] the user private key(s). If I understand correctly, the public
key is then used to generate [and maybe encrypt] the FEK which is used to
encrypt a file. During decryption, I believe the machine syskey is used to
decrypt the master key, which is used to decrypt the private key, which is
used to decrypt the FEK in the file, which is used to decrypt the actual
file. In other words, things just keep getting more and more obfuscated.

According to technet, the machine syskey is split up and stored in various
parts of the registry, "on the local system by using a complex obfuscation
algorithm that scatters the startup key throughout the registry."

[You probably don't want to rely on "obfuscation" to secure your machine,
but in this case, it's probably complex enough to keep you and me out of
your files in the absence of special tools.]

The user's public and private keys are stored in the user profile folder as
you have partially discovered [though the private decryption key is
encrypted, possibly involving the use of the user's password and/or the
machine's Syskey.]

The FEK used to encrypt each file is stored as a header within each file.
[I think this too has been encrypted, by the public key.]

RE: the location of the user's master keys, "The Data Protection API
automatically encrypts the user's master key or keys. Master keys are stored
in the user profile under RootDirectory\Documents and
Settings\username\Application Data\Microsoft\Protect. For a domain user who
has a roaming profile, the master key is located in the user's profile and
is downloaded to the user's profile on the local computer until the computer
is restarted.

While the user is logged on, when a master key is not being used for a
cryptographic operation, it is encrypted and stored on disk. Before master
keys are stored, they are 3DES-encrypted using a key derived from the user's
password. When a user changes his or her logon password, master keys are
automatically unencrypted and re-encrypted using the new password.

If a logon password is forgotten or if an administrator resets a user
password, the user's master keys become inaccessible. Because the decryption
key is derived from the user's password, the system is unable to decrypt the
master keys. Without the master keys, EFS-encrypted files are also
inaccessible to the user, and can only be recovered by a data recovery
agent, if one has been configured, or through the use of a password reset
disk (PRD), if one has been created."

In other words, the machine syskey is the FIRST of several hurdles you're
going to run into, and while I would expect there to be a paper or tool out
there to crack it, I haven't found one yet on www.google.com. You could
always try searching the other usual hacker and security web sites...

"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message
news:uYHzBGRkCHA.2736@tkmsftngp10...
> I'm guessing it's there because you use the public key to encrypt your
> files. It's called Public, but that doesn't mean it's necessarily for the
> public. It does however mean that it's not sensitive information, and that
> its "capture" by someone wanting to crack the file is not a worry, because
> it is not very useful in cracking the encryption.
>
> I'm not aware of any way to retrieve the private keys once Windows will not
> boot up. Believe me, many before you have asked and asked and asked this,
> and no one here has ever given a positive response that resulted in the
> files being cracked.
>
> You could read http://securityadmin.info/faq.htm#efs in case you haven't
> already, and in case there's something there you haven't already thought of.
> [I'm thinking of the section about trying to use forensic tools to retrieve
> unencrypted copies of the files from the unused space on your hard drive.]
>
> <lostfiles@screwed.com> wrote in message
> news:k9cotu88csmj6ib5hb642ieed4ngdn781t@4ax.com...
> > If it were a Public Key, then why would it only appear in MY Keys
> > folder within Application Data?
> >
> > In the MMC, look at the "Local Computer" certificates. If any given
> > certificate were public, shouldn't it appear there instead of in the
> > "User Account"? If it's in the User Account, to me, that sounds like
> > a private key. Just as you thought, I'm not 100% sure.
> >
> > Can anyone tell me where exactly the "Private Key" is located on the
> > hard drive? I still might be able to recover it if it's still there.
> >
> > thanks
> >
> >
> >
> > On Wed, 20 Nov 2002 16:14:46 -0500, "Karl Levinson [x y] mvp"
> > <levinson_k@excite.com> wrote:
> >
> > >Sorry, I don't think so. I'm not 100% sure, but that message sounds like
> > >that is a public key. You need the private key to decrypt, which it seems
> > >is stored elsewhere. In Public Key encryption, the public key is available
> > >to everyone and can only be used to encrypt a file, not decrypt it. If you
> > >could easily use a public key to decrypt a file or get the private key, just
> > >about all the internet banking web sites and other public key encryption in
> > >use today wouldn't protect a thing.
> > >
> > >
> > ><lostfiles@screwed.com> wrote in message
> > >news:k0nntus1ogegat1he8snkl8tuk4a0a6r94@4ax.com...
> > >> Windows version: XP Pro SP1
> > >>
> > >> Ok, call me an idiot because like so many other people in here I had
> > >> to reformat and forgot about my encrypted folder until it was too
> > >> late. I was able to restore my old certificate and key but I'm stuck
> > >> and not sure what else to do.
> > >>
> > >> After the format and new install of XP, I ran a recovery utility on my
> > >> C drive and was able to recover ALL the files and folders in the
> > >> following directory:
> > >>
> > >> "C:\Documents and Settings\<username>\Application Data\Microsoft"
> > >>
> > >> If you notice, there is a Crypto folder and a "System Certificates"
> > >> folder in there and the files contained within them were recovered
> > >> without errors. Including the system certificate and the key.
> > >>
> > >> Note: I only had ONE certificate and key before the format. This was
> > >> my first reload of XP pro since its release date, so those are the
> > >> correct files. The new Crypto and certificates folders/subfolders
> > >> were blank.
> > >>
> > >> I checked the Certificates snap-in with the MMC on my new install of
> > >> XP Pro and there were none listed. The Crypto, Certificates and Keys
> > >> folders on my hard drive were empty, so I copied all the files within
> > >> the recovered folders to the appropriate places. Now when I open the
> > >> Certificates Snap-in, the certificate is listed. It has the
> > >> following properties:
> > >>
> > >> "Enable all purposes for this certificate"
> > >> "Encrypting file system" box is checked
> > >>
> > >> Before copying the recovered files, when I would try to get the
> > >> encryption details on one of my encrypted files, the user list was
> > >> blank. Now when I right-click on one of my encrypted files and go to
> > >> Properties, Advanced, Details, it shows my user name and a certificate
> > >> thumbprint. If I click the Add button, the "Select User" box pops up
> > >> and I am able to view the certificate. It has the following
> > >> properties:
> > >>
> > >> GENERAL TAB
> > >> "This certificate is intended for the following purposes"
> > >> Allows data on disk to be encrypted.
> > >> All issuance policies.
> > >>
> > >> Issued to: username
> > >> Issued by: username
> > >>
> > >> Valid from: 11/19/2002
> > >> Valid to: 10/26/2102
> > >>
> > >> "You have a private key that corresponds to this certificate"
> > >>
> > >> DETAILS TAB:
> > >> Too much info to type.
> > >>
> > >> CERTIFICATION PATH TAB
> > >> Certification Path: It shows the certificate name
> > >> Certification status: "This certificate is OK"
> > >>
> > >>
> > >> So since I have the old certificate/key and they are in the right
> > >> places, why can't I open one of the encrypted files? My user name,
> > >> login password and computer name are all the same as they were before
> > >> the reload.
> > >>
> > >> The permissions for the encrypted folder are set to "Full Control
> > >> (this folder, subfolders and files)". I was able to take ownership of
> > >> the folders/files and I do have administrator rights.
> > >>
> > >> Is there anything else I can do with the recovered certificate/key that
> > >> might work? Any other ideas?
> > >
> >
>
>
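To make the key chain Karl describes concrete (password-derived key over the master key in Protect, master key over the private key, public key over each file's FEK), here is an added Python model that is not from the thread or from Microsoft: stand-in primitives, constructed values, and a toy RSA pair far too small for real use; the machine Syskey layer is left out. It reproduces the original poster's situation: with the certificate and encrypted private key recovered but the Protect master-key blob missing, or after a password reset, the file does not decrypt.

```python
import hashlib
import hmac
import os

# Toy RSA pair from two Mersenne primes (constructed demo; far too small for real use)
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def derive_password_key(password: str, salt: bytes) -> bytes:
    """DPAPI derives the master-key wrapping key from the logon password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def wrap(key: bytes, data: bytes) -> bytes:
    """Stand-in for 3DES/AES: HMAC-SHA256 keystream XOR plus a tag so a wrong key is caught."""
    stream = hashlib.sha256(key + b"stream").digest()
    while len(stream) < len(data):
        stream += hashlib.sha256(key + stream[-32:]).digest()
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return hmac.new(key, ct, "sha256").digest() + ct

def unwrap(key: bytes, blob: bytes) -> bytes:
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key")
    return wrap(key, ct)[32:]  # the XOR keystream is its own inverse

def enroll_user(password: str) -> dict:
    """Per-user blobs: certificate (public, not sensitive), private key wrapped by the
    master key (Crypto folder), master key wrapped by a password-derived key (Protect)."""
    salt, master_key = os.urandom(16), os.urandom(32)
    return {"cert_public": (N, E), "salt": salt,
            "private_key_enc": wrap(master_key, D.to_bytes(32, "big")),
            "master_key_enc": wrap(derive_password_key(password, salt), master_key)}

def encrypt_file(profile: dict, plaintext: bytes) -> dict:
    """Fresh FEK per file; the FEK wrapped with the public key becomes the file header."""
    fek = os.urandom(16)
    n, e = profile["cert_public"]
    return {"header": pow(int.from_bytes(fek, "big"), e, n), "body": wrap(fek, plaintext)}

def try_decrypt(profile: dict, password: str, efs_file: dict):
    """password -> master key -> private key -> FEK -> plaintext; None if any link is broken."""
    try:
        master_key = unwrap(derive_password_key(password, profile["salt"]), profile["master_key_enc"])
        d = int.from_bytes(unwrap(master_key, profile["private_key_enc"]), "big")
        fek = pow(efs_file["header"], d, profile["cert_public"][0]).to_bytes(16, "big")
        return unwrap(fek, efs_file["body"])
    except (ValueError, KeyError):  # wrong/reset password, or Protect blob not recovered
        return None
```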