Re: EFS - Please help to unsecure data

From: Richard Urban (richardurbanREMOVETHIS_at_hotmail.com)
Date: 02/07/05


Date: Mon, 7 Feb 2005 11:01:21 -0500

When 64 bit encryption was introduced there were world wide contests
offering a great amount of money for anyone who could crack the code. I
believe, but am not certain, it took almost a year before anyone was
successful. They had many hundreds of linked computers (similar to
seti@Home) applying a brute force attack.

There was another contest when 128 encryption was introduced. I don't
believe the prize was ever claimed!

-- 
Regards,
Richard Urban
aka   Crusty (-: Old B@stard :-)
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
"Galen" <galennews@gmail.com> wrote in message 
news:uvAyXJLDFHA.1836@tk2msftngp13.phx.gbl...
> In news:egbnOOIDFHA.2232@TK2MSFTNGP14.phx.gbl,
> Torgeir Bakken (MVP) <Torgeir.Bakken-spam@hydro.com> had this to say:
>
>> Take a look at this site for more details:
>>
>> http://www.beginningtoseethelight.org/efsrecovery/
>
> I want to thank you for the link. I've never encountered this problem, as
> I'd mentioned, because the only time(s) I've encrypted any data were just
> to educate myself on the process. At that time, with recommendations made
> in the DTS group if I recall though it might have been during or after one
> of the expert chats, I believe I went through the key backup process as
> well. However, the files were simply plain text files or a couple of
> non-important executables and were eventually deleted. No loss of data and
> it never occurred that I might lose the keys to open them as I had no
> intention of keeping the files.
>
> I'm generally one that believes that there's no such thing as something
> that can't really be done if one tries enough. It is my theory at this
> time that there's some chance at getting these files open with minimal
> expenditure. Each attempt, I'm afraid, is going to be unique and the
> results will vary based on the amount of data over-written during any
> fresh installations of the operating system, file deletion, and any normal
> disk activity.
>
> My guess, and I'm wanting to emphasise that this is a guess at this point,
> is that data recovery software (there's actually a decent freeware version
> kicking about which I can dig up if anyone else is interested but I have
> some paid software here that will be what I'm working with) could be used
> to recover some or all of the keys from the profile data. I'm not sure if
> I understand correctly but:
>
> "The program can decrypt protected files only if encryption keys (at
> least, some of them) are still exist in the system and have not been
> tampered."
>
>         -Jupiter Jones (from the readme.txt file)
>
> Which makes me believe that only a portion of the key(s) would be
> required? While it's unlikely that all the keys would be recovered with
> forensic tools available after a re-installation of the OS and various
> usage of the hard drive it's possible that some of them would be
> recovered.
>
> This leads to my next question which is how about a brute force? I took a
> look at Microsoft's position on this and though the information is
> specifically for 2k I'm guessing that it's still very much valid for XP.
>
> Their response to this is:
>
> "Syskey thwarts this attack by encrypting the SAM database using strong
> encryption. Even if an attacker did manage to obtain a copy of the
> Syskey-protected SAM, he would first need to conduct a brute-force attack
> to determine the Syskey, then conduct a brute-force attack against the
> hashes themselves. This dramatically increases the work factor associated
> with the attack, to the point where it's considered to be computationally
> infeasible."
>                                      From:
> http://www.microsoft.com/technet/archive/security/news/efs.mspx
>
> My idea at this point is to install XP Pro as an NTFS install and create a
> few encrypted files on a partitioned drive (just to make sure that I don't
> need to try to recover those as well.) Using a second operating system
> (perhaps a *NIX on CD) I'll delete various system files and folders to
> ensure that the OS no longer functions. The next step would be to format
> the drive, complete as opposed to quick just to make it the 'worst case
> scenario' that I can think of. Then I'll probably do it a second time to
> ensure that I've given the drive a good chance at writing over any
> sectors that it wants to though I may just copy over a couple of large
> files and delete them and delete them from the recycle bin to further
> perform 'disk writing' in hopes of mimicking typical activity. The next
> step would be to try for data recovery and if required to use a variety
> of tools. Perhaps from outside of the OS? Following that the next step
> would be to try one of the various tools to recover the file.
>
> Here's another example of an EFS recovery tool in which they claim that
> only the password must be known (or a SAM database present) that MAY be
> of interest? I haven't downloaded this yet but I've read the information
> that they have available on the site.
>
> http://www.lostpassword.com/efs.htm
>
> Anyhow, on with the subject... What are the opinions of the testing
> methods? Do you see any steps that I should add to this testing? Has
> anyone given this a shot? Perhaps I should do it with something important
> as it would increase my incentive to succeed... On second thought... No...
> But it's an interesting idea :)
>
> Galen
> -- 
>
> "My mind rebels at stagnation. Give me problems, give me work, give me
> the most abstruse cryptogram or the most intricate analysis, and I am
> in my own proper atmosphere. I can dispense then with artificial
> stimulants. But I abhor the dull routine of existence. I crave for
> mental exaltation." -- Sherlock Holmes
>
> 

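The work-factor argument that runs through this thread (the 64-bit and 128-bit contests in Richard's reply, and Microsoft's statement that Syskey pushes a brute-force search into computationally infeasible territory) can be made concrete with a small timing experiment. The script below is an added example written for this page; it is not code from either poster, from Microsoft, or from any of the recovery tools linked above. It exhaustively searches a constructed 16-bit toy key through a SHA-256 check (a stand-in for whatever per-guess work a real attack would need), measures the guess rate of a single Python process, and extrapolates the mean search time to 64 and 128 bits. The key size, salt, secret and guess-rate figures are all constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed toy parameters: a 16-bit key is small enough to search in well
# under a second of pure Python; the salt is arbitrary demonstration data.
TOY_BITS = 16
TOY_SALT = b"constructed-demo-salt"


def check_value(key_int: int, bits: int, salt: bytes) -> bytes:
    """Per-guess work: hash salt || key. Stands in for a trial decryption."""
    key = key_int.to_bytes((bits + 7) // 8, "big")
    return hashlib.sha256(salt + key).digest()


def brute_force(target: bytes, bits: int, salt: bytes):
    """Exhaustively try every key of the given size, smallest first.

    Returns (recovered_key, guesses_made); recovered_key is None when the
    whole keyspace was searched without a match.
    """
    for candidate in range(1 << bits):
        if hmac.compare_digest(check_value(candidate, bits, salt), target):
            return candidate, candidate + 1
    return None, 1 << bits


def expected_guesses(bits: int) -> float:
    """A uniformly random key is found, on average, halfway through the space."""
    return 2.0 ** (bits - 1)


def expected_seconds(bits: int, guesses_per_second: float) -> float:
    """Mean time to recover a `bits`-bit key at a fixed guess rate."""
    return expected_guesses(bits) / guesses_per_second


def scale_factor(from_bits: int, to_bits: int) -> float:
    """How many times longer the larger keyspace takes at the same rate."""
    return 2.0 ** (to_bits - from_bits)


def measure_rate(bits: int = TOY_BITS, salt: bytes = TOY_SALT) -> float:
    """Search the whole toy keyspace for a value no key maps to and return
    the measured guesses per second."""
    missing = hashlib.sha256(b"constructed value with no matching key").digest()
    start = time.perf_counter()
    _, guesses = brute_force(missing, bits, salt)
    elapsed = time.perf_counter() - start
    return guesses / elapsed


if __name__ == "__main__":
    secret = 0xBEEF  # constructed toy key, fits in 16 bits
    target = check_value(secret, TOY_BITS, TOY_SALT)
    found, guesses = brute_force(target, TOY_BITS, TOY_SALT)
    print(f"toy key recovered: {found:#06x} after {guesses} guesses")

    rate = measure_rate()
    print(f"measured rate: {rate:,.0f} guesses/s (single Python process)")
    for bits in (TOY_BITS, 40, 64, 128):
        years = expected_seconds(bits, rate) / (365.25 * 24 * 3600)
        print(f"{bits:>3}-bit key: ~{years:.3g} years at that rate")
    print(f"64 -> 128 bits multiplies the work by {scale_factor(64, 128):.3g}")
```

The interesting number is the ratio rather than the absolute rate: going from 64 to 128 bits multiplies the search by 2^64, so even the many-machine effort Richard describes for the 64-bit contest does not translate into a feasible 128-bit search, which is the point behind the unclaimed second prize. The same scaling is why recovery tools of the kind Galen lists look for surviving key material on disk instead of attacking the cipher.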
