What kind of brute force decrypting tools are there out there? I just did the reinstall during december and now can't access some old PDF files I had encrypted.
If you have a tool that can brute force 256-bit AES, the NSA will be contacting you. Let's crunch some numbers, shall we?
XP SP1 and higher uses 256-bit AES keys for encryption. There are 1.1 x 10^77 possible 256 bit keys. Now a few years back, some specialized machines were developed to crack DES keys. DES keys are 56 bits long, so there are appoximately 7.2 x 10^16 possible keys. These DES crackers could crack a single key in a few hours. Now suppose for the sake of arugment, you had a super-duper DES cracker that could crack a single key in one second. This would mean it would have to try 2^55 keys every second
So if you take this imaginary DES cracker on steriods and apply it toward AES. It would take that machine about 149 TRILLION years to crack a single 128-bit AES key. I'm not even going to get into a 256-bit key. So if you are wondering how long 149 trillion years is, the universe is estimated to be less than 20 billion years old.
Now there is some speculation that AES may have some flaw that could be exploited at some point (like what we're seeing with SHA1 now). But nobody has been successful, so the only possible method available is brute force. DES lasted 20 years before machines were developed to brute force keys. Given the vast exponential difference between 56-bit DES and 256-bit AES, you can be pretty sure it would take at least 20 years to get your files back (and that is obscenely optimistic).
/edit: the current version of EFS is no joke. 256-bit AES (and 192-bit) are certified by the NSA to protect Top Secret information. This is the only encryption publicly available that is rated up to Top Secret.
XP SP1 and higher uses 256-bit AES keys for encryption. There are 1.1 x 10^77 possible 256 bit keys. Now a few years back, some specialized machines were developed to crack DES keys. DES keys are 56 bits long, so there are appoximately 7.2 x 10^16 possible keys. These DES crackers could crack a single key in a few hours. Now suppose for the sake of arugment, you had a super-duper DES cracker that could crack a single key in one second. This would mean it would have to try 2^55 keys every second
So if you take this imaginary DES cracker on steriods and apply it toward AES. It would take that machine about 149 TRILLION years to crack a single 128-bit AES key. I'm not even going to get into a 256-bit key. So if you are wondering how long 149 trillion years is, the universe is estimated to be less than 20 billion years old.
Now there is some speculation that AES may have some flaw that could be exploited at some point (like what we're seeing with SHA1 now). But nobody has been successful, so the only possible method available is brute force. DES lasted 20 years before machines were developed to brute force keys. Given the vast exponential difference between 56-bit DES and 256-bit AES, you can be pretty sure it would take at least 20 years to get your files back (and that is obscenely optimistic).
/edit: the current version of EFS is no joke. 256-bit AES (and 192-bit) are certified by the NSA to protect Top Secret information. This is the only encryption publicly available that is rated up to Top Secret.
Same thing happened to me - a bunch of WinXP SP1 EFS encrypted files on a separate partition. Formatted / reinstalled WinXP, and realized that I can't decrypt my encrypted files.
I've tried Passware and Advanced EFS Data Recovery - both failed.
However, I just downloaded Active@ UNDELETE, and it found a whole bunch of stuff on the disk. What is the name of the file that I would need to restore my old private key? And what I should do once I get it? (if I'm so lucky...)
EDIT: Using efsinfo.exe, I determined the thumbprint of the certificate used to encrypt the files. I searched for this with Active@ UNDELETE, and was able to restore an 838-byte file whose name exactly matches the certificate's thumbprint, although it seems as if its modified/created/accessed dates don't really make sense (they are further in the past than plausible).
I haven't figured out yet what to do (or attempt to do) with this file. Any help would be greatly appreciated.
EDIT #2: Using the creation date of the 838-byte file, I recovered another file created at the very same instant - it is 1.27 KB. The format of its name (32 characters - underscore - 8 - dash - 4 - dash - 4 - dash - 4 - dash - 12) exactly matches one of the "private keys" that Advanced EFS Data Recovery found.
I have also discovered how to import certificates using the certificates snap-in of mmc. However, I have been unable to import any of these recovered files ("The file type is not recognizable"). Also, for some reason Advanced EFS Data Recovery does not recognize either of these two files as keys during scans.
Maybe I'm just chasing a wild goose, but it seems like I'm on the right track.
EDIT #3: I have also figured out the original machine number of the previous Windows XP installation (it starts out with S-1-5-21-....). This is apparently important according to this site: http://www.beginningtoseethelight.org/efsrecovery/index.php
I feel like I have all the pieces to the puzzle - I just need to figure out how to put them together.
EDIT #4: Using NewSID (link below), I have changed the machine number and name of the computer back to its original values..
http://www.sysinternals.com/ntw2k/source/newsid.shtml
At this point, I'm starting to run out of options. Passware and Advanced EFS Data Recovery keep failing. I'm going to cut my losses in about a week.
I've tried Passware and Advanced EFS Data Recovery - both failed.
However, I just downloaded Active@ UNDELETE, and it found a whole bunch of stuff on the disk. What is the name of the file that I would need to restore my old private key? And what I should do once I get it? (if I'm so lucky...)
EDIT: Using efsinfo.exe, I determined the thumbprint of the certificate used to encrypt the files. I searched for this with Active@ UNDELETE, and was able to restore an 838-byte file whose name exactly matches the certificate's thumbprint, although it seems as if its modified/created/accessed dates don't really make sense (they are further in the past than plausible).
I haven't figured out yet what to do (or attempt to do) with this file. Any help would be greatly appreciated.
EDIT #2: Using the creation date of the 838-byte file, I recovered another file created at the very same instant - it is 1.27 KB. The format of its name (32 characters - underscore - 8 - dash - 4 - dash - 4 - dash - 4 - dash - 12) exactly matches one of the "private keys" that Advanced EFS Data Recovery found.
I have also discovered how to import certificates using the certificates snap-in of mmc. However, I have been unable to import any of these recovered files ("The file type is not recognizable"). Also, for some reason Advanced EFS Data Recovery does not recognize either of these two files as keys during scans.
Maybe I'm just chasing a wild goose, but it seems like I'm on the right track.
EDIT #3: I have also figured out the original machine number of the previous Windows XP installation (it starts out with S-1-5-21-....). This is apparently important according to this site: http://www.beginningtoseethelight.org/efsrecovery/index.php
I feel like I have all the pieces to the puzzle - I just need to figure out how to put them together.
EDIT #4: Using NewSID (link below), I have changed the machine number and name of the computer back to its original values..
http://www.sysinternals.com/ntw2k/source/newsid.shtml
At this point, I'm starting to run out of options. Passware and Advanced EFS Data Recovery keep failing. I'm going to cut my losses in about a week.
Stash,
Does Windows NTFS encryption use AES (Rijndael) encryption? If not, what type does it use?
Thanks!
Does Windows NTFS encryption use AES (Rijndael) encryption? If not, what type does it use?
Thanks!
Yes, XP SP1 and higher use 256-bit AES. Before that (XP RTM, Windows 2000), EFS used 3DES, I believe.
IF you have the profile of the user who encrypted the files and IF you know the password for that account, you can call Microsoft PSS and they may be able to help you. Without those two things, there really isn't much you can do.
What do you mean by "having a profile" of the user?
By the way, I'm the user (and so, I do know the account password).
By the way, I'm the user (and so, I do know the account password).
The original profile (%systemdrive%\documents and settings\%username%) of the user who encrypted the files. Keep in mind that if you have a new installation of Windows that has the same username, that is a different profile.
i did the same thing recently too, i scanned my hard drive(the one i installed xp over) and it found some keys, but which keys can i restore back to there place, so that i can then decrypt my backed up files.
Im definately using the same username and password(not sure about machine name), but my previous install was sp1 and now im on xpprosp2.
thanks.
Im definately using the same username and password(not sure about machine name), but my previous install was sp1 and now im on xpprosp2.
thanks.
Not sure I understand the question. Files don't just encrypt themselves when you move them. If you move them (unencrypted) from one folder to another folder and they become encrypted, then I would say encryption is enabled on the folder you moved it to.
Just cut and paste your files onto CD's/DVD's (burn and delete), take them with you and carry a .357.
assuming a folder is encrypted on a winxp pro installation that i can no longer get into (the installation is corrupted to the point i cant even get in in safe mode), if i do a soft os reinstall or a repair reinstall, will the encryption key remain the same and allow me to back it up?
At work, on the network domain, i changed my password and lost access to my encrypted files. I can only include these people at work are idiots. I can't even delete the damn files. But I can still use the folder and encrypt/decrypt any new files put into it.
It seems that when my pwd was changed so was my encryption certificate. Idiots. No I did not ask them to recover the files...
It seems that when my pwd was changed so was my encryption certificate. Idiots. No I did not ask them to recover the files...
Personaly i read that the government have anyway way around this kind of encryption, but when you loose your PC (stolen, or lost notebook) it should serve well!
Do you really believe that?
http://www.tomshardware.com/business/20040722/forensic_software-01.html
Maybe to Linux you can trust, but i am not so sure.
http://www.tomshardware.com/business/20040722/forensic_software-01.html
Maybe to Linux you can trust, but i am not so sure.
Yes, I really believe it. If you read how encase works on XP and 2003, it first must obtain the password before it can decrypt encrypted files. This is nothing special. The password is necessary to obtain the private key to decrypt the FEK. The FEK uses symmetric encryption (256-bit AES on XP SP1 and higher) to encrypt the actual data.
So if you can obtain the password, of course EFS is trivial to defeat. I'm not sure why you feel Linux is any different in that regard. You will find that all EFS "cracking" tools out there rely on two things: the user's password and the user's private key. If you don't have those two things, your only option is to brute force first the encrypted FEK and then the encrypted file. You might be able to decrypt the FEK in a lifetime, but 256-bit AES encryption can take trillions of years to brute force given current technology.
Edit: forgot link to encase, typo: http://www.guidancesoftware.com/products/modules/EnCaseEFS.shtm
So if you can obtain the password, of course EFS is trivial to defeat. I'm not sure why you feel Linux is any different in that regard. You will find that all EFS "cracking" tools out there rely on two things: the user's password and the user's private key. If you don't have those two things, your only option is to brute force first the encrypted FEK and then the encrypted file. You might be able to decrypt the FEK in a lifetime, but 256-bit AES encryption can take trillions of years to brute force given current technology.
Edit: forgot link to encase, typo: http://www.guidancesoftware.com/products/modules/EnCaseEFS.shtm
I was just thinking more about some back door there...
It would be too "unexpected" that such simple solution can really work...
Thank You for learning me.
It would be too "unexpected" that such simple solution can really work...
Thank You for learning me.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 23K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
News NVIDIA and Intel to Develop AI Infrastructure and Personal Computing Products- Started by poke01
- Replies: 411
Facebook
Twitter