Windows EFS question - are user private keys actually encrypted?

Skeeedunt

Platinum Member
Oct 7, 2005
(Disclaimer: No, I didn't format my Windows drive without backing up a recovery certificate :p)

I kind of assumed that the process went like this:

- New user is created.
- EFS certificate is created. Private key is symmetrically encrypted using the user's password, then stored on disk.
- User logs in. Their password is used to decrypt their EFS private key, key is stored in memory.
- Private key in memory is used to decrypt FEKs and whatever else.

I skimmed most of the Microsoft documentation and googled around some, but I couldn't find anything that explicitly stated that the private key is actually encrypted.

If NTFS permissions were the only barrier, anyone who stole a hard drive could just mount it on another system, take ownership of the private keys, and decrypt the rest of the files (right?).

Or am I completely misunderstanding something?

nweaver

Diamond Member
Jan 21, 2001
I don't know about EFS, but RSA private keys are usually protected by a password, and worthless (I suppose you could try and brute force a password) without it

stash

Diamond Member
Jun 22, 2000
Yes, it is. Read up on DPAPI (especially the section "Keys and Passwords in DPAPI": http://msdn2.microsoft.com/en-us/library/ms995355.aspx).

You used to be able to do something similar to what you suggest in Windows 2000, because the local administrator account was the default EFS recovery agent. Therefore, you could use something like a Nordahl disc to change the local admin password, log in as admin and have access to any encrypted files on the system.

On XP and above, there is no default recovery agent, so that attack is useless. Also, if you were to reset a local user's password, you would essentially invalidate the Master Key and nobody would be able to decrypt the files, not even the user who originally encrypted them.

Lastly, if you use domain accounts (rather than local accounts) there are pretty much no attack vectors other than brute forcing 256-bit AES (good luck), because the user's creds are stored on a domain controller, not locally. If you are using local accounts, you can greatly increase the security of the DPAPI keys by using SysKey and storing the startup key on a floppy (see: http://support.microsoft.com/kb/310105)

EFS in XP and above is extremely well designed and virtually impossible to break if you follow best practices. Also, in Vista, enabling the GPO setting for FIPS-140 validated algorithms will force EFS to use AES (which will be FIPS validated on Vista) whereas on XP, this option would downgrade the encryption to 3DES, since the AES implementation on XP was not FIPS validated.
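The key chain described in this thread (password-derived key wrapping a DPAPI master key, which wraps the EFS private key, which in turn unwraps each file's FEK), written up as an added, deliberately simplified Python model that is not real DPAPI or any code from the thread: it assumes HMAC-SHA256 and PBKDF2 in place of the real algorithms, a symmetric stand-in for the RSA key pair, and a SHA-256 "verifier" standing in for the stored logon hash. It exists to show the difference stash points out between a user-initiated password change (master key re-wrapped, files still readable) and an administrative reset (logon succeeds, but the wrapped keys no longer open).

```python
import hashlib, hmac, os

# Simplified model (NOT real DPAPI) of the chain above: password -> PBKDF2 -> wraps master
# key -> wraps EFS private key -> unwraps per-file FEK. wrap = HMAC-SHA256 stream + tag.

def _stream(key, n):
    return b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def wrap(key, data):
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()
def unwrap(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: wrapped blob does not authenticate")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))
def pw_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verifier(password):  # stands in for the stored logon hash
    return hashlib.sha256(password.encode()).digest()

def create_profile(password):  # on-disk state: verifier plus wrapped keys only
    salt, master, private = os.urandom(16), os.urandom(32), os.urandom(32)
    return {"verifier": verifier(password), "salt": salt,
            "master": wrap(pw_key(password, salt), master), "private": wrap(master, private)}

def logon(profile, password):
    """Returns the EFS private key; PermissionError on bad password, ValueError if lost."""
    if not hmac.compare_digest(verifier(password), profile["verifier"]):
        raise PermissionError("bad password")
    master = unwrap(pw_key(password, profile["salt"]), profile["master"])
    return unwrap(master, profile["private"])

def encrypt_file(profile, password, plaintext):
    fek = os.urandom(32)  # real EFS wraps the FEK with the RSA public key instead
    return wrap(logon(profile, password), fek), wrap(fek, plaintext)

def decrypt_file(profile, password, wrapped_fek, ciphertext):
    return unwrap(unwrap(logon(profile, password), wrapped_fek), ciphertext)

def user_change_password(profile, old, new):
    """User-initiated change: master key is re-wrapped under the new password."""
    master = unwrap(pw_key(old, profile["salt"]), profile["master"])
    profile["master"] = wrap(pw_key(new, profile["salt"]), master)
    profile["verifier"] = verifier(new)

def admin_reset_password(profile, new):
    """Admin reset: only the verifier changes; master key stays under the old password."""
    profile["verifier"] = verifier(new)
```

After `admin_reset_password`, `logon` with the new password passes the verifier check but `unwrap` of the master key raises, which is the "nobody can decrypt, not even the original user" outcome; only a backed-up certificate or a recovery agent key would get the files back.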