Keep your data confidential

Unauthorized access to confidential data is a serious concern for individuals and corporations. Some OSs (e.g., Windows 95, Windows for Workgroups—WFW) offer no security. Even Windows NT systems are at risk when administrators don’t properly implement security. Intruders can read files you protect with previous versions of NTFS by bypassing NT security with tools such as NTFSDOS.

UNIX and Windows NT systems rely on a discretionary access control (DAC) system. Computers with DAC let you protect sensitive data by restricting access to confidential files and folders. DAC capability is particularly useful when several users have access to the same computer. However, even with DAC, confidential files can be at risk if users don’t receive proper training. DAC might not be useful if someone steals the computer or hard disk, because the OS enforces DAC. Anyone who can bypass the OS can easily access the hard disk files. Unauthorized users can easily access data secured on an NTFS volume if they steal the hard disk and reinstall NT on it. In certain environments, computers that don’t employ DAC permit unrestricted file and folder access to users who can access the system. Intruders can copy files to laptops, 3.5" disks, or home computers by dialing into the corporate network.

Windows 2000 (Win2K) includes an Encrypting File System (EFS) that provides file encryption capabilities on an NTFS volume. Even individuals who steal a hard disk or computer can’t access encrypted data on Win2K’s NTFS volume. To gain a better understanding of Win2K’s EFS, you need to understand the encryption methods in use today.

Common Encryption Techniques

Encryption protects confidential data from accidental exposure or theft. When you use encryption, your data is secure as long as your encryption key is safe. Safeguarding one encryption key is easier than protecting a large amount of data. However, if you lose the encryption key, you can no longer access the data you encrypt. Some of the encryption techniques that companies currently use to protect data are file encryption, disk encryption, and EFS.

File encryption protects your data. Some applications (e.g., Microsoft Word, Microsoft Excel) can encrypt and decrypt files on demand. File encryption is easier to implement than Windows 2000 EFS and works well in environments in which several users share a computer. However, this technique’s decryption process creates a plain text copy of a file, which you must delete in a secure manner. In addition, some applications (e.g., Word) store information in temporary files on the hard disk. These temporary files can leave data unprotected, so you must delete them securely too.

Application-level file encryption runs in NT’s user mode; thus, the OS stores the encryption key in a pagefile. Hackers can access the pagefile, which gives them access to the documents that the key encrypts.

Disk encryption encrypts data sector by sector and encrypts the entire hard disk with one key. The user enters a password to lock the hard disk. Disk encryption relies on the OS’ DAC. Thus, you can’t disable access to the hard disk while you’re running disk encryption.

EFS

EFS has several advantages over traditional encryption techniques. EFS’ encryption technology integrates into the file system, so that users can’t access the hard disk without going through the file system. Win2K’s EFS drivers run in kernel mode to provide better security. EFS is easy to manage and completely transparent to the user. A user can use a private key, which the OS generates, to encrypt only those files or folders that need protection. Users can then access their data transparently. Users who don’t have the private key can’t access the data.

EFS, which is based on public-key cryptography, encrypts data (e.g., local NTFS files) using a randomly generated file encryption key (FEK). A public key-based system uses a pair of keys: one private and one public. Only the user who owns the private key knows the private key. The public key is available to anyone who requests it. The user’s public key encrypts FEKs; the private key decrypts FEKs. NTFS stores a list of encrypted FEKs with the encrypted file in special EFS attributes known as Data Decryption Fields (DDFs) and Data Recovery Fields (DRFs).

EFS’ key storage mechanism is based on Win2K’s CryptoAPI architecture, which stores users’ public and private keys separately from the randomly generated FEK. This setup lets users store their private keys on secure devices (e.g., NTFS volumes, smart cards). Smart cards, which require smart-card readers on computers, are credit-card size devices that let users log on to Win2K with a personal identification number (PIN).
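The FEK, DDF and DRF hierarchy described above, together with the recovery-agent case the article discusses (a user who loses her private key, and a recovery agent who can still open the file), as an added Python model. This is not code from the article and not EFS’s real on-disk format: it assumes toy textbook RSA built from known Mersenne primes and a SHA-256 keystream in place of CryptoAPI’s RSA and EFS’s DES, and the functions make_keypair, encrypt_file and decrypt_file are this example’s own names.

```python
import hashlib
import secrets

# Toy RSA built from known Mersenne primes, so the example runs offline and
# deterministically. Unpadded RSA and a hash keystream are stand-ins for
# CryptoAPI's RSA and EFS's DES; neither is safe for real use.
E = 65537
MERSENNE = {31: 2**31 - 1, 61: 2**61 - 1, 89: 2**89 - 1, 107: 2**107 - 1}

def make_keypair(p, q):
    """Return (public, private) dicts; in EFS, CryptoAPI generates these per user."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def key_id(n):
    """Identifier stored beside each wrapped FEK, like the key hash in a DDF/DRF."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def stream_xor(key, data):
    """SHA-256 counter keystream XOR; symmetric, so it both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap_fek(pub, fek):
    """Encrypt the 64-bit FEK to one public key: one DDF or DRF entry."""
    return key_id(pub["n"]), pow(int.from_bytes(fek, "big"), pub["e"], pub["n"])

def encrypt_file(plaintext, owner_pub, agent_pubs):
    """Encrypt under a fresh random FEK, then wrap that FEK for the owner (DDF)
    and for every recovery agent (DRF). Only public keys are needed here."""
    fek = secrets.token_bytes(8)                       # DES-sized key
    return {"data": stream_xor(fek, plaintext),
            "ddf": [wrap_fek(owner_pub, fek)],
            "drf": [wrap_fek(p, fek) for p in agent_pubs]}

def decrypt_file(enc, priv):
    """Unwrap the FEK from the DDF/DRF entry matching this private key.
    Returns None when no entry matches: the caller holds no key to this file."""
    for kid, wrapped in enc["ddf"] + enc["drf"]:
        if kid == key_id(priv["n"]):
            fek = pow(wrapped, priv["d"], priv["n"]).to_bytes(8, "big")
            return stream_xor(fek, enc["data"])
    return None
```

A recovery agent listed in the DRF opens the file with its own private key and never needs the owner’s; a key pair with no DDF or DRF entry gets nothing, which is the property the article relies on when a stolen disk is reinstalled elsewhere.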
37446989-9974-4e0b-9376-50360315f1bd.doc 1/5
Smart cards make personal information (e.g., account numbers, passwords, digital certificates) portable.

Before you start using EFS, the systems administrator must set up a data recovery policy at the domain level (or at the local level for standalone machines). The EFS policy user interface lets recovery agents generate, import, export, and back up recovery keys. (A recovery agent is the individual a systems administrator assigns to manage recovery keys for all the computers in a domain.) For example, if domain user Rose loses her private key, she can’t open the files she encrypted with that key. Rose emails her encrypted file to Sam, the recovery agent, who decrypts the file on a secure machine by importing the file using Rose’s recovery key. Sam uses the EfsRecvr command-line utility to decrypt the file and send it back to Rose. If necessary, Rose can open the file and encrypt it again. Rose can use a similar process to recover an encrypted file when she’s working on a standalone workstation at home.

Win2K’s security subsystem enforces and replicates the EFS policy, so that users can use file encryption on a system that is temporarily offline. Laptop users can encrypt files when their computers are undocked in much the same way that users can use cached credentials to log on to a domain when the domain isn’t available for user authentication.

You can use EFS to encrypt files on remote servers. However, EFS encrypts files only on the hard disk; it doesn’t encrypt data users transmit over the wire. To encrypt data you transfer over the network, you must use a method that encrypts all TCP/IP client communications (e.g., IP security) or offers similar protection (e.g., Secure Sockets Layer—SSL).

I based this article primarily on Win2K’s beta 2 (build 1859). Some Win2K EFS features (e.g., command-line options for importing or exporting encrypted files) weren’t available when I wrote the article. In addition, Microsoft announced that the initial release of EFS won’t include support for file sharing or alternate encryption algorithms (i.e., EFS will support only Data Encryption Standard—DES). (For more information about DES, see "Is RAS Safe?" Windows NT Magazine, December 1997.) Microsoft will add these features in the future.

EFS Architecture

EFS consists of a service, a driver, a runtime library (EFSRTL), and Win32 APIs, as Figure 1 shows. The EFS service integrates with Win2K’s security subsystem. In user mode, the service supports Win32 APIs and interfaces with CryptoAPI to generate DDFs and DRFs. To reach kernel mode, the service uses local procedure call (LPC) to communicate with the EFS driver.

The EFS driver runs on top of NTFS in kernel mode. The driver communicates with the EFS service, which runs in user mode, for all key management services. The EFS driver requests FEKs, DDFs, and DRFs from the EFS service and transfers the information to the EFSRTL to perform file system operations. The EFSRTL is an EFS driver component, but it doesn’t communicate directly with the driver even though the EFS architecture implements the EFSRTL and the EFS driver as one component. The EFSRTL and the EFS driver communicate using NTFS callouts, which ensures NTFS security in all file operations.

EFS supports Win32 APIs in a system DLL file (advapi32.dll) and uses these APIs to encrypt, decrypt, and recover files. EFS also uses Win32 APIs to import files from and export files to other locations (e.g., 3.5" disks) without decrypting the files first.

Encrypting Files and Folders

Win2K’s NTFS file and folder properties now include encryption as an option. Encryption is a new file attribute in NTFS 5.0. Users can open, read, and save encrypted and nonencrypted files in the same manner. Only the user who encrypts the file or folder, a registered recovery agent, or anyone authorized to share the file or folder (i.e., users with a private key) can access an encrypted NTFS file or folder.

Applying EFS is similar to applying NTFS’ compression attribute. When you encrypt a folder, NTFS individually encrypts the files inside the folder and automatically encrypts any files you add to the folder. If any subfolders exist, you can encrypt them too. By default, NTFS encrypts any subfolders you create in an encrypted folder.

EFS lets you copy encrypted files across systems using command-line options. Win2K’s Copy command includes extra switches to import and export encrypted files. You can export an encrypted file to a 3.5" disk, a backup tape, or a FAT16 or FAT32 volume. (Note: Some of these features might not be available in the released version.) You can also transfer the encrypted file as an email attachment. The file remains encrypted until you decrypt it with the proper key. You export an encrypted file with the /E switch using the
syntax Copy /E source_file destination_file. For example,

Copy /E myfile.doc A:

You import an encrypted file with the /I switch using the syntax Copy /I source_file destination_file. For example,

Copy /I A:myfile.doc C:\data\myfile.doc

Remember that if you use the Copy command without the appropriate switch, EFS copies an encrypted file as an unencrypted file, unless you encrypt the destination folder. You can encrypt and decrypt folders (and files within a folder) from a command line using the Cipher utility. For more information on this utility, see the sidebar "Cipher Command-line Utility." According to Microsoft documentation, Win2K supports encrypting and decrypting individual files using the Cipher utility, but the build I tested only supported operations at the folder level.

If a file or folder resides on a FAT16 or FAT32 volume, is compressed, or has the system attribute, you can’t encrypt it. However, you can always uncompress a file or folder before you encrypt it. You can activate the encryption or compression attribute by clicking the Advanced button on the General tab of a folder’s Data Properties dialog box. Screen 1 shows this dialog box. These attributes are mutually exclusive: When you select one attribute, the other attribute grays out.

Make sure you don’t encrypt any files in the system folder. A user’s encryption key isn’t available during the boot process, so if you encrypt a system file, you can’t boot into Win2K. If you attempt to encrypt a file with the system attribute, you’ll receive an Access is denied error message. Future versions of Win2K will let you encrypt system files.

To identify encrypted files in a folder without verifying individual file properties, you can use the Cipher utility without any switches to display the state of the files in a folder. However, if you want to verify the state of files and folders at several locations on different volumes, using the command-line tool can be tedious. In this case, I suggest you use NT’s File Manager to verify file and folder encryption. File Manager isn’t available in Win2K, but you can copy it from a previous version of NT. File Manager doesn’t show you which files or folders are encrypted, but encrypted files and folders disappear from the File Manager as soon as you encrypt them. This method lets you confirm encrypted data easily and is particularly useful when you think you’ve encrypted subfolders but suspect you might have accidentally left out certain files. (I don’t encourage using File Manager instead of Explorer; however, using File Manager can be helpful in certain situations.)

Decrypting Files and Folders

EFS provides transparent decryption of files and folders for typical reads and writes. Users also can decrypt files or folders by right-clicking a file or folder in Explorer. To decrypt a file or folder, deselect the Encrypt contents to secure data option in the Data Properties’ Advanced attributes dialog box.

Encryption Standards

EFS isn’t available in all OSs for two reasons. First, including EFS in an OS is complex and requires that you integrate it with the OS. Integrating EFS isn’t easy and requires considerable skill. Second, national regulations and restrictions on the export of encryption technology have made integrating EFS harder for vendors. EFS encryption technology is based on the DES 56-bit encryption key. Current policy doesn’t permit the export of software with stronger than 40-bit encryption. While Microsoft and other companies hammer out the encryption regulations with the US government, EFS will be available in North America with standard 56-bit DES encryption. Outside North America, only 40-bit DES encryption will be available. Standard 56-bit DES encryption is downward compatible with 40-bit encryption; however, 40-bit encryption isn’t compatible with 56-bit encryption.

A Welcome Addition

Win2K’s new encryption feature—one of the OS’ major enhancements—is a welcome addition. Microsoft seems very interested in making Win2K a serious competitor for rival OSs (e.g., UNIX, AS/400) that run on minicomputers and mainframe computers. EFS and other Win2K features bring Microsoft a step closer to this goal.

Win2K’s EFS provides users with a high level of security and transparent access to encrypted files and folders. EFS is a valuable tool for most organizations, including large corporations facing the constant challenge of protecting information from internal and external attacks. When companies implement EFS wisely, EFS provides great data security. Careless management of encryption keys can be damaging, resulting in the loss of valuable information and the exposure of confidential data. To successfully deploy EFS, you must create proper backup and recovery plans and carefully manage encryption keys.
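The verification step in Encrypting Files and Folders above (Cipher with no switches, or the File Manager trick, to find files an encrypted tree left out), as an added Python audit that is not part of the article. It reads the same NTFS attribute bits Cipher and Explorer display; scan runs only on Windows, where os.stat exposes st_file_attributes, while SAMPLE is a constructed listing with invented paths, and classify and format_report are this example’s own names.

```python
import os

# NTFS attribute bits (the values of stat.FILE_ATTRIBUTE_SYSTEM / _ENCRYPTED).
FILE_ATTRIBUTE_SYSTEM = 0x0004
FILE_ATTRIBUTE_ENCRYPTED = 0x4000

def scan(root):
    """Yield (path, attribute bits) for every file under root.
    os.stat().st_file_attributes exists only on Windows; elsewhere bits are 0."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield path, getattr(os.stat(path), "st_file_attributes", 0)

def classify(entries):
    """Sort (path, bits) pairs into encrypted, plain, and system (unencryptable)."""
    report = {"encrypted": [], "plain": [], "system": []}
    for path, bits in entries:
        if bits & FILE_ATTRIBUTE_SYSTEM:
            report["system"].append(path)      # EFS refuses these: Access is denied
        elif bits & FILE_ATTRIBUTE_ENCRYPTED:
            report["encrypted"].append(path)
        else:
            report["plain"].append(path)       # left out of the encrypted tree
    return report

def format_report(report):
    """One line per file: Cipher-style E/U markers, plus S for system files."""
    lines = [f"E {p}" for p in report["encrypted"]]
    lines += [f"U {p}" for p in report["plain"]]
    lines += [f"S {p}" for p in report["system"]]
    return "\n".join(lines)

# Constructed sample listing, as if scan(r"C:\data") had run on a folder the
# user encrypted in Explorer (0x20 = archive, 0x02 = hidden). Paths are invented.
SAMPLE = [
    (r"C:\data\budget.xls", 0x4020),
    (r"C:\data\notes.txt", 0x0020),              # never received the attribute
    (r"C:\data\old\memo.doc", 0x4020),
    (r"C:\data\old\~WRL0001.tmp", 0x0022),       # Word temp file, still plain text
    (r"C:\data\tools\driver.sys", 0x0024),       # system attribute set
]

if __name__ == "__main__":
    print(format_report(classify(SAMPLE)))
```

On a real volume, replace SAMPLE with scan(r"C:\data"); the U lines are the files to re-encrypt (or, for application temp files, to delete securely), and the S lines are the ones EFS will not take.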
Screen 1: the folder’s Data Properties dialog box, reached through the Advanced button on the General tab