2.8.3 EFS – Part 1
By Val Bakh
In this blog post, we’ll discuss Encrypting File System, or EFS. EFS enhances the NTFS file system by providing file-level encryption.
Before we look into the inner mechanics of EFS, let’s define encryption in general. In simple terms, encryption is a method for modifying a document in such a way that other people cannot see what’s inside it. This might sound similar to what permissions do, but it’s not quite the same thing. NTFS permissions for a file do not change the file’s content; they only keep unauthorized users from opening the file in a regular manner. Someone with malicious intent — we can call that person an intruder or an attacker — can relatively easily circumvent permissions if he or she has physical access to your computer. All the attacker needs to do is connect the hard disk holding your document to another computer that the attacker can control. Or the attacker can install a new instance of an operating system (OS) on your computer. Then the attacker can change permissions and have complete access to all of your data.
But when the file is encrypted, its content is “scrambled” so that it cannot be viewed quickly or easily. An algorithm for this modification does not have to be a secret, but to run it backward (that is, to “unscramble” the data), you need to know a long and unwieldy string of binary data, or a key, that you should keep secret from others. You should not reveal it even to the people you trust. Instead, if you want a few colleagues to be able to unlock the file, you should enable them to do so with their own keys.
Here is how it works. You encrypt the file by using a key that can work both ways — to lock the file and to unlock it. This key is called a file encryption key, or FEK. The algorithm that you used to encrypt the file is designed to encrypt and decrypt large amounts of data relatively quickly. So you have locked the file with a FEK; the next step is to secure the FEK. Imagine that the FEK is a regular, physical key. To secure it, you could put it into a safe-box and lock the box with another key. This new key is of a different kind; it can either lock or unlock, but it cannot do both. This one is called the public key because you don’t have to hide it from anyone. Once you’ve locked your FEK with your public key, no one — not even you — can unlock the FEK with the same public key. You must have a separate key, the public key’s twin, of sorts. That is your private key; keep it safe at all times. The public key and the private key complement each other: what has been locked with the public key can be unlocked only with the private key. The opposite is also true: what you lock with your private key can be unlocked only with your public key. The algorithm for encrypting the FEK is much more secure than the algorithm for encrypting the file, but it is also significantly more resource-intensive and, therefore, is not well suited for encrypting large amounts of data in a reasonable time frame.
Next, you attach the encrypted FEK to the encrypted file. To continue the analogy involving a safe-box, this is similar to putting your house key into a safe-box with a combination lock and hanging it on the door handle. If you want your family or close friends to be able to get into the house in your absence, you need to tell them the combination that opens the box. With EFS, it’s not that simple, though. Revealing the combination for the box (that is, sharing your private key with others) is not really safe, because if one person knows that combination, he or she can tell it to someone else, and in a week the entire town might be in on the secret. So, instead of making a copy of your private key (the one that can open the box with the FEK inside) and giving it to a trusted coworker, you make a copy of the FEK, place it into another safe-box, and lock it with your coworker’s public key. You put the second box next to the encrypted file, together with the first box (that is, you attach the second instance of the encrypted FEK, along with the first instance, to the encrypted file). Now your colleague can open the second box, get the FEK, and open the file. Your colleague can also re-encrypt the file afterward with the same FEK and lock the FEK back into the same safe-box by using his or her public key, the same one that you used to lock it originally. It’s definitely a bit cumbersome, with all these boxes for all of your colleagues with whom you need to share the file, but it’s reasonably secure.
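The two-layer scheme and the sharing step described above, as an added example that is not from the original post and is not Microsoft’s EFS code. It uses only Go’s standard library: a random FEK with AES-256-GCM as the fast file cipher, and RSA-OAEP as the slow cipher that locks a copy of the FEK in one "safe-box" per user. The user names, the struct layout and the sample document are constructed for illustration and do not reproduce EFS’s on-disk format or its exact algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed OAEP label; it ties every wrapped blob to this one purpose.
var oaepLabel = []byte("fek-wrap")

// WrappedFEK is one "safe-box": the FEK locked with one user's public key.
type WrappedFEK struct {
	Owner string // hypothetical user name, for display only
	Blob  []byte // FEK under RSA-OAEP; opens only with that user's private key
}

// EncryptedFile is the scrambled content plus every safe-box hung on it.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Boxes      []WrappedFEK
}

// aeadFor builds the fast symmetric cipher (AES-256-GCM) keyed with the FEK.
func aeadFor(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapFEK locks a copy of the FEK with a public key (the slow, asymmetric step).
func wrapFEK(owner string, fek []byte, pub *rsa.PublicKey) (WrappedFEK, error) {
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, oaepLabel)
	return WrappedFEK{Owner: owner, Blob: blob}, err
}

// recoverFEK tries every attached box; only a box locked with this key's public
// twin opens. A wrong private key fails the OAEP padding check and is skipped.
func recoverFEK(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, box := range ef.Boxes {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, box.Blob, oaepLabel); err == nil {
			return fek, nil
		}
	}
	return nil, errors.New("no attached FEK opens with this private key")
}

// EncryptFile scrambles plaintext under a fresh random FEK and attaches one
// wrapped copy of that FEK per recipient public key.
func EncryptFile(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for name, pub := range recipients {
		box, err := wrapFEK(name, fek, pub)
		if err != nil {
			return nil, err
		}
		ef.Boxes = append(ef.Boxes, box)
	}
	return ef, nil
}

// DecryptFile opens the file with whichever box this private key can unlock.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := recoverFEK(ef, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// AddRecipient is the sharing step: the owner opens their own box, copies the
// FEK and hangs a new box locked with the coworker's public key. The owner's
// private key is never handed over.
func AddRecipient(ef *EncryptedFile, owner *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	fek, err := recoverFEK(ef, owner)
	if err != nil {
		return err
	}
	box, err := wrapFEK(name, fek, pub)
	if err != nil {
		return err
	}
	ef.Boxes = append(ef.Boxes, box)
	return nil
}

func main() {
	// Constructed demo: owner, coworker and an intruder who holds no attached box.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	intruder, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := EncryptFile([]byte("constructed sample document"), map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	_ = AddRecipient(ef, alice, "bob", &bob.PublicKey)
	for _, u := range []struct {
		name string
		key  *rsa.PrivateKey
	}{{"alice", alice}, {"bob", bob}, {"intruder", intruder}} {
		pt, err := DecryptFile(ef, u.key)
		fmt.Printf("%-8s boxes=%d plaintext=%q err=%v\n", u.name, len(ef.Boxes), pt, err)
	}
}
```

Running it shows the point of the safe-box analogy: the owner and the coworker each open the file through their own box, while the intruder’s key, even with full read access to the ciphertext and both boxes, recovers nothing. Note that sharing never copies the owner’s private key; it only adds another wrapped copy of the FEK.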
If an intruder gains physical access to your computer or the hard disk where your encrypted data is stored and succeeds in changing permissions for that data, the intruder still cannot open any of the encrypted files without your private key. Even though the private key might be stored on the same disk as the encrypted files, it is under strong protection and only a really savvy intruder can get it. You can deny that chance to even the most determined attacker by simply removing your private key from the computer and by storing the key on a smart card or another small storage device that you always carry with you. Then the attacker would need a supercomputer and days, or even months or years, depending on the strength of the key, to crack the code through a brute-force attack.
EFS can help us keep our data relatively secure and away from those who should not have access to it. In this blog post, we have introduced EFS and file-level encryption in common-sense and easy-to-understand terms. Next month, we’ll focus on more technical aspects of file-level encryption.