Data recovery analysis: EFS-encrypted files that cannot be opened

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

(1) Type of failure: EFS-encrypted files cannot be opened

(2) Typical characteristics:

1. Previously encrypted files cannot be opened after the system is reinstalled

2. The encrypted files cannot be opened because the key file has been lost

(3) Damage severity rating: ★★★★

[Fault principle and recovery approach]

When an NTFS file is encrypted with EFS, the system first generates a pseudo-random FEK (File Encryption Key), then encrypts the data with the FEK and overwrites the file in place. The system then encrypts the FEK with the user's public key and stores the encrypted FEK in the $EFS attribute of the encrypted file.

When the encrypted file is accessed, the system first uses the current user's private key to decrypt the FEK, and then uses the FEK to decrypt the file. When EFS is used for the first time, if the user does not already have a public/private key pair (collectively referred to as the key), the key is generated first and then the data is encrypted. If the user logs in to a domain environment, key generation depends on the domain controller; otherwise it depends on the local machine.

The user's private key is what makes decrypting an EFS file possible. The private key is stored in `Documents and Settings\%UserName%\Application Data\Microsoft\Crypto\RSA\%UserSID%` on the Windows partition. (The user's SID is a security identifier, equivalent to the user's ID number. When an account is created, the system assigns it a unique SID.)

To protect the private key, Windows encrypts it with the master key, which is located in `Documents and Settings\%UserName%\Application Data\Microsoft\Protect\%UserSID%` on the Windows partition, and then encrypts the master key with a key generated from the user's password.

This forms the encryption chain "user password -> master key -> private key -> FEK -> EFS-encrypted file". So to fully recover EFS-encrypted data, you must have the user password, the master key, and the private key.
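The following sketch is an added example, not code from the original article: pointed at a user profile directory on a mounted copy of the Windows partition, it reports which SIDs still have private key files and master key files at the locations described above. The function names, the `AppData/Roaming` fallback, and the sample SIDs and file names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")   # account SID directory name
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# The page's profile layout, plus the AppData\Roaming layout used by later
# Windows versions (an addition here, not taken from the page).
APPDATA_ROOTS = ("Application Data", "AppData/Roaming")


def efs_key_inventory(profile_dir):
    """Map each SID found under a user profile to the key files still present."""
    report = {}
    for root in APPDATA_ROOTS:
        ms = Path(profile_dir) / root / "Microsoft"
        for kind, base in (("private_keys", ms / "Crypto" / "RSA"),
                           ("master_keys", ms / "Protect")):
            if not base.is_dir():
                continue
            for sid_dir in base.iterdir():
                if not (sid_dir.is_dir() and SID_RE.match(sid_dir.name)):
                    continue
                entry = report.setdefault(
                    sid_dir.name, {"private_keys": [], "master_keys": []})
                for f in sorted(sid_dir.iterdir()):
                    if not f.is_file() or f.stat().st_size == 0:
                        continue          # empty file: nothing left to use
                    if kind == "master_keys" and not GUID_RE.match(f.name):
                        continue          # master key files are GUID-named
                    entry[kind].append(f.name)
    for entry in report.values():
        # Both links on disk; the user password is still needed to unlock them.
        entry["key_files_present"] = bool(
            entry["private_keys"] and entry["master_keys"])
    return report


def build_sample_profile():
    """Constructed sample: one SID with both links, one with no master key."""
    root = Path(tempfile.mkdtemp())
    ms = root / "Application Data" / "Microsoft"
    for sid, has_mk in (("S-1-5-21-1-2-3-1001", True), ("S-1-5-21-1-2-3-1002", False)):
        (ms / "Crypto" / "RSA" / sid).mkdir(parents=True)
        (ms / "Crypto" / "RSA" / sid / "constructed_private_key").write_bytes(b"\x01")
        (ms / "Protect" / sid).mkdir(parents=True)
        if has_mk:
            (ms / "Protect" / sid / "00000000-0000-0000-0000-000000000001").write_bytes(b"\x01")
    return root
```

A SID reported with `key_files_present` set to false has a broken link in the chain on disk, so those files would have to be searched for or reassembled from unallocated space before the password is of any use.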

(4) Recovery process

1. Detection process:

(1) View the space occupied by the existing system.

(2) Check the number of MFT file and directory entries and the space they now occupy.

2. Implementation process:

(1) Find or reassemble the private key for the encrypted FEK.

(2) Find or reassemble the master key that encrypts the private key.

(3) Check and match against the user's password, then decrypt the user's files.

(4) Logically analyze and verify the decrypted files, and migrate the data the user needs.

3. Acceptance process:

(1) Compile attribute statistics on all the migrated data, by number of files and capacity, to ensure that all the data the user requires has been migrated successfully.

(2) Verify the integrity of all migrated data to ensure that the files are correct in directory structure and underlying logic.

(3) Check the key data files specified by the user to ensure that the user's key data was recovered successfully.

(5) Reliability analysis and time estimate for recovery:

In most cases, this kind of failure is caused by key loss after the system is reinstalled. Because a reinstall writes a large number of files to the system partition, the probability that the key is overwritten is relatively high, which is an important reason for the low recovery success rate. Generally, the success rate for this kind of failure is about 50%, and recovery usually takes 1-3 working days.

[Tips]

(1) After encrypting files with EFS, back up the key and store the backup safely.

(2) Stop using the computer immediately after such a failure, to reduce the probability that the key is overwritten.
