The Technology Behind the Encrypting File System
Windows 2000 expert Bill Boswell examines the encryption technologies used by EFS, including the use of public keys and private keys.
In my first article, I gave a brief introduction to the new Encrypting File System (EFS) in Windows 2000. Now I'm going to take a look at the encryption technologies used by EFS. You don't need to be a cryptography expert to manage EFS, but you do need to know where the cryptographic components are stored so that you don't inadvertently render yourself unable to recover encrypted files. It's like digging a trench for your sprinkler system without first finding out where the underground utilities are buried. You can get wet, smelly, or shocked very quickly.
Encryption can be thought of as locking something valuable into a strongbox. Sensitive data is encrypted using a secret key, and the file can be opened only by someone who possesses that key. It follows that an encrypted file is only as secure as the protection applied to the key itself.
EFS uses two different encryption technologies and several different encryption keys to accomplish its functions. Use Figure 1 as a roadmap during this discussion.
File encryption roadmap
When EFS encrypts a file, it generates a random number called the file encryption key, or FEK. The FEK is a symmetric key: the same key both encrypts and decrypts the file. The algorithm used to encrypt the file under the FEK is DESX, a variant of the Data Encryption Standard (DES). DESX wraps the standard DES operation in two extra steps: each plaintext block is XORed with a whitening key before it goes through DES, and the DES output is XORed with a second whitening key afterward. The additional key material makes an exhaustive key search far costlier than it is against plain 56-bit DES, at almost no performance cost. That combination is what makes DESX attractive: it is fast and fully exportable.
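To make the DESX structure concrete, here is an added example in Python (not code from the article, and not Microsoft's implementation). It shows the construction C = K2 XOR E_K(P XOR K1): pre-whitening, the block cipher, post-whitening. The Python standard library has no DES, so a small SHA-256-based Feistel network stands in for the inner DES step; it is not DES and exists only so the whitening layers have a 64-bit block cipher to wrap. The use of three independent 64-bit subkeys, their generation from the OS CSPRNG, and the CBC mode used to cover a multi-block "file" are this example's own assumptions; the article does not describe how EFS sizes or derives its subkeys or which mode it uses.

```python
"""DESX-style key whitening around a 64-bit block cipher (added example).

C = K2 XOR E_K(P XOR K1). The inner cipher here is a toy Feistel network,
NOT DES; only the whitening structure around it is the point.
"""
import hashlib
import secrets

BLOCK = 8  # 64-bit blocks, the DES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_key(key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd])).digest()


def _f(half: bytes, round_key: bytes) -> bytes:
    # Feistel round function. It need not be invertible; the Feistel
    # structure supplies invertibility.
    return hashlib.sha256(round_key + half).digest()[:4]


def toy_block_encrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Stand-in for the DES step: an 8-round balanced Feistel network (NOT DES)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(right, _round_key(key, r)))
    return right + left  # undo the final swap, as DES does


def toy_block_decrypt(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Same network run with the round keys in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _f(right, _round_key(key, r)))
    return right + left


def desx_encrypt_block(block: bytes, k1: bytes, k: bytes, k2: bytes) -> bytes:
    """DESX: pre-whiten with K1, encrypt under K, post-whiten with K2."""
    return _xor(toy_block_encrypt(_xor(block, k1), k), k2)


def desx_decrypt_block(block: bytes, k1: bytes, k: bytes, k2: bytes) -> bytes:
    """Inverse: strip K2, decrypt under K, strip K1."""
    return _xor(toy_block_decrypt(_xor(block, k2), k), k1)


def generate_fek() -> tuple:
    """A 'file encryption key' for this example: three random 64-bit subkeys
    (K1, K, K2) from the OS CSPRNG. Assumption: subkey sizes and derivation
    are this example's choice, not a description of EFS."""
    return (secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK),
            secrets.token_bytes(BLOCK))


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # always 1..8, so unpadding is unambiguous
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def desx_cbc_encrypt(plaintext: bytes, fek: tuple, iv: bytes) -> bytes:
    """Encrypt a whole 'file' block by block in CBC mode (mode is an assumption)."""
    k1, k, k2 = fek
    out, prev = bytearray(), iv
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = desx_encrypt_block(_xor(padded[i:i + BLOCK], prev), k1, k, k2)
        out += prev
    return bytes(out)


def desx_cbc_decrypt(ciphertext: bytes, fek: tuple, iv: bytes) -> bytes:
    k1, k, k2 = fek
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(desx_decrypt_block(blk, k1, k, k2), prev)
        prev = blk
    return _unpad(bytes(out))


if __name__ == "__main__":
    fek = generate_fek()
    iv = secrets.token_bytes(BLOCK)
    ct = desx_cbc_encrypt(b"constructed sample file contents", fek, iv)
    print(ct.hex())
    print(desx_cbc_decrypt(ct, fek, iv))
```

Two properties worth noticing: with both whitening keys set to zero, `desx_encrypt_block` collapses to the inner cipher, which shows that whitening is the only thing DESX adds; and decrypting with a wrong K1 returns the plaintext XORed with the key difference rather than the plaintext, so every one of the subkeys must be available to recover the file.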