Offline private key protocol

Transcription

Hello, welcome back to your free training series for Windows 7. In this video I will look at the encrypted file system or EFS. EFS is supported only in Windows 7 Professional or above. The encrypted file system is a system in Windows that allows you to encrypt any file or folder on your hard disk. This help to ensure only the people who are allow to read the file have access and also prevents what is called an offline attack. An offline attack is when you boot off a boot disk or remove the hard disk from the computer and place it in anther computer. This kind of attack by passes the security of the operating system. By using EFS to encrypt your files, the attacker will not be able to make sense of any of the files even when reading them using an offline attack. To make EFS fast it uses a symmetric algorithm. This essentially means it uses the same key to encrypt the file as to decrypt the file. You may be wondering where is this key is stored? Well it is stored in the file that you want encrypted. This may seem like a security risk, but the way Windows get around this is attached to your user account is a certificate. This certificate is used to encrypt the key stored in the file so it can’t be read without your certificate. This essentially means the following. If you delete your user account with it goes the certificate needed to access the encrypted file. Even if you create a new user with the same user name it will have a different certificate and not be able to access any files encrypted with the other user certifcate. To get around this problem, Microsoft allows you to do one of two things. Firstly you can backup up your certificates. Backing up the certificates allows you to access the file if the originally certificate is lost. For example if the user account is deleted. The second thing you can do is create what is called a data recovery agent. A data recovery agent is a second user that has access to the file. To make this work, EFS places a second copy of the symmetric key in the file and this is encrypted with the data recovery agent certificate. Now you have two users who can get access to the key when required. If more users need to access the file, you can again add more keys to the file and these will be encrypted using the user’s certificate. This makes EFS very expandable but does also mean that you have to start managing certificates. If you are using a domain environment, you can install a certificate authority in your domain to manage all these certificates. Doing this is beyond the scope of this course and the exam. In this video I will look at how to manage certificates locally. I now switch to my Windows 7 computer and start encrypting some files. First of all I will open mmc from the start menu. From here I will add the certificates snap in. When you encrypt your first file a EFS certificate is created automatically. Since no files has ever been encrypted on this computer, when I open the folder personal under certificates there are no certificates present. To encrypt some files, I will open Windows explorer and go into a folder in the documents library I created called personal. To encrypt a file, right click the file and select properties. From here select the button advanced. To encrypt the file it is simple matter of ticking the tick box encrypt contents to secure data. Notice that if I tick the box compress contents to save disk space the encrypt tick box is cleared. With Windows, you have the choice of one or the other, not both. Once I tick the encryption tick box, all I need to do is press o.k. and exit out of the properties for the file. Notice that I now get a dialog message asking me if I want to encrypt the file and folder or just the file. It is recommended that you encrypt the folder because software like Microsoft Word creates temporary files. If the temporary file is not encrypted then the contents of the original file may be able to be found from the temporary file. Once I press o.k. the file will be encrypted. Notice that in Windows explorer the file name has now changed to green. If now go back into the certificates snap in, you will notice that once I refresh the view by pressing F5, a EFS certificate has been created. This certificate is used to protect and read the symmetric encryption key contained in the file. If this user was deleted, the certificate shown here would be deleted with the user. If the certificate is not back up and lost then any files encrypted with this certificate will not be readable. To help prevent this from happening it is best to create a data recovery agent. I will now change to anther user on this computer called DRA. I have changed the wall paper so the DRA user is easier to tell apart from the other user. To create a data recovery agent for this user, I first need to export a certificate that can be used to encrypt files and read them. To do, open a command prompt from the start menu and enter the command cipher with the r switch followed by colon and the file name. Once I enter in a password to protect the certificate two files will be created. The CER file has the public key which will be used to encrypt files. The PFX file contains the private key which is used to decrypt files. To configure a data recovery agent for this computer, open local group policy from the start menu. From group policy expand into computer configuration, Windows settings, security settings, public key polices and encrypting file system. Currently there are not DRA’s configured, to add one, right click encrypted file system and select the option add data recovery agent. This will start the wizard, from the wizard browse to the certificate file I exported earlier. I will get a warning telling me Windows can’t tell if this certificate has been revoked. This is normal when using self-signed certificates which means the certificate was created on the computer that it is being used on. Once I finish the wizard, the certificate will be used to create a data recovery agent. Remember to configure a data recovery agent before your users start encrypting files. If you don’t, any files encrypted before the data recovery agent was set up will not be accessible by the recovery agent. If I select properties for encrypted file system, notice that I have the option to switch off encryption. On large networks it may be worth switching off encryption to prevent your users using it if you don’t have a need for it. The last thing you want is your end users flipping on encryption thinking it is a good idea without a data recovery agent first being set up on your network. Now that I have configured a data recovery agent, if I now go into the properties for the file that I encrypted earlier, select advanced and then select the option details. Notice now that data recovery user account is listed as a recovery certificate at the bottom of the screen. If I exit out of here and now attempt to open the file, notice that I get an access denied message. Since this file was encrypted before the data recovery agent was set up I will not be able to access it. If the user writes to the file or re-encrypts the file the data recovery agent will have access to the file. If I now switch back to the general user and go back into the personal directory and create a new file, this file will be able to be opened by the data recovery agent. If I go into the properties of the file, select advanced and then select details. Notice the recovery certificate is automatically added to the file. Notice also that if I select the user, I have the option back up keys. Even with a data recovery agent on your computer, you should at a minimum backup the keys to a safe location. If I now switch back to my data recovery agent user and attempt to open the file I just created I will get an error message saying access denied. I have done this on purpose to prove a point. The data recovery agent has been set up correctly, but Windows does not have a copy of the certificate installed. To show this, if I now open mmc from the start menu and then add the certificate snap in. If I now navigate to the personal folder, notice there is no certificate on this computer. Thus there is no certificate installed to decrypt files. To add the certificate I exported earlier, I can simply double click on the file. Make sure you select the PFK file as this contents the private key needed to decrypt files. If you add the CER file, this file does not have the private key and thus can’t decrypt any files. Once the wizard starts I will be asked for the password for the file. Once I have entered the password I can next my way to the end of wizard. The certificate has been imported to the local computer. When I press F5 to refresh the certificates snap in, I can now see the certificate. If I attempt to open the file again, the file will open this time without a problem. This user will now be able to open any encrypted files created on this computer from this point onwards. Encryption in Windows is a little hard to understand at first because there is so much involved to get it to work. To better understand,let’s review how it works. First of all you have a user on a system that wants to encrypt a file. When the file is encrypted a symmetric key is used to encrypt the file. A symmetric key simple means the same key is used to encrypt the file as to decrypt the file. Symmetric key encryption is used because it is quite fast. The symmetric key is then stored with the file. The problem is that anyone who can access the file could read the symmetric key. To overcome this, when you encrypt your first file, Windows automatically creates a public and private key to be used with EFS. The public key is used to encrypt the symmetric key so it can’t be read without the private key. The public key and private key are kept in the user profile, so it is recommend that you backup the users certificates and keep them in a safe place. Without the certificate you can’t decrypt the symmetric key and thus decrypt the file. On large networks, you are most likely going to want to configure a data recovery agent or DRA. The DRA has its only public key and private key. When the user encrypts a file, the symmetric key is again encrypted and combined with the file, but this time anther copy of the symmetric key is also placed with the file. The second key is encrypted with the public key of the DRA. The DRA and the user can both decrypt a copy of the symmetric key using their private keys. Notice however, the DRA can’t decrypt the first file because there is no copy of a symmetric key in the file that has been encrypted with the DRA’s public key. For the DRA to access this file, the user will need to re-encrypt the file or open and resave the file. This is why it is so important to set up DRA on your network before you start encrypting files. If you have no plans to use encryption on your network, I would recommend switching it off or changing the permissions for the end users so they can’t enable it. The last thing you want is an end user to enable encryption, leave the company, have their account deleted and then 6 month later realize you can’t access any of their files. Notice also that if you want to enable more people to access the file it is a simple matter of adding them. Windows will add a new symmetric key that has been encrypted with the user’s public key to the file allowing them to decrypt the file. Just remember that the certificate used to encrypt and decrypt files is created when you first encrypt a file. If you attempt to add a user that has never encrypted a file before you won’t be able to because no certificate exists for that user. In order to get their name to appear, you need to need to have the user encrypt a file and thus a certificate will automatically be created for them. To create the certificate, you can also have the user run the command cipher with the slash k switch. This will create the certificate without the need to encrypt any files. The encryption system in Windows is quite powerful and needs to be managed correctly. If it is not managed correctly then you risk not being able to access your files and thus losing the data in those files forever. For these reasons make sure you back up your certificates and where appropriate set up a data recovery agent. The next video in this completely free series for Windows 7 for the 70-680 exam will look at user account control. User account control helps protect your computer from having viruses and spy ware from being installed on your computer without your knowledge. I hope you have enjoyed this video and thanks for watching.