Components of EFS


EFS consists primarily of the following operating system components: the EFS service, the EFS driver, the EFS File System Run-Time Library (FSRTL), and an application programming interface (API). Like many other security services, EFS uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI) to obtain services from a cryptographic service provider such as the RSA Base Provider that is included with Windows XP Professional. Figure 17-1 shows the architecture of EFS.

Figure 17-1: EFS architecture

EFS Service

The EFS service is part of the security subsystem. It uses the existing local procedure call (LPC) communication port between the Local Security Authority (LSA) and the kernel-mode security reference monitor to communicate with the EFS driver. In user mode, it interfaces with CryptoAPI to obtain file encryption keys and to generate data decryption fields (DDFs) and data recovery fields (DRFs). The EFS service also provides support for Win32 APIs.

The EFS service calls CryptoAPI to acquire the file encryption key (FEK) for a data file and then to encode the FEK, thus producing the DDF. The EFS service also returns the FEK, DRF, and DDF by way of the FSRTL to the EFS driver.

EFS Driver

EFS is tightly integrated with NTFS. The EFS driver is essentially a file system filter driver logically layered on top of NTFS. It communicates with the EFS service to request file encryption keys, DDFs, DRFs, and other key management services. It passes this information to the EFS FSRTL to perform various file system operations (open, read, write, and append) transparently.

CryptoAPI

CryptoAPI provides services that enable application developers to add cryptography to their Win32 applications. CryptoAPI consists of a set of functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for private key data. Applications can use the functions in CryptoAPI without knowing anything about the underlying implementation.

CryptoAPI provides the underlying security services for secure channels and code signing. CryptoAPI supports public key and symmetric-key operations such as key generation, key management and secure storage, key exchange, encryption, decryption, hashing, digital signatures, and verification of signatures. Developers can use certificates with these public key operations and perform the necessary encapsulations and encoding to apply certificates within their applications.

EFS uses CryptoAPI for all of its cryptographic operations.

Cryptographic Service Provider

By default, EFS uses the DESX algorithm, a variation of the U.S. government's Data Encryption Standard (DES) algorithm, for file encryption. The public-private key pairs for EFS users and recovery agent accounts are obtained from the Microsoft base cryptographic service provider (CSP), also called the RSA base provider. This CSP is included with Windows XP Professional and is approved for general export worldwide. The Microsoft enhanced CSP can also be used for EFS.

3DES Algorithm Support

Windows XP Professional can be configured to use the triple-DES (3DES) algorithm instead of DESX. 3DES, which is compliant with Federal Information Processing Standards (FIPS 140-1 Level 1), offers significantly stronger encryption using a 128-bit or 168-bit key.

3DES is enabled through a Group Policy setting.

Note: When 3DES is enabled, it is used as the encryption algorithm for IP Security as well as for EFS. For more information about configuring 3DES support, see Enabling 3DES later in this chapter.

When 3DES is enabled, all new encryptions are completed by using 3DES. Note that DESX and 3DES are always available for decryption, regardless of the encryption policy.

Data Protection API

The Data Protection API (DPAPI) is a set of function calls that provide data protection services to user and system processes. Applications either pass plaintext data to DPAPI and receive protected data back, or pass the protected data to DPAPI and receive plaintext data back. For example, after a CSP generates keys for certificates, it calls CryptProtectData(), one of the primary functions of DPAPI, to protect those keys. When the keys are needed, DPAPI decrypts them.
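The DPAPI round trip described above (plaintext in, protected blob out, and back again), as an added PowerShell example that is not part of the Resource Kit. It uses the .NET ProtectedData class, which wraps CryptProtectData()/CryptUnprotectData(); the entropy value and the sample secret are constructed for the demonstration.

```powershell
# Added example: protect and unprotect data with DPAPI via .NET's wrapper over
# CryptProtectData()/CryptUnprotectData(). Run as the user whose master key should bind the blob.
Add-Type -AssemblyName System.Security   # ProtectedData lives in this assembly on Windows PowerShell

function Protect-Secret([string]$Plaintext, [byte[]]$Entropy,
                        [System.Security.Cryptography.DataProtectionScope]$Scope) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    # Returns the opaque protected blob; DPAPI keeps the key material, the caller keeps only the blob.
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
}

function Unprotect-Secret([byte[]]$Blob, [byte[]]$Entropy,
                          [System.Security.Cryptography.DataProtectionScope]$Scope) {
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    [Text.Encoding]::UTF8.GetString($bytes)
}

# CurrentUser scope: only the same user account (same DPAPI master key) can unprotect the blob.
$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$entropy = [Text.Encoding]::UTF8.GetBytes('constructed-app-entropy')   # constructed secondary secret
$secret  = 'constructed sample: private key material'

$blob = Protect-Secret $secret $entropy $scope
$leaks = [Text.Encoding]::UTF8.GetString($blob).Contains('private key')
"Blob length: $($blob.Length) bytes; plaintext visible in blob: $leaks"   # expected: False
"Round trip: $(Unprotect-Secret $blob $entropy $scope)"

# Wrong entropy (or, for CurrentUser scope, a different user) cannot recover the plaintext.
try {
    Unprotect-Secret $blob ([Text.Encoding]::UTF8.GetBytes('wrong-entropy')) $scope
} catch {
    "Unprotect rejected: $($_.Exception.GetType().Name)"
}
```

Protecting the blob under LocalMachine scope instead lets any process on the machine unprotect it, so CurrentUser plus application-specific entropy is the tighter choice for per-user secrets such as the CSP's private keys.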

EFS FSRTL

The EFS FSRTL is a module within the EFS driver that implements NTFS callouts to handle various file system operations such as reads, writes, and opens on encrypted files and directories, and operations to encrypt, decrypt, and recover file data when it is written to or read from disk. The EFS driver and FSRTL are implemented as a single component. However, they never communicate directly. They use the NTFS file control callout mechanism to pass messages to each other. This ensures that NTFS participates in all file operations. The operations implemented by using the file control mechanisms include writing the EFS attribute data (DDF and DRF) as file attributes and communicating the FEK computed in the EFS service to FSRTL so that it can be set up in the open file context. This file context is then used for transparent encryption and decryption on writes of file data to disk and reads of file data from disk.

Win32 API

EFS provides an API set to expose its features. This API provides a programming interface for operations such as encrypting plaintext files, decrypting or recovering ciphertext files, and importing and exporting encrypted files (without decrypting them first). The API is remoted to support remote encryption, decryption, backup, and restore operations. The API is supported in a standard system DLL, Advapi32.dll.
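An added PowerShell example, not from the Resource Kit, that calls the Advapi32.dll EFS entry points (FileEncryptionStatus, EncryptFile, DecryptFile) directly through P/Invoke and shows that reads of the encrypted file remain transparent. It assumes an NTFS volume, a user account with an EFS certificate, and a constructed sample file under $env:TEMP.

```powershell
# Added example: exercise the EFS Win32 API exported by Advapi32.dll.
Add-Type -Namespace Efs -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool EncryptFile(string lpFileName);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DecryptFile(string lpFileName, uint dwReserved);

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool FileEncryptionStatus(string lpFileName, out uint lpStatus);
'@

# Status codes returned by FileEncryptionStatus (values from winbase.h).
$EfsStatus = @{
    0 = 'FILE_ENCRYPTABLE'; 1 = 'FILE_IS_ENCRYPTED'; 2 = 'FILE_SYSTEM_ATTR'
    3 = 'FILE_ROOT_DIR';    4 = 'FILE_SYSTEM_DIR';   5 = 'FILE_UNKNOWN'
    6 = 'FILE_SYSTEM_NOT_SUPPORT'; 7 = 'FILE_USER_DISALLOWED'
    8 = 'FILE_READ_ONLY';   9 = 'FILE_DIR_DISALLOWED'
}

function Get-EfsStatus([string]$Path) {
    $status = [uint32]0
    if (-not [Efs.Native]::FileEncryptionStatus($Path, [ref]$status)) {
        throw "FileEncryptionStatus failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $EfsStatus[[int]$status]
}

# Constructed sample file; the path is an assumption for the demonstration.
$file = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -Path $file -Value 'constructed plaintext written before EncryptFile'

"Before EncryptFile:  $(Get-EfsStatus $file)"          # expected: FILE_ENCRYPTABLE
if (-not [Efs.Native]::EncryptFile($file)) {
    throw "EncryptFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"After EncryptFile:   $(Get-EfsStatus $file)"          # expected: FILE_IS_ENCRYPTED
"Attributes:          $((Get-Item $file).Attributes)"  # includes Encrypted

# The owning user still reads plaintext: the EFS driver and FSRTL decrypt on the read path.
"Transparent read:    $(Get-Content $file)"

if (-not [Efs.Native]::DecryptFile($file, 0)) {
    throw "DecryptFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"After DecryptFile:   $(Get-EfsStatus $file)"          # expected: FILE_ENCRYPTABLE
```

A FILE_USER_DISALLOWED or FILE_SYSTEM_NOT_SUPPORT status before EncryptFile indicates policy or a non-NTFS volume rather than a code error, so check the status first when EncryptFile fails.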




Microsoft Windows XP Professional Resource Kit 2003