encrypting

chuckles_2004

I did a clean sweep on my laptop and now I cannot access
encrypted files on my ext HDD. What can I do?
 
Jupiter Jones [MVP]

The password will not do any good without the necessary files if EFS was
used.
 
Jupiter Jones [MVP]

Tom;
Not if the files are encrypted.
Otherwise EFS would be worthless.
EFS is very secure when used properly.

Do not confuse EFS with NTFS Permissions.
 
Tom H

Straight from the horse's mouth, boys,

"http://www.microsoft.com/resources/...windows/xp/all/reskit/en-us/prnb_efs_uizt.asp"

"If the certificate is not available, the private key will not be available,
and the user will not be able to decrypt the file."


So, at first blush you would appear to be correct, Jupiter. I've looked and
I can't find details on the algorithm that creates the key pairs. However,
if (BIG if, mind you) the only input to this algorithm is a pw, does it not
stand to reason that if one had the same, original pw, and the same exact
tool, one could re-create the same exact public/private key pair?
Does anyone know the secret of the creation of the key pairs?
 
Mike Brannigan [MSFT]

Tom H said:
Straight from the horse's mouth, boys,

"http://www.microsoft.com/resources/...windows/xp/all/reskit/en-us/prnb_efs_uizt.asp"

"If the certificate is not available, the private key will not be
available, and the user will not be able to decrypt the file."


So, at first blush you would appear to be correct, Jupiter. I've looked
and I can't find details on the algorithm that creates the key pairs.
However, if (BIG if, mind you) the only input to this algorithm is a pw,
does it not stand to reason that if one had the same, original pw, and the
same exact tool, one could re-create the same exact public/private key
pair?
Does anyone know the secret of the creation of the key pairs?

Yes, and it has nothing to do with a user's password.
If you do not have the certificate and you do not have a key recovery agent
(and its certificate available) then you will not be able to recover the
files.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Steve Riley [MSFT]

EFS uses DPAPI (data protection API) to generate the keys.

Here is how a user's password relates to DPAPI. For every user on a computer,
DPAPI generates a strong master key. To protect this key, DPAPI uses PKCS
#5 to generate a key from the user's password and encrypts the master key
with this password-derived key. DPAPI then stores the encrypted master key
in the user's profile.

This master key is used to protect every other key generated by DPAPI, including
the symmetric file encryption key (FEK) and the keys used to protect the FEK.

Steve Riley
(e-mail address removed)
 
Tom H

Just out of curiosity, when the Microsoft cryptography API wants to create a
'random' number, i.e. for the purpose of creating un-recreatable key pairs,
how does it do it?
If not solely by using a text pw as input, what does it do to make a set of
bits that are different-by-design? It's an interesting conundrum because
digital computing devices don't do that kind of thing well; they are
marvelously good at arriving at exactly the same outputs, not good at
creating unpredictable, different-each-time outputs. Or is it a secret? I
promise not to tell ANYONE!
According to a book I read about how spy agencies generated their one-time
pads during the Cold War, the KGB had a microphone outside of their HQ that
picked up random traffic noise and the signal from that was processed into
a random bitstream, while the CIA had a radio receiver (HF) tuned to a
static-laden portion of the RF spectrum and processed the random clicks and
pops into a secure, unreproducible bitstream.
 
Steve Riley [MSFT]

DPAPI (which is part of CryptoAPI) doesn't use the password when it generates
keys. Let me draw a simple picture of what I wrote below.

create new account on computer
|
put password on account
|
generate new master key for this account
|
generate PKCS #5 key-from-password
|
encrypt master key with key-from-password; discard key-from-password
|
store master key in user profile



Now say you encrypt a file. This happens:

retrieve master key from profile
|
generate PKCS #5 key-from-password
|
decrypt master key
|
open key store and retrieve EFS private key
|
decrypt EFS private key using master key
|
generate symmetric FEK
|
encrypt file with FEK
|
encrypt FEK with EFS private key


You're right that there's a lot of "random" number generation going on here.
CryptoAPI includes a function called CryptGenRandom() that generates cryptographically
random numbers but alas I don't know how it does it. These numbers are much
more random than what you'd get with the functions in typical compilers.
CryptGenKey(), the function that generates keys, follows similar logic.

Steve Riley
(e-mail address removed)
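An added example (my own model, not code from Steve Riley or Microsoft) of the key hierarchy described in Steve's two posts above: a random master key wrapped under a PKCS #5 (PBKDF2) key derived from the password, the EFS private key wrapped under the master key, and a fresh FEK per file wrapped under the EFS key. The XOR stand-in cipher, the iteration count and all function names are constructed assumptions; the point it shows is why the same password on a freshly installed machine cannot recover the files: the master key is random, and only its wrapped copy in the old profile can unlock the chain.

```python
import hashlib
import os

ROUNDS = 100_000  # PBKDF2 iteration count (an assumption for this model)

def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream.
    Constructed for illustration only; it is not the cipher DPAPI/EFS use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def create_profile(password: str) -> dict:
    """Account creation: a random master key, wrapped with a PKCS #5 (PBKDF2)
    key derived from the password; only the wrapped forms are stored."""
    salt = os.urandom(16)
    master_key = os.urandom(32)        # random, never derived from the password
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    efs_private_key = os.urandom(32)   # stand-in for the EFS RSA private key
    return {"salt": salt,
            "wrapped_master_key": _xor_keystream(kek, master_key),
            "wrapped_efs_key": _xor_keystream(master_key, efs_private_key)}

def _unwrap_efs_key(profile: dict, password: str) -> bytes:
    """Password -> PBKDF2 key -> master key -> EFS private key."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), profile["salt"], ROUNDS)
    master_key = _xor_keystream(kek, profile["wrapped_master_key"])
    return _xor_keystream(master_key, profile["wrapped_efs_key"])

def encrypt_file(profile: dict, password: str, plaintext: bytes) -> dict:
    """Fresh random FEK per file; the FEK is wrapped with the EFS key (real EFS
    wraps it with the public key and unwraps with the private key)."""
    fek = os.urandom(32)
    return {"ciphertext": _xor_keystream(fek, plaintext),
            "wrapped_fek": _xor_keystream(_unwrap_efs_key(profile, password), fek)}

def decrypt_file(profile: dict, password: str, blob: dict) -> bytes:
    """Recovers the plaintext only with the profile that holds the wrapped keys
    used at encryption time. With this stand-in cipher a wrong profile or
    password yields garbage rather than an error; a real implementation would
    use an authenticated wrap so the mismatch is detected."""
    fek = _xor_keystream(_unwrap_efs_key(profile, password), blob["wrapped_fek"])
    return _xor_keystream(fek, blob["ciphertext"])
```

Encrypt with one profile, then call decrypt_file with a second profile created from the same password: the second profile's random master key cannot unwrap the first's EFS key, which is the situation the original poster is in after the clean sweep.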