Tuesday, February 2, 2016

Data Recovery Agents and EFS

The Encrypting File System (EFS) in Windows/NTFS is very nice: it protects user files with a key that is ultimately derived from the user's password. That means that if the user's password is forcibly reset (as opposed to changed by the user), the user loses access to EFS-encrypted files. That could be a problem.

Fortunately, Windows allows the registration of Data Recovery Agents (DRAs) for EFS. A DRA's key is likewise tied to its own account's password. When an EFS file is created or touched, Windows encrypts the file's symmetric key with each DRA's public key in addition to the user's. Therefore, even if the user's key is lost, a DRA can recover the file.

Note that EFS does not necessarily prevent malicious programs running as a user from accessing encrypted data. Malware could simply wait for the target file to be opened; it could also register a DRA certificate for a new user, wait for the user to touch some files, and read them with the DRA's account.
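As a defender-side check against the unexpected-DRA scenario above, here is an added example (not from the original post) that parses the output of `cipher.exe /c` and flags any recovery-agent thumbprint not on an approved list. The sample output and thumbprints are constructed, and the exact `cipher /c` layout is an assumption of this example.

```python
import re
import subprocess

# Constructed sample modelled on "cipher.exe /c <file>" output. Assumption: the
# tool prints a "Recovery Certificates:" section with one thumbprint line per DRA.
SAMPLE_CIPHER_OUTPUT = """\
E budget.xlsx
  Users who can decrypt:
    CORP\\alice [alice(alice@CORP)]
    Certificate thumbprint: 1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA

  Recovery Certificates:
    Administrator(Administrator@CORP)
    Certificate thumbprint: AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
    unknown-agent(unknown-agent@CORP)
    Certificate thumbprint: DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF

  Key Information:
"""

# Thumbprints of the DRA certificates the organisation deployed (constructed).
APPROVED_DRA_THUMBPRINTS = {"AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"}


def parse_recovery_thumbprints(cipher_output):
    """Return normalised thumbprints listed under 'Recovery Certificates:'."""
    thumbprints = []
    in_recovery = False
    for raw in cipher_output.splitlines():
        line = raw.strip()
        if line == "Recovery Certificates:":
            in_recovery = True
            continue
        if line.endswith(":"):  # any other section header closes the block
            in_recovery = False
            continue
        match = re.match(r"Certificate thumbprint:\s*([0-9A-Fa-f ]+)$", line)
        if in_recovery and match:
            thumbprints.append(match.group(1).replace(" ", "").upper())
    return thumbprints


def unexpected_recovery_agents(cipher_output, approved=APPROVED_DRA_THUMBPRINTS):
    """Recovery-agent thumbprints on the file that are not on the approved list."""
    return [t for t in parse_recovery_thumbprints(cipher_output) if t not in approved]


def audit_file(path, approved=APPROVED_DRA_THUMBPRINTS):
    """On a Windows host, run cipher.exe /c on a real file and audit its DRAs."""
    out = subprocess.run(["cipher.exe", "/c", path], capture_output=True, text=True, check=True)
    return unexpected_recovery_agents(out.stdout, approved)
```

Running `audit_file` over a user's EFS-encrypted files and alerting on a non-empty result surfaces a recovery certificate that was never deployed by policy.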
