Remote Decryption on File Shares in C#.NET

Encoder QR Code JIS X 0510 in C#.NET Remote Decryption on File Shares

To decrypt a file, EFS must first obtain the user s private key. More specifically, EFS needs the private key associated with the public key used to encrypt the file s FEK. EFS uses the private key to decrypt the FEK and then uses the FEK to decrypt the file. The private key is stored in the user s profile. Before decrypting the file, EFS must: 1. Locate the user s profile. The user is not currently logged on at the remote computer where the decrypting is taking place, so EFS impersonates the user. The user might have a local profile or a roaming profile. 2. Find the appropriate private key. When a profile is located, EFS checks any private keys contained in the profile for a match with the public key that encrypted the FEK. Note

3. Decrypt the FEK. If the user profile contains the correct private key, EFS uses it to decrypt the FEK. When EFS decrypts a file on the computer at which the user is logged on, the user is already accessing his or her user profile. When the user attempts to decrypt a remote file, however, EFS needs to impersonate the user to get access to the user s profile, in which the user s private keys are stored. This requires the computer to be trusted for delegation. In a remote decryption scenario, then, EFS determines whether the computer has been trusted for delegation. If not, the decryption process fails.

Part III:

The user account must also not be designated as a sensitive account that cannot be delegated. Domain administrator accounts, for example, are flagged as nonforwardable (identity cannot be delegated). Any account that cannot be delegated cannot use EFS remotely. If the computer is trusted for delegation and the user account that EFS needs to impersonate can be delegated, EFS can next locate the user s profile. The process is similar to that used after a new key pair has been generated and the private key needs storage. EFS looks for a local profile and a roaming profile, and it uses the roaming profile if it exists. If the user does not have a local or a roaming profile, the decryption process fails. EFS cannot create a user profile in this situation because it needs the existing private key (and thus the profile in which it is stored) to decrypt the FEK. If a user profile is located, EFS looks for a private key to match the public key used to encrypt the FEK. If found, the private key is used to decrypt the FEK and file decryption can begin. If the private key is not found, the decryption process fails. When the FEK is decrypted and used to decrypt the file, the data is ready to be transmitted in plaintext across the network. Note that an attacker can use network monitoring software to access the plaintext data as it is transmitted over the network. You can prevent this by using IP Security with ESP and encryption to secure data as it is transmitted, or by storing encrypted files on Web folders.

Encrypted files and folders can be renamed, copied, or moved. Renaming an encrypted file or folder either locally or remotely does not cause decryption. However, moving or copying a file or folder can result in decryption. The effects of moving or copying encrypted files and folders vary according to whether the files or folders are moved or copied locally or remotely. For more information about renaming, copying, or moving encrypted files and folders, see Windows XP Professional Help and Support Center. Local file operations and encrypted files Encrypted files or folders retain their encryption after being either copied or moved, either by using My Computer or by using commandline tools, to local volumes, provided that the target volume uses the version of NTFS used in Windows 2000 or later. Otherwise, encrypted files are stored as plaintext and encrypted folders lose the encryption attribute. Note

Most floppy disk drives are FAT volumes, so encryption is lost when files are copied to disk unless the files are backed up by using the Backup tool before they are copied. Encrypted files that are copied or moved to servers or workstations running Microsoft Windows NT 4.0 also lose their encryption.

18: