This article describes the symmetric key algorithms EFS supports, the 512-byte chunking it applies to a file's DATA attribute, and the way it derives initialization vectors. All three are needed to decrypt a file once its File Encryption Key (FEK) has been recovered.
EFS supports the AES-256 and 3DES symmetric key algorithms for encrypting the DATA attribute (Openspecs-office, 2018). Windows 10 defaults to AES-256. The algorithm used for newly encrypted files is selected through the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID. Its valid values are the CryptoAPI ALG_ID constants 0x6610 (CALG_AES_256) for AES-256 and 0x6603 (CALG_3DES) for 3DES. The identifier of the algorithm actually used for a given file is stored in that file's EFS metadata together with the FEK, so a decryption tool should take it from the file rather than assume the current system default. There does not appear to be a Group Policy setting that changes the symmetric key algorithm directly.
Both AES and 3DES are block ciphers: AES operates on 16-byte blocks and 3DES on 8-byte blocks, so input whose length is not a multiple of the block size must normally be padded under some padding scheme (Ireland D., 2020). EFS sidesteps this by encrypting the DATA attribute in fixed 512-byte units (Microsoft Support, 2020). Since 512 is a multiple of both 16 and 8, every unit is a whole number of cipher blocks and no cryptographic padding scheme is applied during encryption or decryption. A file whose size is not a multiple of 512 still has its final unit processed as a full 512 bytes; the file's true length comes from the attribute's data size, so the decrypted output is simply truncated to that size.
Lastly, EFS uses the Cipher Block Chaining (CBC) mode of operation (Microsoft Support, 2020b). In CBC an initialization vector (IV) is XORed into the first plaintext block and every later block is chained to the previous ciphertext block, so one IV serves a whole chain; EFS starts a fresh chain, with a fresh IV, for every 512-byte unit. The IV is one cipher block long, i.e., 16 bytes for AES-256 and 8 bytes for 3DES. Rather than generating a random IV and storing it alongside the data, EFS derives the IV deterministically from fixed constants and the unit's position in the stream, and all versions of Windows appear to use the same derivation. It was reverse-engineered as part of ntfsprogs, an open-source implementation of NTFS for Linux (Fossies, n.d.). With block_offset the zero-based index of the 512-byte unit (0 for bytes 0 to 511, 1 for bytes 512 to 1023, and so on) and all additions performed as unsigned 64-bit arithmetic: for 3DES the 8-byte IV is LittleEndian64(0x169119629891ad13 + block_offset); for AES-256 the 16-byte IV is the concatenation LittleEndian64(0x5816657be9161312 + block_offset) || LittleEndian64(0x1989adbe44918961 + block_offset). Because the IV is a pure function of the unit index, a decryptor needs only the FEK, the algorithm identifier and each unit's offset within the stream; nothing IV-related is stored in the file.
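The following Python is an added example, not code from the original page nor from ntfsprogs. It implements the IV derivation above for both algorithms and the per-unit CBC loop (fresh IV every 512 bytes, no padding, truncation to the real file size). The cipher primitive is pluggable so the chaining logic can be exercised without a key; the function and constant names are my own, and `block_decryptor_from_fek` assumes the third-party `cryptography` package is installed.

```python
"""EFS per-unit IV derivation and 512-byte CBC decryption loop.
Added example following the derivation recovered in ntfsprogs' ntfsdecrypt.c;
names and structure are this example's own, not the page's or ntfsprogs'."""
import struct

# CryptoAPI ALG_ID values, as stored in HKLM\...\EFS\AlgorithmID
CALG_AES_256 = 0x6610
CALG_3DES = 0x6603
BLOCK_SIZE = {CALG_AES_256: 16, CALG_3DES: 8}

UNIT = 512               # EFS encrypts the DATA attribute in 512-byte units
_MASK64 = (1 << 64) - 1  # additions below wrap like unsigned 64-bit in C

# IV seed constants recovered in ntfsdecrypt.c
_AES_SEED = (0x5816657BE9161312, 0x1989ADBE44918961)
_DES_SEED = 0x169119629891AD13


def efs_iv(alg_id: int, unit_index: int) -> bytes:
    """IV for the unit_index-th 512-byte unit (unit 0 covers bytes 0-511).
    Each seed is incremented by the unit index and serialised little-endian;
    AES-256 concatenates two 64-bit words, 3DES uses one."""
    if alg_id == CALG_AES_256:
        return struct.pack("<QQ", (_AES_SEED[0] + unit_index) & _MASK64,
                           (_AES_SEED[1] + unit_index) & _MASK64)
    if alg_id == CALG_3DES:
        return struct.pack("<Q", (_DES_SEED + unit_index) & _MASK64)
    raise ValueError(f"unsupported AlgorithmID {alg_id:#06x}")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_decrypt(decrypt_block, block_size: int, iv: bytes, data: bytes) -> bytes:
    """Textbook CBC: P[i] = D(C[i]) XOR C[i-1], with C[-1] = IV.
    decrypt_block(block) must be the raw single-block (ECB) decryption.
    No unpadding: an EFS unit is always a whole number of blocks."""
    if len(data) % block_size:
        raise ValueError("data is not a multiple of the block size")
    prev, out = iv, bytearray()
    for i in range(0, len(data), block_size):
        c = data[i:i + block_size]
        out += _xor(decrypt_block(c), prev)
        prev = c
    return bytes(out)


def efs_decrypt_data(alg_id: int, decrypt_block, ciphertext: bytes,
                     file_size: int) -> bytes:
    """Decrypt the raw encrypted DATA attribute: a new CBC chain with a newly
    derived IV for every 512-byte unit, then truncation to the file's real
    size, since the final unit is stored padded out to 512 bytes."""
    if len(ciphertext) % UNIT:
        raise ValueError("encrypted data is not a multiple of 512 bytes")
    block_size = BLOCK_SIZE[alg_id]
    plain = bytearray()
    for idx in range(len(ciphertext) // UNIT):
        unit = ciphertext[idx * UNIT:(idx + 1) * UNIT]
        plain += cbc_decrypt(decrypt_block, block_size, efs_iv(alg_id, idx), unit)
    return bytes(plain[:file_size])


def block_decryptor_from_fek(alg_id: int, fek: bytes):
    """Real primitive for a recovered FEK. Assumes the third-party
    'cryptography' package is available (an assumption of this example);
    ECB mode applied one block at a time is raw block decryption."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    algo = algorithms.AES(fek) if alg_id == CALG_AES_256 else algorithms.TripleDES(fek)
    dec = Cipher(algo, modes.ECB()).decryptor()
    return lambda block: dec.update(block)


if __name__ == "__main__":
    # Constructed sanity check: the IVs for the first two units of each algorithm.
    for alg in (CALG_AES_256, CALG_3DES):
        for idx in (0, 1):
            print(f"{alg:#06x} unit {idx}: {efs_iv(alg, idx).hex()}")
```

To decrypt a real file, pass `block_decryptor_from_fek(alg_id, fek)` as `decrypt_block`, the raw contents of the encrypted DATA attribute as `ciphertext`, and the attribute's data size as `file_size`. ntfsdecrypt.c reaches the same plaintext by a different route: it CBC-decrypts each 512-byte unit with an all-zero IV and then XORs the derived IV into the first plaintext block, which is algebraically identical to starting the chain with that IV.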
A walkthrough of manually decrypting an EFS-encrypted file is available on the author's GitHub page (diyinfosec, 2020c).
Lastnameholiu, drewbatgit, DCtheGeek, mijacobs, & msatranjr (2018, May 31). Asymmetric Keys. Microsoft Docs. https://docs.microsoft.com/en-us/windows/win32/seccrypto/public-private-key-pairs
diyinfosec (2020c, March 27). YT_Exercises: NTFS_EFS_Decryption. GitHub. https://github.com/diyinfosec/YT_Exercises/tree/master/NTFS_EFS_Decryption
Fossies (n.d.). ntfsdecrypt.c [ntfsprogs source file]. Fossies: The Fresh Open Source Software Archive. https://fossies.org/linux/ntfs/ntfsprogs/ntfsdecrypt.c
Microsoft Support (2020, April 10). Files are corrupted after you encrypt them with ECC certificates by using the EFS feature in Windows 7 or in Windows Server 2008 R2. Microsoft Support. https://support.microsoft.com/en-gb/help/2739159/files-are-corrupted-after-you-encrypt-them-with-ecc-certificates-by-us