Overview of Windows Encryption technology

Source: Internet
Author: User
Tags: decrypt, account security, asymmetric encryption

Encryption is an important foundation and component of the Windows security architecture. The protection mode of modern CPUs is the hardware cornerstone of system security: building on the CPU's hardware privilege levels, Windows runs its own key system code in kernel mode at the high processor privilege level and runs applications in user mode at the low privilege level, which guarantees that the system's basic security control logic (such as the access control mechanisms for memory, files and other system resources) actually takes effect. Combined with this system-level security control logic, encryption technology lets user information keep its confidentiality, tamper-evident integrity and other security attributes even in storage and transmission environments that are untrustworthy to some degree, such as a stolen computer or a network on which sniffing is taking place.

Windows encryption technology can be discussed on two levels. The first is the basic cryptographic algorithm service: at this level, digest (hash), symmetric encryption, asymmetric encryption and other basic cryptographic algorithms are made available to applications through CryptoAPI and other operating system API interfaces. The second is the Windows system-level encryption functions, which include EFS, protection of user information, SSL and other network encryption protocols, and so on. On top of its basic cryptographic algorithm service, Windows builds a fairly complete encryption system which, on the one hand, protects Windows systems themselves (standalone and domain-joined) and, on the other hand, provides system-level cryptographic protection services that applications can use directly.

Windows cryptographic algorithms are organized through the Cryptographic Service Provider (CSP) mechanism. Windows defines the CSP architecture and its APIs. Through these API functions an application can enumerate the CSPs present in the system, select the CSP that meets its needs, and perform cryptographic operations with the algorithms that CSP implements. Each CSP contains a set of cryptographic algorithms and key protection mechanisms from one vendor's implementation, and different CSPs can contain different implementations of the same algorithm. Some CSPs are combined with hardware: the algorithm logic and key protection are implemented on separate hardware, and the CSP is the interface adaptation layer that separates application software from that cryptographic hardware. Microsoft pre-installs several CSPs in Windows, so the cryptographic algorithms they contain are immediately available on every Windows computer. With the CSP framework, application software performs cryptographic operations through the unified API defined by Windows and can therefore adapt easily to different implementations of cryptographic algorithms: what may look like a completely different way of implementing encryption is, for the application, just a difference in CSP names. The choice of CSP is easy to configure, either through centralized control of the application system or by the choice of the end user.
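The following PowerShell session is an added example, not code from the article: it enumerates the installed CSPs and then signs and verifies a constructed message through one CSP selected only by its name and provider type. The provider name and type are the built-in Microsoft RSA/AES CSP; the message text is constructed. Run it on Windows (Windows PowerShell 5.1 or PowerShell 7).

```powershell
# Added example: list the CSPs present on this machine, then use one by name.
# certutil ships with Windows; the .NET CryptoAPI wrappers are used for the rest.
certutil -csplist

# The only provider-specific inputs are the name and provider type. Swapping in
# another CSP (for example a smart-card CSP) changes these two values and nothing else.
$providerName = 'Microsoft Enhanced RSA and AES Cryptographic Provider'  # built-in CSP
$providerType = 24                                                        # PROV_RSA_AES

function Invoke-CspSignDemo {
    param([string]$ProviderName, [int]$ProviderType, [string]$Message)

    $csp = New-Object System.Security.Cryptography.CspParameters($ProviderType, $ProviderName)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
    $rsa.PersistKeyInCsp = $false    # delete the demo key container on Dispose

    $hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $data    = [Text.Encoding]::UTF8.GetBytes($Message)

    $signature = $rsa.SignData($data, $hash, $padding)
    $okClean   = $rsa.VerifyData($data, $signature, $hash, $padding)

    # Flip one bit of the message: the signature must no longer verify.
    $data[0] = $data[0] -bxor 1
    $okTampered = $rsa.VerifyData($data, $signature, $hash, $padding)

    $info = $rsa.CspKeyContainerInfo
    $rsa.Dispose()

    [pscustomobject]@{
        ProviderUsed     = $info.ProviderName
        KeyOnHardware    = $info.HardwareDevice   # true for hardware-backed CSPs
        VerifiesClean    = $okClean               # expected: True
        VerifiesTampered = $okTampered            # expected: False
    }
}

Invoke-CspSignDemo -ProviderName $providerName -ProviderType $providerType -Message 'constructed sample message'
```

`PersistKeyInCsp = $false` matters: without it the randomly named key container created for the demo stays in the user's key store. The `HardwareDevice` flag is how a caller can tell, through the same API, whether the selected CSP keeps the private key on separate hardware as the paragraph describes.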

The Windows encryption system is aimed at protecting Windows computers and Windows networks themselves, user account security, and user data security. The Windows release media contains Microsoft's public key, and a code signing mechanism based on digital signature technology is used to verify the integrity of the system components. This integrity check guarantees that the system code really does come from Microsoft and has not been tampered with by a third party.
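As an added example (not part of the article), the PowerShell check below verifies the code signatures of a few system components with `Get-AuthenticodeSignature` and flags any file whose signature is not valid or whose signer is not Microsoft. The file list is a constructed sample; on Windows 8 and later the cmdlet also honours catalog signatures, which most system files rely on.

```powershell
# Added example: verify that system components carry a valid Microsoft signature.
function Test-MicrosoftSignature {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $subject
        IsValid = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')
    }
}

# Constructed sample set of core components; any list of system files works.
$files = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\ntdll.dll",
    "$env:SystemRoot\System32\kernel32.dll"
)

$results = $files | ForEach-Object { Test-MicrosoftSignature -Path $_ }
$results | Format-Table File, Status, IsValid -AutoSize

# Anything listed here has been modified, is unsigned, or is not covered by an
# installed catalog and deserves a closer look.
$results | Where-Object { -not $_.IsValid }
```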

When Windows is installed on a computer, the security identifier (SID) and the device master key for that computer are randomly generated. The device master key is used to protect data within the boundary of the local computer and to verify that the device is a member of a Windows domain.

When a user account is created in Windows, a user SID and a user master key are generated. The user master key is protected by encryption with the user's password. Important security data belonging to the user, such as the private keys of digital certificates and the network login passwords saved by system tools, is encrypted by Windows under the protection of the user master key. Because the stored user master key is encrypted with the user's password, the original master key cannot be decrypted when an administrator forcibly resets the user's password. At that point the following prompt appears: "You are resetting the password for XXXX. If you do this, XXXX will lose all personal certificates and stored passwords for the site or network resources." This also means that even an administrator cannot read the user's encrypted information by resetting the password. Note that the user password itself is stored as a digest (hash); to counter dictionary attacks, Windows saves only half of the digest's bits in the registry. Because recovering the master key requires all of the bits, an attacker who gets hold of the half stored in the registry still cannot decrypt the user's master key.
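The protection described in the two paragraphs above is exposed to applications as the Windows Data Protection API (DPAPI). The PowerShell session below is an added example, not code from the article: it protects a constructed secret under the current user's master key, decrypts it in the same user context, and shows that the wrong optional entropy is refused. The secret and entropy strings are constructed; the caller never sees or handles the master key itself.

```powershell
# Added example: user-master-key protection through DPAPI (ProtectedData).
Add-Type -AssemblyName System.Security     # needed on Windows PowerShell 5.1

function Protect-WithUserKey {
    param([string]$Secret, [string]$Entropy)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $bytes = [Text.Encoding]::UTF8.GetBytes($Secret)
    $salt  = [Text.Encoding]::UTF8.GetBytes($Entropy)
    # The blob is decryptable only by this user account on this machine.
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $salt, $scope)
}

function Unprotect-WithUserKey {
    param([byte[]]$Blob, [string]$Entropy)
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $salt  = [Text.Encoding]::UTF8.GetBytes($Entropy)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $salt, $scope)
        [Text.Encoding]::UTF8.GetString($plain)
    } catch {
        # Wrong entropy, another user account, or a master key orphaned by an
        # administrative password reset all end up here instead of yielding bytes.
        "refused: " + $_.Exception.GetBaseException().GetType().Name
    }
}

$entropy = 'constructed app-specific entropy'
$blob = Protect-WithUserKey -Secret 'constructed sample secret' -Entropy $entropy
"Protected blob is {0} bytes" -f $blob.Length

"Same user, right entropy : {0}" -f (Unprotect-WithUserKey -Blob $blob -Entropy $entropy)
"Same user, wrong entropy : {0}" -f (Unprotect-WithUserKey -Blob $blob -Entropy 'wrong')
```

The second call fails with a `CryptographicException` rather than returning garbage, which is the behaviour callers should rely on when a password reset has made the stored master key unrecoverable: the data is refused, not silently corrupted.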

The Windows Encrypting File System (EFS) protects user data. EFS uses a hybrid encryption scheme to protect file contents: each EFS-encrypted file is protected with its own randomly generated symmetric key, the file encryption key (FEK). The FEK is encrypted with the public key of the user's digital certificate, so recovering the FEK requires access to the private key of the user's file encryption certificate. That private key is in turn protected by the user master key, and the user master key is protected by the user's password. Because resetting the user's password loses the original master key, access to the EFS private key is lost as well, and files previously encrypted with EFS can no longer be opened. In that case, the only way back in is the private key of the EFS file encryption certificate that was used when the file was first encrypted. The difference between EFS-encrypted and unencrypted files is that, for unencrypted files, an account with administrator privileges can open them without logging in to the owner's account. When a device or hard drive is stolen, the thief can easily obtain such privileges by mounting the hard disk on their own computer. EFS prevents this with strong encryption. Had the owner in that well-known case turned on EFS through the folder's encryption attribute and used a hard-to-guess Windows login password, sending the computer in for repair would not have landed him in the news headlines so soon.
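The PowerShell session below is an added example, not code from the article. It turns on EFS for a constructed demo file, shows which certificates can decrypt it, locates the user's EFS certificate by its enhanced key usage OID, and exports the certificate with its private key to a password-protected PFX, which is the backup the paragraph says is the only way to recover EFS data after a forced password reset. The file and backup paths are constructed; EFS requires an edition of Windows that includes it.

```powershell
# Added example: encrypt a file with EFS, inspect it, and back up the EFS key.
$path = Join-Path $env:USERPROFILE 'efs-demo.txt'       # constructed demo file
Set-Content -Path $path -Value 'constructed sample content'

# Set the Encrypted attribute. Windows generates the FEK and wraps it with the
# user's EFS certificate, auto-enrolling a self-signed certificate if none exists.
[System.IO.File]::Encrypt($path)
$attrs = (Get-Item $path).Attributes
"Encrypted attribute set: {0}" -f (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)

# Show the certificate thumbprints (users and recovery agents) that can decrypt it.
cipher /c $path

# Find the EFS certificate in the user's store: EKU "Encrypting File System".
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
$efsCert | Select-Object Subject, Thumbprint, NotAfter

# Export certificate + private key. Store the PFX off the machine; without it a
# forced password reset leaves every EFS-encrypted file unrecoverable.
$pfxPath = Join-Path $env:USERPROFILE 'efs-backup.pfx'  # constructed backup location
$pfxPass = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $efsCert -FilePath $pfxPath -Password $pfxPass | Out-Null
"EFS key backed up to {0}" -f $pfxPath
```

`cipher /c` is the quickest way to confirm which keys a file depends on; if the thumbprint it lists is not among the certificates you have backed up, the file is one password reset away from being unreadable.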

Building on these local encryption features, Windows implements a series of network encryption protocols, some specific to Windows networks, such as the RDP protocol, and some common to the Internet, such as SSL and IPsec. Through the relevant cryptographic APIs, applications can use the protocols implemented by the system to encrypt the information they transmit over the network.
