Transparent file encryption. Transparent encryption with CyberSafe


For encrypting physical disks and creating virtual encrypted disks. However, such encryption is not always convenient.
Firstly, it is not always possible to encrypt an entire physical disk. Secondly, if you use virtual disks, the container files typically take up hundreds of megabytes of disk space and are very easy for an attacker to detect. Yes, there is data, but human laziness wins. Thirdly, an encrypted folder can keep growing, while the size of a crypto disk is limited to the size specified when it was created.
Everyone wants to work with files conveniently and, at the same time, have the files reliably protected. There is such a compromise: transparent file encryption, where files are encrypted and decrypted "on the fly" while you work with them. The files remain encrypted, yet you work with them as with regular files. For example, if you encrypted the C:\Documents folder and placed your documents in it, then when you open a document from this folder, Word or Excel starts and does not even suspect that the files are encrypted. You work with encrypted files as with ordinary ones, without thinking about encryption, mounting, virtual disks and so on.
In addition to ease of use, transparent encryption has another significant advantage. As a rule, virtual encrypted disks store a large number of files. To work with even one of them, you need to connect the entire crypto disk, and as a result all the other files become vulnerable. Of course, you can create many small crypto disks and assign each a separate password, but this is not very convenient.
With transparent encryption, you can create as many encrypted folders as you need and place a different group of files in each of them: documents, personal photos, etc. In this case, only the files that are actually accessed are decrypted, not all the files on a crypto disk at once.

Advantages and Disadvantages of EFS

Windows (starting with Windows 2000, except for the Home editions) includes an encrypting file system, EFS (Encrypting File System).
EFS is designed to prevent one user from accessing another user's (encrypted) files. Why was it necessary to create EFS if NTFS supports access rights? Although NTFS is a fairly secure file system, over time various utilities appeared (one of the first was NTFSDOS, which allows you to read files located on an NTFS partition from a DOS environment) that ignore NTFS access rights. Additional protection was needed, and EFS was supposed to be that protection.
Essentially, EFS is an add-on to NTFS. EFS is convenient because it is included in Windows and you do not need any additional software to encrypt files; everything you need is already there. To start encrypting files, you do not need to perform any preliminary actions, because the first time a file is encrypted, an encryption certificate and private key are automatically generated for the user.
Another advantage of EFS is that when you move a file from an encrypted folder to any other folder, it remains encrypted, and when you copy a file into an encrypted folder, it is automatically encrypted. No additional actions are needed.
This approach is, of course, very convenient, and it seems that the user gets nothing but benefit from EFS. But that is not true. On the one hand, under unfavorable circumstances the user may lose access to the encrypted files altogether. This can happen in the following cases:
  1. Hardware problems: for example, the motherboard is faulty, the bootloader is damaged, or system files are corrupted because of a hard drive failure (bad sectors). Eventually you can connect the HDD to another computer to copy files from it, but if they are encrypted with EFS, you will not succeed.
  2. The system has been reinstalled. Windows can be reinstalled for a variety of reasons. In this case, access to the encrypted data will, of course, be lost.
  3. The user profile was deleted. Even if you create a user with the same name, that user will be assigned a different ID, and the data still cannot be decrypted.
  4. The system administrator or the user himself reset the password. After this, access to EFS data will also be lost.
  5. Incorrect transfer of the user to another domain. If a user's transfer is not done correctly, they will not be able to access their encrypted files.

When users (especially beginners) start using EFS, few of them think about this. On the other hand, there is special software (it will be demonstrated later) that allows you to access the data even if the system has been reinstalled and some keys have been lost. I do not even know whether this fact should be considered an advantage or a disadvantage: this software lets you restore access to data, but at the same time an attacker can use it to gain unauthorized access to encrypted files.
It would seem that data encrypted using EFS is very secure. After all, files on disk are encrypted using the FEK (File Encryption Key), which is stored in the file attributes. The FEK itself is encrypted with the master key, which in turn is encrypted with the keys of the system users who have access to this file. User keys are encrypted with the password hashes of these users, and the password hashes are in turn encrypted with SYSKEY.
It would seem that such an encryption chain should provide reliable data protection, but it all comes down to a login and password. Once the user resets the password or reinstalls the system, access to the encrypted data is lost.
The EFS developers played it safe and implemented recovery agents (EFS Recovery Agent), that is, users who can decrypt data encrypted by other users. However, using the EFS RA concept is not very convenient and even difficult, especially for novice users. As a result, these novice users know how to encrypt files using EFS but do not know what to do in an emergency. It is good that there is special software that can help in this situation, but, as already noted, the same software can also be used for unauthorized access to data.
The disadvantages of EFS also include the inability to provide network encryption (if you need it, you must use other data encryption protocols, such as IPSec) and the lack of support for other file systems. If you copy an encrypted file to a file system that does not support encryption, such as FAT/FAT32, the file will be decrypted and can be viewed by anyone. There is nothing surprising in this: EFS is just an add-on over NTFS.
It turns out that EFS does more harm than good. But, so as not to be unfounded, I will give an example of using the Advanced EFS Data Recovery program to gain access to encrypted data. The scenario will be very simple: first I will log in as a different user and try to access a file that another user has encrypted. Then I will simulate a real situation where the certificate of the user who encrypted the file was deleted (this could happen, for example, after a Windows reinstallation). As you will see, the program will cope with this situation without any particular problems.

Using Advanced EFS Data Recovery to Decrypt EFS Encrypted Files

Let's see how you can decrypt files encrypted with EFS. The first step is to enable encryption for one of the folders. For the demonstration, I specifically created an EFS-Crypted folder. To enable EFS encryption for a folder, you simply need to enable the corresponding attribute in its properties (Fig. 1).

Fig. 1. Enabling encryption for a folder

The name of the encrypted folder and of all files placed in it (which are encrypted automatically) is displayed in Explorer in green. As shown in Fig. 2, I added the text file config.txt to the encrypted folder; we will try to view its contents by logging in as a different user. For the test, another user with administrator rights was created (such rights are needed by the Advanced EFS Data Recovery (AEFSDR) program from ElcomSoft), see Fig. 3.


Fig. 2. Contents of the encrypted folder


Fig. 3. New user created

Naturally, if you log in as a different user and try to read the config.txt file, nothing will work (Fig. 4).


Fig. 4. Access denied

But it doesn't matter: we launch the Advanced EFS Data Recovery program and go straight to Expert mode (you can, of course, use the wizard that opens on first launch (Fig. 5), but I like the expert mode better).


Fig. 5. Wizard shown when launching Advanced EFS Data Recovery


Fig. 6. Expert mode of Advanced EFS Data Recovery

So go to the Encrypted files tab and press the Scan for encrypted files button. Fig. 6 already shows the scan result: our only encrypted file, C:\EFS-Crypted\config.txt, was found. Select it and click the Decrypt button. The program will prompt you to select the directory in which you want to decrypt the files (Fig. 7).


Fig. 7. Selecting the directory where the files will be decrypted

Since I have a trial version of the program, to continue I need to click Continue (Fig. 8). Decrypted files are placed in the AEFS_<drive_name>_DECRYPTED subfolder (Fig. 9). Note that our config.txt file is no longer highlighted in green and we can view its contents (Fig. 10).


Fig. 8. Click the Continue button


Fig. 9. Decrypted files


Fig. 10. Contents of the config.txt file

Now let's complicate the task for Advanced EFS Data Recovery, namely, we will delete the personal certificate. Log in as the user who created the encrypted folder, launch the mmc console, and select the menu command File, Add or Remove Snap-in. Next, select the Certificates snap-in and press the Add button (Fig. 11). In the window that appears, select My user account (Fig. 12).


Fig. 11. Adding a snap-in


Fig. 12. The Certificates snap-in

Next, click the OK button and, in the window that appears, go to Certificates, Personal, Certificates. You will see the certificates created for the current user (Fig. 13). In my case the user is called test. Right-click his certificate and select the Delete command to remove the certificate. You will see a warning that it will no longer be possible to decrypt data encrypted using this certificate. Well, we will check that shortly.


Fig. 13. Personal certificates


Fig. 14. Warning when deleting a certificate

  1. Close the snap-in and try accessing the encrypted file. Nothing will work, despite the fact that you encrypted this file yourself: after all, the certificate has been deleted.
  2. Switch user and run the Advanced EFS Data Recovery program. Try decrypting the file as shown earlier. At first the program will report that the certificate was not found. Therefore, go to the EFS related files tab and press the Scan for keys button. After some time, the program will tell you that it has found the keys, but probably not all of them (Fig. 15). The program recommends scanning for keys again, this time with the Scan by sectors option enabled (Fig. 16), but I did not do this and went straight to the Encrypted files tab. The program successfully found and decrypted the file. Fig. 17 shows that I have already saved the decrypted file to my desktop.


Fig. 15. Searching for keys


Fig. 16. Scan window


Fig. 17. The file is decrypted again

To the shame of EFS or to the credit of Advanced EFS Data Recovery, in both cases the file was decrypted. At the same time, as you can see, I did not need any special knowledge or skills: all you have to do is launch a program that does all the work for you. You can read about how the program works on the developers' website (http://www.elcomsoft.ru/); we will not discuss the principle of its operation in detail, since AEFSDR is not the subject of this article.
To be fair, it must be said that specialists can configure the system so that Advanced EFS Data Recovery will be powerless. However, we have considered the most typical use of EFS by the vast majority of users.

Transparent encryption system implemented in CyberSafe Top Secret

Let's look at how transparent encryption is implemented in CyberSafe. For transparent encryption, the Alfa Transparent File Encryptor driver (http://www.alfasp.com/products.html) is used, which encrypts files with the AES-256 algorithm or with the GOST 28147-89 algorithm (when Crypto-Pro is used).
The encryption rule (file mask, allowed/prohibited processes, etc.), as well as the encryption key, is passed to the driver. The encryption key itself is stored in the folder's ADS (Alternate Data Streams, eb.by/Z598) and is encrypted using OpenSSL (the RSA algorithm) or GOST R 34.10-2001; certificates are used for this.
The logic is as follows: when you add a folder, CyberSafe creates a key for the driver and encrypts it with the selected public certificates (they must have been created or imported into CyberSafe beforehand). When any user tries to access the folder, CyberSafe opens the folder's ADS and reads the encrypted key. If this user has the private key of the certificate (he may have one or more certificates of his own) that was used to encrypt the key, he can open this folder and read the files. It should be noted that when access to a file is granted, the driver decrypts only what is needed, not all the files. For example, if the user opens a large Word document, only the part currently loaded into the editor is decrypted, and the rest is decrypted as needed. If the file is small, it is decrypted completely, but the remaining files stay encrypted.
If the folder is a shared network folder, the files in it remain encrypted; the client driver decrypts only the file, or the part of the file, in memory, although this is also true for a local folder. When a file is edited, the driver encrypts the changes in memory and writes them to the file. In other words, even when a folder is turned on (we will show what that means later), the data on disk always remains encrypted.

Using CyberSafe Top Secret to Transparently Encrypt Files and Folders

It's time to look at the practical use of CyberSafe Top Secret. To encrypt a folder, go to the Transparent encryption section of the program (the File encryption tab), see Fig. 18. Then, from Explorer, drag the folders you want to encrypt into the program's work area. You can also use the Add folder button. I added one folder: C:\CS-Crypted.


Fig. 18. The CyberSafe Top Secret program

Click the Apply button. In the window that appears (Fig. 19), click Yes or Yes to all (if you are encrypting several folders at once). Next, you will see a window for selecting the certificates whose keys will be used for transparent encryption of the folder (Fig. 20). As a rule, certificates are created right after installing the program. If you have not done this yet, you will have to return to the Private keys section and press the Create button.


Fig. 19. Click Yes


Fig. 20. Selecting certificates for transparent encryption

The next question from the program is whether you need to set an administrator key for this folder (Fig. 21). Without an administrator key, you will not be able to make changes to the folder, so click the button Yes.


Fig. 21. Press Yes again

After this, you will return to the main program window. Before you start working with an encrypted folder, you need to select it and click the Turn on button. The program will ask for the password of the certificate that was specified for encrypting this folder (Fig. 22). After this, working with the encrypted folder will be no different from working with a regular folder. In the CyberSafe window, the folder will be marked as open, and a lock icon will appear to the left of the folder icon (Fig. 23).


Fig. 22. Entering the certificate password


Fig. 23. Encrypted folder connected

In Explorer, neither the encrypted folder nor the encrypted files are marked in any way. Outwardly, they look the same as other folders and files (unlike EFS, where the names of encrypted files and folders are highlighted in green), see Fig. 24.


Fig. 24. The encrypted CS-Crypted folder in Explorer

It should be noted that a network folder can be encrypted in the same way. In this case, the CyberSafe program only needs to be on the users' computers, not on the file server. All encryption is carried out on the client, and already-encrypted files are transferred to the server. This decision is more than justified. Firstly, only already-encrypted data is transmitted over the network. Secondly, even if the server administrator wants to access the files, he will not be able to do anything, since only users whose certificates were specified during encryption can decrypt them. The administrator can, however, back up the encrypted files if necessary.
When the encrypted folder is no longer needed, go to the CyberSafe program, select the folder and click the Turn off button. This may not seem as convenient as EFS, since you need to press the on/off buttons. But that is only at first glance. Firstly, the user clearly understands that the folder is encrypted and will not forget this fact when reinstalling Windows. Secondly, with EFS, if you need to step away from your computer, you have to log out, because while you are away anyone can walk up to your computer and access your files: all he has to do is copy them to a device that does not support encryption, such as a FAT32 flash drive, and then he can view the files away from your computer. With CyberSafe, everything is a little more convenient. Yes, you need to perform one additional action (turn the folder off), after which all the encrypted files become inaccessible. On the other hand, you will not need to relaunch all your programs and reopen all your documents (including unencrypted ones), as you would after logging in again.
However, each product has its own peculiarities, and CyberSafe is no exception. Imagine that you encrypted the C:\CS-Crypted folder and placed the report.txt file in it. When the folder is turned off, you of course cannot read the file. When the folder is turned on, you can access the file and, accordingly, copy it to any other, unencrypted folder. But after being copied to an unencrypted folder, the file continues to live its own life as an ordinary unencrypted file. On the one hand, this is not as convenient as with EFS; on the other hand, a user who knows this feature of the program will be more disciplined and will keep secret files only in encrypted folders.

Performance

Now let's try to find out which is faster: EFS or CyberSafe Top Secret. All tests are carried out on a real machine, with no virtual machines. The laptop configuration is as follows: Intel 1000M (1.8 GHz)/4 GB RAM/WD WD5000LPVT (500 GB, SATA-300, 5400 RPM, 8 MB buffer)/Windows 7 64-bit. The machine is not very powerful, but it is what it is.
The test will be extremely simple. We will copy files into each folder and see how long the copying takes. The following simple script will help us figure out which transparent encryption tool is faster:

@echo off
rem Copy the Joomla! tree into the EFS-encrypted folder, printing the start and end times
echo "Copying 5580 files to EFS-Crypted"
echo %time%
robocopy c:\Joomla c:\EFS-Crypted /E > log1
echo %time%
rem The same copy into the CyberSafe-encrypted folder
echo "Copying 5580 files to CS-Crypted"
echo %time%
robocopy c:\Joomla c:\CS-Crypted /E > log2
echo %time%

It doesn't take a programming guru to figure out what this script does. It's no secret that we often work with relatively small files ranging in size from several tens to several hundred kilobytes. This script copies the Joomla! 3.3.6 distribution, which contains 5580 such small files, first to the folder encrypted by EFS and then to the folder encrypted by CyberSafe. Let's see who wins.
The robocopy command copies files recursively, including empty subdirectories (the /E option), and its output is deliberately redirected to a text file (if you wish, you can check what was copied and what was not) so as not to clutter the script output.
The test results are shown in Fig. 25. As you can see, EFS completed this task in 74 seconds, and CyberSafe in just 32 seconds. Considering that in most cases users work with many small files, CyberSafe will be more than twice as fast as EFS.


Fig. 25. Test results

Benefits of CyberSafe Transparent Encryption

Now let's summarize a little. The advantages of CyberSafe transparent encryption include the following:
  1. When a folder is turned off, its files can be copied anywhere in encrypted form, which allows you to organize cloud encryption.
  2. The CyberSafe driver can work over a network, which makes it possible to organize.
  3. To decrypt a folder, it is not enough to know the password; you must also have the appropriate certificates. When Crypto-Pro is used, the key can be moved to a token.
  4. The CyberSafe application supports the AES-NI instruction set, which has a positive effect on performance (as the tests above show).
  5. You can protect yourself from unauthorized access to your private keys using two-factor authentication.
  6. Support for trusted applications.
The last two advantages deserve special attention. To protect the user's private keys from unauthorized access, you can protect the CyberSafe program itself. To do this, run the Tools, Settings command (Fig. 26). In the Settings window, on the Authentication tab, you can enable either password authentication or two-factor authentication. For details on how to do this, see page 119 of the CyberSafe manual.


Fig. 26. Protecting the CyberSafe program itself

On the Allowed applications tab you can define the trusted applications that are allowed to work with encrypted files. By default, all applications are trusted, but for greater security you can restrict the set of applications allowed to work with encrypted files. In Fig. 27 I specified MS Word and MS Excel as trusted applications. If any other program tries to access the encrypted folder, it will be denied access. Additional information can be found in the article "Transparently encrypt files on your local computer using CyberSafe Files Encryption" (http://site/company/cybersafe/blog/210458/).

) allows companies to organize fast and convenient exchange of information over various distances. However, protecting information in a corporate environment is a task that remains relevant to this day and occupies the minds of managers of small, medium and large enterprises in a wide variety of fields. In addition, whatever the size of the company, management almost always needs to differentiate employees' access rights to confidential information according to its degree of importance.

In this article we will talk about transparent encryption as one of the most common methods of protecting information in a corporate environment, look at the general principles of encryption for multiple users (multiple public key cryptography), and also show how to set up transparent encryption of network folders using the CyberSafe Files Encryption program.

What is the advantage of transparent encryption?

The use of virtual crypto disks or the full-disk encryption function is quite justified on the user’s local computer, but in the corporate space a more appropriate approach is to use transparent encryption, since this feature provides fast and comfortable work with classified files for several users simultaneously. When creating and editing files, the processes of encryption and decryption occur automatically, “on the fly.” To work with protected documents, company employees do not need to have any skills in the field of cryptography; they do not have to perform any additional steps in order to decrypt or encrypt secret files.

Working with classified documents proceeds as usual, using standard system applications. All functions for setting up encryption and delineating access rights can be assigned to one person, for example a system administrator.

Multiple Public Key Cryptography and Digital Envelopes

Transparent encryption works as follows. A randomly generated symmetric session key is used to encrypt the file, and that key in turn is protected using the user's public asymmetric key. When a user accesses a file to make changes to it, the transparent encryption driver decrypts the symmetric key using the user's private key and then decrypts the file itself using the symmetric key. We described in detail how transparent encryption works in the previous topic.

But what if there are several users and classified files are stored not on the local PC, but in a folder on a remote server? After all, the encrypted file is the same, but each user has their own unique key pair.

In this case, so-called digital envelopes are used.

As you can see from the figure, the digital envelope contains a file encrypted using a randomly generated symmetric key, as well as several copies of this symmetric key, protected using each user's public asymmetric keys. There will be as many copies as users are allowed to access the protected folder.

The transparent encryption driver works according to the following scheme: when a user accesses a file, it checks whether the user's certificate (public key) is in the list of allowed ones. If so, the copy of the symmetric key that was encrypted with his public key is decrypted with this user's private key. If the user's certificate is not in the list, access is denied.

Encrypting network folders using CyberSafe

Using CyberSafe, the system administrator can configure transparent encryption of a network folder without using additional data protection protocols, such as , and continue to manage user access to each encrypted folder.

To set up transparent encryption, every user who is to be allowed access to the confidential information must have CyberSafe installed on their computer, a personal certificate created, and their public key published on the CyberSafe public key server.

Next, the system administrator on the remote server creates a new folder, adds it to CyberSafe and assigns keys to those users who will be able to work with files in this folder in the future. Of course, you can create as many folders as required, store confidential information of varying degrees of importance in them, and the system administrator can at any time remove a user from those who have access to the folder, or add a new one.

Let's look at a simple example:

The file server of the ABC enterprise stores 3 databases with confidential information of varying degrees of importance - DSP, Secret and Top Secret. It is required to provide access to: DB1 for users Ivanov, Petrov, Nikiforov, DB2 for Petrov and Smirnov, DB3 for Smirnov and Ivanov.

To do this, on the file server, which can be any network resource, you will need to create three separate folders for each database and assign certificates (keys) of the corresponding users to these folders:
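As an added example (not CyberSafe's own code, whose driver and key formats are not shown on this page), the digital envelope scheme described above, in Go's standard library: each folder's file is encrypted with one random AES-256 key (the algorithm the article names for CyberSafe), and that key is wrapped with RSA-OAEP for every allowed user's public key, exactly as the EFS FEK is wrapped per user earlier in the article. It is applied to the ABC enterprise's DB1/DB2/DB3 access lists; the user names come from the text, while the 2048-bit key pairs (standing in for certificates) and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// User is one CyberSafe user: a certificate (reduced to an RSA public key) plus the private key that stays on his own computer.
type User struct {
	Name string
	Priv *rsa.PrivateKey
}

// Envelope is the article's digital envelope: the file encrypted once, plus one wrapped copy of the key per allowed user.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM output, authentication tag included
	WrappedKey map[string][]byte // public-key fingerprint -> RSA-OAEP(symmetric key)
}

// Fingerprint identifies a certificate by its public key, which is what the driver's list of allowed certificates is keyed on.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Seal encrypts plaintext with a fresh AES-256 key and wraps that key for every recipient: as many copies as allowed users.
func Seal(plaintext []byte, recipients []*User) (*Envelope, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read does not return an error in supported Go versions
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: map[string][]byte{}}
	for _, r := range recipients {
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Priv.PublicKey, key, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[Fingerprint(&r.Priv.PublicKey)] = wk
	}
	return env, nil
}

// Open is the driver's access check: find the copy wrapped for this user's public key, unwrap it, decrypt the file.
func Open(env *Envelope, u *User) ([]byte, error) {
	wk, ok := env.WrappedKey[Fingerprint(&u.Priv.PublicKey)]
	if !ok {
		return nil, fmt.Errorf("%s: access denied, certificate not in the folder's list", u.Name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, u.Priv, wk, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // fails if the unwrapped key is not a valid AES key
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // a tampered file fails here
}

// ABCAccessMatrix reproduces the ABC example (DB1: Ivanov, Petrov, Nikiforov; DB2: Petrov, Smirnov; DB3: Smirnov, Ivanov).
func ABCAccessMatrix() (map[string]map[string]bool, error) {
	var users []*User
	for _, n := range []string{"Ivanov", "Petrov", "Nikiforov", "Smirnov"} {
		priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair, not a real certificate
		if err != nil {
			return nil, err
		}
		users = append(users, &User{Name: n, Priv: priv})
	}
	ivanov, petrov, nikiforov, smirnov := users[0], users[1], users[2], users[3]
	folders := map[string][]*User{
		"DB1": {ivanov, petrov, nikiforov}, "DB2": {petrov, smirnov}, "DB3": {smirnov, ivanov}}
	matrix := map[string]map[string]bool{}
	for folder, allowed := range folders {
		record := []byte("constructed sample record from " + folder) // stands in for a file
		env, err := Seal(record, allowed)
		if err != nil {
			return nil, err
		}
		matrix[folder] = map[string]bool{}
		for _, u := range users {
			pt, err := Open(env, u)
			matrix[folder][u.Name] = err == nil && string(pt) == string(record)
		}
	}
	return matrix, nil
}
```

Note that removing a user from a folder is not just deleting his wrapped copy: a user who once had access may have cached the symmetric key, so a real driver must also generate a new key and re-encrypt the folder when the access list shrinks.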

Of course, this or any similar problem of differentiating access rights can be solved using Windows itself. But that method is only effective for delineating access rights on employees' computers inside the company. By itself, it does not protect confidential information if a third party connects to the file server, so using cryptography to protect the data is simply necessary.

In addition, all file system security settings can be reset from the command line. Windows has a special tool for this, "cacls", which can be used to view permissions on files and folders as well as to reset them. In Windows 7, this command is called "icacls" and is run as follows:

1. In a command line with administrator rights, enter: cmd
2. Go to the disk or partition, for example: CD /D D:
3. To reset all permissions, enter: icacls * /T /Q /C /RESET


It is possible that icacls will not work the first time. In that case, before step 2 you need to run the following command:

After this, the previously set permissions on files and folders will be reset.

You can build a system based on a virtual crypto disk and ACLs (more details about such a system using crypto disks in organizations are written.). However, such a system is also vulnerable: to give employees constant access to the data on the crypto disk, the administrator has to keep it connected (mounted) throughout the working day, which puts the confidential information on the crypto disk at risk even without knowing its password, if an attacker manages to connect to the server while it is mounted.

Network drives with built-in encryption also do not solve the problem, since they only protect data when no one is working with it. That is, the built-in encryption function can protect confidential data from compromise only if the disk itself is stolen.

Files are encrypted and decrypted not on the file server but on the user's side. Therefore, confidential files are stored on the server only in encrypted form, which rules out their compromise when an attacker connects directly to the file server. All files on the server stored in a folder protected with transparent encryption are encrypted and securely protected. At the same time, users and applications see them as regular files: Notepad, Word, Excel, HTML, etc. Applications can read and write these files directly; the fact that they are encrypted is transparent to them.

Users without access can also see these files, but they cannot read or modify them. This means that even if the system administrator has no access to the documents in one of the folders, he can still back them up. Of course, all backups of the files are encrypted as well.

However, when a user opens one of the files for work on his computer, there is a chance that unwanted applications will access it (if, of course, the computer is infected). To prevent this, CyberSafe has an additional security measure that lets the system administrator define a list of programs that may access files in a protected folder. All other applications not on the trusted list will be denied access. This limits the access of spyware, rootkits and other malware to confidential information.

Since all work with encrypted files is done on the user's side, CyberSafe is not installed on the file server, and in a corporate environment the program can be used to protect information on network storage that is not an NTFS file system, such as . All confidential information on such storage is encrypted, and CyberSafe is installed only on the user computers from which the encrypted files are accessed.

This is the advantage of CyberSafe over TrueCrypt and other encryption programs that must be installed where the files are physically stored and can therefore only be used with a personal computer as the server, not with a network drive. Of course, using network storage in companies and organizations is far more convenient and justified than using an ordinary computer.

Thus, using CyberSafe and no additional tools, you can arrange effective protection of valuable files, ensure convenient work with encrypted network folders, and differentiate users' access rights to confidential information.

) allows companies to organize fast and convenient exchange of information at various distances. However, protecting information in a corporate environment is a task that remains relevant to this day and worries the minds of managers of small, medium and large enterprises in a wide variety of fields of activity. In addition, no matter the size of the company, management almost always needs to differentiate employee access rights to confidential information based on the degree of its importance.

In this article we will talk about transparent encryption As one of the most common methods of protecting information in a corporate environment, we will look at the general principles of encryption for multiple users (multiple public key cryptography), and also talk about how to set up transparent encryption of network folders using the CyberSafe Files Encryption program.

What is the advantage of transparent encryption?

The use of virtual crypto disks or full-disk encryption is quite justified on a user's local computer, but in a corporate environment transparent encryption is the more appropriate approach, since it lets several users work quickly and conveniently with confidential files at the same time. When files are created and edited, encryption and decryption happen automatically, "on the fly". Employees working with protected documents need no skills in cryptography and perform no additional steps to encrypt or decrypt secret files.

Work with confidential documents proceeds as usual, with standard applications. All configuration of encryption and delineation of access rights can be assigned to one person, for example the system administrator.

Multiple Public Key Cryptography and Digital Envelopes

Transparent encryption works as follows. The file is encrypted with a randomly generated symmetric session key, and this session key in turn is protected (encrypted) with the user's asymmetric public key. When the user opens the file to make changes, the transparent encryption driver decrypts the session key with the user's private key and then decrypts the file itself with the session key. How transparent encryption works was described in detail in the previous article.

But what if there are several users and the confidential files are stored not on a local PC but in a folder on a remote server? The encrypted file is the same for everyone, yet each user has their own unique key pair.

In this case, so-called digital envelopes are used.


As the figure shows, the digital envelope contains the file encrypted with a randomly generated symmetric key, together with several copies of this symmetric key, each protected with the public key of one user. There are as many copies as there are users permitted to access the protected folder.

The transparent encryption driver works as follows: when a user accesses a file, it checks whether the user's certificate (public key) is in the list of permitted ones. If so, the copy of the symmetric key that was encrypted with this public key is decrypted with the user's private key. If the user's certificate is not in the list, access is denied, since no copy of the key exists that this user could decrypt.
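The following Go program is an added example written for this edit, not CyberSafe's own code, that carries the scheme above through in working form: one AES-256-GCM session key for the file body, one RSA-OAEP-wrapped copy of that key per permitted user, a lookup by certificate fingerprint on access, denial for a user who holds no copy, and removal of a user by deleting their copy (the adding and removing of users that the setup section further down describes). The fingerprint function, the key sizes and the user names are assumptions for the illustration; a real driver would index the copies by the X.509 thumbprint of each user's certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrAccessDenied: the caller's certificate has no wrapped key in the envelope.
var ErrAccessDenied = errors.New("transparent encryption: certificate not in the allowed list")

// Envelope is the stored form of one protected file: a single ciphertext plus
// one copy of the session key per permitted user, each copy wrapped with that
// user's public key and indexed by a certificate fingerprint.
type Envelope struct {
	Nonce      []byte            // AES-GCM nonce, fresh for every Seal
	Ciphertext []byte            // AES-256-GCM(sessionKey, file contents)
	WrappedKey map[string][]byte // fingerprint -> RSA-OAEP(userPublicKey, sessionKey)
}

// Fingerprint stands in for an X.509 thumbprint (assumption: a real driver
// would hash the whole certificate rather than just the RSA modulus).
func Fingerprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:16])
}

// NewUserKey generates one user's key pair (the "personal certificate" of the text).
func NewUserKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// PublicKeys collects the public halves the administrator assigns to a folder.
func PublicKeys(users ...*rsa.PrivateKey) []*rsa.PublicKey {
	pubs := make([]*rsa.PublicKey, 0, len(users))
	for _, u := range users {
		pubs = append(pubs, &u.PublicKey)
	}
	return pubs
}

// Seal encrypts the file once under a random session key and wraps that key
// for every permitted user: as many copies as there are users.
func Seal(plaintext []byte, permitted []*rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), WrappedKey: map[string][]byte{}}
	for _, pub := range permitted {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[Fingerprint(pub)] = wrapped
	}
	return env, nil
}

// Open is the driver's access path: find the caller's certificate in the
// envelope, unwrap the session key with the caller's private key, decrypt the
// body. A user without a wrapped copy never obtains the session key at all.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKey[Fingerprint(&priv.PublicKey)]
	if !ok {
		return nil, ErrAccessDenied
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Revoke removes a user from the folder by deleting their wrapped copy. Caveat:
// the session key itself is unchanged, so a user who already unwrapped it can
// still read this version of the file; full revocation means re-Sealing under a new key.
func Revoke(env *Envelope, pub *rsa.PublicKey) {
	delete(env.WrappedKey, Fingerprint(pub))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

A folder with the users Ivanov and Petrov from the example below is modelled as Seal(contents, PublicKeys(ivanov, petrov)); Open(env, smirnov) then returns ErrAccessDenied without touching the ciphertext, and Revoke(env, &petrov.PublicKey) removes Petrov's copy. The caveat in Revoke is the practical reason an administrator who removes a user should also re-encrypt the folder's files.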

Encrypting network folders using CyberSafe

Using CyberSafe, the system administrator can configure transparent encryption of a network folder without relying on additional data protection protocols such as IPsec or WebDAV, and subsequently control which users have access to each encrypted folder.

To set up transparent encryption, each user who is to be granted access to confidential information must have CyberSafe installed on their computer, a personal certificate must be created for them, and their public key must be published on the CyberSafe public key server.

Next, the system administrator creates a new folder on the remote server, adds it to CyberSafe and assigns the keys of those users who are to work with files in this folder. Of course, you can create as many folders as required and store confidential information of varying sensitivity in them, and the system administrator can at any time remove a user from those who have access to a folder or add a new one.

Let's look at a simple example:

The file server of the ABC enterprise stores three databases with confidential information of different sensitivity: For Official Use Only (DSP), Secret and Top Secret. Access must be granted as follows: DB1 to users Ivanov, Petrov and Nikiforov; DB2 to Petrov and Smirnov; DB3 to Smirnov and Ivanov.

To do this, on the file server, which can be any network resource, create three separate folders, one per database, and assign the certificates (keys) of the corresponding users to each folder:



Of course, this and similar access-differentiation problems can also be solved with Windows ACLs. But that method is only effective for delineating access rights between employee computers inside the company: ACLs are enforced by the server's operating system, so by themselves they do not protect confidential information if a third party gains access to the file server or its disks. Protecting the data with cryptography is therefore essential.

In addition, all file system permissions can be reset from the command line. Windows has a dedicated tool for this, cacls, which can display and reset permissions on files and folders. In Windows Vista and later, including Windows 7, it has been superseded by icacls, which is used as follows:

1. Open a command prompt (cmd) with administrator rights.
2. Change to the disk or partition, for example: CD /D D:
3. To reset all permissions to the inherited defaults, enter: icacls * /T /Q /C /RESET

It is possible that icacls will not work the first time. In that case, before step 2, you need to run the following command:

After this, the previously set permissions on files and folders will be reset.

A system can also be built from a virtual crypto disk and ACLs (such a system, using crypto disks in organizations, was described in more detail earlier). However, it too is vulnerable: to give employees continuous access to the data on the crypto disk, the administrator has to keep it connected (mounted) for the entire working day, which exposes the confidential information on it even to an attacker who does not know the password, provided the attacker can connect to the server while the disk is mounted.

Network drives with built-in encryption do not solve the problem either, since they protect the data only while nobody is working with it. That is, built-in encryption protects confidential data from compromise only if the disk itself is stolen.

Reports of attackers and industrial spies breaking into corporate networks appear almost daily. Concern about this is reflected in legislation, for example the Federal Data Protection Act. Quite often there is also the worry that one's own network administrator might look at salary data during the lunch break. It is all the more surprising that in many companies, security measures end with the installation of a firewall.

DATA THEFT IS AN INVISIBLE CRIME

You learn from mistakes, the proverb says. As regards IT security, experience suggests a qualification: "We learn from mistakes, but not always." The almost universal deployment of firewalls and antivirus scanners in enterprises shows that most of them are prepared to respond with countermeasures to damage caused, for example, by a virus. Cryptographic solutions, however, still lead a meagre existence. The reason, of course, is that data theft leaves no trace as obvious as a virus or a denial-of-service attack that paralyzes a network, although in many cases the economic damage from data theft is many times greater.

In addition, firewalls make it harder for outsiders to penetrate the network, but they cannot protect against the growing number of insider offences. As early as 2001, a study by the consulting company Mummert und Partner put the total damage from data theft in German enterprises at 20 billion marks, with 60 to 80% of cases caused by the employees themselves. Criminal statistics indicate rising computer crime with a falling clearance rate. Yet when the topic comes up, many prefer to bury their heads in the sand.

ENCRYPTION AS A PREVENTIVE MEASURE

There is a long-proven remedy against data theft: encryption. The idea is not new, but many enterprises still refuse to encrypt their data widely. Besides insufficient awareness of the problem's severity and reluctance to invest in IT security, the reason is that the encryption solutions themselves often fail to meet practical requirements. Instead, hardware and software vendors engage in a performance battle, offering the greatest number of selectable cryptographic algorithms or the longest key.

Of course, a good encryption method and a sufficient key length are very important. We can recommend hybrid methods: a good symmetric algorithm such as Triple DES or AES with a key length of at least 128 bits for payload encryption, and an asymmetric method such as RSA with a key length of 1024 bits for key management. (These figures reflect the time of writing; today Triple DES is deprecated and 1024-bit RSA is no longer considered adequate, so AES with at least 128-bit keys and RSA of at least 2048 bits, or an elliptic-curve equivalent, are the floor.) However, the level of security a product offers cannot be reduced to the choice of cryptographic parameters. For practical use in the corporate field, a number of other issues have to be resolved.

USERS PREFER TRANSPARENCY

First of all, there are four requirements for an encryption solution:

  • no changes to the usual business processes;
  • easy administration and integration into existing system environments;
  • compliance with internal security policies;
  • high fault tolerance.

The security rules should stipulate that there is no omnipotent administrator with access to all data without exception. It must also be possible, when necessary, to block a user's access to encrypted data quickly. This makes central administration of the security solution mandatory, since compliance with the directives would otherwise be left to each individual user, who as a rule is interested only in getting their main job done. "Transparent encryption" is the magic word that users will love.

STANDARD PRODUCTS COMPARED WITH SPECIALIZED PRODUCTS

Transparent encryption means that data is encrypted and decrypted without user intervention by a filter driver that runs in the background and intercepts all file accesses. Some operating systems already offer standard means for this: Linux users have the Transparent Cryptographic File System (TCFS), and Microsoft equips Windows 2000 and Windows XP Professional with the Encrypting File System (EFS). Attractive as these approaches are, they have yet to prove their worth: both TCFS on Linux and EFS on Windows are known to have a number of security weaknesses.

An analysis of EFS, whose results were presented in 2003 at a congress of the German Federal Office for Information Security (BSI), found that "EFS is only marginally suitable for enterprise use because it partially or completely fails to meet important requirements for an enterprise data encryption solution." Among the points noted: Windows transmits EFS-protected data over the network in plaintext, and data that several users of one work group access cannot be encrypted. In addition, under Windows EFS the administrator remains all-powerful. Without particular attention from the security administrator, the Safeguard Lancrypt and Protectfile products from Eracom Technologies suffer from the same defect: in both cases, unless a smart card is used, the whole procedure is tied to the Windows logon, and key material is managed decentrally on the individual clients. Yet in Windows 2000 it is not at all difficult for a system administrator to reset a domain member's password and log in to that user's system. Once an administrator has obtained access to an encryption profile, all the encrypted data is available to them. Additionally, Protectfile, like Windows EFS, cannot encrypt compressed data.

CLIENT-SERVER SOLUTION AS A WAY OUT

Decentralized management of key material poses fundamental problems. The first is the administrator access just mentioned: by resetting the password, the administrator can log in to the system on the user's behalf. The second is that it is far from easy to take the right of access away again from a user who has been granted it. In addition, existing data on the file server is encrypted only when a user accesses it through the active filter driver; until that happens, the data sits there in plaintext.

An alternative with good prospects is to move from a purely client-side solution to a client-server model. Only the filter driver, which handles encryption in the background, needs to be installed on the client. The client receives key material only when necessary, from a security server that is responsible for managing keys and enforcing the security rules. This server can, in addition, carry out the initial encryption of all data on the file server that needs protection, so that it is shielded from prying eyes even before the first client request.

To prevent an administrator from logging in under someone else's account, it is important that authorization in the encryption system is not tied solely to the operating system logon. Using challenge-response (question/answer) techniques, the process can be secured so that only authorized users obtain access to encrypted data. Those who need additional security will want smart cards to hold the key. If you do not want to work with non-standard solutions, look for an internationally standardized interface to the smart card reader, for example PKCS#11, when choosing a product. That the user, in addition to the operating system logon, has to log in once more with a password or smart card is acceptable given these advantages.

In such a scenario, access to an encrypted file on the file server is preceded by a request from the client to the security server. The server checks, against its security directives, whether this client is entitled to decrypt the requested file. If so, it securely delivers the key needed for decryption; if access is not permitted, the client does not receive the key. This kills two birds with one stone. First, the security administrator can withdraw a user's access by removing the corresponding permission attribute on the security server. Second, the system administrator can no longer impersonate an authorized user, since authorization on the security server takes place independently of the operating system logon.

Naturally, the roles of system administrator and security administrator must in fact be held by different people; otherwise the security gains of a security server are negated by poor organizational measures. Last but not least, this arrangement makes it very easy to set up user groups with shared access to protected data. It is enough to put all employees of, say, the HR department into an "HR Department" group and give all its members the same rights. From then on, any action applies to the whole group and does not have to be repeated for each user separately.
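The following Go model is an added example, not code from Fideas Enterprise or Applied Security, sketching the security server's side of the client-server scheme described above: a challenge-response logon independent of the operating system account, a directive check that resolves both direct user grants and group membership, release of the file key only after both succeed, and revocation by deleting the permission attribute or the group membership. HMAC-SHA256 as the question/answer mechanism, the user names, the UNC path and the secrets are assumptions; transport protection of the returned key is assumed to come from the channel (for example TLS) and is not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var (
	ErrNotAuthenticated = errors.New("security server: challenge-response failed")
	ErrNotPermitted     = errors.New("security server: no permission for this resource")
)

// SecurityServer holds what the client-server model moves off the clients:
// authentication secrets (independent of the Windows logon), group membership,
// the per-resource security directives, and the file keys themselves.
type SecurityServer struct {
	secrets   map[string][]byte          // user -> secret (assumption: derived from password or smart card)
	groups    map[string][]string        // group -> member users
	directive map[string]map[string]bool // resource -> permitted principals: "user" or "group:<name>"
	fileKeys  map[string][]byte          // resource -> symmetric key protecting it
	pending   map[string][]byte          // user -> outstanding challenge, single use
}

// Challenge opens the question/answer exchange with a fresh random nonce,
// so a recorded answer is useless for any later request.
func (s *SecurityServer) Challenge(user string) ([]byte, error) {
	if _, known := s.secrets[user]; !known {
		return nil, ErrNotAuthenticated
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// ClientAnswer is the client side: HMAC the challenge with the user's secret,
// proving possession without ever transmitting the secret.
func ClientAnswer(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// RequestKey is the server's decision: verify the answer, consume the
// challenge, evaluate the directive, and only then release the file key.
func (s *SecurityServer) RequestKey(user, resource string, answer []byte) ([]byte, error) {
	challenge, ok := s.pending[user]
	if !ok {
		return nil, ErrNotAuthenticated
	}
	delete(s.pending, user) // single use: the same answer cannot be replayed
	if !hmac.Equal(ClientAnswer(s.secrets[user], challenge), answer) {
		return nil, ErrNotAuthenticated
	}
	if !s.permitted(user, resource) {
		return nil, ErrNotPermitted
	}
	key, ok := s.fileKeys[resource]
	if !ok {
		return nil, ErrNotPermitted
	}
	return key, nil
}

// permitted grants access through a direct user entry or any group the user belongs to.
func (s *SecurityServer) permitted(user, resource string) bool {
	allowed := s.directive[resource]
	if allowed[user] {
		return true
	}
	for group, members := range s.groups {
		if !allowed["group:"+group] {
			continue
		}
		for _, m := range members {
			if m == user {
				return true
			}
		}
	}
	return false
}

// RevokeUser removes the permission attribute: the user's next key request fails
// with no change needed on any client.
func (s *SecurityServer) RevokeUser(user, resource string) {
	delete(s.directive[resource], user)
}

// RemoveFromGroup withdraws, in one step, every resource the group was granted.
func (s *SecurityServer) RemoveFromGroup(group, user string) {
	members := s.groups[group]
	for i, m := range members {
		if m == user {
			s.groups[group] = append(members[:i], members[i+1:]...)
			return
		}
	}
}

// NewDemoServer is a constructed configuration: the HR department shares the
// payroll folder, while the OS administrator has a logon but no grant for it.
func NewDemoServer() *SecurityServer {
	return &SecurityServer{
		secrets: map[string][]byte{
			"anna": []byte("anna-smartcard-secret"), "boris": []byte("boris-smartcard-secret"), "sysadmin": []byte("sysadmin-secret"),
		},
		groups:    map[string][]string{"HR Department": {"anna", "boris"}},
		directive: map[string]map[string]bool{`\\fs01\payroll`: {"group:HR Department": true}},
		fileKeys:  map[string][]byte{`\\fs01\payroll`: []byte("0123456789abcdef0123456789abcdef")},
		pending:   map[string][]byte{},
	}
}
```

The exchange is Challenge(user) on the server, ClientAnswer(secret, challenge) on the client, then RequestKey(user, resource, answer). The "sysadmin" account authenticates but receives ErrNotPermitted, which is the separation of operating-system logon from encryption authorization that the text calls for; removing Boris from the HR group withdraws the payroll key from him without touching his workstation.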

Where it is used widely, client-server encryption should be redundant, so that a second security server runs in parallel and immediately takes over if the first becomes unreachable (network problems, power failure, maintenance, and so on). This ensures high fault tolerance and continuous data availability.

The client-server approach is implemented in the Fideas Enterprise product ("fideas" is Latin for "you should trust") from Applied Security. Note that the client-server concept only works as long as control extends to all equipment in the network; as soon as a device such as a laptop leaves the network, it can work only with local keys. This is not always a disadvantage, since on their own machine each user remains the owner of their data in any case. If such solutions become as widespread as virus scanners and firewalls, information espionage will have far less to feed on.

Volker Scheidemann is an IT security consultant at Apsec and lectures on IT security at the Frankfurt University of Applied Sciences.

Identity and role

Data encryption has its place within an IT security framework in which access control, with authentication and authorization, is at the center of the security concept: individual actors manage access to individual documents separately, while collaboration systems under an administrator's control solve the problem on the basis of roles and groups. Interestingly, inexpensive systems with support for user groups are now readily adopted and administered independently by enterprise departments that need to ensure confidentiality without support from the corporate IT department.
