2.2.2.1 EFSRPC Metadata Version 1


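     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            Length                             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Reserved1                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          EFS_Version                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Reserved2                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       EFS_ID (16 bytes)                       |
    |                              ...                              |
    |                              ...                              |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      EFS_Hash (16 bytes)                      |
    |                              ...                              |
    |                              ...                              |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Reserved3 (16 bytes)                      |
    |                              ...                              |
    |                              ...                              |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          DDF_Offset                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                          DRF_Offset                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           Reserved4                           |
    |                              ...                              |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Data_Fields (variable)                     |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+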

Length (4 bytes): This field MUST contain a 32-bit unsigned integer equal to the length, in bytes, of the EFSRPC Metadata.<7>

Reserved1 (4 bytes): MUST be set to zero and ignored upon receipt.

EFS_Version (4 bytes): This field represents the highest EFS version supported by the implementation that created this metadata. It MUST be a 32-bit unsigned integer in little-endian format. It MUST be set to one of the following values.

Version_1 (0x00000001): The file encryption key (FEK) will be a DESX key, and encrypted with RSA only. The Flags field in all key list entries will be zero.

Version_2 (0x00000002): The FEK will use DESX, 3DES, or AES-256. The FEK will be encrypted with RSA only. The Flags field in all key list entries will be zero.

Version_3 (0x00000003): The FEK will use DESX, 3DES, or AES-256. The FEK will be encrypted with either RSA or AES-256.

A server that supports a given version number MUST also support all lower numbered versions. A server SHOULD support all versions listed.<8>

Reserved2 (4 bytes): MUST be set to zero and ignored upon receipt.

EFS_ID (16 bytes): A 16-byte GUID value that MUST be unique for the computer that created this metadata.

EFS_Hash (16 bytes): This field SHOULD be set to zero and ignored by the server.<9>

Reserved3 (16 bytes): MUST be set to zero and ignored upon receipt.

DDF_Offset (4 bytes): This field MUST contain the offset, in bytes, of the data decryption field (DDF) key list from the start of the EFSRPC Metadata. It MUST be a 32-bit unsigned integer in little-endian format. The DDF key list lies completely within the Data Fields and does not overlap the data recovery field (DRF) key list (if present).

DRF_Offset (4 bytes): This field MUST contain the offset, in bytes, of the DRF key list from the start of the EFSRPC Metadata. It MUST be a 32-bit unsigned integer in little-endian format. A zero value in this field indicates that the DRF key list is absent and no DRAs have been applied to the file. If present, the DRF key list MUST lie completely within Data Fields and MUST NOT overlap the DDF key list.

Reserved4 (12 bytes): MUST be set to zero and ignored upon receipt.

Data_Fields (variable): This field MUST contain the following two items in any order at the locations indicated by the respective Offset fields previously listed. Both items MUST conform to the key list format specified in section 2.2.2.1.1. The DDF key list MUST NOT overlap with the DRF key list (if present). There MUST NOT be any unused areas within this field spanning more than 8 contiguous bytes. Any unused areas within this field MUST be set to zero bytes and ignored by the server.


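     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    DDF_key_list (variable)                    |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    DRF_key_list (variable)                    |
    |                              ...                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+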

DDF_key_list (variable): This field MUST contain one or more entries. Each entry consists of the file's FEK, encrypted with the public key of a user authorized to access the file.

DRF_key_list (variable): This field MUST contain one or more entries. Each entry consists of the file’s FEK, encrypted with the public key of a DRA authorized to access the file. This field MUST be present only if the value in the DRF_Offset field is nonzero.
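
The fixed header described above, as a receiver-side parser that bounds-checks Length and both offsets before anything reads a key list. This is an added example, not part of the specification or any Microsoft code. It assumes Length is little-endian and EFS_ID uses the Windows GUID byte layout; the function names and the sample buffer are constructed here, and the key lists themselves (section 2.2.2.1.1) are not parsed.

```python
import struct
import uuid

# Fixed header per the field list above: 4+4+4+4+16+16+16+4+4+12 = 84 bytes.
# Length is read as little-endian here; the page states the byte order only for
# EFS_Version, DDF_Offset and DRF_Offset, so that is an assumption.
HEADER = struct.Struct("<IIII16s16s16sII12s")
VERSIONS = {1: "Version_1", 2: "Version_2", 3: "Version_3"}


class MetadataError(ValueError):
    """Raised when a buffer violates a MUST that the receiver has to enforce."""


def parse_efsrpc_metadata_v1(buf: bytes) -> dict:
    if len(buf) < HEADER.size:
        raise MetadataError("buffer shorter than the 84-byte fixed header")
    (length, _r1, version, _r2, efs_id, _efs_hash, _r3,
     ddf_off, drf_off, _r4) = HEADER.unpack_from(buf)
    # Reserved1-4 and EFS_Hash are ignored on receipt, so they are not checked.
    if length < HEADER.size or length > len(buf):
        raise MetadataError(f"Length {length} does not fit the buffer")
    if version not in VERSIONS:
        raise MetadataError(f"unknown EFS_Version {version:#010x}")

    def in_data_fields(name, off):
        # Offsets count from the start of the metadata and must land in Data_Fields.
        if not HEADER.size <= off < length:
            raise MetadataError(f"{name} {off} is outside Data_Fields")
        return off

    ddf = in_data_fields("DDF_Offset", ddf_off)
    # A DRF_Offset of zero means the DRF key list is absent.
    drf = in_data_fields("DRF_Offset", drf_off) if drf_off else None
    if drf == ddf:
        raise MetadataError("DDF and DRF key lists start at the same offset")
    # EFS_ID is decoded in the Windows mixed-endian GUID layout (assumption).
    return {"length": length, "version": VERSIONS[version],
            "efs_id": uuid.UUID(bytes_le=efs_id),
            "ddf_offset": ddf, "drf_offset": drf}


def build_sample(version=3, ddf=84, drf=0, data=b"\x00" * 8, length=None) -> bytes:
    """Constructed sample, not a real EFS blob; `data` stands in for key lists."""
    total = HEADER.size + len(data) if length is None else length
    return HEADER.pack(total, 0, version, 0, bytes(range(16)), bytes(16),
                       bytes(16), ddf, drf, bytes(12)) + data
```

The start-offset checks catch offsets that point back into the header or past Length; the full non-overlap rule can only be enforced once each key list's size is known from the format in section 2.2.2.1.1.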