3.1.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to explain how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

EFSRPC assumes the existence of an underlying storage encryption system on the server that defines the following conceptual entities:

  • A set of data objects, each of which is encrypted independently and can be managed independently.

  • A set of access control subjects, each of which is represented by a key pair generated by a public key cryptographic algorithm. The public key of this key pair is embedded in a certificate and can be widely distributed in that form. The private key is known only to the user or users who represent that access control subject. Access control subjects are of two types:

    • Unprivileged user subjects are used by ordinary users to perform routine operations, including managing files with the EFSRPC methods. For convenience, this specification refers to such subjects as user certificates.

    • Data Recovery Agents (DRAs) are used by system administrators to perform data recovery tasks. The storage system ensures that all active DRAs for the system are automatically authorized to access all encrypted objects on the system. If a user loses his or her private key, an administrator can use the DRA private key to recover the contents of their encrypted objects.

    • As an alternative to user certificates, access control subjects can be represented by DPAPI-NG descriptors or RMS. 

The storage encryption system is also assumed to provide certain primitive operations:

  • Methods for reading, writing, creating, and destroying encrypted objects. The methods for reading and writing objects must ensure that only a user who possesses the private key corresponding to an authorized user certificate or DRA for that object can perform these operations.

  • An operation to convert an existing unencrypted object to encrypted form. This causes the original object to be replaced by its ciphertext, along with some metadata that is essential for decrypting the ciphertext.

  • An operation to convert an existing encrypted object to unencrypted form. This replaces the ciphertext of the object with the plaintext, and destroys the encryption-related metadata.

  • An operation to extract the EFSRPC Metadata of an existing encrypted object without modifying the object itself in any other way.

  • Operations to parse and manipulate the metadata obtained in this way, and in particular to add or remove access to specific user certificates for users who pass certain authorization checks.

  • An operation to replace the EFSRPC Metadata of an existing encrypted object without modifying the object in any way, which ensures that a user cannot modify the set of DRAs having access to the object.

  • An operation to read the ciphertext and metadata of an encrypted object without decrypting it.

  • An operation to create an encrypted object directly by writing its ciphertext and metadata to the store.

In addition, the following are assumed to be accessible to the server:

  • A logical credential store for each user of the system. Each user's credential store contains the private keys to which that user has access. The credential store also provides a method of locating the private key associated with a given certificate, RMS template GUID, or DPAPI-NG protection rule.<32> The server is assumed to have some implementation-specific method of maintaining this credential store.

  • A logical store that contains certificates belonging to various users of the system and provides a means of retrieving individual certificates from this set.

  • A logical cache for each user that contains all the sensitive information associated with that user necessary for performing EFSRPC operations on behalf of the user.

  • A method of ascertaining the DRAs desired by an appropriate administrator at any time.