Adding an authentication phase

Hi all,

thank you for the previous solution. Now the filter driver works
perfectly and there are no corruptions in the filesystem.

I’m planning to introduce an authentication phase before the xp boots.
Now is harcoded in the two-sector-code and the filter driver.

With the adequate password, my int 13h will decrypt the sectors read but
how can I pass the password to the filter driver? I cannot write it to
the disk. Using a special service when calling the int 13h seems valid
but I suppose that when my driver is loaded, it cannot call this interrupt.

So, anyone knows a good method to pass the password to the filter driver?

Thanks in advance,

Rafa.

Ask it from the console using int 16h and int 10h

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Rafa”
To: “Windows System Software Devs Interest List”
Sent: Monday, August 23, 2004 6:50 PM
Subject: [ntdev] Adding an authentication phase

> Hi all,
>
> thank you for the previous solution. Now the filter driver works
> perfectly and there are no corruptions in the filesystem.
>
> I’m planning to introduce an authentication phase before the xp boots.
> Now is harcoded in the two-sector-code and the filter driver.
>
> With the adequate password, my int 13h will decrypt the sectors read but
> how can I pass the password to the filter driver? I cannot write it to
> the disk. Using a special service when calling the int 13h seems valid
> but I suppose that when my driver is loaded, it cannot call this interrupt.
>
> So, anyone knows a good method to pass the password to the filter driver?
>
> Thanks in advance,
>
> Rafa.
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Have you ever done any study about security? A ‘password’ is useless. If
the code knows the encryption key, then your protection is non-existent.
You must find a way to pass the encryption key from the user input to the
code so disk access can only be obtained if the user provides the key. Once
upon a time in MS-DOS, I wrote a disk drive encryptor. The user password
was used to generate the encryption key. The key was not present and could
not be derived from studying the code. This did mean the ‘user password’
was really a ‘system password’ that had to be shared by all users of that
computer. Today I would consider using SmartCards to store the encryption
key so it would only boot when the card was present and its pin number
properly entered. This is a two factor access method which means a user
must ‘have’ something and ‘know’ something before access is granted.

“Rafa” wrote in message news:xxxxx@ntdev…
> Hi all,
>
> thank you for the previous solution. Now the filter driver works perfectly
> and there are no corruptions in the filesystem.
>
> I’m planning to introduce an authentication phase before the xp boots. Now
> is harcoded in the two-sector-code and the filter driver.
>
> With the adequate password, my int 13h will decrypt the sectors read but
> how can I pass the password to the filter driver? I cannot write it to the
> disk. Using a special service when calling the int 13h seems valid but I
> suppose that when my driver is loaded, it cannot call this interrupt.
>
> So, anyone knows a good method to pass the password to the filter driver?
>
> Thanks in advance,
>
> Rafa.
>

I personally consider any all-boot-disk encryption products as useless.

What is the need in encrypting kernel32.dll? shell32.dll? winword.exe?
outlook.exe?

Only some sensitive files - or whole subdirectories with them - are needed
to be encrypted. For this, products like PGPDISK, or like numerous crypto FS
filters, suit fine.

Such products are also lesser issues-rich, since the system files IO is not
passed via additional code.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “David J. Craig”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Monday, August 23, 2004 8:22 PM
Subject: Re:[ntdev] Adding an authentication phase

> Have you ever done any study about security? A ‘password’ is useless. If
> the code knows the encryption key, then your protection is non-existent.
> You must find a way to pass the encryption key from the user input to the
> code so disk access can only be obtained if the user provides the key. Once
> upon a time in MS-DOS, I wrote a disk drive encryptor. The user password
> was used to generate the encryption key. The key was not present and could
> not be derived from studying the code. This did mean the ‘user password’
> was really a ‘system password’ that had to be shared by all users of that
> computer. Today I would consider using SmartCards to store the encryption
> key so it would only boot when the card was present and its pin number
> properly entered. This is a two factor access method which means a user
> must ‘have’ something and ‘know’ something before access is granted.
>
> “Rafa” wrote in message news:xxxxx@ntdev…
> > Hi all,
> >
> > thank you for the previous solution. Now the filter driver works perfectly
> > and there are no corruptions in the filesystem.
> >
> > I’m planning to introduce an authentication phase before the xp boots. Now
> > is harcoded in the two-sector-code and the filter driver.
> >
> > With the adequate password, my int 13h will decrypt the sectors read but
> > how can I pass the password to the filter driver? I cannot write it to the
> > disk. Using a special service when calling the int 13h seems valid but I
> > suppose that when my driver is loaded, it cannot call this interrupt.
> >
> > So, anyone knows a good method to pass the password to the filter driver?
> >
> > Thanks in advance,
> >
> > Rafa.
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com

I do agree that using file system filter based encryption is the best
solution for most needs. The whole drive encryption is easier to do than
writing a file system filter. They are not useless, just a little
excessive, but it also means that you don’t need to track what and where and
when to encrypt. If you do everything, it can simpler in some ways. This
also protects any data in the page and hibernation files. You can’t do
encryption of those files with a file system filter.

“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
> I personally consider any all-boot-disk encryption products as useless.
>
> What is the need in encrypting kernel32.dll? shell32.dll? winword.exe?
> outlook.exe?
>
> Only some sensitive files - or whole subdirectories with them - are
> needed
> to be encrypted. For this, products like PGPDISK, or like numerous crypto
> FS
> filters, suit fine.
>
> Such products are also lesser issues-rich, since the system files IO is
> not
> passed via additional code.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “David J. Craig”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Monday, August 23, 2004 8:22 PM
> Subject: Re:[ntdev] Adding an authentication phase
>
>
>> Have you ever done any study about security? A ‘password’ is useless.
>> If
>> the code knows the encryption key, then your protection is non-existent.
>> You must find a way to pass the encryption key from the user input to the
>> code so disk access can only be obtained if the user provides the key.
>> Once
>> upon a time in MS-DOS, I wrote a disk drive encryptor. The user password
>> was used to generate the encryption key. The key was not present and
>> could
>> not be derived from studying the code. This did mean the ‘user password’
>> was really a ‘system password’ that had to be shared by all users of that
>> computer. Today I would consider using SmartCards to store the
>> encryption
>> key so it would only boot when the card was present and its pin number
>> properly entered. This is a two factor access method which means a user
>> must ‘have’ something and ‘know’ something before access is granted.
>>
>> “Rafa” wrote in message news:xxxxx@ntdev…
>> > Hi all,
>> >
>> > thank you for the previous solution. Now the filter driver works
>> > perfectly
>> > and there are no corruptions in the filesystem.
>> >
>> > I’m planning to introduce an authentication phase before the xp boots.
>> > Now
>> > is harcoded in the two-sector-code and the filter driver.
>> >
>> > With the adequate password, my int 13h will decrypt the sectors read
>> > but
>> > how can I pass the password to the filter driver? I cannot write it to
>> > the
>> > disk. Using a special service when calling the int 13h seems valid but
>> > I
>> > suppose that when my driver is loaded, it cannot call this interrupt.
>> >
>> > So, anyone knows a good method to pass the password to the filter
>> > driver?
>> >
>> > Thanks in advance,
>> >
>> > Rafa.
>> >
>>
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

On Mon, 23 Aug 2004 20:44:07 +0400, you wrote:

I personally consider any all-boot-disk encryption products as useless.

What is the need in encrypting kernel32.dll? shell32.dll? winword.exe?
outlook.exe?

Only some sensitive files - or whole subdirectories with them - are needed
to be encrypted. For this, products like PGPDISK, or like numerous crypto FS
filters, suit fine.

Such products are also lesser issues-rich, since the system files IO is not
passed via additional code.

On a related note, encrypting system files gives any attacker
substantial known plaintext with which to attack your system. Even if
the driver is perfectly bug-free, you’re weakening the security that
way.

James.

How are they going to find which sector contains which file if the entire
drive/partition is encrypted? Also using a chaining algorithm so identical
blocks don’t create the same cyphertext is a good idea for strength.

“James” wrote in message news:xxxxx@ntdev…
On Mon, 23 Aug 2004 20:44:07 +0400, you wrote:

> I personally consider any all-boot-disk encryption products as useless.
>
> What is the need in encrypting kernel32.dll? shell32.dll? winword.exe?
>outlook.exe?
>
> Only some sensitive files - or whole subdirectories with them - are
> needed
>to be encrypted. For this, products like PGPDISK, or like numerous crypto
>FS
>filters, suit fine.
>
> Such products are also lesser issues-rich, since the system files IO is
> not
>passed via additional code.

On a related note, encrypting system files gives any attacker
substantial known plaintext with which to attack your system. Even if
the driver is perfectly bug-free, you’re weakening the security that
way.

James.

Hi David,

Yes, I have studied something about security. The problem is that I
cannot express correctly in english (it’s not my native language) what I
want to say.

The filter driver and the two-sector-code were working with a hardcoded
key, because I wanted to obviate the authentication phase.

Now, the filter driver works. My next goal is to remove the harcoded
key from the code (from filter and boot) and to add the authentication.

When the user logs in, his password will be converted to the key. The
code that hooks int 13h will use that key to process the accesses to the
disk.

But, when xp loads my driver (this driver has now no hardcoded key) I
need to send the key (from the authentication) in the int 13h code to
the loading driver. How can I do this?

Thanks,

Rafa.

P.S.: Thank you to everyone that helped me with the corruption problem.
Now I see that was a foolish question but I can assure you, David, that
I reviewed the database list and I didn’t find something useful for my
problem. Possibly I was looking for in the wrong way. I’m sorry.

Oh, Peter, I didn’t think about those cases, hibernation and similar.
Thank you, I will reactivate that code. It was disabled when I was
investigating the filesystem corruption. When the filter was corrected,
I left the code disabled because I thought that was better keeping it so.

David J. Craig wrote:

Have you ever done any study about security? A ‘password’ is useless. If
the code knows the encryption key, then your protection is non-existent.
You must find a way to pass the encryption key from the user input to the
code so disk access can only be obtained if the user provides the key. Once
upon a time in MS-DOS, I wrote a disk drive encryptor. The user password
was used to generate the encryption key. The key was not present and could
not be derived from studying the code. This did mean the ‘user password’
was really a ‘system password’ that had to be shared by all users of that
computer. Today I would consider using SmartCards to store the encryption
key so it would only boot when the card was present and its pin number
properly entered. This is a two factor access method which means a user
must ‘have’ something and ‘know’ something before access is granted.

“Rafa” wrote in message news:xxxxx@ntdev…
>
>>Hi all,
>>
>>thank you for the previous solution. Now the filter driver works perfectly
>>and there are no corruptions in the filesystem.
>>
>>I’m planning to introduce an authentication phase before the xp boots. Now
>>is harcoded in the two-sector-code and the filter driver.
>>
>>With the adequate password, my int 13h will decrypt the sectors read but
>>how can I pass the password to the filter driver? I cannot write it to the
>>disk. Using a special service when calling the int 13h seems valid but I
>>suppose that when my driver is loaded, it cannot call this interrupt.
>>
>>So, anyone knows a good method to pass the password to the filter driver?
>>
>>Thanks in advance,
>>
>>Rafa.
>>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@dilmun.ls.fi.upm.es
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of James[SMTP:xxxxx@spamcop.net]
Reply To: Windows System Software Devs Interest List
Sent: Monday, August 23, 2004 8:40 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Adding an authentication phase

On a related note, encrypting system files gives any attacker
substantial known plaintext with which to attack your system. Even if
the driver is perfectly bug-free, you’re weakening the security that
way.

This isn’t an issue. First, as David mentioned, it would be hard to find the files on encrypted disk. Second, good encryption algorithm has to be resistant even against known plaintext attack. Security scheme has to count with the possibility attacker knows both algorithm and plain + encrypted data examples. Otherwise it is security through obscurity.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]

On Mon, 23 Aug 2004 16:02:41 -0400, you wrote:

How are they going to find which sector contains which file if the entire
drive/partition is encrypted?

You begin with knowledge of the contents of blocks: you know that,
with clusters of size n bytes, one of the blocks contains the first n
bytes of each known OS file. That in itself is a small piece of
knowledge - a bad thing to be handing to an attacker. Then you start
making deductions and guesses.

Also using a chaining algorithm so identical
blocks don’t create the same cyphertext is a good idea for strength.

Except a disk which doesn’t allow random access isn’t a very useful
disk: for random access, you need to be able to (en|de)crypt block N
without accessing blocks N-1 or N+1.

James.

As someone else mentioned you also pick an encryption algorithm that is
resistant to known text analysis. The chaining algorithm can use the sector
address or some hash of that address as a seed for each block. Stream
ciphers can be stronger since you can force sequential access, but there are
good algorithms that won’t reveal the keys even if you encrypt known text,
know the algorithm being used, and are able to access the encrypted data. A
bad encryption algorithm or one that is being used in the wrong environment
can’t be improved by using obscurity.

“James” wrote in message news:xxxxx@ntdev…
On Mon, 23 Aug 2004 16:02:41 -0400, you wrote:

>How are they going to find which sector contains which file if the entire
>drive/partition is encrypted?

You begin with knowledge of the contents of blocks: you know that,
with clusters of size n bytes, one of the blocks contains the first n
bytes of each known OS file. That in itself is a small piece of
knowledge - a bad thing to be handing to an attacker. Then you start
making deductions and guesses.

> Also using a chaining algorithm so identical
>blocks don’t create the same cyphertext is a good idea for strength.

Except a disk which doesn’t allow random access isn’t a very useful
disk: for random access, you need to be able to (en|de)crypt block N
without accessing blocks N-1 or N+1.

James.

Didn’t we at one time call that a “tape” drive?

–
The personal opinion of
Gary G. Little

> Also using a chaining algorithm so identical
>blocks don’t create the same cyphertext is a good idea for strength.

Except a disk which doesn’t allow random access isn’t a very useful
disk: for random access, you need to be able to (en|de)crypt block N
without accessing blocks N-1 or N+1.

James.