Encryption Driver

Hi all,

I am planning to write a File Encryption driver. What are all the points I have to keep in mind?

This is the 3rd time I am posting the same message. But I think no luck :frowning:

Thanks in Advance,
Satish K.S


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

The question is a bit too general, which is probably why you haven’t
got an answer - until now 8*)

I would start by looking at the SFILTER sample in the IFS kit. That will
get you intercepting requests on all local file systems. You will then
need to monitor create requests and watch for your encrypted files being
opened and store away the file object. During reads/writes you will need
to look for your encrypted file objects and crypt as appropriate. You
will probably also need to monitor the set/get information calls to
adjust file sizes (e.g. if you add a header) and watch for file
size changes etc.

You will need to understand how the file system driver interacts with
the cache manager and implement some scheme in your read/write hooks
to only crypt data once. Personally I think it is easier to only crypt
on the non-cached calls (this includes the paging calls) and assume that
the file system driver will always use the cache manager for the cached
calls. This also means you can totally ignore fast I/O since that goes
via the cache manager too.

Give it a go and if you have a more specific problem, then post it here
and you may find you get a better response.

Shaun


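As an added example (not code from the thread or from the IFS kit's SFILTER sample), a user-mode C model of the rule Shaun lays out: the filter tracks file objects it recognised at create time, transforms data only on non-cached and paging I/O so that each byte is crypted exactly once, and hides a per-file header from offsets and sizes. The IRP flag names and values are the DDK's; the XOR transform, the 512-byte header and the function names are assumptions made for the model, not a real cipher.

```c
/* User-mode model of an encryption filter's read/write and size hooks (added
 * example; not the thread's or the IFS kit's code). The XOR "cipher" and the
 * 512-byte header are constructed placeholders for the model only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Irp->Flags bits (the real DDK values) that mark a request as bypassing the cache. */
#define IRP_NOCACHE   0x00000001
#define IRP_PAGING_IO 0x00000002

#define HEADER_SIZE 512u   /* constructed: on-disk header in front of the ciphertext */

typedef struct {
    bool tracked;   /* set at IRP_MJ_CREATE when the open names an encrypted file */
    uint8_t key;    /* toy per-file key; a real driver uses a proper block cipher */
} file_ctx_t;

/* IRP_MJ_CREATE hook: remember whether this file object refers to an encrypted file. */
void on_create(file_ctx_t *ctx, bool is_encrypted_file, uint8_t key) {
    ctx->tracked = is_encrypted_file;
    ctx->key = key;
}

/* Cached reads/writes go through the cache manager, which re-issues them as paging
 * I/O; crypting both would transform the data twice (XOR twice = plaintext on disk),
 * so only the non-cached and paging requests are transformed. */
bool must_crypt(const file_ctx_t *ctx, uint32_t irp_flags) {
    if (!ctx->tracked) return false;
    return (irp_flags & (IRP_NOCACHE | IRP_PAGING_IO)) != 0;
}

/* IRP_MJ_READ / IRP_MJ_WRITE hook: returns true when the buffer was transformed. */
bool process_io(const file_ctx_t *ctx, uint32_t irp_flags, uint8_t *buf, size_t len) {
    if (!must_crypt(ctx, irp_flags)) return false;
    for (size_t i = 0; i < len; i++) buf[i] ^= ctx->key;
    return true;
}

/* Offset the caller asked for -> byte offset handed down to the file system. */
uint64_t to_disk_offset(const file_ctx_t *ctx, uint64_t user_offset) {
    return ctx->tracked ? user_offset + HEADER_SIZE : user_offset;
}

/* IRP_MJ_QUERY_INFORMATION hook: the size the caller should see (header hidden). */
uint64_t to_user_size(const file_ctx_t *ctx, uint64_t on_disk_size) {
    if (!ctx->tracked || on_disk_size < HEADER_SIZE) return on_disk_size;
    return on_disk_size - HEADER_SIZE;
}

/* IRP_MJ_SET_INFORMATION (end-of-file) hook: the inverse mapping, header added back. */
uint64_t to_disk_size(const file_ctx_t *ctx, uint64_t user_size) {
    return ctx->tracked ? user_size + HEADER_SIZE : user_size;
}
```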

Thank you Shaun.

Yes, fine, I have to trap Create, Read, Write, SetFileInfo and GetFileInfo so
that we can encrypt and decrypt data.

I have another doubt:

I can't encrypt complete OS files, because they are required for the booting process.
How do I encrypt only user files completely?

Regards,
Satish K.S

----- Original Message -----
From: “Shaun”
To: “File Systems Developers”
Sent: Wednesday, April 25, 2001 2:37 PM
Subject: [ntfsd] Re: Encryption Driver



Satish,
Before discussing that, it is necessary to know what kind of encryption
driver you are planning to write: whether it is a driver that will encrypt
a full disk, a file or a folder, and whether it will use a background
decryption technique or an OTFE technique, although many OTFE techniques
actually do a background decryption.

One point you do have to keep in mind is that it is a messy affair, and
success may not be guaranteed within a given time interval.

Good luck!
Basudeb

At 01:57 PM 4/25/01 +0530, you wrote:




Basudeb ,

On-access file encryption (no folder).

Regards,
Satish K.S

----- Original Message -----
From: “Basudeb Gupta”
To: “File Systems Developers”
Sent: Wednesday, April 25, 2001 3:35 PM
Subject: [ntfsd] Re: Encryption Driver



Satish,

I think Shaun’s reply is a good one for starting your work.

Basudeb

At 03:27 PM 4/25/01 +0530, you wrote:



Satish wrote:
> Thank you Shaun.
>
> Yes, fine, I have to trap Create, Read, Write, SetFileInfo and GetFileInfo so
> that we can encrypt and decrypt data.
>
> I have another doubt:
>
> I can't encrypt complete OS files, because they are required for the booting process.
> How do I encrypt only user files completely?
>

In theory you could encrypt any file that is loaded after your
file system filter driver. So if the filter driver is made
to load early on, then you could get a lot of the OS files,
but not all. In practice I wouldn’t do this at file level. If
you want to encrypt the whole disk then do the encryption
at sector level.


> > I have another doubt:
> >
> > I can't encrypt complete OS files, because they are required for the booting process.
> > How do I encrypt only user files completely?
>
> In theory you could encrypt any file that is loaded after your
> file system filter driver. So if the filter driver is made
> to load early on, then you could get a lot of the OS files,
> but not all. In practice I wouldn’t do this at file level. If
> you want to encrypt the whole disk then do the encryption
> at sector level.

If I encrypt the whole hard disk, how does the OS boot? How does the OS access
the system files while booting?

Regards,
Satish K.S



> > In theory you could encrypt any file that is loaded after your
> > file system filter driver. So if the filter driver is made
> > to load early on, then you could get a lot of the OS files,
> > but not all. In practice I wouldn’t do this at file level. If
> > you want to encrypt the whole disk then do the encryption
> > at sector level.
>
> If I encrypt the whole hard disk, how does the OS boot? How does the OS access
> the system files while booting?

Well that’s the clever bit ;->

You would need to write something that collects the encryption key
from the user *before* the operating system starts to load. You would
then need to install an INT13 (i.e. BIOS sector level) disk hook to do
the decryption until the NT drivers have been loaded and initialised.
You would also need some way to pass the key from real mode to your NT
driver.

All-in-all very complicated, but it definitely can be done.

Shaun



> > > In theory you could encrypt any file that is loaded after your
> > > file system filter driver. So if the filter driver is made
> > > to load early on, then you could get a lot of the OS files,
> > > but not all. In practice I wouldn’t do this at file level. If
> > > you want to encrypt the whole disk then do the encryption
> > > at sector level.
> >
> > If I encrypt the whole hard disk, how does the OS boot? How does the OS
> > access the system files while booting?
>
> Well that’s the clever bit ;->
>
> You would need to write something that collects the encryption key
> from the user *before* the operating system starts to load. You would
> then need to install an INT13 (i.e. BIOS sector level) disk hook to do
> the decryption until the NT drivers have been loaded and initialised.
> You would also need some way to pass the key from real mode to your NT
> driver.
>
> All-in-all very complicated, but it definitely can be done.

Then I have to patch the MBR with my code and then I have to hook int 13h in real
mode.

But if I do this, all the kids will crack my real mode program.

I have to do the maximum in the driver only, so that I hope the kids don't crack my
driver :slight_smile:

Regards,
Satish K.S



Of course all this ignores machines without int13 (such as IA64) and
systems that use a SCSI driver as part of the boot, i.e. bootdd.sys.
You will not get this type of solution blessed by WHQL.

You are probably better off doing a filesystem filter driver and not
protecting the system files. Of course this is far from trivial. The
SFilter example mentioned only monitors actions, and does not modify
them; it is when you start modifying actions to filesystems that
challenges mount.

If you want a quick and dirty solution, require a separate partition for
encrypted data, and do a disk filter for that partition.

Don Burn
Windows 2000 Filesystem and Device Driver Consulting


> Then I have to patch the MBR with my code and then I have to hook int 13h in real
> mode.

Yep that’s the right sort of thing.

> But if I do this, all the kids will crack my real mode program.
>
> I have to do the maximum in the driver only, so that I hope the kids don't crack my
> driver :slight_smile:

Well, the encryption should stand up on its own regardless of
where you do it. Replacing, intercepting or disassembling a
driver is just as easy as real mode code if you know what you’re
doing. Don’t rely on NT security to stop access to your driver;
you can just boot on a floppy and access the driver outside
of NT (even NTFS by using NTFSDOS). Encrypting all the sectors
and doing the logon outside the OS has the advantage that
nothing in the OS can be accessed or modified without the
key.

Shaun




From: Shaun[SMTP:xxxxx@sdlabs.demon.co.uk]
Reply To: File Systems Developers
Sent: Wednesday, April 25, 2001 5:10 PM
To: File Systems Developers
Subject: [ntfsd] Re: Encryption Driver

> Replacing, intercepting or disassembling a
> driver is just as easy as real mode code if you know what you’re
> doing.

No, it is much easier :slight_smile: Drivers use APIs with known parameters, pass
parameters on the stack, and the new IDA automates the resolution of these parameters. Also,
with some experience it is easier to understand compiled C code, which
follows some rules, than ad hoc assembly with ‘nice’ tricks.

Best regards,

Michal Vodicka
Veridicom
(RKK - Skytale)
[WWW: http://www.veridicom.com , http://www.skytale.com]



> Of course all this ignores machines without int13 (such as IA64) and
> systems that use a SCSI driver as part of the boot, i.e. bootdd.sys.
> You will not get this type of solution blessed by WHQL.
>
> You are probably better off doing a filesystem filter driver and not
> protecting the system files. Of course this is far from trivial. The
> SFilter example mentioned only monitors actions, and does not modify
> them; it is when you start modifying actions to filesystems that
> challenges mount.

After loading my driver I can start to encrypt/decrypt. What if the OS reads/writes
the pagefile.sys? How do I know whether this is a system file or a user file?

> If you want a quick and dirty solution, require a separate partition for
> encrypted data, and do a disk filter for that partition.

No. I want a better solution only.



> Well, the encryption should stand up on its own regardless of
> where you do it. Replacing, intercepting or disassembling a
> driver is just as easy as real mode code if you know what you’re
> doing. Don’t rely on NT security to stop access to your driver;
> you can just boot on a floppy and access the driver outside
> of NT (even NTFS by using NTFSDOS). Encrypting all the sectors
> and doing the logon outside the OS has the advantage that
> nothing in the OS can be accessed or modified without the
> key.

What if I encrypt/decrypt only Windows files like doc, xls,
PE-EXE, etc… when someone tries to access the file?
My intention is to encrypt only user files. I don't want to protect the OS. Does
this work?

Regards,
Satish K.S



> What if I encrypt/decrypt only Windows files like doc, xls,
> PE-EXE, etc… when someone tries to access the file?
> My intention is to encrypt only user files. I don't want to protect the OS. Does
> this work?

Yes that can be done - it’s not trivial, but it’s not impossible either.
You will need to write a file system filter driver as you first thought.
It’s probably easier to encrypt a few directories which the user can put
their sensitive stuff in, but in theory you can encrypt whatever you
like.

Shaun



> After loading my driver I can start to encrypt/decrypt. What if the OS reads/writes
> the pagefile.sys? How do I know whether this is a system file or a user file?

For the page file you will get a flag that says it is a page file, but
in general you won’t be able to distinguish between user and system
files except by the file name. So you could exclude anything in the
windows directory for instance.

Shaun


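As an added example (not code from the thread), a user-mode C model of the create-time classification Shaun describes: the page file is recognised by the SL_OPEN_PAGING_FILE flag on the create request, the Windows directory is excluded by name, and user files are selected by extension as Satish proposed. The flag name and value are the DDK's; the prefix and extension lists, the verdict names and the function names are constructed assumptions for the model.

```c
/* User-mode model of an encryption filter's IRP_MJ_CREATE policy (added example;
 * not code from the thread or the IFS kit). Paths are assumed to be the
 * volume-relative form a filter sees in FileObject->FileName. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* IrpSp->Flags bit on IRP_MJ_CREATE (real DDK value): this open is for a paging file. */
#define SL_OPEN_PAGING_FILE 0x02

/* Constructed policy: volume-relative prefixes never touched, and user-data
 * extensions that are transparently encrypted. */
static const char *excluded_prefixes[] = { "\\Windows\\", "\\WINNT\\", "\\Program Files\\" };
static const char *protected_exts[]    = { ".doc", ".xls", ".txt" };

typedef enum {
    SKIP_PAGING_FILE,   /* never crypt the page file, whatever its name */
    SKIP_SYSTEM_PATH,   /* system directory: leave alone so the OS keeps booting */
    SKIP_OTHER_TYPE,    /* not a protected extension */
    TRACK_ENCRYPTED     /* attach encryption state to this file object */
} create_verdict_t;

/* Case-insensitive prefix test; NTFS paths are case-insensitive by default. */
static bool ci_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

static bool ci_suffix(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ci_prefix(s + ls - lx, suffix);
}

/* Decide at IRP_MJ_CREATE whether this file object becomes an encrypted one.
 * The flag check comes first: the page file must be skipped regardless of its path. */
create_verdict_t classify_create(const char *name, unsigned create_flags) {
    if (create_flags & SL_OPEN_PAGING_FILE) return SKIP_PAGING_FILE;
    for (size_t i = 0; i < sizeof excluded_prefixes / sizeof *excluded_prefixes; i++)
        if (ci_prefix(name, excluded_prefixes[i])) return SKIP_SYSTEM_PATH;
    for (size_t i = 0; i < sizeof protected_exts / sizeof *protected_exts; i++)
        if (ci_suffix(name, protected_exts[i])) return TRACK_ENCRYPTED;
    return SKIP_OTHER_TYPE;
}
```

Name-based classification only sees the name used for this particular open, so short (8.3) names, hard links and opens by file ID can reach the same file under a different name; treat the path lists as policy, not as a security boundary.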

> > After loading my driver I can start to encrypt/decrypt. What if the OS reads/writes
> > the pagefile.sys? How do I know whether this is a system file or a user file?
>
> For the page file you will get a flag that says it is a page file, but
> in general you won’t be able to distinguish between user and system
> files except by the file name. So you could exclude anything in the
> windows directory for instance.

What if I encrypt all PE-EXE files? Does any problem come at any time in
practice? Do you have any idea?

Regards,
Satish K.S



> What if I encrypt all PE-EXE files? Does any problem come at any time in
> practice? Do you have any idea?

You can encrypt EXE files as long as they are not used during the early
phase of booting the machine. Of course you have to get all your EXE
files encrypted in the first place which can’t be done if the EXE is
in use (same goes for any other file type). If you really need to
encrypt files that would be in-use from early on, then you would
probably have to write a native mode app that runs during boot (like
CHKDSK does). Once the files are encrypted your filter driver can
happily provide the transparent decryption.

Why do you want to encrypt the EXEs? Most people want to protect their
data, not the programs.

Shaun



> > What if I encrypt all PE-EXE files? Does any problem come at any time in
> > practice? Do you have any idea?
>
> You can encrypt EXE files as long as they are not used during the early
> phase of booting the machine. Of course you have to get all your EXE
> files encrypted in the first place which can’t be done if the EXE is
> in use (same goes for any other file type). If you really need to

I want to encrypt/decrypt on access.

> encrypt files that would be in-use from early on, then you would
> probably have to write a native mode app that runs during boot (like
> CHKDSK does). Once the files are encrypted your filter driver can
> happily provide the transparent decryption.

I am not interested in doing a one-time encryption.

> Why do you want to encrypt the EXEs? Most people want to protect their
> data, not the programs.

Yes, because we have to go according to extension, as I told before, instead of going
for full hard disk encryption.

