Encryption over a share

Has anyone done an encryption filter that encrypts data over a
share? Just like on a normal volume.
I didn’t think it would work as it would for a normal volume (IIRC,
the Lanman doesn’t use the cache manager completely?).
Ideas?


Kind regards, Dejan M. MVP for DDK
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32
developers.
Alfa File Monitor - File monitoring library for Win32 developers.

If you’re filtering LanManager, you are NOT guaranteed to see paging I/O
for all corresponding data that comes down first as non-paging I/O. I
wish Microsoft would modify this behavior, this guarantee is necessary
in order for filters to operate efficiently (i.e. for us not to go to
disk for every cached I/O we see for certain filesystems).

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Thursday, April 03, 2003 3:52 AM
To: File Systems Developers
Subject: [ntfsd] Encryption over a share

Has anyone done an encryption filter that encrypts data
over a share? Just like on a normal volume.
I didn’t think it would work as it would for a normal
volume (IIRC, the Lanman doesn’t use the cache manager completely?).
Ideas?



Yup, that’s what I did, forcing all I/O to be non-cached over the redirector.

Ampsi

----- Original Message -----
From: “Nicholas Ryan”
To: “File Systems Developers”
Sent: Friday, April 04, 2003 05:29
Subject: [ntfsd] RE: Encryption over a share

If you’re filtering LanManager, you are NOT guaranteed to see paging I/O
for all corresponding data that comes down first as non-paging I/O. I
wish Microsoft would modify this behavior, this guarantee is necessary
in order for filters to operate efficiently (i.e. for us not to go to
disk for every cached I/O we see for certain filesystems).

- Nicholas Ryan


> If you’re filtering LanManager, you are NOT guaranteed to see paging I/O
> for all corresponding data that comes down first as non-paging I/O.

I thought so, so how should one handle shares?

> I wish Microsoft would modify this behavior, this guarantee is necessary
> in order for filters to operate efficiently (i.e. for us not to go to disk
> for every cached I/O we see for certain filesystems).

For which FS do you need this?


Kind regards, Dejan M. MVP for DDK

You mean adding IRP_NOCACHE bit only?
What was the result? Did you do encryption on every I/O, or did it result in
paging non-cached I/O?

Ampsi wrote:

> Yup, that’s what I did, forcing all I/O to be non-cached over the redirector.


Kind regards, Dejan M. MVP for DDK

Yes. I change all I/O to non-cached and encrypt all non-cached I/O.

I have not tried the other way of disabling redirector caching through the
registry, though.

Ampsi

----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Friday, April 04, 2003 13:47
Subject: [ntfsd] RE: Encryption over a share

You mean adding IRP_NOCACHE bit only?
What was the result? Did you do encryption on every I/O, or did it result in
paging non-cached I/O?


But what do you mean by change it to non cached?

> Yes. I change all I/O to non-cached and encrypt all non-cached I/O.

> > Yup, that’s what I did, forcing all I/O to be non-cached over the redirector.


Kind regards, Dejan M. MVP for DDK

In Windows 2000 and more recent, RDR2 is implemented in two kernel pieces:
the RDBSS core, and the MRXSMB.SYS driver that is specific to CIFS. The
RDBSS code was present in the NT 4.0 IFS Kit, although it has been removed
from more recent kits. The older source code should NOT be used directly,
but is useful for reference. In addition, the data structures are in the
header files contained in the current IFS Kit (gee, I guess that would now
be the Windows Server 2003 IFS Kit!)

If you look through the header files (and the older source version if you
have it) you will notice that the shared FCB structure includes information
about the caching state of the file. If this structure indicates the file
should be non-cached it is treated as if it were non-cached I/O.

This can be confusing in an encryption driver because it means that you must
look for this condition (the settings in the FCB) as well as the “standard”
value for the local file systems (IRP_NOCACHE).

The lesson here, and one worth remembering, is that much of what is
discussed on this list is based upon observed behavior and performance.
There is nothing that requires that all file systems behave identically -
and they do not. Third party file systems may deviate from this
considerably more than Microsoft’s own file systems. Perhaps in future
versions of Windows there will be file systems provided that operate very
differently (e.g., WinFS support that is anticipated in Longhorn).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
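
The point in Tony Mason's message above, as an added user-mode model in C (not code from the thread, the IFS Kit or any driver): a filter that tests only the IRP flags lets plaintext reach the share when the FCB marks the file non-cached. `IRP_NOCACHE` and `IRP_PAGING_IO` use their wdm.h values; `model_fcb`, its fields, the function names and the XOR transform are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_NOCACHE   0x00000001u  /* value from wdm.h */
#define IRP_PAGING_IO 0x00000002u  /* value from wdm.h */

struct model_fcb {            /* hypothetical stand-in for the shared FCB */
    bool caching_enabled;     /* false: file is handled as non-cached     */
    uint8_t cache[32];        /* client-side cached copy (plaintext)      */
    uint8_t server[32];       /* bytes that reached the share             */
};

/* Placeholder XOR transform standing in for the filter's real cipher. */
static void toy_encrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5A;
}

/* Model redirector: data goes to the server when the IRP is non-cached or
 * paging, or when the FCB says caching is off; otherwise it stays cached. */
static void model_rdr_write(struct model_fcb *f, uint32_t flags,
                            const uint8_t *buf, size_t len) {
    bool to_server = (flags & (IRP_NOCACHE | IRP_PAGING_IO)) || !f->caching_enabled;
    memcpy(to_server ? f->server : f->cache, buf, len);
}

/* Model filter: check_fcb=false tests IRP flags only; true also reads the FCB. */
static void model_filter_write(struct model_fcb *f, uint32_t flags,
                               const char *data, bool check_fcb) {
    uint8_t buf[32] = {0};
    size_t len = strlen(data) < sizeof buf ? strlen(data) : sizeof buf;
    memcpy(buf, data, len);
    bool noncached = (flags & (IRP_NOCACHE | IRP_PAGING_IO)) != 0;
    if (check_fcb && !f->caching_enabled) noncached = true;
    if (noncached) toy_encrypt(buf, len);   /* encrypt only what leaves the cache */
    model_rdr_write(f, flags, buf, len);
}

/* Returns true if the share ends up holding the plaintext. */
static bool server_sees_plaintext(uint32_t flags, bool caching_enabled, bool check_fcb) {
    struct model_fcb f = { .caching_enabled = caching_enabled };
    const char *secret = "constructed sample";   /* constructed test data */
    model_filter_write(&f, flags, secret, check_fcb);
    return memcmp(f.server, secret, strlen(secret)) == 0;
}

int main(void) {
    printf("IRP flags only:  leak=%d\n", server_sees_plaintext(0, false, false));
    printf("IRP flags + FCB: leak=%d\n", server_sees_plaintext(0, false, true));
    return 0;
}
```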

-----Original Message-----
From: Ampsi [mailto:xxxxx@pmail.ntu.edu.sg]
Sent: Friday, April 04, 2003 4:11 AM
To: File Systems Developers
Subject: [ntfsd] RE: Encryption over a share

Yes. I change all I/O to non-cached and encrypt all non-cached I/O.

I have not tried the other way of disabling redirector caching through the
registry, though.

Ampsi
