Kernel mode crypto API

My understanding is CAPI only exists in user mode (SDK). There is no CAPI in kernel mode (DDK). So, what is the industry approach to doing encryption within kernel mode? Using a third-party library? Developing a user mode DLL? How about retrieving data from a RADIUS server? Thanks.

Joe



Hi Joseph,

I have done AES encryption in kernel mode using a user-mode DLL and then
calling the encryption logic from kernel mode (loading the user-mode DLL in
kernel mode), and it works absolutely fine.
In fact I have seen a popular similar product doing this kind of thing using
the same technique.

Regards,
Shreshth

— Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256 To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Shreshth,

With due respect to your work, I don’t think what you have done is mortally
possible in the Windows OS.

Reasons being…

  1. You can make it link, but it won’t load or execute. Probably either a DLL
    load failure or an access violation while loading it will occur. It could be
    possible to force the linker to use kernel exports, but the resulting binary
    will probably be refused by the loader because of unresolvable imports.

  2. Just recall how this works. At link time, the linker is given an implib;
    here you are asserting the future existence of a PE file with a particular
    name reachable by PATH or via delay loading. There are utils that can tell
    you about these. If, at runtime, it can’t find a PE file with that name, it
    won’t work.

  3. You may however recompile your DLL code, and if you haven’t used any
    functions specific to user land it can be used in kernel mode also.
    Of course, you are not using any outside functions in this DLL. While doable,
    this is not easy. The easier way (and the correct one, probably) is to ask
    the kernel to do an inverted call for user mode services that use the DLLs.
    Or the inverse, where the kernel code can be called by an IOCTL from the user
    code. The odds of getting this code right so it can be shared, and keeping
    it right as changes are needed, are exceedingly small.

Best Regards,

amitr0 :slight_smile:

amitr0 wrote:

> With due respect to your work, I don’t think what you have done is
> mortally possible in the Windows OS.
>
> Reasons being…
>
> 1. You can make it link, but it won’t load or execute. Probably either
> a DLL load failure or an access violation while loading it will occur.
> It could be possible to force the linker to use kernel exports, but the
> resulting binary will probably be refused by the loader because of
> unresolvable imports.

It’s quite likely that a cryptographic DLL would be completely
standalone, with no external API needs at all. Such a DLL certainly
could be loaded in either user or kernel mode without modification.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
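Tim’s observation (a self-contained crypto DLL with no external API needs) suggests the check a reviewer would actually run before trusting such a module: read its PE optional header, confirm the import data directory is empty, and look at the Subsystem field to see what the image was built for. The C below is an added example of mine, not code from the thread or from any poster; it parses two constructed, header-only PE32 images built in memory, so it runs offline. The helper names (pe_import_check, build_sample_pe32, sample_imports, sample_subsystem) are mine; the subsystem values 1/2/3 are the real IMAGE_SUBSYSTEM_NATIVE/WINDOWS_GUI/WINDOWS_CUI constants and the header offsets follow the PE specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classification results for pe_import_check(). */
enum { PE_BAD = -1, PE_NO_IMPORTS = 0, PE_HAS_IMPORTS = 1 };

/* Real IMAGE_SUBSYSTEM_* values from the PE specification. */
enum { SUBSYS_NATIVE = 1, SUBSYS_WINDOWS_GUI = 2, SUBSYS_WINDOWS_CUI = 3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk DOS header -> PE signature -> COFF header -> optional header, read the
 * Subsystem field and the import data directory (index 1). Every offset is
 * bounds-checked against len so a truncated or hostile file yields PE_BAD
 * instead of an out-of-bounds read. */
int pe_import_check(const uint8_t *img, size_t len, uint16_t *subsystem)
{
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_BAD;
    uint32_t pe_off = rd32(img + 0x3c);                  /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) return PE_BAD;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return PE_BAD;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                 /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    if (len - (size_t)(opt - img) < opt_size) return PE_BAD;
    size_t nrva_off, dd_off;
    switch (rd16(opt)) {                                 /* Magic */
    case 0x10b: nrva_off = 92;  dd_off = 96;  break;     /* PE32  */
    case 0x20b: nrva_off = 108; dd_off = 112; break;     /* PE32+ */
    default:    return PE_BAD;
    }
    if (opt_size < 70) return PE_BAD;
    if (subsystem) *subsystem = rd16(opt + 68);          /* Subsystem */
    if (opt_size < nrva_off + 4) return PE_NO_IMPORTS;   /* no data directories */
    uint32_t nrva = rd32(opt + nrva_off);                /* NumberOfRvaAndSizes */
    if (nrva < 2 || opt_size < dd_off + 2 * 8) return PE_NO_IMPORTS;
    uint32_t imp_rva  = rd32(opt + dd_off + 8);          /* IMAGE_DIRECTORY_ENTRY_IMPORT */
    uint32_t imp_size = rd32(opt + dd_off + 12);
    return (imp_rva != 0 && imp_size != 0) ? PE_HAS_IMPORTS : PE_NO_IMPORTS;
}

/* Build a constructed, header-only PE32 image (no sections, no code) so the
 * check can run offline. Not a loadable binary; just enough header to parse. */
#define SAMPLE_PE_SIZE (0x40 + 4 + 20 + 224)
size_t build_sample_pe32(uint8_t *buf, size_t cap, uint16_t subsystem,
                         uint32_t import_rva, uint32_t import_size)
{
    if (cap < SAMPLE_PE_SIZE) return 0;
    memset(buf, 0, SAMPLE_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                  /* e_lfanew -> PE signature at 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, 0x014c);                  /* Machine = i386 */
    wr16(coff + 16, 224);                    /* SizeOfOptionalHeader: PE32 with 16 dirs */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10b);                    /* PE32 magic */
    wr16(opt + 68, subsystem);
    wr32(opt + 92, 16);                      /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 8, import_rva);          /* import directory RVA  */
    wr32(opt + 96 + 12, import_size);        /* import directory size */
    return SAMPLE_PE_SIZE;
}

/* One-call helpers: build a sample and classify it. */
int sample_imports(uint16_t subsystem, uint32_t import_rva, uint32_t import_size)
{
    uint8_t buf[SAMPLE_PE_SIZE];
    size_t n = build_sample_pe32(buf, sizeof buf, subsystem, import_rva, import_size);
    return pe_import_check(buf, n, NULL);
}
int sample_subsystem(uint16_t subsystem)
{
    uint8_t buf[SAMPLE_PE_SIZE];
    uint16_t s = 0;
    size_t n = build_sample_pe32(buf, sizeof buf, subsystem, 0, 0);
    return pe_import_check(buf, n, &s) == PE_BAD ? -1 : (int)s;
}

int main(void)
{
    printf("standalone native module: imports=%d subsystem=%d\n",
           sample_imports(SUBSYS_NATIVE, 0, 0), sample_subsystem(SUBSYS_NATIVE));
    printf("typical user-mode DLL:    imports=%d subsystem=%d\n",
           sample_imports(SUBSYS_WINDOWS_CUI, 0x2000, 0x28), sample_subsystem(SUBSYS_WINDOWS_CUI));
    return 0;
}
```

An empty import directory only says the loader has nothing to resolve; it says nothing about whether the code is safe at elevated IRQL, touches pageable memory, or fits the kernel stack, so this is a gate, not a proof of kernel-safety. A real file would also need the section table consulted to map RVAs to file offsets before the import names could be listed, which this header-only check deliberately does not attempt.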

Amit,

You are right in what you are saying, but I did not mention anywhere that
the DLL I’m calling is made by me. Maybe I should have mentioned that
clearly.

e.g. as in the following lines

/* func: function-pointer type matching the ZwQuerySystemInformation prototype */
typedef NTSTATUS (NTAPI *func)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

func ZwQuerySystemInformation =
    (func)GetProcAddress(GetModuleHandle("ntdll.dll"),
                         "ZwQuerySystemInformation");

And thanks for your explanation.

Regards,
Shreshth


Shreshth,

I still don’t see how this works. Your example shows getting a kernel routine entry point from user mode. Most likely, I need the other way around. Anyway, when I mentioned using a user mode DLL, I am thinking of writing a user mode DLL to communicate with the kernel portion, such as retrieving data from it. And my user mode DLL would make all the crypto calls and pass back the result to the kernel portion. However, I am seeing a security hole here. That is why I wonder how Windows does this. Thanks.

Joe


I am sure Microsoft has implemented crypto algorithms/interfaces in kernel
mode. You and I can’t use them. Bad luck!

You could look at the crypto algorithms/implementations used in
OpenSSL perhaps? IIRC much smarter people than me have made the same sort of
suggestion.

:slight_smile:


> Your example shows getting a kernel routine entry point from user mode.

No, similar stuff works from kernel mode as well. Check the Compuware
DriverStudio Reference for that. If I remember correctly, one such driver
mode function is Shell_GetProcAddress.

Regards,
Shreshth

> My understanding is CAPI only exists in user mode (SDK). There is no CAPI in
> kernel mode (DDK). So, what is the industry approach in doing encryption within
> kernel mode ?

Pull the OpenSSL crypto maths source to your project.
Use the undocumented Fips.sys, which is a kernel-mode CryptoAPI (used by EFS).
Proxy the crypto work to user mode service.

These are the 3 main ways.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Of course, there is no guarantee that FIPS or KSECDD will stick around
for Vista, so relying on them is no guarantee of your driver working in
the future.

d


Well, I can’t speak to FIPS, but routines exported by KSECDD are
documented public functions. If these are removed, it will break
compatibility - although that doesn’t mean they couldn’t be moved into a
different location.

For example, using SecLookupAccountName is now an accepted way of
converting an SID to an account name. This is implemented in KSECDD,
documented in the IFS Kit (and presumably the WDK although I didn’t
look) and relied upon by existing 3rd party drivers.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.


Thanks for clarifying. What is doc’ed will stay, what is not documented
might not stick around though.

d

– I can spell, I just can’t type.


With all that was discussed w.r.t. calling user land libraries in kernel, and
their pros and cons… can someone please explain how I can easily compile
and link the user mode strcpy etc. functions into my kernel mode driver, and
they work pretty well too…

Could you please rephrase? You discombobulated me…

You asked, "how I can easily compile and link the user mode strcpy etc
functions into my kernel mode driver and they work pretty well too… ".

I thought I was the only drunken poster… :slight_smile:

M


Why, what is the issue here? I can use strcpy (and friends) in the kernel
too… hell, with so much of Filemon’s code being dissected out here, even
Filemon code (the ancient one) uses some of them in the kernel…

The OP seems to think that because he can build with strcpy that this proves
that he can go off and link with anything in usermode, no problem. Darn, I
hate it when they figure out our secrets! How can we be gurus if we don’t
have any secrets?

Strcpy is inlined and is in the set of runtime functions that happen to
work in the kernel. It is also deprecated as it is a chronic source of
buffer overrun security holes. The set of kernel-friendly runtime functions
that at this point one generally should never be using as they are replaced
by string safe equivalents can be found in ntstrsafe.h, and also in
string.h.

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com

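Mark’s point about strcpy and the ntstrsafe.h replacements, as an added example of mine (not code from the thread or from any poster): the unbounded pattern beside a bounded copy that follows the RtlStringCbCopy contract. The copy_status enum and the helper names (unsafe_copy16, strcpy_would_overrun, safe_copy, copy16_status, copy16_len) are constructed for this portable demonstration; the real kernel functions (RtlStringCbCopyA/W in ntstrsafe.h, StringCbCopyA/W in strsafe.h for user mode) return NTSTATUS/HRESULT values instead of this enum. The sample path strings are constructed input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values modelled on the ntstrsafe contract (success, buffer overflow,
 * invalid parameter). Constructed for this portable example; not the real
 * NTSTATUS codes. */
typedef enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_PARAM = 2 } copy_status;

/* 'Before': the pattern under discussion. strcpy copies until the source's
 * NUL, so any source of 16 or more characters writes past dst. Kept here only
 * for comparison; it is never called on oversized input in this file. */
void unsafe_copy16(char dst[16], const char *src)
{
    strcpy(dst, src);
}

/* Pure predicate: would strcpy into a buffer of dst_size bytes overrun it? */
int strcpy_would_overrun(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}

/* 'After': bounded copy with the RtlStringCbCopy/StringCbCopy-style contract.
 * dst_size is the destination size in bytes; the result is always
 * NUL-terminated when dst_size > 0, and an oversized source is truncated and
 * reported rather than written past the end. */
copy_status safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) return COPY_BAD_PARAM;
    size_t n = strlen(src);
    if (n < dst_size) {
        memcpy(dst, src, n + 1);             /* fits, including the NUL */
        return COPY_OK;
    }
    memcpy(dst, src, dst_size - 1);          /* copy what fits ... */
    dst[dst_size - 1] = '\0';                /* ... and terminate anyway */
    return COPY_TRUNCATED;
}

/* Helpers that exercise safe_copy against a fixed 16-byte destination. */
int copy16_status(const char *src)
{
    char buf[16];
    return (int)safe_copy(buf, sizeof buf, src);
}
size_t copy16_len(const char *src)
{
    char buf[16];
    if (safe_copy(buf, sizeof buf, src) == COPY_BAD_PARAM) return 0;
    return strlen(buf);
}

int main(void)
{
    /* Constructed sample inputs: one that fits a 16-byte buffer, one that does not. */
    const char *short_name = "ntfs.sys";
    const char *long_name  = "\\Device\\HarddiskVolume1\\Windows\\System32\\drivers\\ntfs.sys";
    printf("strcpy would overrun 16 bytes with long_name: %d\n",
           strcpy_would_overrun(16, long_name));
    printf("safe_copy(short): status=%d len=%zu\n", copy16_status(short_name), copy16_len(short_name));
    printf("safe_copy(long):  status=%d len=%zu\n", copy16_status(long_name), copy16_len(long_name));
    return 0;
}
```

The design point is the one the kernel variants make explicit: the caller passes the destination size, the callee never writes beyond it, and truncation is a reported condition the caller must handle, not a silent overwrite of whatever follows the buffer on the stack.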

Thanks. Actually, I did use approach 1 (pulling the OpenSSL crypto in). I guess there is no better way. I have another question: how can it retrieve the certificate from outside? A user mode service? Thanks.

Joe


What are the licensing implications of using OpenSSL? Does use of OpenSSL require the software that includes it to be open source?

Vedvyas



OpenSSL has a BSD-like license. Actually there are two of them that apply to
OpenSSL; both of them put together amount to requiring you to credit the
cryptographic code to the OpenSSL Project and the SSLeay library, and their
respective authors. Also you will be required to reproduce the license
agreements in your manual or maybe during the installation. As far as making
your own source code open, well, that’s never required (even GPL has a lesser
license!).



Ankit Raizada
Room No. 349
Boys Hostel
IIITA Campus
Deoghat Jhalwa
Allahabad - 211012
Email: xxxxx@iiita.ac.in
xxxxx@yahoo.com
xxxxx@gmail.com

A P wrote:

> with all that was discussed w.r.t calling user land libraries in
> kernel, and their pros and cons…can someone please explain how I can
> easily compile and link the user mode strcpy etc functions into my
> kernel mode driver and they work pretty well too…

This works because there is a kernel-mode library called libcntpr.lib
that re-implements much of the C run-time library in a kernel-safe way,
designed specifically for kernel drivers.

Note that much of the recent discussion has been about calling user-land
DLLs from kernel, not user-land libraries.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.