Greeting everyone,
After being a SDK/.NET developer for 10+ years, I am really excited that I
am going to dive into the kernel. Here is my situation:
I want to write a minifilter to encrypt/decrypt file on the fly. One goal is
transparency, meaning that encrypt/decrypt is done at background without
user’s knowledge. The second goal is that I NEVER wants to store file on
hard disk in decrypted format. I am pretty sure the first one is feasible,
but not sure about the second goal.
If a developer writes an application read a decrypted file into memory, then
he got a decrypted file in memory. Now if he save the file using a different
name, he will get a decrypted copy. Could someone here point me a direction
that I can prevent this from happening? If it can’t be done by minifilter, I
am open for other suggestions.
BTW, encrypting the whole disk isn’t an option for me.
Thank you in advance.
Ming
> If a developer writes an application read a decrypted file into memory, then
he got a decrypted file in memory. Now if he save the file using a different
name, he will get a decrypted copy. Could someone here point me a direction
that I can prevent this from happening?
You cannot prevent this.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
- Why would anyone give out such an idea to anyone else?
- There is 100% guarantee anything you make with the start-point of “Encrypt
every copy” will be broken.
Ming Zhang wrote:
Greeting everyone,
After being a SDK/.NET developer for 10+ years, I am really excited that I
am going to dive into the kernel. Here is my situation:
I want to write a minifilter to encrypt/decrypt file on the fly. One goal is
transparency, meaning that encrypt/decrypt is done at background without
user’s knowledge. The second goal is that I NEVER wants to store file on
hard disk in decrypted format. I am pretty sure the first one is feasible,
but not sure about the second goal.
If a developer writes an application read a decrypted file into memory, then
he got a decrypted file in memory. Now if he save the file using a different
name, he will get a decrypted copy. Could someone here point me a direction
that I can prevent this from happening? If it can’t be done by minifilter, I
am open for other suggestions.
BTW, encrypting the whole disk isn’t an option for me.
Thank you in advance.
Ming
Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@alfasp.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.
Dejan and Maxim, thanks for your reply (although this isn’t the answer I am
looking for).
All I am trying to do is a filter supports on-the-fly encrypt and decrypt. I
am sure this has been done many times. The difference is that I want to do
this (encrypt/decrypt) for all files with certain extension. I don’t want to
encrypt other type of files. So one thing I have to avoid is that if a user
saves the file with a different name or extension, it’s still encrypted. Of
course, then the file won’t be decrypted when opening because it doesn’t
have required extension anymore.
I don’t mind if real expert breaks the encryption. As long as it’s
reasonably secure, I am okay. I think there must be a way to achieve this.
At least I can do it in my filter by not allow a file to be saved ….
Any advices would be highly appreciated.
Thank you again
From: Dejan Maksimovic
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: Re: [ntfsd] Minifilter question
>Date: Sun, 26 Feb 2006 05:00:22 +0100
>
>
> 1. Why would anyone give out such an idea to anyone else?
> 2. There is 100% guarantee anything you make with the start-point of
>“Encrypt
>every copy” will be broken.
>
>Ming Zhang wrote:
>
> > Greeting everyone,
> > After being a SDK/.NET developer for 10+ years, I am really excited that
>I
> > am going to dive into the kernel. Here is my situation:
> >
> > I want to write a minifilter to encrypt/decrypt file on the fly. One
>goal is
> > transparency, meaning that encrypt/decrypt is done at background without
> > user’s knowledge. The second goal is that I NEVER wants to store file on
> > hard disk in decrypted format. I am pretty sure the first one is
>feasible,
> > but not sure about the second goal.
> >
> > If a developer writes an application read a decrypted file into memory,
>then
> > he got a decrypted file in memory. Now if he save the file using a
>different
> > name, he will get a decrypted copy. Could someone here point me a
>direction
> > that I can prevent this from happening? If it can’t be done by
>minifilter, I
> > am open for other suggestions.
> > BTW, encrypting the whole disk isn’t an option for me.
> >
> > Thank you in advance.
> > Ming
> >
> > —
> > Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
> >
> > You are currently subscribed to ntfsd as: xxxxx@alfasp.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>–
>Kind regards, Dejan M.
>http://www.alfasp.com E-mail: xxxxx@alfasp.com
>Alfa Transparent File Encryptor - Transparent file encryption services.
>Alfa File Protector - File protection and hiding library for Win32
>developers.
>Alfa File Monitor - File monitoring library for Win32 developers.
>
>
>
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com
> The difference is that I want to do this (encrypt/decrypt) for all files
with certain extension. I don’t want to
I think you have answered your own question - you just encrypt
all files that have certain extension. So:
Creating new file with your extension ==> file gets encrypted
Creating new file with another one ==> file remains unencrypted
Don’t forget about rename.
L.
Assuming most commonly used applications (Windows, Office, Adobe etc…) you can
use a certain level of heuristics to achieve that.
For example, Explorer will open the source file and make a file which has AT
LEAST the source file name in it (it might be Copy of Source File Name as well). That
would be the easiest case.
Next, Word. Save works by copying new data into a.tmp, renaming original.doc to
b.tmp, renaming a.tmp to original.doc and deleting b.tmp - fairly easy to handle.
Other applications have similar well-defined ways of handling things.
Without either: encrypting all files created by Word or denying creates (…) you
allow a user to do Save As to My Ideal Way of Circumventing The Security.My Extension
or My ideal security circumvent without extension file. Average users (or maybe I
have too good of an opinion of average users?) will figure this out.
Regards, Dejan.
Ming Zhang wrote:
Dejan and Maxim, thanks for your reply (although this isn’t the answer I am
looking for).
All I am trying to do is a filter supports on-the-fly encrypt and decrypt. I
am sure this has been done many times. The difference is that I want to do
this (encrypt/decrypt) for all files with certain extension. I don’t want to
encrypt other type of files. So one thing I have to avoid is that if a user
saves the file with a different name or extension, it’s still encrypted. Of
course, then the file won’t be decrypted when opening because it doesn’t
have required extension anymore.
I don’t mind if real expert breaks the encryption. As long as it’s
reasonably secure, I am okay. I think there must be a way to achieve this.
At least I can do it in my filter by not allow a file to be saved ….
Any advices would be highly appreciated.
Thank you again
–
Kind regards, Dejan M.
http://www.alfasp.com E-mail: xxxxx@alfasp.com
Alfa Transparent File Encryptor - Transparent file encryption services.
Alfa File Protector - File protection and hiding library for Win32 developers.
Alfa File Monitor - File monitoring library for Win32 developers.
> encrypt other type of files. So one thing I have to avoid is that if a user
saves the file with a different name or extension, it’s still encrypted.
You cannot. For instance, imagine the user ZIPing the file.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
Thank you all for the reply. I think I can take a different approach:
I will maintain a global hash (key = process id, value = IsSourceEncrypted).
If a process opens an encrypted content, I will keep the process id and
IsSourceEncrypted = true in the hash. Whenever a process tries to write
anything to disk, I will check if the content originally coming from an
encrypted source. If it is, I will encrypt the content. So as long as the
original content is encrypted, it will never be decrypted.
This should make it sufficiently difficult to workaround, assuming there is
no way to do simple copy & paste.
BTW, thanks for the reminder, Dejan. I understand it.
From: “Maxim S. Shatskih”
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: Re: [ntfsd] Minifilter question
>Date: Sun, 26 Feb 2006 14:13:25 +0300
>
> > encrypt other type of files. So one thing I have to avoid is that if a
>user
> > saves the file with a different name or extension, it’s still encrypted.
>
>You cannot. For instance, imagine the user ZIPing the file.
>
>Maxim Shatskih, Windows DDK MVP
>StorageCraft Corporation
>xxxxx@storagecraft.com
>http://www.storagecraft.com
>
>
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com
> Whenever a process tries to write anything to disk,
I will check if the content originally coming from an
encrypted source. If it is, I will encrypt the content.
How you want to check this ?
Imagine MS word. You open encrypted DOC file.
Then you change this document so it will not be even
close to the original one. Then choose Save. Word
creates temp file and saves content to it. If all is OK,
word renames the temp file to the original one.
Now please tell me, how do you want to check
if the content is originally coming from encrypted source ??
L.
Of course you could invent a mystical algorithm that can associate the two.
Maybe flip a ‘coin’ using random numbers and if it matches, just pretend you
should encrypt it. This has been covered several times in this newsgroup.
Why can’t anyone read the old posts? Why don’t they try using minispy and
watching the activity that just opening a document in Word, modifying it,
saving it and saving it using the ‘save as’? This would explain a lot and
eliminate many elementary questions.
“Ladislav Zezula” wrote in message news:xxxxx@ntfsd…
>> Whenever a process tries to write anything to disk,
>> I will check if the content originally coming from an encrypted source.
>> If it is, I will encrypt the content.
>
> How you want to check this ?
>
> Imagine MS word. You open encrypted DOC file.
> Then you change this document so it will not be even
> close to the original one. Then choose Save. Word creates temp file and
> saves content to it. If all is OK,
> word renames the temp file to the original one.
>
> Now please tell me, how do you want to check
> if the content is originally coming from encrypted source ??
>
> L.
>
>
> watching the activity that just opening a document in Word, modifying it,
saving it and saving it using the ‘save as’? This would explain a lot and
eliminate many elementary questions.
Off-topic:
Unfortunately, forums don’t work that way. Some people
(and now I don’t mean OP of this thread) are just lazy to
search informations. Remember in one recent posts
“I have the book but it’s too large to read it”.
People also often have not a clue how an user mode action
reflexes in kernel mode. They think there’s a IRP_MJ_SAVE_AS,
IRP_MJ_PASTE_CLIPBOARD, or IRP_MJ_MOUSE_CLICK
(a bit thick, but not that uncommon).
Third, people don’t have a clue how complex FS development is.
This is why I must laugh when I see posts like “I have modified FileSpy
to encrypt data and it does not work, do you know why ?”.
I apologize to all who feel offended by this, but this is just the
impression I mostly have from this forum (and another ones too).
L.
Apologize for the elementary questions. I will do more reading and testing
before bother you all again.
From: “Ladislav Zezula”
>Reply-To: “Windows File Systems Devs Interest List”
>To: “Windows File Systems Devs Interest List”
>Subject: Re: Re:[ntfsd] Minifilter question
>Date: Mon, 27 Feb 2006 09:49:51 +0100
>
>>watching the activity that just opening a document in Word, modifying it,
>>saving it and saving it using the ‘save as’? This would explain a lot and
>>eliminate many elementary questions.
>
>Off-topic:
>
>Unfortunately, forums don’t work that way. Some people
>(and now I don’t mean OP of this thread) are just lazy to
>search informations. Remember in one recent posts
>“I have the book but it’s too large to read it”.
>
>People also often have not a clue how an user mode action
>reflexes in kernel mode. They think there’s a IRP_MJ_SAVE_AS,
>IRP_MJ_PASTE_CLIPBOARD, or IRP_MJ_MOUSE_CLICK
>(a bit thick, but not that uncommon).
>
>Third, people don’t have a clue how complex FS development is.
>This is why I must laugh when I see posts like “I have modified FileSpy
>to encrypt data and it does not work, do you know why ?”.
>
>I apologize to all who feel offended by this, but this is just the
>impression I mostly have from this forum (and another ones too).
>
>L.
>
>
>
>—
>Questions? First check the IFS FAQ at
>https://www.osronline.com/article.cfm?id=17
>
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com