Still the problem of crypt DOC file

NTFSD
1

In my file filter dirver, I catch the IRP_MJ_READ which Irp->Flags is
IRP_NOCACHE to Decrypt the DOC file, and also when saving the DOC file I
can successful Static Encrypt the DOC file.
My problem is that after I Encrypt the DOC file, close the file, and open
the DOC file the second time, I do not know how to Decrypt it, because
there are no NOCACHE IRP_MJ_READ.

So I wondered if there are some ways to cause the NOCASHE IRP_MJ_READ,
or my way of Decypt the DOC file is totally wrong?

Any suggestions will be appreciated.

Thanks!

Ice Fu

2

You’re checking the wrong flag. You should be checking for
IRP_PAGING_IO, not IRP_NOCACHE.

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ice Fu
Sent: Saturday, April 05, 2003 1:07 AM
To: File Systems Developers
Subject: [ntfsd] Still the problem of crypt DOC file

In my file filter dirver, I catch the IRP_MJ_READ which
Irp->Flags is IRP_NOCACHE to Decrypt the DOC file, and also
when saving the DOC file I can successful Static Encrypt the
DOC file. My problem is that after I Encrypt the DOC file,
close the file, and open the DOC file the second time, I do
not know how to Decrypt it, because there are no NOCACHE IRP_MJ_READ.

So I wondered if there are some ways to cause the NOCASHE
IRP_MJ_READ, or my way of Decypt the DOC file is totally wrong?

Any suggestions will be appreciated.

Thanks!

Ice Fu

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

3

Data on the disk is encrypted, right? So everything that comes from disk has
to be decrypted. Checking IRP_NOCACHE flag is valid, as far as I know
PagingIO has both IRP_PAGING_IO and IRP_NOCACHE flags set. Or you can choose
to check if one of those flags is set.
Actaully approach to do static encryption has one problem - because data is
not encrypted when written to disk working with a file that is encrypted may
lead to file being partially encrypted on disk.

Alexei.

“Nicholas Ryan” wrote in message news:xxxxx@ntfsd…
>
> You’re checking the wrong flag. You should be checking for
> , not IRP_NOCACHE.
>
> - Nicholas Ryan
>
>
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Ice Fu
> > Sent: Saturday, April 05, 2003 1:07 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Still the problem of crypt DOC file
> >
> >
> > In my file filter dirver, I catch the IRP_MJ_READ which
> > Irp->Flags is IRP_NOCACHE to Decrypt the DOC file, and also
> > when saving the DOC file I can successful Static Encrypt the
> > DOC file. My problem is that after I Encrypt the DOC file,
> > close the file, and open the DOC file the second time, I do
> > not know how to Decrypt it, because there are no NOCACHE IRP_MJ_READ.
> >
> > So I wondered if there are some ways to cause the NOCASHE
> > IRP_MJ_READ, or my way of Decypt the DOC file is totally wrong?
> >
> > Any suggestions will be appreciated.
> >
> > Thanks!
> >
> > Ice Fu
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@nryan.com
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
>
>
>
>

4

Right, I forget about non-cached non-paging I/O, which won’t result in
paging I/O. Therefore Ice’s code shouldn’t be missing any reads. His
problem seems to be that the method he uses to encrypt the file results
in encrypted data being put in the cache. Any write of encrypted data
generated by his filter should be a non-cached write.

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Saturday, April 05, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] Re: Still the problem of crypt DOC file

Data on the disk is encrypted, right? So everything that
comes from disk has to be decrypted. Checking IRP_NOCACHE
flag is valid, as far as I know PagingIO has both
IRP_PAGING_IO and IRP_NOCACHE flags set. Or you can choose to
check if one of those flags is set. Actaully approach to do
static encryption has one problem - because data is not
encrypted when written to disk working with a file that is
encrypted may lead to file being partially encrypted on disk.

Alexei.

“Nicholas Ryan” wrote in message news:xxxxx@ntfsd…
> >
> > You’re checking the wrong flag. You should be checking for
> > , not IRP_NOCACHE.
> >
> > - Nicholas Ryan
> >
> >
> > > -----Original Message-----
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of Ice Fu
> > > Sent: Saturday, April 05, 2003 1:07 AM
> > > To: File Systems Developers
> > > Subject: [ntfsd] Still the problem of crypt DOC file
> > >
> > >
> > > In my file filter dirver, I catch the IRP_MJ_READ which
> > > Irp->Flags is IRP_NOCACHE to Decrypt the DOC file, and also
> > > when saving the DOC file I can successful Static Encrypt the DOC
> > > file. My problem is that after I Encrypt the DOC file, close the
> > > file, and open the DOC file the second time, I do not know how to
> > > Decrypt it, because there are no NOCACHE IRP_MJ_READ.
> > >
> > > So I wondered if there are some ways to cause the NOCASHE
> > > IRP_MJ_READ, or my way of Decypt the DOC file is totally wrong?
> > >
> > > Any suggestions will be appreciated.
> > >
> > > Thanks!
> > >
> > > Ice Fu
> > >
> > > —
> > > You are currently subscribed to ntfsd as: xxxxx@nryan.com To
> > > unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> >
> >
> >
> >
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@nryan.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

5

If he encrypts data in-place, of course he will end up with encrypted data
in the cache - the “buffer” given to a file system in the IRP_MJ_WRITE entry
point IS the data in the cache.

While I cannot say that this is his problem, it is something that has been
discussed previously here on the list.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: Nicholas Ryan [mailto:xxxxx@nryan.com]
Sent: Saturday, April 05, 2003 7:34 PM
To: File Systems Developers
Subject: [ntfsd] Re: Still the problem of crypt DOC file

Right, I forget about non-cached non-paging I/O, which won’t result in
paging I/O. Therefore Ice’s code shouldn’t be missing any reads. His
problem seems to be that the method he uses to encrypt the file results
in encrypted data being put in the cache. Any write of encrypted data
generated by his filter should be a non-cached write.

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Saturday, April 05, 2003 3:26 PM
To: File Systems Developers
Subject: [ntfsd] Re: Still the problem of crypt DOC file

Data on the disk is encrypted, right? So everything that
comes from disk has to be decrypted. Checking IRP_NOCACHE
flag is valid, as far as I know PagingIO has both
IRP_PAGING_IO and IRP_NOCACHE flags set. Or you can choose to
check if one of those flags is set. Actaully approach to do
static encryption has one problem - because data is not
encrypted when written to disk working with a file that is
encrypted may lead to file being partially encrypted on disk.

Alexei.

“Nicholas Ryan” wrote in message news:xxxxx@ntfsd…
> >
> > You’re checking the wrong flag. You should be checking for
> > , not IRP_NOCACHE.
> >
> > - Nicholas Ryan
> >
> >
> > > -----Original Message-----
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of Ice Fu
> > > Sent: Saturday, April 05, 2003 1:07 AM
> > > To: File Systems Developers
> > > Subject: [ntfsd] Still the problem of crypt DOC file
> > >
> > >
> > > In my file filter dirver, I catch the IRP_MJ_READ which
> > > Irp->Flags is IRP_NOCACHE to Decrypt the DOC file, and also
> > > when saving the DOC file I can successful Static Encrypt the DOC
> > > file. My problem is that after I Encrypt the DOC file, close the
> > > file, and open the DOC file the second time, I do not know how to
> > > Decrypt it, because there are no NOCACHE IRP_MJ_READ.
> > >
> > > So I wondered if there are some ways to cause the NOCASHE
> > > IRP_MJ_READ, or my way of Decypt the DOC file is totally wrong?
> > >
> > > Any suggestions will be appreciated.
> > >
> > > Thanks!
> > >
> > > Ice Fu
> > >
> > > —
> > > You are currently subscribed to ntfsd as: xxxxx@nryan.com To
> > > unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> >
> >
> >
> >
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@nryan.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>


You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

6

Thanks Nicholas,Alexei

also I am think so!
but I don’t know how to perform NONCACHE write.

Here is my way of Encrypt the file.
create a new file a.doc.temp, and encrypt a.doc to a.doc.temp,(using
ZwReadFile,ZwWriteFile),rename a.doc.temp to a.doc.

7

If you’re using ZwWriteFile to write to a.doc.temp, you should make sure
the file handle you use was opened with the
FILE_NO_INTERMEDIATE_BUFFERING flag. This will prevent your encrypted
data from being cached.

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ice Fu
Sent: Saturday, April 05, 2003 9:11 PM
To: File Systems Developers
Subject: [ntfsd] Re: Still the problem of crypt DOC file

Thanks Nicholas,Alexei

also I am think so!
but I don’t know how to perform NONCACHE write.

Here is my way of Encrypt the file.
create a new file a.doc.temp, and encrypt a.doc to
a.doc.temp,(using ZwReadFile,ZwWriteFile),rename a.doc.temp to a.doc.

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

8

> to be decrypted. Checking IRP_NOCACHE flag is valid, as far as I
know

PagingIO has both IRP_PAGING_IO and IRP_NOCACHE flags set. Or you
can choose
to check if one of those flags is set.

For encrypted files, you can implement non-cached writes as writes to
cache and then flushes, and ignore “non-cached” attribute on reads.
Otherwise, you will have problems with unaligned IO.

Max

9

Safer is to just double buffer the I/O yourself… some applications
depend on non-cached I/O not requiring certain uses of the cache (such
as the various ‘virtual volume’ utilities out there that back a volume
with I/O to a file - writes to the file must be non-cached or deadlocks
can occur in the cache manager).

  • Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim
S. Shatskih
Sent: Sunday, April 06, 2003 11:39 AM
To: File Systems Developers
Subject: [ntfsd] Re: Still the problem of crypt DOC file

> to be decrypted. Checking IRP_NOCACHE flag is valid, as far as I
know
> PagingIO has both IRP_PAGING_IO and IRP_NOCACHE flags set. Or you
can choose
> to check if one of those flags is set.

For encrypted files, you can implement non-cached writes as
writes to cache and then flushes, and ignore “non-cached”
attribute on reads. Otherwise, you will have problems with
unaligned IO.

Max

You are currently subscribed to ntfsd as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com