When to encrypt and when to decrypt??

Hi,

I want to modify the contents (flip the bits for now) of any file (on
the fly) that contains the name "output2.txt" in the disk. So far, I
cannot get my filter driver to behave consistently because:

1. It encrypts the whole file too many times or too little so when I
   read it in Notepad.exe I get all the bits flipped.

My procedure to create this encrypted filter driver is derived from
swapBuffers, included with IFS. Basically from my understanding
swapBuffers:

1. Pre IRP_MJ_READ:

sets up a new buffer and a new mdl that the IRP_MJ_WRITE uses

2. Post IRP_MJ_READ:

gets the new buffer and new mdl from the Pre IRP_MJ_WRITE and resets
the original Buffer or MdlAddress with it

3. Pre IRP_MJ_WRITE:

a) Creates a new buffer and mdl
b) gets the original buffer from iopb->Parameters.Write.WriteBuffer or
MmGetSystemAddressForMdlSafe()
c) Copies the originalBuffer to the new buffer
d) sets the write buffer and mdl address to the new buffer and mdl

4. Post IRP_MJ_WRITE:

cleanup

My algorithm

I. Decryption

For my encryption driver I modified the Post IRP_MJ_READ to decrypt
"output2.txt" files. Before it resets the original buffer to the new
buffer, i decrypt (flip the bits) on IRP_NOCACHE:

if (FltObjects->FileObject != NULL) {
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );
if (NT_SUCCESS( status )) {
nameToUse = &nameInfo->Name;
charName = piUnicode2Ascii(nameToUse);
if (charName && strstr(charName, "output2.txt"))
{
if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) {
DbgPrint("Read(%s):%s", charName, p2pCtx->SwappedBuffer);

Encrypt(p2pCtx->SwappedBuffer, 0, Data->IoStatus.Information,
p2pCtx->SwappedBuffer);
}
}
}
else
{
nameToUse = &(FltObjects->FileObject)->FileName;
charName = piUnicode2Ascii(nameToUse);
if (charName && strstr(charName, "output2.txt"))
{
if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) {
DbgPrint("Read2(%s):%s", charName, p2pCtx->SwappedBuffer);
ftEncrypt(p2pCtx->SwappedBuffer, 0,
Data->IoStatus.Information, p2pCtx->SwappedBuffer);
}
}
}
if (charName)
PIMFREE(charName);
if (NULL != nameInfo) {
FltReleaseFileNameInformation( nameInfo );
}
}

II. Encryption
In PRE IRP_MJ_WRITE (for all writes with names) I encrypt the new
buffer that the original buffer will be set to.

RtlCopyMemory( newBuf,
origBuf,
writeLen );
//*************** Encrypt newBuf here ******************
if (FltObjects->FileObject != NULL) {
status = FltGetFileNameInformation( Data,
FLT_FILE_NAME_NORMALIZED |
FLT_FILE_NAME_QUERY_DEFAULT,
&nameInfo );
if (NT_SUCCESS( status )) {
nameToUse = &nameInfo->Name;
charName = piUnicode2Ascii(nameToUse);
if (charName && strstr(charName, "output2.txt"))
{
//if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) {
DbgPrint("Write%d:%s", writeLen, charName, newBuf);
Encrypt(newBuf, 0, writeLen, newBuf);
//}
}
//else
//{
// DbgPrint("no name with output2.txt");
//}
}
else
{
nameToUse = &(FltObjects->FileObject)->FileName;
charName = piUnicode2Ascii(nameToUse);
if (charName && strstr(charName, "output2.txt"))
{
//if (FlagOn(IRP_NOCACHE,iopb->IrpFlags)) {
DbgPrint("Write2(%s):%s", charName, newBuf);
Encrypt(newBuf, 0, writeLen, newBuf);
//}
}
}

if (NULL != nameInfo) {
FltReleaseFileNameInformation( nameInfo );
}
if (charName)
PIMFREE(charName);
} else
{
DbgPrint("Fileobject is null?");
}

III. Questions

a) What am I doing wrong that it encrypts too often or not too often?
b) When should I encrypt and when should I decrypt?
c) Should I encrypt during FastIO?

Thank you,

Marc

>a) What am I doing wrong that it encrypts too often or not too often?

b) When should I encrypt and when should I decrypt?
c) Should I encrypt during FastIO?

Note:
a) the OS has cache, which is a set of pages
b) the same pages are directly mapped to processes in MapViewOfFile. Exactly
the same pages.

This means - the cache must contain cleartext data.
And this in turn means - no crypto in FastIo, FastIo is between app and cache,
not cache and media.

Crypto must be in noncached IO IRPs - i.e. between app/cache and media. This
includes the paging IO.

The rest is - where to keep file encryption keys and how to manage the
different sizes for crypted and non-crypted files. For me, allowing the size
difference (which will inevitably occur if you keep FEKs in files themselves)
means 2-2.5 times more complex project.

Keep FEKs in some database or the registry.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> The rest is - where to keep file encryption keys and how to manage the

different sizes for crypted and non-crypted files. For me, allowing the
size
difference (which will inevitably occur if you keep FEKs in files
themselves)
means 2-2.5 times more complex project.
Keep FEKs in some database or the registry.

It is possible to do it this way, but it brings an unpleasant side effects
that are not obvious at the first sight, but exacerbate later when you’ll
want to sell the finished product.

Customers often require possibility to archive the encrypted files
(e.g. burn them on CD or store somewhere).
Also implementing encrypted files on removable media or
network drives (which will be certainly required by customers)
votes for storing the FEKs in the file.

L.

Dear Shatskih,

I am writing a encryption filter driver, and must we deal with the Paging IO
in my filter Driver?

Ben

“Maxim S. Shatskih” ???:xxxxx@ntfsd…
> >a) What am I doing wrong that it encrypts too often or not too often?
>>b) When should I encrypt and when should I decrypt?
>>c) Should I encrypt during FastIO?
>
> Note:
> a) the OS has cache, which is a set of pages
> b) the same pages are directly mapped to processes in MapViewOfFile.
> Exactly
> the same pages.
>
> This means - the cache must contain cleartext data.
> And this in turn means - no crypto in FastIo, FastIo is between app and
> cache,
> not cache and media.
>
> Crypto must be in noncached IO IRPs - i.e. between app/cache and media.
> This
> includes the paging IO.
>
> The rest is - where to keep file encryption keys and how to manage the
> different sizes for crypted and non-crypted files. For me, allowing the
> size
> difference (which will inevitably occur if you keep FEKs in files
> themselves)
> means 2-2.5 times more complex project.
>
> Keep FEKs in some database or the registry.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>

> I am writing a encryption filter driver, and must we deal with the Paging

IO in my filter Driver?

Why you’re using this mailing list if you don’t read the incoming
mails, even these which are about things you’re interested in ?
You are asking a question that Maxim’s already answered.
Here is the part of his mail that you’ve probably missed.

> Crypto must be in noncached IO IRPs - i.e. between app/cache and media.
> This includes the paging IO.

L.

----- Original Message -----
From: “ben”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Friday, July 29, 2005 4:30 AM
Subject: Re:[ntfsd] When to encrypt and when to decrypt??

> Dear Shatskih,
>
> I am writing a encryption filter driver, and must we deal with the Paging
> IO in my filter Driver?
>
> Ben
>
> “Maxim S. Shatskih” ???:xxxxx@ntfsd…
>> >a) What am I doing wrong that it encrypts too often or not too often?
>>>b) When should I encrypt and when should I decrypt?
>>>c) Should I encrypt during FastIO?
>>
>> Note:
>> a) the OS has cache, which is a set of pages
>> b) the same pages are directly mapped to processes in MapViewOfFile.
>> Exactly
>> the same pages.
>>
>> This means - the cache must contain cleartext data.
>> And this in turn means - no crypto in FastIo, FastIo is between app and
>> cache,
>> not cache and media.
>>
>> Crypto must be in noncached IO IRPs - i.e. between app/cache and media.
>> This
>> includes the paging IO.
>>
>> The rest is - where to keep file encryption keys and how to manage the
>> different sizes for crypted and non-crypted files. For me, allowing the
>> size
>> difference (which will inevitably occur if you keep FEKs in files
>> themselves)
>> means 2-2.5 times more complex project.
>>
>> Keep FEKs in some database or the registry.
>>
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>
>>
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@volny.cz
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>

What’s the Paging IO? how can I deal with it in my filter driver?
thanks.

“Ladislav Zezula” ???:xxxxx@ntfsd…
>> I am writing a encryption filter driver, and must we deal with the Paging
>> IO in my filter Driver?
>
>
> Why you’re using this mailing list if you don’t read the incoming
> mails, even these which are about things you’re interested in ?
> You are asking a question that Maxim’s already answered.
> Here is the part of his mail that you’ve probably missed.
>
>>> Crypto must be in noncached IO IRPs - i.e. between app/cache and
>>> media. This includes the paging IO.
>
> L.
>
> ----- Original Message -----
> From: “ben”
> Newsgroups: ntfsd
> To: “Windows File Systems Devs Interest List”
> Sent: Friday, July 29, 2005 4:30 AM
> Subject: Re:[ntfsd] When to encrypt and when to decrypt??
>
>
>> Dear Shatskih,
>>
>> I am writing a encryption filter driver, and must we deal with the Paging
>> IO in my filter Driver?
>>
>> Ben
>>
>> “Maxim S. Shatskih” ???:xxxxx@ntfsd…
>>> >a) What am I doing wrong that it encrypts too often or not too often?
>>>>b) When should I encrypt and when should I decrypt?
>>>>c) Should I encrypt during FastIO?
>>>
>>> Note:
>>> a) the OS has cache, which is a set of pages
>>> b) the same pages are directly mapped to processes in MapViewOfFile.
>>> Exactly
>>> the same pages.
>>>
>>> This means - the cache must contain cleartext data.
>>> And this in turn means - no crypto in FastIo, FastIo is between app and
>>> cache,
>>> not cache and media.
>>>
>>> Crypto must be in noncached IO IRPs - i.e. between app/cache and
>>> media. This
>>> includes the paging IO.
>>>
>>> The rest is - where to keep file encryption keys and how to manage the
>>> different sizes for crypted and non-crypted files. For me, allowing the
>>> size
>>> difference (which will inevitably occur if you keep FEKs in files
>>> themselves)
>>> means 2-2.5 times more complex project.
>>>
>>> Keep FEKs in some database or the registry.
>>>
>>> Maxim Shatskih, Windows DDK MVP
>>> StorageCraft Corporation
>>> xxxxx@storagecraft.com
>>> http://www.storagecraft.com
>>>
>>>
>>
>>
>>
>> —
>> Questions? First check the IFS FAQ at
>> https://www.osronline.com/article.cfm?id=17
>>
>> You are currently subscribed to ntfsd as: xxxxx@volny.cz
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>

If you have to ask these questions, are you ready to be writing a file
system filter? This is one of the most difficult drivers to write.

“ben” wrote in message news:xxxxx@ntfsd…
> What’s the Paging IO? how can I deal with it in my filter driver?
> thanks.
>
> “Ladislav Zezula” ???:xxxxx@ntfsd…
>>> I am writing a encryption filter driver, and must we deal with the
>>> Paging IO in my filter Driver?
>>
>>
>> Why you’re using this mailing list if you don’t read the incoming
>> mails, even these which are about things you’re interested in ?
>> You are asking a question that Maxim’s already answered.
>> Here is the part of his mail that you’ve probably missed.
>>
>>>> Crypto must be in noncached IO IRPs - i.e. between app/cache and
>>>> media. This includes the paging IO.
>>
>> L.
>>
>> ----- Original Message -----
>> From: “ben”
>> Newsgroups: ntfsd
>> To: “Windows File Systems Devs Interest List”
>> Sent: Friday, July 29, 2005 4:30 AM
>> Subject: Re:[ntfsd] When to encrypt and when to decrypt??
>>
>>
>>> Dear Shatskih,
>>>
>>> I am writing a encryption filter driver, and must we deal with the
>>> Paging IO in my filter Driver?
>>>
>>> Ben
>>>
>>> “Maxim S. Shatskih” ???:xxxxx@ntfsd…
>>>> >a) What am I doing wrong that it encrypts too often or not too often?
>>>>>b) When should I encrypt and when should I decrypt?
>>>>>c) Should I encrypt during FastIO?
>>>>
>>>> Note:
>>>> a) the OS has cache, which is a set of pages
>>>> b) the same pages are directly mapped to processes in MapViewOfFile.
>>>> Exactly
>>>> the same pages.
>>>>
>>>> This means - the cache must contain cleartext data.
>>>> And this in turn means - no crypto in FastIo, FastIo is between app and
>>>> cache,
>>>> not cache and media.
>>>>
>>>> Crypto must be in noncached IO IRPs - i.e. between app/cache and
>>>> media. This
>>>> includes the paging IO.
>>>>
>>>> The rest is - where to keep file encryption keys and how to manage the
>>>> different sizes for crypted and non-crypted files. For me, allowing the
>>>> size
>>>> difference (which will inevitably occur if you keep FEKs in files
>>>> themselves)
>>>> means 2-2.5 times more complex project.
>>>>
>>>> Keep FEKs in some database or the registry.
>>>>
>>>> Maxim Shatskih, Windows DDK MVP
>>>> StorageCraft Corporation
>>>> xxxxx@storagecraft.com
>>>> http://www.storagecraft.com
>>>>
>>>>
>>>
>>>
>>>
>>> —
>>> Questions? First check the IFS FAQ at
>>> https://www.osronline.com/article.cfm?id=17
>>>
>>> You are currently subscribed to ntfsd as: xxxxx@volny.cz
>>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>>
>>>
>>
>>
>
>
>

Paging I/O is the read or write operation, when Memory
Manager (MM) reads or writes pages of the file from/to
the volume.

But as David pointed out, you really should study some
documentation and a book about file systems. Without it,
you will loose time with questions like this (not that no one
gives you an advice, but gathering knowledge this way
is vveeeerrryyy ssslloooowwww).

L.

Paging IO is a sub-kind of noncached IO. Must I continue?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “ben”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Friday, July 29, 2005 6:30 AM
Subject: Re:[ntfsd] When to encrypt and when to decrypt??

> Dear Shatskih,
>
> I am writing a encryption filter driver, and must we deal with the Paging IO
> in my filter Driver?
>
> Ben
>
> “Maxim S. Shatskih” ???:xxxxx@ntfsd…
> > >a) What am I doing wrong that it encrypts too often or not too often?
> >>b) When should I encrypt and when should I decrypt?
> >>c) Should I encrypt during FastIO?
> >
> > Note:
> > a) the OS has cache, which is a set of pages
> > b) the same pages are directly mapped to processes in MapViewOfFile.
> > Exactly
> > the same pages.
> >
> > This means - the cache must contain cleartext data.
> > And this in turn means - no crypto in FastIo, FastIo is between app and
> > cache,
> > not cache and media.
> >
> > Crypto must be in noncached IO IRPs - i.e. between app/cache and media.
> > This
> > includes the paging IO.
> >
> > The rest is - where to keep file encryption keys and how to manage the
> > different sizes for crypted and non-crypted files. For me, allowing the
> > size
> > difference (which will inevitably occur if you keep FEKs in files
> > themselves)
> > means 2-2.5 times more complex project.
> >
> > Keep FEKs in some database or the registry.
> >
> > Maxim Shatskih, Windows DDK MVP
> > StorageCraft Corporation
> > xxxxx@storagecraft.com
> > http://www.storagecraft.com
> >
> >
>
>
>
> —
> Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com