EldoS | Feel safer!

#27689
Posted: 12/17/2013 02:33:49
by Rico Domonkos (Basic support level)
Joined: 12/17/2013
Posts: 4

Hello!

I'm new to this.
Where should I apply encryption for the virtual disk?
I want the image to be encrypted, so on the fly encryption/decryption needed.
Any advices on this?

Thanks in advance.
#27691
Posted: 12/17/2013 03:00:22
by Volodymyr Zinin (EldoS Corp.)

Hello,

Thank you for your interest in CallbackDisk. You can add the code to encrypt in the OnWrite callback and to decrypt in the OnRead callback. The chunk of data to read/write is always a multiple of the sector size, so it isn't hard to use a block cipher in this case.
#27692
Posted: 12/17/2013 03:44:45
by Rico Domonkos (Basic support level)
Joined: 12/17/2013
Posts: 4

Quote
Vladimir Zinin wrote:
Hello,

Thank you for your interest in CallbackDisk. You can add the code to encrypt in the OnWrite callback and to decrypt in the OnRead callback. The chunk of data to read/write is always a multiple of the sector size, so it isn't hard to use a block cipher in this case.


Thank you Vladimir!
I cannot find the OnWrite and OnRead callbacks; are you referring to the OnReadFile and OnWriteFile callbacks instead?

According to the help, the OnWriteFile callback will only succeed when the number of bytes written is the same as the Count parameter.

I'd like to use the System.Security.Cryptography namespace for asymmetric RSA encryption. Is that possible with your library? Can you please provide an example for that?

If it works, then I'm sold.

Thanks!
#27693
Posted: 12/17/2013 06:00:42
by Eugene Mayevski (EldoS Corp.)

Yes, they are historically named OnReadFile and OnWriteFile. Still, those events refer to the backend storage (which is often a file) and not to the file on the filesystem that you expose.

These events require that you read X actual (decrypted) bytes from the disk or write Y decrypted bytes to the disk. It is up to you, where, how and in which format to store those bytes. This means that you can compress data blocks and store them compressed or encrypt them, as you like.

For example, your backend storage can have a reserved space of 1Kb (1024) in the beginning of the file where you store encryption-related information. Now when the OS asks you to write the data at position 0, you write it to the backend storage at position 1024. And if the OS asks you to read the 1Kb-large block on position 4096, you read it from position 5120.

Now about encryption. You already know that large amounts of data (larger than ~100 bytes for a 1024-bit RSA key) are not encrypted with RSA directly. Instead the data is encrypted with a random key and some symmetric algorithm (nowadays AES is popular), then the key itself is encrypted using RSA and stored somewhere.

If you want to implement per-file encryption where different files are to be encrypted using different keys or different algorithms, other products, such as SolFS OS edition or Callback File System will work better. Please see the comparison on https://www.eldos.com/virtual-storage/vs_compare.php


Sincerely yours
Eugene Mayevski
#27694
Posted: 12/17/2013 08:16:13
by Rico Domonkos (Basic support level)
Joined: 12/17/2013
Posts: 4

Thanks Eugene,


So I should use a symmetric block cipher algorithm, and store the RSA-encrypted key somewhere else (for example in the first x bytes of the file).

I'm not so familiar with encryption, will the encrypted block size differ from the original? If I encrypt a block of 512 bytes with AES, the encrypted block is also 512 bytes in length?

In the meanwhile I'm going to check if your other product is more suitable for us.

Thanks in advance!

Rico
#27695
Posted: 12/17/2013 08:38:28
by Eugene Mayevski (EldoS Corp.)

Don't get me wrong but it's not a very good idea to develop security-related software without good knowledge of security. It's easy to overlook certain factors which will become an attack vector.

When talking about CallbackDisk, where reads and writes are always done in blocks of fixed length (though there can be several blocks in one read/write request), it's a good idea to derive the encryption key from the random session key and the block number (in other words, from the offset from the storage beginning), but the derivation must be non-linear. This is necessary to prevent attacks based on known plaintext and some other attacks.

Things become more complicated when random access to the file data is needed. Special encryption modes are used there to turn block encryption into stream encryption.

Quote
Rico Domonkos wrote:
If I encrypt a block of 512 bytes with AES, the encrypted block is also 512 bytes in length?


Yes, in the case of AES it's so, because it works with 16-byte blocks.


Sincerely yours
Eugene Mayevski
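As an added example (not code from this thread or from EldoS's CallbackDisk), the following Go model puts Eugene's two replies together: a 1024-byte header reserved at the start of the backend, sector-sized AES encryption that keeps 512 bytes as 512 bytes, and a per-sector key derived non-linearly (HMAC-SHA256) from the session key and the block number. The backend is an in-memory byte slice standing in for the backend file, the callback names are borrowed from the thread, and the session key is a constructed stand-in for the random key that would be RSA-wrapped into the header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

const (
	SectorSize = 512  // the callbacks always move whole sectors, so a sector is the encryption unit
	HeaderSize = 1024 // reserved at the start of the backend file for the RSA-wrapped session key
)

// sectorCipher derives a per-sector AES-128 key and CBC IV as HMAC-SHA256(sessionKey, blockNo),
// a non-linear function of the block number, so no two sectors share key material.
func sectorCipher(sessionKey []byte, block uint64) (cipher.Block, []byte) {
	m := hmac.New(sha256.New, sessionKey)
	binary.Write(m, binary.BigEndian, block)
	sum := m.Sum(nil)
	c, _ := aes.NewCipher(sum[:16]) // a 16-byte key is always valid, so no error is possible here
	return c, sum[16:]
}

// OnWriteFile models the write callback: each sector of data is encrypted under its own derived
// key and stored at diskOffset+HeaderSize, so a write at disk offset 0 lands at backend offset
// 1024. AES-CBC over a 512-byte sector produces exactly 512 bytes, so nothing else moves.
func OnWriteFile(backend, sessionKey []byte, diskOffset int64, data []byte) int {
	for i := 0; i < len(data); i += SectorSize { // len(data) is a sector multiple, as CallbackDisk guarantees
		pos := diskOffset + int64(i)
		c, iv := sectorCipher(sessionKey, uint64(pos/SectorSize))
		cipher.NewCBCEncrypter(c, iv).CryptBlocks(backend[HeaderSize+pos:HeaderSize+pos+SectorSize], data[i:i+SectorSize])
	}
	return len(data) // the callback must report the full count for the write to succeed
}

// OnReadFile is the inverse: ciphertext at diskOffset+HeaderSize is decrypted sector by sector.
func OnReadFile(backend, sessionKey []byte, diskOffset int64, count int) []byte {
	out := make([]byte, count)
	for i := 0; i < count; i += SectorSize {
		pos := diskOffset + int64(i)
		c, iv := sectorCipher(sessionKey, uint64(pos/SectorSize))
		cipher.NewCBCDecrypter(c, iv).CryptBlocks(out[i:i+SectorSize], backend[HeaderSize+pos:HeaderSize+pos+SectorSize])
	}
	return out
}
```

A read the OS issues at disk offset 4096 therefore comes from backend offset 5120, exactly as described above. For a real product, a mode built for disk encryption such as AES-XTS is preferable to this hand-rolled per-sector CBC, which is shown only to make the derivation and offset arithmetic concrete.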
#27697
Posted: 12/17/2013 09:20:39
by Rico Domonkos (Basic support level)
Joined: 12/17/2013
Posts: 4

Thanks for the heads-up, Eugene!

I'm on my way through the topic, having bought books on security and encryption.
Thanks though for your kind help.

Best regards,

Rico