EldoS | Feel safer!

Software components for data protection, secure storage and transfer

S3 Storage Demo Fails

#15227
Posted: 12/06/2010 22:20:19
by Eric Lenington (Standard support level)
Joined: 12/06/2010
Posts: 37

Trying to use the S3 storage demo under D2009 (compiles and runs with no errors) with known-working AWS credentials (two sets, in fact), I get a "403 Forbidden" immediately upon connection.
#15231
Posted: 12/07/2010 02:26:10
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Could you please check whether you are using the latest SBB build (8.1.191)? If you don't, please upgrade to it and check if the issue persists.
#15238
Posted: 12/07/2010 08:03:51
by Eric Lenington (Standard support level)
Joined: 12/06/2010
Posts: 37

Yes. I just downloaded and installed yesterday. I tried the D2009 pre-built by itself and also then with the source. Both act identically.
#15240
Posted: 12/07/2010 08:11:25
by Ken Ivanov (EldoS Corp.)

Hmm, it is possible that something got broken on our side, or something has changed there at Amazon. I will check this right now.
#15244
Posted: 12/07/2010 10:27:38
by Ken Ivanov (EldoS Corp.)

It appears that S3 support in the Unicode VCL edition has been broken in one of the latest builds. I am really sorry for that.

We are working on the fix at the moment. The fix will go into the next SecureBlackbox build update, which we plan to publish in a few days. We can also provide you with the fix as soon as it is available, so that you do not have to wait for the official build. Just let us know.
#15245
Posted: 12/07/2010 11:06:29
by Eric Lenington (Standard support level)
Joined: 12/06/2010
Posts: 37

Well, at least I'm not crazy. Yes, please do send me the fix as soon as it's available. This is on the short-list of my project.

Thank you!

PS - Do you have any app notes or other documentation on using S3 with "simple/generic" encryption keys (i.e. our first objective is to encrypt/decrypt files to/from S3 without using an X.509 cert)?
#15246
Posted: 12/07/2010 13:23:33
by Ken Ivanov (EldoS Corp.)

Unfortunately, there are no guidelines available except the documentation itself (http://www.eldos.com/documentation/sb...dler.html). As a matter of fact, the only properties you need to set are DataEncryptionAlgorithm, KeyEncryptionAlgorithm and GenericEncryptionKey.

I will create a Helpdesk ticket for you now and post the fixed S3 source file there.
#15247
Posted: 12/07/2010 13:33:25
by Eric Lenington (Standard support level)
Joined: 12/06/2010
Posts: 37

OK. Setting DataEncryptionAlgorithm and GenericEncryptionKey makes sense, but what is the purpose of setting the KeyEncryptionAlgorithm? I read that property as "algorithm to use to encrypt the key", but when doing generic key encryption, I wouldn't think the key is getting encrypted at all.
#15249
Posted: 12/07/2010 18:02:34
by Ken Ivanov (EldoS Corp.)

In fact, it is. SecureBlackbox uses a session key scheme to encrypt the data. The object itself is encrypted with a random encryption key (which is called the "session key"). The session key, in turn, is encrypted with the key supplied by the user (the one you assign to the GenericEncryptionKey property). Such a scheme allows the data to be encrypted with multiple different keys, with the possibility of being later decrypted with any of them. Besides, as the data is encrypted with a cryptographically strong random key, this scheme provides a higher security level (compared to encrypting data directly with the user-supplied key).
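The session key scheme Ken describes above (a random key encrypts the object, and that key is wrapped separately under each user-supplied key) is shown below as an added, self-contained Go example. It is not SecureBlackbox code and makes no claim about SecureBlackbox's actual file format or algorithm choices: the use of AES-256-GCM for both the object and the key wrapping, the `Envelope` structure that carries the wrapped keys alongside the ciphertext, and the sample keys are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the constructed container used by this example: the object
// ciphertext plus one wrapped copy of the session key per user key.
type Envelope struct {
	Nonce       []byte            // GCM nonce for the object ciphertext
	Ciphertext  []byte            // object encrypted under the random session key
	WrappedKeys map[string][]byte // key id -> nonce || session key encrypted under that user key
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails on a wrong key or on tampering.
func open(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt encrypts the object once under a random 256-bit session key and wraps
// that session key under every user key, so any one of them can recover the object.
func Encrypt(plaintext []byte, userKeys map[string][]byte) (*Envelope, error) {
	if len(userKeys) == 0 {
		return nil, errors.New("at least one user key is required")
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(sessionKey, plaintext)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKeys: make(map[string][]byte)}
	for id, uk := range userKeys {
		wn, wk, err := seal(uk, sessionKey)
		if err != nil {
			return nil, fmt.Errorf("wrapping session key for %q: %w", id, err)
		}
		env.WrappedKeys[id] = append(wn, wk...)
	}
	return env, nil
}

// Decrypt unwraps the session key with the named user key, then decrypts the object.
func Decrypt(env *Envelope, id string, userKey []byte) ([]byte, error) {
	blob, ok := env.WrappedKeys[id]
	if !ok {
		return nil, fmt.Errorf("no wrapped session key for %q", id)
	}
	aead, err := newGCM(userKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("malformed wrapped key")
	}
	sessionKey, err := open(userKey, blob[:ns], blob[ns:])
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key for %q: %w", id, err)
	}
	return open(sessionKey, env.Nonce, env.Ciphertext)
}

func main() {
	// Constructed sample keys for the demonstration only.
	alice := []byte("alice-32-byte-key-0123456789abcd")
	bob := []byte("bob-32-byte-key-00123456789abcde")
	env, err := Encrypt([]byte("object destined for S3"), map[string][]byte{"alice": alice, "bob": bob})
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(env, "bob", bob)
	fmt.Printf("%q %v\n", pt, err)
}
```

Each object gets its own fresh session key, and the wrapped copies of that key travel with the ciphertext in this example's `Envelope`, so nothing but the user key needs to be kept to decrypt later. Adding a recipient means wrapping the same session key once more; it never requires re-encrypting the object.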
#15251
Posted: 12/07/2010 19:50:36
by Eric Lenington (Standard support level)
Joined: 12/06/2010
Posts: 37

Thanks for the explanation. Conceptually that makes sense, but I'm a little fuzzy on some details:

1) I assume the session key is generated by the encryption handler "on demand" to encrypt a new file, but where is it stored afterward so I can use it later for decryption?

2) The KeyEncryptionAlgorithm options seem to all be symmetric. Shouldn't the key be encrypted with an asymmetric algorithm?

3) Please explain "Such scheme allows the data to be encrypted with multiple different keys, with the possibility of being later decrypted with any of them."
a) Is each file encrypted with only one key (its unique session key) or is a session key reused for several files over some duration?
b) Are you simply saying that the one unique session key can be encrypted by several different user keys, so that several users can each have a copy of the session key?


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
