SFTP CryptoProvider

#18836
Posted: 01/27/2012 08:20:00
by Stanisław Jankowski (Basic support level)
Joined: 12/06/2011
Posts: 20

Hello!

I would like to know which CryptoProvider class is used by ElSimpleSftpClient. Is it ElBuiltInCryptoProvider or maybe ElWin32CryptoProvider?

By the way, does ElBuiltInCryptoProvider support AES-NI (Intel Advanced Encryption Standard) instructions?

The second question is whether I can replace the CryptoProvider used by the ElSimpleSftpClient class with another one, in a way similar to PKI Blackbox? I ask because I can't find any information about it in the documentation. I found the SetCryptoProviderManager() method in the ElSimpleSftpClient class. The problem is that I don't know how to use it properly to set the CryptoProvider.

Best regards,
Staszek
#18837
Posted: 01/27/2012 09:00:16
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Quote
I would like to know which CryptoProvider class is used by ElSimpleSftpClient. Is it ElBuiltInCryptoProvider or maybe ElWin32CryptoProvider?

TElBuiltInCryptoProvider is used by default.

Quote
By the way, has the ElBuiltInCryptoProvider support for AES-NI (Intel Advanced Encryption Standard) instructions?

No, it doesn't.

Quote
The problem is that i don't know how to use it properly to set the CryptoProvider.

There are two crypto provider managers available: TElBuiltInCryptoProviderManager and TElFIPSCompliantCryptoProviderManager. You can assign them to the component's CryptoProviderManager property using SBCryptoProvManager.DefaultCryptoProviderManager() and SBCryptoProvManager.FIPSCompliantCryptoProviderManager() functions. What SBB edition (VCL, .NET, Java) do you use?
#18838
Posted: 01/27/2012 09:08:35
by Stanisław Jankowski (Basic support level)
Joined: 12/06/2011
Posts: 20

Thanks for response.
I'm using .NET API.

Staszek
#18839
Posted: 01/27/2012 09:54:37
by Ken Ivanov (EldoS Corp.)

Generally speaking, saying that "some component" (e.g. TElSimpleSFTPClient) uses or doesn't use some cryptographic provider is not quite accurate. The SecureBlackbox runtime maintains a set of cryptographic providers that can use different services for performing cryptographic operations. It is not a requirement that *all* the cryptographic operations used by a component are performed by the same cryptographic provider. For instance, under the default configuration all the SBB components use native implementations of cryptographic algorithms; the only exceptions are public key operations involving non-exportable private keys (e.g. protected by CryptoAPI or stored on hardware security modules). This way, TElSimpleSFTPClient can use a PKCS#11 or Win32 cryptographic provider if the user's private key is stored on a security token.

Typical combinations of cryptographic providers are deployed as cryptographic provider manager classes. Each cryptographic provider manager declares a set of rules for when to use one or another cryptoprovider. The default manager works in the way I described above (forces use of the built-in provider except for operations with non-exportable keys). Another manager, FIPSCompliantCryptoProviderManager, forwards all the cryptographic operations to FIPS-compliant Win32 CryptoAPI cryptographic providers, switching the built-in provider off. This in particular results in a significant narrowing of the set of supported algorithms.

Quote
The second question is if I can replace the CryptoProvider used by ElSimpleSftpClient class with another one in the way similiar as in PKI Blackbox?

It depends on what exactly you need to achieve with this operation. Could you please elaborate on your goal a bit?
#18849
Posted: 01/30/2012 01:50:34
by Stanisław Jankowski (Basic support level)
Joined: 12/06/2011
Posts: 20

As Vsevolod wrote, ElBuiltInCryptoProvider does not support the AES-NI processor instructions. MSDN says that the Win32 crypto API uses AES-NI.

So I want to choose a crypto provider for ElSimpleSftpClient which uses the Win32 crypto API to encrypt the SFTP communication. The main goal is to make the SecureBlackbox .NET SFTP library use the AES-NI processor instructions, because it should give a significant performance boost.

As I understand, I should set the FIPSCompliantCryptoProviderManager in my application. Can you write a code snippet in .NET showing how to do it correctly?
#18850
Posted: 01/30/2012 02:17:23
by Vsevolod Ievgiienko (EldoS Corp.)

You can simply disable ElBuiltInCryptoProvider using this code:
Code
// SftpClient is an existing TElSimpleSFTPClient instance.
// Take the runtime's default crypto provider manager and switch off its built-in provider,
// so cryptographic operations fall through to the remaining (Win32 CryptoAPI) providers.
TElBuiltInCryptoProviderManager mgr = SBCryptoProvManager.Unit.DefaultCryptoProviderManager();
mgr.BuiltInCryptoProvider.Enabled = false;
SftpClient.CryptoProviderManager = mgr;

It's possible that you'll need to disable some algorithms using the ElSimpleSFTPClient.EncryptionAlgorithms property, because they become unsupported after this change.
#18851
Posted: 01/30/2012 02:26:04
by Stanisław Jankowski (Basic support level)
Joined: 12/06/2011
Posts: 20

It is exactly what I need. Thank you.
#18858
Posted: 01/30/2012 04:39:25
by Ken Ivanov (EldoS Corp.)

A small correction: a far better choice would be assigning the FIPSCompliantCryptoProviderManager to SFTP client's CryptoProviderManager property. This will help ensure that native Win32 CSPs (and not some add-on ones e.g. installed with some HSM firmware) will be used. So the code will actually look like

Code
// Route every cryptographic operation through the FIPS-compliant manager
// (native Win32 CSPs only; the built-in provider is switched off by this manager).
SftpClient.CryptoProviderManager = SBCryptoProvManager.Unit.FIPSCompliantCryptoProviderManager();
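The goal in this thread is to get AES-NI in play, so one check worth running before swapping provider managers is whether the machine's CPU exposes the instructions at all. The following C program is an added example, not code from the thread or from SecureBlackbox: it reads CPUID leaf 1 and tests ECX bit 25 (the AES-NI feature flag), using the GCC/Clang cpuid.h helper or the MSVC intrinsic, and returns 0 on non-x86 targets where CPUID does not exist. Even when the bit is set, whether a given Win32 CSP actually takes the AES-NI code path is a property of that provider and the Windows version, which this thread does not establish; the check only rules out the case where no provider could.

```c
#include <stdio.h>

#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
#include <cpuid.h>
#elif defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
#endif

/* AES-NI is advertised in CPUID leaf 1, register ECX, bit 25.
   This helper only examines the register value, so it can be exercised
   with constructed inputs independent of the host CPU. */
int aesni_bit_set(unsigned int ecx)
{
    return (int)((ecx >> 25) & 1u);
}

/* Query the running CPU. Returns 1 if AES-NI is present, 0 if it is absent
   or if the build target is not x86/x86-64 (CPUID is an x86 instruction). */
int cpu_has_aesni(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && (defined(__GNUC__) || defined(__clang__))
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    /* __get_cpuid returns 0 if leaf 1 is not supported by this CPU. */
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return aesni_bit_set(ecx);
#elif defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
    int regs[4]; /* EAX, EBX, ECX, EDX */
    __cpuid(regs, 1);
    return aesni_bit_set((unsigned int)regs[2]);
#else
    return 0;
#endif
}

int main(void)
{
    printf("AES-NI: %s\n", cpu_has_aesni() ? "present" : "absent");
    return 0;
}
```

Build with `gcc -O2 -o aesni aesni.c` (or `cl aesni.c` on Windows) and run it on the machine that will host the SFTP client; if it prints "absent", no provider manager choice will yield hardware AES.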