EldoS | Feel safer!

Software components for data protection, secure storage and transfer

encrypt/decrypt file in memory stream

#32964
Posted: 04/06/2015 23:07:51
by Mark Naples (Standard support level)
Joined: 07/02/2012
Posts: 4

I have a license for FTPSBlackbox client VCL edition and I'd like to use that to perform file encryption and decryption. I'll have an encrypted file (AES-256) on the disk, the application will read it into memory and decrypt it, write to it, then write it back to disk in encrypted format.

With the Eldos SBB package that I have, what is the best way to do this? I have multiple users using the same databases so I can't have the user enter a password, and I want the application to encrypt/decrypt automatically. I can either store the password securely and have the application retrieve it, or I can hardcode it into the application. I know that is not preferred, but the application is on a secure server with access via VPN given only to a small number of preapproved users. The likelihood of a legitimate user disassembling the exe file and discovering the password is nearly nil. Additionally, the data files are located on separate server with a secure connection between the two servers.

I'm hoping that you can provide information on this. If I run into problems with the implementation I'd like to use your custom services so I can get this resolved. Thank you.
#32966
Posted: 04/07/2015 00:25:12
by Eugene Mayevski (EldoS Corp.)

In simple cases you can use PKCS7/CMS encryption (see the TElMessageEncryptor and TElMessageDecryptor classes) with a self-signed certificate (the same as a password, but a certificate embedded into the application resources and obfuscated is much harder to find in the code). The mentioned classes can be used with any license, i.e. your existing one will fit.

The question is, however, how this data is expected to be read. If it's read and written by only one instance of your application, and the size of the data is relatively small (say, under 1 MB), then the above approach will work.

If you have larger amounts of data (e.g. you want a large encrypted file to be accessed from different instances of your application), the task becomes a bit more complicated. The main problem is concurrent access and the time needed to encrypt the data. Such a task can be solved by using, for example, our Solid File System (Application edition if you have all file access in one running process and OS edition if several processes can access the data in parallel).

If you have a DBMS whose files you want to encrypt, then SolFS is *the* right approach.


Sincerely yours
Eugene Mayevski
#32984
Posted: 04/07/2015 09:03:16
by Mark Naples (Standard support level)
Joined: 07/02/2012
Posts: 4

Hello and thank you.

The file is about 2 MB and there will be several concurrent users, but there are only 50 - 100 writes to the database over the course of the day by all users combined. Does this sound like an issue?

Also, how do I proceed with a formal request for you to incorporate the certificate work and encryption within a procedure, including instructions on how to obtain certificates on the server? Thank you again for your thoughtful answer.
#32986
Posted: 04/07/2015 09:16:13
by Eugene Mayevski (EldoS Corp.)

Quote
Mark Naples wrote:
The file is about 2 MB and there will be several concurrent users, but there are only 50 - 100 writes to the database over the course of the day by all users combined. Does this sound like an issue?


If all changes go through the same process (i.e. running EXE), then this should not be a big issue once you ensure that the data is not read/written concurrently.

Quote
Mark Naples wrote:
Also, how do I proceed with a formal request for you to incorporate the certificate work and encryption within a procedure, including instructions on how to obtain certificates on the server?


Sorry, I don't understand the question.


Sincerely yours
Eugene Mayevski
#32991
Posted: 04/07/2015 10:44:34
by Mark Naples (Standard support level)
Joined: 07/02/2012
Posts: 4

Thank you. You write "once you ensure that the data is not read/written concurrently." What method/code do I use to ensure this?

Is there sample code using TElMessageEncryptor and TElMessageDecryptor showing how to encrypt/decrypt from file to stream and also saving/retrieving certificates for use in those processes?
#32992
Posted: 04/07/2015 10:50:19
by Eugene Mayevski (EldoS Corp.)

Quote
Mark Naples wrote:
Thank you. You write "once you ensure that the data is not read/written concurrently." What method/code do I use to ensure this?


You use mechanisms like critical sections (see TCriticalSection class) to ensure that the code which accesses the data is executed in only one thread at the same time.

Quote
Mark Naples wrote:
Is there sample code using TElMessageEncryptor and TElMessageDecryptor showing how to encrypt/decrypt from file to stream and also saving/retrieving certificates for use in those processes?


Yes, you will find the sample in <SecureBlackbox>\Samples\Delphi\PKIBlackbox\PKCS7 folder.


Sincerely yours
Eugene Mayevski
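The two pieces of advice above (PKCS7/CMS with TElMessageEncryptor/TElMessageDecryptor and an embedded self-signed certificate, plus a TCriticalSection around all access) fit together as follows. This is an added example written for this page, not code from the thread, from EldoS or from the SecureBlackbox samples. The unit names (SBX509, SBCustomCertStorage, SBMessages, SBConstants), the TElMemoryCertStorage and TElX509Certificate classes, LoadFromStreamPFX, the CertStorage and Algorithm properties, the Encrypt/Decrypt(InStream, OutStream, InCount) signatures returning 0 on success, and the SB_ALGORITHM_CNT_AES256 constant are all assumed from the SecureBlackbox VCL API and should be checked against the installed version. The PFX file path, the `.tmp` naming and the `TModifyProc` callback are this example's own choices.

```delphi
unit EncryptedStore;
{ Added example, not from the thread or from EldoS: one read-modify-write
  cycle at a time (TCriticalSection) over a PKCS#7/CMS-encrypted file.
  Unit names, TElMemoryCertStorage, LoadFromStreamPFX, CertStorage/Algorithm,
  the Encrypt/Decrypt signatures and SB_ALGORITHM_CNT_AES256 are assumed
  from the SecureBlackbox VCL API; check them against the installed version. }
interface
uses
  SysUtils, Classes, SyncObjs, SBX509, SBCustomCertStorage, SBMessages, SBConstants;
type
  TModifyProc = procedure(Plain: TMemoryStream) of object;
// Loads the self-signed certificate with its private key once, at startup.
procedure InitStore(const PfxFileName, PfxPassword: string);
// Decrypts FileName into memory, lets Modify edit it, re-encrypts, writes back.
procedure UpdateEncryptedFile(const FileName: string; Modify: TModifyProc);
implementation
var
  Lock: TCriticalSection;        // serialises access within this process only
  Storage: TElMemoryCertStorage; // holds the recipient cert + private key

procedure InitStore(const PfxFileName, PfxPassword: string);
var Cert: TElX509Certificate; Pfx: TFileStream;
begin
  Cert := TElX509Certificate.Create(nil);
  // A TResourceStream over an embedded RCDATA blob can replace the file here.
  Pfx := TFileStream.Create(PfxFileName, fmOpenRead or fmShareDenyWrite);
  try
    if Cert.LoadFromStreamPFX(Pfx, PfxPassword) <> 0 then
      raise Exception.Create('Cannot load PFX certificate');
    Storage.Add(Cert, True); // True: copy the private key, needed to decrypt
  finally
    Pfx.Free;
    Cert.Free;
  end;
end;

procedure DecryptToStream(const FileName: string; Plain: TMemoryStream);
var Dec: TElMessageDecryptor; Cipher: TFileStream;
begin
  Dec := TElMessageDecryptor.Create(nil);
  Cipher := TFileStream.Create(FileName, fmOpenRead or fmShareDenyWrite);
  try
    Dec.CertStorage := Storage;
    if Dec.Decrypt(Cipher, Plain, 0) <> 0 then // 0 = read to end of stream
      raise Exception.Create('Decryption failed: wrong key or damaged file');
    Plain.Position := 0;
  finally
    Cipher.Free;
    Dec.Free;
  end;
end;

procedure EncryptFromStream(const FileName: string; Plain: TMemoryStream);
var Enc: TElMessageEncryptor; Tmp: TFileStream;
begin
  Enc := TElMessageEncryptor.Create(nil);
  Tmp := TFileStream.Create(FileName + '.tmp', fmCreate);
  try
    Enc.CertStorage := Storage;
    Enc.Algorithm := SB_ALGORITHM_CNT_AES256;
    Plain.Position := 0;
    if Enc.Encrypt(Plain, Tmp, 0) <> 0 then
      raise Exception.Create('Encryption failed');
  finally
    Tmp.Free;
    Enc.Free;
  end;
  // Replace the old file only once the new one is complete on disk.
  if FileExists(FileName) and not DeleteFile(FileName) then
    raise Exception.Create('Cannot replace ' + FileName);
  if not RenameFile(FileName + '.tmp', FileName) then
    raise Exception.Create('Cannot rename temporary file');
end;

procedure UpdateEncryptedFile(const FileName: string; Modify: TModifyProc);
var Plain: TMemoryStream;
begin
  Lock.Enter; // other threads of this process wait for the whole cycle
  try
    Plain := TMemoryStream.Create;
    try
      DecryptToStream(FileName, Plain);
      Modify(Plain);
      EncryptFromStream(FileName, Plain);
    finally
      if Plain.Size > 0 then
        FillChar(Plain.Memory^, Plain.Size, 0); // wipe plaintext before free
      Plain.Free;
    end;
  finally
    Lock.Leave;
  end;
end;

initialization
  Lock := TCriticalSection.Create;
  Storage := TElMemoryCertStorage.Create(nil);
finalization
  Storage.Free;
  Lock.Free;
end.
```

Call InitStore once when the application starts, then route every change through UpdateEncryptedFile from any thread; the lock covers decrypt, edit and re-encrypt as one unit, so a second writer never sees a half-updated file. Note that a critical section only serialises threads inside one EXE, which is exactly the situation the reply above assumes; if several processes open the same file, this gives no protection and something like the OS edition of SolFS or explicit file locking is needed instead. The whole 2 MB plaintext sits in memory for the duration of the edit, which is acceptable at this size and write rate but is the reason the approach does not scale to large files.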
#32993
Posted: 04/07/2015 11:16:50
by Mark Naples (Standard support level)
Joined: 07/02/2012
Posts: 4

Thank you. I do not have a PKCS7 folder but I do have a PKCS11 folder.

Can you provide a quotation to me for your developers to write an implementation of the TCriticalSection class and also the encryption/decryption and certificate assignment processes? I would rather have the experts do it than have me spend hours trying to learn what needs to be done.

Please let me know if you can provide this service. Thank you again for your prompt answers.
#32994
Posted: 04/07/2015 14:18:38
by Eugene Mayevski (EldoS Corp.)

If you have an older version of SecureBlackbox, the sample can be called MessagesDemo.

As for the service, I am afraid this is not easy, and here's why: I have described a tiny piece of code which would become an integral part of your application design. We can't develop a tiny piece without seeing how it will fit into the overall application. And learning this (together with you) will take more of your and our time than it would take you to learn about TCriticalSection.


Sincerely yours
Eugene Mayevski