EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Custom encryption

Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.
Posted: 03/13/2008 09:52:54
by rsm  (Basic support level)
Joined: 04/18/2006
Posts: 14


We bought a license of SolFS (non driver edition).

We would like to load a custom X509 certificate from a PFX file and use it in custom encryption/decryption callbacks.

Can you please tell us how to do this?

Storage.SetFileEncryption(FullName, SolFS.SolFSEncryption.ecCustom256, "", "password");

Storage.OnDataEncrypt = new SolFS.SolFSCryptDataEvent(Custom_EncryptData);
Storage.OnDataDecrypt = new SolFS.SolFSCryptDataEvent(Custom_DecryptData);

protected void Custom_EncryptData(SolFSStorage Sender, byte[] key, byte[] data, uint ObjectID, uint PageIndex, ref Int32 Result)
// use PFX file to load certificate and encrypt byte[] data

protected void Sample_DecryptData(SolFSStorage Sender, byte[] key, byte[] data, uint ObjectID, uint PageIndex, ref Int32 Result)
// use PFX file to load certificate and decrypt byte[] data

Posted: 03/13/2008 10:30:09
by Eugene Mayevski (Team)

I have a ToDo task to write about PKI security n SolFS, but got no time to do this :(.

PKI-based encryption is done in several steps:
1) generate a session symmetric key
2) encrypt the symmetric key with certificate's public key and store the encrypted result somewhere.
3) decrypt the symmetric key with certificate's private key
4) use the symmetric key to encrypt the actual data (so your above comments in code are not applicable)
5) Besides encryption callbacks, you would also need to handle hashing callbacks.

The encrypted session key and the list of certificates can be stored in RootData of SolFS Storage.

Steps 4 and 5 are not at all specific to SolFS but are the same as encryption and hashing of any other data. So all of the above steps can be discussed in SecureBlackbox forum if you want to use SecureBlackbox. However if you want to use .NET classes or other library, we won't be able to give you any serious support (regarding their use) as we don't have knowledge about them (besides very basic things).

Sincerely yours
Eugene Mayevski
Posted: 03/13/2008 12:00:26
by rsm  (Basic support level)
Joined: 04/18/2006
Posts: 14

Hi Eugene,

Thanks for your reply!

Yes, we are using licensed copy of SecureBlackbox and SolFS.

We are trying to implement some thing like this -

1. Encrypt symmetric key used by SolFS with our X509 certificate.
2. Remove certificate hence making data inaccessible.
3. Restore certificate later hence making data accessible.

Our solution is going to be similar to EFS solution Microsoft implemented in Windows. Basically with certificate delete and restore, data becomes inaccessible and accessible.

Are we thinking in right direction?

We will appreciate any help or suggestions.


Posted: 03/13/2008 12:20:25
by Eugene Mayevski (Team)

You should keep the certificate's private key separated from the storage, of course. However, you can keep certificates themselves in the storage (in RootData) in order to look for it's private key when it's time to decrypt the data of the storage. The encrypted session key can also be kept in RootData.

RootData is never encrypted as it was designed for the task of keeping certificates and encrypted session keys.

Sincerely yours
Eugene Mayevski
Posted: 03/13/2008 13:26:10
by rsm  (Basic support level)
Joined: 04/18/2006
Posts: 14

Thank you Eugene for the advice!

We will do a little more research on session keys, and encryption and hashing callbacks in SolFS.

We will let you know if we have any further questions.

Posted: 03/14/2008 13:45:45
by Eugene Mayevski (Team)

Forgot to ask - did you read the discussion in Borland newsgroup or your idea for custom encryption was a coincidence?

I just thought that you don't need custom encryption to use the certificate (unless you need to move encryption from SolFS to your main code). You can generate the session key and use it as a passphrase for SolFS built-in encryption. One thing you should note, however, is that to get at least 128 bit security (and SolFS uses 256-bit keys internally) you need to have *very* long passphrase or 256-bit symmetric session key.

Sincerely yours
Eugene Mayevski
Posted: 03/18/2008 16:29:14
by tagnal (Standard support level)
Joined: 03/18/2008
Posts: 21

I have a question about the RootData section of a storage object. Say I have multiple files or object that I would want to store there (certificate, configuration file for my app, maybe some other text based files, objects, etc.) I noticed that the OpenRootData() method returns a SolFSStream but it does not appear to take a paramater such as a filename. Does this RootData section only contain one Object/File/Stream? What would be the recommended way to store multiple items here?

Would I need to create one big object that contains everything together and serialize it?

Is there a way to keep separate files within the RootData section?

Thanks in advance for any input you can give me.
Posted: 03/19/2008 01:21:36
by Eugene Mayevski (Team)

RootData is, as you have noticed, exactly one stream of data. If you have too much information to store there, you can use another SolFS storage in callback mode. Alternatively, you can use some component that works with INI files or XML files (depending on your development tool). In MsgConnect we have MCDataTree class that lets one put a registry-like structure into the stream which can be saved and loaded to/from SolFS.

Sincerely yours
Eugene Mayevski
Also by EldoS: SecureBlackbox
200+ components and classes for digital security, signing, encryption and secure networking.



Topic viewed 6644 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!