Reasonable to put the encryption module for an encrypted filesystem driver outside the kernel?

Hello,

from my point of view I would put the encryption module (which belongs
close to the file system driver) inside the kernel.
On the other hand I could mention that encryption is not a task for a
kernel and therefore I should put the encryption module outside kernel.

May I ask for your option?

Thank you for your efforts!
--

h.wulff
[dont send me an email]

pavel_a
Thu Jan 13 09:29:05 CST 2005

"h.wulff" wrote:
> Hello,
>
> from my point of view I would put the encryption module (which belongs
> close to the file system driver) inside the kernel.
> On the other hand I could mention that encryption is not a task for a
> kernel and therefore I should put the encryption module outside kernel.
>
> May I ask for your option?

Whatever you decide - you're right :)

--PA

cristalink
Thu Jan 13 13:15:21 CST 2005

> is not a task for a kernel
Why not? There's a system driver that does encryption for NTFS and IPSEC.
--
http://www.firestreamer.com - NTBackup to DVD and DV


"h.wulff" <zuhause@aol.com> wrote in message
news:MPG.1c508a8861defea5989694@news.t-online.de...
> Hello,
>
> from my point of view I would put the encryption module (which belongs
> close to the file system driver) inside the kernel.
> On the other hand I could mention that encryption is not a task for a
> kernel and therefore I should put the encryption module outside kernel.
>
> May I ask for your option?
>
> Thank you for your efforts!
> --
>
> h.wulff
> [dont send me an email]

Maxim
Thu Jan 13 15:23:27 CST 2005

> Why not? There's a system driver that does encryption for NTFS and IPSEC.

Are you sure IPSEC uses the same FIPS as EFS?

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Maxim
Thu Jan 13 15:22:55 CST 2005

Passing the cleartext via inverted call path is a drawback for me.

Just find some open-licensed (not GNU!) crypto code and port it to Windows
kernel. Task done.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"h.wulff" <zuhause@aol.com> wrote in message
news:MPG.1c508a8861defea5989694@news.t-online.de...
> Hello,
>
> from my point of view I would put the encryption module (which belongs
> close to the file system driver) inside the kernel.
> On the other hand I could mention that encryption is not a task for a
> kernel and therefore I should put the encryption module outside kernel.
>
> May I ask for your option?
>
> Thank you for your efforts!
> --
>
> h.wulff
> [dont send me an email]

cristalink
Thu Jan 13 15:40:30 CST 2005

> Are you sure IPSEC uses the same FIPS as EFS?

No, I don't. However,
http://www.microsoft.com/technet/Security/topics/issues/fipseval.mspx says
that <<Both IPSEC and EFS in Windows 2000, XP, and Server 2003 use the
FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated Kernel Mode
Cryptographic Module to encrypt the traffic packet data and file contents
respectively if configured appropriately with the selections of FIPS
compliant algorithms.>>
--
http://www.firestreamer.com - NTBackup to DVD and DV


"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:%23scaGYb%23EHA.1188@tk2msftngp13.phx.gbl...
>> Why not? There's a system driver that does encryption for NTFS and IPSEC.
>
> Are you sure IPSEC uses the same FIPS as EFS?
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> maxim@storagecraft.com
> http://www.storagecraft.com
>
>

cristalink
Thu Jan 13 15:54:43 CST 2005

I meant to say no, I am not [sure]. But it's quite likely the same fips is
used by both.

See also http://support.microsoft.com/default.aspx?scid=kb;en-us;272173

--
http://www.firestreamer.com - NTBackup to DVD and DV


"cristalink" <cristalink@nospam.nospam> wrote in message
news:et3aCib%23EHA.2804@TK2MSFTNGP15.phx.gbl...
>> Are you sure IPSEC uses the same FIPS as EFS?
>
> No, I don't. However,
> http://www.microsoft.com/technet/Security/topics/issues/fipseval.mspx says
> that <<Both IPSEC and EFS in Windows 2000, XP, and Server 2003 use the
> FIPS-140-1 or FIPS 140-2 (as appropriate) evaluated Kernel Mode
> Cryptographic Module to encrypt the traffic packet data and file contents
> respectively if configured appropriately with the selections of FIPS
> compliant algorithms.>>
> --
> http://www.firestreamer.com - NTBackup to DVD and DV
>
>
> "Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
> news:%23scaGYb%23EHA.1188@tk2msftngp13.phx.gbl...
>>> Why not? There's a system driver that does encryption for NTFS and
>>> IPSEC.
>>
>> Are you sure IPSEC uses the same FIPS as EFS?
>>
>> --
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> maxim@storagecraft.com
>> http://www.storagecraft.com
>>
>>
>
>

h
Sun Jan 16 09:47:08 CST 2005

Hello,

thanks for your answer.

What is so evil about GNU?
That I have to publish my changes?

In article <ecASzXb#EHA.3372@TK2MSFTNGP10.phx.gbl>,
maxim@storagecraft.com says...
> Passing the cleartext via inverted call path is a drawback for me.
>
> Just find some open-licensed (not GNU!) crypto code and port it to Windows
> kernel. Task done.
>
>

--

h.wulff
[dont send me an email]

Maxim
Sun Jan 16 10:17:18 CST 2005

> What is so evil about GNU?
> That I have to publish my changes?

Yes. So, you cannot borrow from GNU in a box commercial product - you can do
this for a solution for a single particular customer though, in this case, the
responsibility of publishing the updates is it customer's.

As about public domain - they are free as sunshine. According to some US laws
(of some state at least), any scientific work results done for governemental
money is either classified or - if the military do not want to classify - is
public domain. No intellectual property at all. From what I know, most of
FreeBSD is such.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

Don
Sun Jan 16 10:47:02 CST 2005

Actually, there used to be (and may still be) a federal law that if the
government funded the research or the equipment you ran on the work was in
the public domain. 30 years ago in college, I remember signing numerous
forms to use a computer in some cases. The public domain software was used
as the basis of a number of firms products, including Oracle.

My complaint with GNU is you cannot make money developing open source
software. Yes you can be paid by a hardware firm to develop it (some of us
don't enjoy that environment), or you can make a product that is hard to use
and charge for support. I had a product idea that I asked some professors
big into GNU how to do for Linux, their answer was charge for support. I
pointed out that much of the design of the product was to make it easy to
use, their response was "rip that out and make all those steps manual with
hard to understand commands". These were professors from one of the better
engineering schools in the country!


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:ujjS8a%23%23EHA.3120@TK2MSFTNGP12.phx.gbl...
> > What is so evil about GNU?
> > That I have to publish my changes?
>
> Yes. So, you cannot borrow from GNU in a box commercial product - you can
do
> this for a solution for a single particular customer though, in this case,
the
> responsibility of publishing the updates is it customer's.
>
> As about public domain - they are free as sunshine. According to some US
laws
> (of some state at least), any scientific work results done for
governemental
> money is either classified or - if the military do not want to classify -
is
> public domain. No intellectual property at all. From what I know, most of
> FreeBSD is such.
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> maxim@storagecraft.com
> http://www.storagecraft.com
>
>