Table of contents Up Previous Next Glossary Home   BestCrypt encryption details  

Data ciphering services in BestCrypt system are provided solely by Encryption Algorithm modules. The Encryption Algorithm module is separate kernel mode driver that concerns encryption and decryption operations. Isolating encryption/decryption functionality in the sole module allows to achieve the following advantages:

  1. The encryption key is stored in alone place, and only Encryption Algorithm module is informed about storing the key. It is the Encryption Algorithm module who creates the Key Handles for the keys and supports the consistency between the key handles and the key data. All the rest of the BestCrypt software have no relation to the encryption key data. That feature of the BestCrypt architecture allows to support the software security in the easiest way.
  2. Including additional Encryption Algorithm modules to the BestCrypt software is rather easy because recompiling other BestCrypt modules is unnecessary.
NOTE: The assertion that the Encryption Algorithm module is alone informed about encryption key data implies one exception. Creating encryption key data is a target of the Key Generation module, so there is a short period when the encryption key data are stored in its memory. This interval may be estimated as a time required for reading about 1 Kbyte of data from the file and decrypting them. Then the Key Generation module passes the encryption key to the Encryption Algorithm driver and cleans the memory allocated for the encryption key. The source codes of the Key Generation module are available for public access, so you have a chance to evaluate its security degree youself.

Encryption Algorithm module consists of two essential parts (see figure):
  1. Encryption Algorithm code itself. Three functions must be provided: KeyExtend, Encrypt and Decrypt. Details are discussed in Encryption Algorithm module example.
  2. Common wrapper implementing some key features. Wrapper code provides key management and storage, encryption and driver-related stuff. Wrapper functions are considered in details below.

bc_alg.c wrapper functions in brief
make_key Takes original encryption key and 512-byte pseudo-random block (pool) provided by Key Generator as input values and returns key handle back. make_key also calls Encryption Algorithm's KeyExtend function and stores extended key along with pool in private array (see figure above).
test_key Takes key handle as input value and verifies its correctness. Return value is key handle validity.
lock_key Locks (or unlocks) key unit corresponding to supplied key handle. Locked keys cannot be deleted.
free_key Deletes key unit identified by supplied key handle. Upon success, all data related to that key unit are wiped.
encrypt

Requires following input values: key handle, initialization vector, source and destination buffers and data length. BestCrypt encryption functions work with 512-byte data blocks; size is implied by 512-byte disk sector size.

First, source data and initialization vector are exclusize OR-ed with pool (pseudo-random data block associated with encryption key). Thus predictable data sequences are being broken.

Next, modified source data and initialization vector are passed to Encryption Algorithm's Encrypt function. The result is an encrypted data block

decrypt decrypt function is reverse to encrypt

  Table of contents Up Previous Next Glossary Home   Top