EFS Encryption Decryption Performance

Similar Messages

• EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

  This is for information to help others
  KEYWORDS:
    - Sharing EFS encrypted files over a personal lan wlan wifi ap network
    - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
    - transfer encryption keys / certificates
    - set trusted delegation for user + computer for EFS encrypted files via
  Kerberos
    - Windows Active Directory vs network file share
    - Setting up WinDAV server on Windows 7 Pro / Ultimate
  It has been a long painful road to discover this information.
  I hope sharing it helps you.
  Using EFS on Windows 7 pro / ultimate is easy and works great. See
  here and
  here
  So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
  HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
  won't work (unless you follow below steps).
  Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
  Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
  Why such a EFS drama when a network is involved?
  Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
  When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
  another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
  (on behalf of the clienpc's data request).
  This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
  file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
  Solutions
  There are two main approaches to solve this:
       1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
            EFS operations occur on the computer storing the files.
            EFS files are decrypted then transmitted in plaintext to the client's computer
            This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
       2) SOLVE by setting up WebDAV (efs files accessed through web folders)
             EFS operations occur on the client's local computer
             EFS files remain encrypted during transmission to the client's local computer where it is decrypted
             This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
             BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
           READ BELOW as this does
  Create new encrypted file / folder on a network file share - via Active Directory
  It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
  here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
  and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
  Although this info is NOT for setting up EFS on an active directory domain [server],
  for those interested here is the gist:
  Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
  account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
  EFS.
  NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
  Create new encrypted file / folder on a network file share - via WebDAV
  For home users it is possible to make it all work.
  Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
  Setting up a wifi AP (for those less technical):
     a) START ... CMD
     b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
     c) type (no quotes): "netsh  wlan start hostednetwork"
  Set up a WebDAV server on Windows 7 Pro / Ultimate
  -----ON THE FILESERVER------
     1  click START and type "Turn Windows Features On or Off" and open the link
         a) scroll down to "Internet Information Services" and expand it.
         b) put a tick in: "Web Management Tools" \ "IIS Management Console"
         c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
         d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
         e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
         f) click ok
         g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
  KB892211 here ONLY for XP + Server 2003 (made in 2005)
  KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
    2 Click START and type "Internet Information Services (IIS) Manager"
    3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Enable WebDAV"
    4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
         a) on the "Anonymous Authentication" and click "Disable"
         b) on the "Windows Authentication" and click "Enable"
        NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
          It can be by changing registry key:
             [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
             BasicAuthLevel=2
         c) on the "Windows Authentication" click "Advanced Settings"
             set Extended Protection to "Required"
         NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
    5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Add Allow Rule"
         b) set this to "all users". This will control who can view the "Default Site" through a web browser
         NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
  clientpc.
         NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
    6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
         a) on the right side, under Actions, click "Enable"
  HOTFIX - double escaping
    7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
         a) on the right side, under Actions, click "Edit Feature Settings"
         b) tick the box "Allow double escaping"
       *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
       These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
       This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
  file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
    8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
         a) set the Alias to something sensible eg "D_Drive", set the physical path
         b) it is essential you click "connect as" and set
  this to a local user (on fileserver),
         if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
               NB: the user account selected here must have the required EFS certificates installed.
                          See
  here and
  here
          NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
        This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
         The work around is on the \\fileserver create an NTFS symbollic link
            e.g. to share the entire contents of "D:\",
                  on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                  in cmd in this folder create an NTFS symbolic link to "D:\"
                  so in cmd type "cd c:\inetpub\wwwroot"
                  then in cmd type "mklink /D D_Drive D:\"
          NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
           NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
  clientpc
    9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
         a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
         b) if some exist review existing allow or deny.
             Take care to not only review the "allow access to" settings
             but also review "permissions" (read/write/source)
         NB: this can be set here for all added virtual directories, or can be set under each virtual directory
    10 Open your firewall software and/or your router. Make an exception for port 80 and 443
         a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
               choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
            NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
  below, specifically "Cant find server due to network location"
         b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
  HOTFIX - MAJOR ISSUE - fix KB959439
    11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
        a) On Windows 7 you need only change one tiny registry value:
             - click START, type "regedit", open link
             -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
             -on the EDIT menu click NEW, then click DWORD Value
             -Type "DisableEFSOnWebDav" to name it (no speech marks)
             -on the EDIT menu, click MODIFY, type 1, then click OK 
             -You MUST now restart this computer for the registry change to take effect.
        b) On Windows Server 2008 / Vista / XP you'll FIRST need to
  download Windows6.0-KB959439 here. Then do the above step.
           NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
    12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
              It should show the default "IIS7" image.
              If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
          c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                  e.g. http://localhost/D_drive
              If nothing is listed, check "Directory Browsing" is enabled
    13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                It should show the default "IIS7" image. If not, check firewall and port blocking. 
                Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
         c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                 eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                 A directory listing of files should appear.
  --- ON EACH CLIENT ----
  HOTFIX - improve upload + download speeds
    14 Click START and type "Internet Options" and open the link
          a) click the "Connections" tab at the top
          b) click the "LAN Settings" button at the bottom right
          c) untick "Automatically detect settings"
  HOTFIX - remove 50mb file limit
    15 On Windows 7 you need only change one tiny registry value:
        a) click START, type "regedit", open link
        b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
         c) click on "FileSizeLimitInBytes"
         d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
  HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
   16 On each clientpc click START, type "Internet Options" and open it
           a) click on "Security" (top) and then "Custom level" (bottom)
           b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
           SUCH an easy fix. SUCH an annoying problem on a clientpc
     NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
  explorer.
  TEST SETUP
    17 On the client use the normal "map network drive"
              e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
              e.g. CMD: net use * "http://fileserver:80/C_drive"
           If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
  "manage network passwords") has NTFS permissions.
    18 Test that EFS is now working over the network
         a) On a clientpc, map network drive to http://fileserver/
         b) navigate to a folder you know on the \\flieserver is encrypted with EFS
         c) create a new folder, create a new file.
             IF it throws an error, check carefully you mapped to the WebDAV and not file share
                i.e. mapped to "http://fileserver" not "\\fileserver"
             Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
  account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
         d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
         e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
  clientpc decrypted it then copied it).
          If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
          If this is not readable check step (11) and that you restarted the \\fileserver computer.
    19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
        a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
              If a prompt for user+pass then check hotfix (16)
    20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
        a) see the last comment at the very bottom of
  this page: 
  Points to consider:
     - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
  either.
    - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
  MORE INFO: HOTFIX: RAW DATA TRANSFERS
  More info on step (11) above.
  Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
  it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
  Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
  Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
  Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
  file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
  There is a fix:
        It is implimented above, see (11) above
        Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
  Other problems + fixes
    PROBLEM: Can't find server due to network location.
       This one took me a long time to track down to "network location".
       Win 7 uses network locations "Home" / "Work" / "Public".
       If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
       This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
       FIX = either set IP address manually and specify a gateway
       FIX = or  force "unidentified" network locations to assume "home" or "work" settings -
  read here or
  here
       FIX = or  change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
  login to gain file access.
    PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
         By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
        Read
  here (i've posted a batch script to automatically make the required reg files)
  I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

  What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

• Encrypt-Decrypt in XI

  Hi ,
     Can any one explain me how do u perform encryption decryption in XI
     with an example.
     I Just knw that it is possible through Java  mapping.
    but i dont knw how to do it. can any one send a sample code on
    [email protected]
     Is it possible through ABAP mapping ?
  Regards

  Hi
  Go through this
  http://help.sap.com/saphelp_nw04s/helpdata/en/4f/65c3b32107964996a56e4165077e24/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2e7020d-0d01-0010-269c-a98d3fb5d16c
  http://help.sap.com/saphelp_nw04s/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
  /people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
  How to achieve encryption in XI
  Encryption in XI
  XI Encryption
  Thanks

• How to encrypt/decrypt xml data into, and then out of IDS?

  Hi,
  How would we encrypt NPPI information being passed from an unencrypted xml through IDS, and then decrypt it on exit prior to Gendata.
  The IDS SDK gave a reference to IDSEncryptionRule(), but insufficient examples of implementation.
  It could be something like a single tag element, or even the entire xml, it's just not clear how to make it happen using native IDS methods.
  Any thoughts or help to implement this security measure would be most welcome!
  Thanks so much!
  Edited by: lodit on Apr 10, 2013 2:56 PM

  Hi there,
  You would need to write a custom IDS rule that implements this function. You can refer to the IDS SDK book for info on writing a custom rule. IDSEncryptionRule does operations based on the request state received. Normally when an IDS rule is executed, the rules in the request type definition are executed with the RUN_FORWARD request state. Then they are executed with the RUN_REVERSE request state. An example of why this model is used would be the ATCReceiveFile. On RUN_FOWARD, it writes the contents of file segments in a message to a temporary file. Subsequent rules execute. Then on the RUN_REVERSE, the ATCReceiveFile does clean up routines to remove the temporary file.
  So, armed with that knowledge, you can use the IDSEncryptionrule to perform on RUN_FORWARD (decrypt message variables for subsequent processing by Documaker) and then on RUN_REVERSE (encrypt message variables to send back to the client).
  It should be apparent at this point that you need to use an encryption/decryption mechanism with the IDS client otherwise you won't be able to prepare the message to send or read the response. On the client side there are functions - consult the examples included in the IDS SDK (DSI_DSK in the installer package).
  --Andy                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Encrypt/decrypt same file with two different passwords

  Hi everyone:
  I'm quite new to Java and cryptography in general and have a theoretical question. Is the following scenario possible and how would it be implemented:
  Two users with two passwords (say, a regular user and a superuser) encrypt, decrypt, read from and write to the same file. The secret key for encryption and decryption should be based on their passwords (generated from their passwords), i.e. not stored anywhere on the system.
  I've been racking my brains but can't think of a way. Am I missing an obvious solution?
  Can it be done?
  Thanks,
  Michael

  I don't think you can avoid having more than just a password hash stored on the system. Using a combination of my approach and Jeff's approach I can implement this as long as you allow a password protected key store to be stored on each system. A given user's key store would contain his RSA private key and associated public key together with the admin user's RSA certificate (thought the admin user's public key could be stored in the program since it does not have to be kept private). The admin user's key store would contain only his RSA private and public keys.
  Assume that the data file is to be create by a standard non-admin user. His code performs the following actions -
  1) Generates a random symmetric algorithm key. Say a 128 bit AES key.
  2) He write a digest of this to the output file.
  3) He writes the random key encrypted with his public key to the file.
  4) He writes his public key (or certificate) to the file.
  5) He writes the random key encrypted with the admin users public key to the file.
  6) He encrypts the data using the random key writes the result to the file.
  This user can then update the file by
  1) reading from the file the digest of the random key.
  2) reading the random key encrypted with his public key.
  3) Decrypting this encrypted random key using his private key extracted from his keystore.
  4) Check the digest of this key to make sure he has the correct random key.
  5) skipping his certificate and the random key encrypted using the admin user's public key.
  5) Decrypting the data using the random key.
  6) Update the data.
  7) Re-encrypt the file as described in the first part using a new random key.
  The admin user can
  1) read from the file the digest of the random key.
  2) skip the random key encrypted using the user's public key.
  3) reading the user's public key from the file (for use later if the file needs to be updated).
  4) read the random key encrypted using the admin's public key.
  5) decrypting the random key using the admin's private key obtained from his key store.
  6) check the digest of the random key to make sure it is correct.
  7) decrypt the the data.
  The admin can edit the data since he can re-encrypt the data in a similar manner to the way it was created in the first place.

• Failed to call DBMS_CRYPTO.ENCRYPT / DECRYPT

  I tried to use Oracle 11gR2 DBMS_CRYPTO to perform AES256 encryption/decryption. From the Oracle Ref., it specifies "Security Model - Oracle Database installs this package in the SYS schema. You can then grant package access to existing users and roles as needed." So requested DBA to grant EXECUTE privilege for the SYS.DBMS_CRYPTO.
  I successfully run the SQL "select DBMS_CRYPTO.RANDOMBYTES(64) from dual;", but when I tried to implement Package body. The compiler prompted errors: PLS-00201: identified 'DBMS_CRYPTO' must be declared.
  Please kindly help and advise. Thanks!
  Src code of the package body:
  CREATE OR REPLACE PACKAGE BODY PKG_TOOLKIT AS
       g_encryption_type PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC     + DBMS_CRYPTO.PAD_PKCS5;
  FUNCTION encrypt (p_text IN VARCHAR2) RETURN RAW IS
       l_key VARCHAR2(512);
  l_text VARCHAR2(32767) := p_text;
  l_encrypted RAW(32767);          
  BEGIN
  getKey(l_key);
            l_encrypted := DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(l_text, 'AL32UTF8'),
  typ => g_encryption_type,
  key => UTL_I18N.STRING_TO_RAW(l_key, 'AL32UTF8'));
  RETURN l_encrypted;
  END;
  FUNCTION decrypt (p_raw IN RAW) RETURN VARCHAR2 IS
       l_key VARCHAR2(512);
  l_decrypted VARCHAR2(32767);
  BEGIN
  getKey(l_key);
            l_decrypted := DBMS_CRYPTO.DECRYPT(src => p_raw,
  typ => g_encryption_type,
  key => UTL_I18N.STRING_TO_RAW(l_key, 'AL32UTF8'));
  RETURN RTrim(UTL_I18N.RAW_TO_CHAR(l_decrypted, 'AL32UTF8'));
  END;
  END PKG_TOOLKIT;
  /

  From the Package DBMS_CRYPTO -> Grants, I found there is a privilege "EXECUTE" granted to grantee "ORADEV1". "ORADEV1" is the login ID I'm using to connect to Oracle. Can I tell whether the DBA is granting the privilege to this id or it's role thru Oracle Developer?

• Encryption vs performance

  As a laptop user I have always felt attracted by the use of encryption but as the laptop I am using is quite old (T23 - 1.13 Ghz / 256 RAM) I wonder if the gain of security would come at a too high price in terms of performance.
  Someone has used or is using encryption for a similar (or old in general) laptop and can share his/her experience in terms of gain/loss?
  Thanks in advance for any input.

  @fledermann
  No worries. Thanks anyway for the info.
  @Strike0
  I totally forgot about that. A kernel update came along and I thought 'Well, will reply after rebooting and paste it' but as usual new things started crossing my mind afterwards and in the end I did not include the results in my reply.
  The results are as follows:
  # Tests are approximate using memory only (no storage IO).
  PBKDF2-sha1 51522 iterations per second
  PBKDF2-sha256 46545 iterations per second
  PBKDF2-sha512 17210 iterations per second
  PBKDF2-ripemd160 75851 iterations per second
  PBKDF2-whirlpool 22080 iterations per second
  # Algorithm | Key | Encryption | Decryption
  aes-cbc 128b 21,6 MiB/s 30,7 MiB/s
  serpent-cbc 128b 12,8 MiB/s 16,5 MiB/s
  twofish-cbc 128b 36,1 MiB/s 38,1 MiB/s
  aes-cbc 256b 23,5 MiB/s 23,7 MiB/s
  serpent-cbc 256b 12,9 MiB/s 16,5 MiB/s
  twofish-cbc 256b 36,0 MiB/s 38,2 MiB/s
  aes-xts 256b 30,7 MiB/s 29,8 MiB/s
  serpent-xts 256b 12,9 MiB/s 16,4 MiB/s
  twofish-xts 256b 37,4 MiB/s 37,0 MiB/s
  aes-xts 512b 23,7 MiB/s 23,3 MiB/s
  serpent-xts 512b 13,0 MiB/s 16,3 MiB/s
  twofish-xts 512b 37,1 MiB/s 37,0 MiB/s
  As for ewaller's example I understood it both as an simple example of a possible encryption scheme and as the suggestion of using more than one security 'layer' depending on the needs. Taking into account your comment I presume I should disregard the example and focus more on the suggestion.
  Regarding the access of 'other legitimate users' I didn't mean to refer specifically to a spouse, partner etc. which I consider to be part of a trustworthy circle but to 3rd persons that ocassionally may use the equipment. Like a guest who wants to check his mail or the tech support in case something is wrong with the computer. Especially in the later case I have personal 1st hand experience of the technicians being at the same time (or even more) interested in going through the user's personal data (the client was a girl) and fixing the problem the computer had.
  Taking this into account you will understand that I don't consider myself the provider of any content for this or similar kind of people even if it the most harmless one can think of (still private in the end though).
  The size of the 'private container' is indeed a tricky thing, just like it is when thinking of how to setup the different partitions when installing a Linux distro.
  The size drcouzelis suggested looks fine to me, even, to some extent, excessive but I presume it is better to overestimate than to underestimate.
  As for 'excluding' the home partition from a general disk encryption setup, well, as long as it works as it should I wouldn't mind trying that out but as you yourself state it indeed sounds trickier to setup. Thus I would be tempted to first try out the secure directory setup as explained in the wiki. But I understand, at least I think I do, the idea of your suggestion. Once I go through the documentation available I will most likely end up more or less convinced.
  Just as with regards to a specific/'personalized' encryption for the home partition in terms of using a different filesystem I wonder if it wouldn't come to the considerations of using X filesystem for X type of files just as one does when choosing the filesystem for the partitions. I mean filesystem A might show better performance because the encrypted files are of type B which it handels best.
  Therefore wouldn't I end up being a 'hostage' of those type of files when the data to be encrypted would be of 'mixed nature' (larger, lighter etc.)?

• Encryption/decryption through jar file and classes

  Hi,
  My application uses tomcat as web server.
  I am doing encrytion and decyption.
  i fetch encypted data from database and then decrypt it
  If i use calsses in webapps -> WEB-INF -> classes folder, i place classes in that ,
  In other case i use jar file and place that file in WEB-INF -> lib folder in the webapps directory.
  There is huge performance difference.
  While using classes performance is great while using jar file performance is very disappointed.
  I am using a file for encryption /decryption also.

  Are you getting any error messages? Have you put debugging code in those classes to see what is happening?

• Windows 7 problem with EFS (Encrypting file system)

  Hello colleagues!
  I think this topic is related more to the security.
  The problem is a bit unusual and google doesn't give me a clear answers, but maybe anyone came across
  with similar problem...
  In general, I suspect that my problem is EFS (Encrypting file system), ie
  service that automatically encrypts files using a digital signature (certificate).
  A little background:
  - On the work PC it was necessary to reinstall
  the system, according to corporate rules all the content we have is encrypted using EFS (Encrypted files are highlighted with green color as you know).
  I have copied all the data on a portable drive and also copied the certificates (certmgr.msc).
  The system was reinstalled. The only change - it was x32 and became x64.
  - It was necessary to free up some space on the hard drive (the file
  system on it is NTFS), so,  I temporary copied all the files on my home PC. My work certificate was installed on it too, because
  I work from home
  sometimes.
  When the  work PC was repaired, I've moved all the files back in
  the same way (ie on the portable HDD, then to the work PC).
  All files were working, but when I needed MS Word documents, it became clear that something was wrong.
  When I've opened the document, it gaveme a window with weird symbols and prompts me to select the encoding ... of course -
  no encoding was fit.
  Started to explore all the documents, it appears that some part of them were working,
  someof them not - all the old documents were working, ie the ones, which
  were created before deploying EFS (newly created or copied files immediately encrypted).
  So, now I am sure that the
  documents were somehow re-encrypted, at least on a portable hard drive, they do not look as encrypted (not highlighted in green), but it's still not open.
  Completely stopped opening all the documents that have
  been encrypted (for all types of files, ie it is not just an MS Word, but also pdf, presentations, charts, and even the pictures).
  Tell me, who faced similar?
  How can it all back? I have no possibility to restore those documents from another sources.

  Try copy those corrupted files and make sure you are using the same certificate and then re-encrypt the copied files and try decrypt them.
  If possible, use the same account as you used for encryption.

• How to share EFS encrypted files over a network (\\workstation\c$\encrypted-file.txt)

  Hello,
  we decided to theft-protect our workstations by using EFS encryption on some important documents and directories.
  Just to be sure: I hope that data will not be readable in the case that someone physically gains access to the disk or computer with encrypted data and does not know user's name & password to log in or does not have the right encryption certificate with
  private key. Please correct me, if I'm wrong.
  All workstations are Windows 7 Professional joined to the domain controlled by Windows 2008R2 DC. We are a bit lazy, so we have generated a local, self-signed EFS certificate on a single workstation and installed this (the same) certificate on all workstations.
  Now, we are able to share EFS encrypted files for example via a NTFS formatted flash drive.
  Later, we have setup a Certificate authority (we can potentially issue new EFS personal, domain-based certificates that are published in AD), and established DRA as well (published DRA via a Group Policy).
  All logged-in users have the same (non-domain) certificate installed in their "My User Account" certificate store, cipher /y command shows the same thumbprint value.
  However, we would like to be able access files remotely, in a "lazy" way using an administrative share like
  \\workstation\c$\users\bob\document.txt. We all are Domain Admins, so NTFS and SMB privileges should be OK, unencrypted files are accessible OK.
  I have tried to issue a new certificates via the Cert Authority, putting them into "Trusted People" container etc., adding them to the "Users who can access this file:" list on the encrypted file and nothing worked.
  So is it possible to share EFS encrypted files over a workstation's share (i.e.
  \\workstation\something)?
  What should I do to get it working? :-)
  Thank you for any ideas.
  Jan

  OK, I understand that. However, I have read this article
  Using Encryption File System (Technet)
  and there is stated "Remote EFS operations on files stored on network file shares are possible in Windows 2000 or later domain environments only. Domain users can remotely encrypt or decrypt files,
  but this capability is not enabled by default"
  There are notes about computer trust etc., so I am seeking for someone who would help me a little bit with this.
  Just imagine the simplest possible "single-user" case: there are two Win7 computers A, B joined into the domain and just single user BOB. Bob uses those two computers and need to access own documents like
  \\A\DocumentsA or
  \\B\DocumentsB. Standard setup - folder sharing: everything is working fine, share and NTFS permissions are set up, BOB can work with his own "remote" documents from both computers (\\A\DocumentsA from computer B and
  vice versa).
  BOB decides to encrypt his documents. So BOB logs in computer A, starts "Manage file encryption certificates Wizard", gets an EFS Certificate from CA and encrypts his c:\Documents (shared as
  \\A\DocumentsA). I assume the EFS certificate is stored on computer A in BOB's local profile, therefore I ask:
  Now, BOB moves to the computer B and logs on.
  Q1: Will be \\A\DocumentsA accessible for BOB from B?
  Q2: If not, what should do now? Should I do something in AD for computer accounts (A and/or B) ?
  Thank you.

• Encryption / Decryption

  Dear all,
  I want to know the encryption and decrytion details of a PDF file. I have read PDF Specs for this purpose, but unable to figure out that how we can perform encryption / decryption in PDF document. It is done using a combination of MD5 & RC4 algorithms.
  I DON'T KNOW, HOW IT IS DONE? If any one of you have ever experienced something similar, do let me know. Thanks in advance.
  Regards,
  Shozi

  You're question is not very clear to me: do you want to encrypt a pdf file, or do you want to figure out how pfd files are encrypted?
  I'm almost sure that pfd files are not encrpyted in anyway (shouldn't know why), so I assume you want to know how to encrypt pfd files?
  Well, simply encrypt it like you would encrypt any document, or piece of information ;) It really doesn't matter if it's a pdf or word-doc or an mp3 file! Read the bytes in the file and encrypt them with a suitable algorithms. This choice depends on how you want to use the encrypted pdf.
  Cheers,
  Tom

• E72 cannot install on sd after encrypt/decrypt act...

  Hi,
  after encrypting my strorage card I switched mind, because of decreasing performance. Decryption worked fine, accept for the fact that the name of the SD card. This was stil unreadable, but I could change it. So far so good, but now two things don't work anymore:
  - first, when downloading an application I cannot not install it on the SD card, it simply says "Cannot install"
  - second, when I want to change a profile eg. select different sound, an "opening..."  screen opens, but nothing further
  Is there a way to fully recover the SD card to it's original settings, the way Nokia provided it?
  I only own this phone a week, not so happy at this moment (Outlook calendar screwed)
  Thanks for help!
  regards,
  Tom

  I did 3 encryption/decryption cycles on my E72 (with a 16 GB microSD) and have not had such problems installing apps or changing profiles. Something went wrong.
  If you have access to the card you might consider copying the data to a PC, reformat it (eventually hard reset the E72) and then copy it back (making sure you backed up contacts and calendar).

• Encryption/Decryption  failure for pdf and MSWord files

  Hi,
  Is there anybody to help me to find out what is wrong with my class (listing below)? I am sucessfuly using this class to encrypt and decrypt txt, html files but for unknown reasons I am unable to use it for e.g. pdf files. The encrypion somehow works but any atempt to decrypt is a failure.
  /* This class accepts an input file, encrypts/decrypts it using DES algorithm and
  writes the encrypted/decrypted output to an output file. DES is used in Cipher
  Block Chaining mode with PKCS5Padding padding scheme. Note that DES is a symmetric
  block cipher that uses 64-bit keys for encryption. A password of length no less
  than 8 is to be passed to the encryptFile/ decryptFile methods. This password is
  used to generate the encryption key. All exception handling is to be done by
  calling methods. These exceptions are thrown by encryptFile/ decryptFile methods.
  The input buffer is 64 bytes, 8 times the key size.
  import java.io.*;
  import javax.crypto.*;
  import javax.crypto.spec.*;
  import java.security.*;
  import java.security.spec.*;
  public class Crypto
  public Crypto(FileInputStream inStream_, FileOutputStream outStream_)
  fInputStream_ = inStream_;
  fOutputStream_ = outStream_;
  public void encryptFile(String password_) throws InvalidKeySpecException, InvalidKeyException,
  InvalidAlgorithmParameterException, IllegalStateException, IOException, Exception
  DataOutputStream dataOutStream_ = new DataOutputStream(fOutputStream_);
  // key generation
  SecretKey encryptKey_ = createEncryptionKey(password_);
  // Cipher initialization
  Cipher cipher_= Cipher.getInstance(cipherType);
  cipher_.init(Cipher.ENCRYPT_MODE, encryptKey_);
  // write initialization vector to output
  byte[] initializationVector_ = cipher_.getIV();
  dataOutStream_.writeInt(initializationVector_.length);
  dataOutStream_.write(initializationVector_);
  // start reading from input and writing encrypted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_, inputOffset_, inputLength_);
  if (output_ != null)
  dataOutStream_.write(output_);
  // finalize encryption and wrap up
  byte[] output_ = cipher_.doFinal();
  if (output_ != null)
  dataOutStream_.write(output_);
  fInputStream_.close();
  dataOutStream_.flush();
  dataOutStream_.close();
  public void decryptFile(String password_) throws IllegalStateException, IOException, Exception
  DataInputStream dataInStream_ = new DataInputStream(fInputStream_);
  // key generation
  SecretKey encryptKey_ = createEncryptionKey(password_);
  // read initialization vector from input
  int ivSize_ = dataInStream_.readInt();
  byte[] initializationVector_ = new byte[ivSize_];
  dataInStream_.readFully(initializationVector_);
  IvParameterSpec ivParamSpec_= new IvParameterSpec(initializationVector_);
  // Cipher initialization
  Cipher cipher_= Cipher.getInstance("DES/CBC/PKCS5Padding");
  cipher_.init(Cipher.DECRYPT_MODE, encryptKey_, ivParamSpec_);
  // start reading from input and writing decrypted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_, inputOffset_, inputLength_);
  if (output_ != null)
  fOutputStream_.write(output_);
  // finalize decryption and wrap up
  byte[] output_ = cipher_.doFinal();
  if (output_ != null)
  fOutputStream_.write(output_);
  fInputStream_.close();
  fOutputStream_.flush();
  fOutputStream_.close();
  // the following method creates the encryption key using the supplied password
  private SecretKey createEncryptionKey(String passwd_) throws InvalidKeySpecException,
  InvalidKeyException, NoSuchAlgorithmException
  byte[] encryptionKeyData_ = passwd_.getBytes();
  DESKeySpec encryptionKeySpec_ = new DESKeySpec(encryptionKeyData_);
  SecretKeyFactory keyFactory_ = SecretKeyFactory.getInstance(algorithm_);
  SecretKey encryptionKey_ = keyFactory_.generateSecret(encryptionKeySpec_);
  return encryptionKey_;
  private FileInputStream fInputStream_;
  private FileOutputStream fOutputStream_;
  private final String algorithm_= "DES";
  private final String cipherType= "DES/CBC/PKCS5Padding";
  private byte[] input_ = new byte[64]; // The input buffer size is 64
  private int inputLength_;
  private final int inputOffset_= 0;
  }

  Please can u give me refined code for me///
  at [email protected]
  Hi,
  I found at least one thing wrong. In the decrypt
  method you are reading from 'fInputStream_' rather
  than 'dataInStream'.
  Worked for me on MSWord after changing this!
  Roger
  // start reading from input and writing decrypted
  ted data to output
  while (true) {
  inputLength_ = fInputStream_.read(input_);
  if (inputLength_ ==-1) break;
  byte[] output_ = cipher_.update(input_,
  input_, inputOffset_, inputLength_);
  if (output_ != null)
  fOutputStream_.write(output_);

• How to resolve bug RC4 encrypt-decrypt on iPAD with AIR15 only

  Hi everybody,
  I have some trouble with AIR15 only, In the past, I created a small game on iPad It could send or receive messge from server. I used lib as3crypto.swc encrypt or decrypt message (RC4). But when I upgrade to AIR15 encrypt-decrypt cannot work ( Another thing about this crash is that it only happens with a release (adhoc or appstore) build but NOT with a debug build). I check so many time but i don't know what is problem here.
  Please help me, thanks so much any advice.
  P/S: My game have many swf files (code and resource). I must combine multiple SWF files into one.
  Class RC4.as
  import com.hurlant.crypto.prng.ARC4;
  import com.hurlant.util.Base64;
  import com.hurlant.util.Hex;
  import flash.utils.ByteArray;
  public class RC4
    private static const key:String = "keytest";
    private static var byteKeys:ByteArray = Hex.toArray(Hex.fromString(key));
    private static var rc4:ARC4 = new ARC4();
    public static function encrypt(clearText:String):String
    var byteText:ByteArray = Hex.toArray(Hex.fromString(clearText));
    rc4.init(byteKeys);
    rc4.encrypt(byteText);
    return Base64.encodeByteArray(byteText);
  public static function decrypt(encryptedText:String):String
    var byteText:ByteArray = Base64.decodeToByteArray(encryptedText);
    rc4.init(byteKeys);
    rc4.decrypt(byteText);
    return Hex.toString(Hex.fromArray(byteText));

  Sorry, exact message is "this movie could not be played".
  There are hundreds of posts about this message but no one states a clear solution to the problem.
  Your help will be much appreciated.
  Thank you.

• Help ! Need PCI Encryption/Decryption Controller Driver for New HP 355 G2 (AMD) w/Win 7 Pro 64 Bit

  Just rebuilt new HP 355 G2 to Win 7 64 bit.  The ONLY driver I can not locate or get to work is the PCI Encryption/Decryption Controller. I installed all latest drivers for this model/OS from both HP and AMD sites still no luck. AMD autodetect utility and Catalyst software installed all other drivers successfully except this one and when completes says all drivers, including chipset, are installed successfully and current.
  I am at a complete loss where to get this driver from a OEM site, can you help ?
  Device ID's:
  PCI\VEN_1022&DEV_1537&SUBSYS_15371022&REV_00
  PCI\VEN_1022&DEV_1537&SUBSYS_15371022
  PCI\VEN_1022&DEV_1537&CC_108000
  PCI\VEN_1022&DEV_1537&CC_1080
  Thanks !!!
  This question was solved.
  View Solution.

  Hi:
  You need to run this driver and then manually install it.
  http://h20565.www2.hp.com/hpsc/swd/public/detail?swItemId=vc_133833_1
  To manually install the driver go to the device manager and click on the PCI Encryption/Decryption Controller needing the driver.
  Click on the driver tab.  Click on Update Driver.
  Select the Browse my computer for driver software option, and browse to the driver folder that was created when you ran the file.
  That folder will be located in C:\SWSetup\sp66974.
  Make sure the Include Subfolders box is checked, and the driver should install.
  Then reboot.