Encryption Support in the TopSpeed driver


The TopSpeed driver has its own built-in encryption system, but it is a proprietary scheme that is not based on any of the standard encryption algorithms. That makes the TopSpeed file format unusable for developers who must be able to state, and guarantee, which algorithm protects their data. As an alternative, the driver can use any encryption algorithm supported by any cryptographic service provider (CSP) that plugs into the Windows cryptographic subsystem (CryptoAPI), so data can be created, stored and exchanged under a standard, documented algorithm.

Two providers are installed on every Windows operating system: the Microsoft Base Cryptographic Provider and the Microsoft Enhanced Cryptographic Provider. Both are registered as provider type PROV_RSA_FULL (1).

The Microsoft Enhanced Cryptographic Provider supports the same capabilities as the Microsoft Base Cryptographic Provider, but provides stronger security through longer keys and additional algorithms. On older Windows versions the Enhanced provider was installed by the Internet Explorer 128-bit security patch, so on such systems check that it is present before relying on it as the default /PROVIDER.

Because the driver talks to every provider through the same CryptoAPI interface, any other CSP installed on the machine can be selected in the same way, including providers that become available after this release.

To use an alternative encryption algorithm, supply at least one of the following encryption settings to the driver in the driver string.

 

Example Format:

(/DriverString=Value, with no spaces around the equals sign)

/PROVIDERTYPE=1

This selects provider type 1, PROV_RSA_FULL. Multiple driver strings need to be SPACE delimited.

Driver String    Default Value                               Description

/PROVIDER        Microsoft Enhanced Cryptographic Provider   The name of the cryptographic service provider (CSP)
/CONTAINER       NULL                                        The key container within the provider that holds the keys (see (2) below)
/PROVIDERTYPE    1 (PROV_RSA_FULL)                           The CryptoAPI provider type; it must match the type the named /PROVIDER is registered with (see (3) below)
/KEYALGORITHM    26625 (RC4)                                 The ALG_ID of the algorithm used to encrypt the data (see (5) below)
/HASHALGORITH    32771 (MD5)                                 The ALG_ID of the algorithm used to hash the OWNER password (see (4) below). The switch name is spelled without a trailing M.
/FORCEKEY        FALSE                                       FALSE: if the supplied key algorithm is not available or not valid, fall back to the default key algorithm. TRUE: do not fall back.
/FORCEHASH       FALSE                                       FALSE: if the supplied hash algorithm is not available, fall back to the default hash algorithm. TRUE: do not fall back.

With /FORCEKEY and /FORCEHASH left at FALSE, a mistyped or unsupported algorithm is replaced by RC4 and MD5 without any error, so set both to TRUE wherever the chosen algorithm is a requirement rather than a preference.

Additional Notes:

(1) You can use any of the driver string switches in a SEND command before the file is opened to set the encryption options. You can also retrieve the current value of any of the encryption options as the return value of the SEND command, which is the simplest way to confirm that a setting was accepted rather than silently replaced by a default.

 

(2) /CONTAINER is the key container name. This is a string that identifies the key container to the CSP (cryptographic service provider). This name is independent of the method used to store the keys. Some CSPs store their key containers internally (in hardware), some use the system registry, and others use the file system.

When /CONTAINER is not specified, a default key container name is used. For example, the Microsoft Base Cryptographic Provider uses the logon name of the currently logged on user as the key container name. Other CSPs can also have default key containers that can be acquired in this way.

(3) This is the numeric provider type passed to the CSP. The values are the CryptoAPI provider type constants from wincrypt.h (see the Microsoft Cryptographic Provider Types page for full details); they are not algorithms supplied by the Microsoft Enhanced Cryptographic Provider, which is itself a PROV_RSA_FULL provider. The Microsoft Base and Enhanced Cryptographic Providers are type 1 and the Microsoft Enhanced RSA and AES Cryptographic Provider is type 24; CryptoAPI rejects a /PROVIDERTYPE that does not match the type the named /PROVIDER is registered with. On Windows the installed providers and their Type values are listed under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider.

PROV_RSA_FULL 1
PROV_RSA_SIG 2
PROV_DSS 3
PROV_FORTEZZA 4
PROV_MS_EXCHANGE 5
PROV_SSL 6
PROV_RSA_SCHANNEL 12
PROV_DSS_DH 13
PROV_EC_ECDSA_SIG 14
PROV_EC_ECNRA_SIG 15
PROV_EC_ECDSA_FULL 16
PROV_EC_ECNRA_FULL 17
PROV_DH_SCHANNEL 18
PROV_SPYRUS_LYNKS 20
PROV_RNG 21
PROV_INTEL_SEC 22
PROV_REPLACE_OWF 23
PROV_RSA_AES 24

(4) Hash algorithm values (CryptoAPI ALG_IDs) supported by the Microsoft Enhanced Cryptographic Provider are:

32769 MD2
32771 MD5
32772 SHA-1 (CALG_SHA, which Microsoft describes as the U.S. DSA Secure Hash Algorithm)
32773 Message Authentication Code
32776 SSL3 client authentication
32777 HMAC, a keyed hash algorithm

The SHA-2 family (32780 SHA-256, 32781 SHA-384, 32782 SHA-512) is not offered by the Base or Enhanced providers; among the Microsoft providers it comes from the Microsoft Enhanced RSA and AES Cryptographic Provider (PROV_RSA_AES, 24).

(5) Key (data encryption) algorithm values from wincrypt.h, supported by various providers, are listed below; note that the RC4 value is the same 26625 used as the /KEYALGORITHM default:

26113 DES
26114 RC2
26115 3DES
26121 3DES 112
26625 RC4
26126 AES-128, 26127 AES-192, 26128 AES-256 (among the Microsoft providers, only from the Microsoft Enhanced RSA and AES Cryptographic Provider, type 24)

RC4 and MD5, the defaults, are both obsolete for new designs; where the AES provider is available, prefer AES with a SHA-2 hash and set /FORCEKEY and /FORCEHASH to TRUE so the driver cannot silently fall back. For the full list of key and hash algorithms, consult the documentation of your cryptography provider.
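The ALG_ID numbers in notes (4) and (5) and the switches in the table above can be checked before they are compiled into a FILE declaration. The following Python script is an added example and is not part of the Clarion documentation or of the TopSpeed driver: it decodes a CryptoAPI ALG_ID into the class, type and sub-identifier fields defined in wincrypt.h, refuses an ID of the wrong class, assembles the space-delimited switch list, and lints an existing driver string for unknown switch names and for the silent RC4/MD5 fallback that /FORCEKEY=FALSE and /FORCEHASH=FALSE allow. The bit layout and the CALG_*/PROV_* constants are from wincrypt.h; the function names, their arguments, and the choice to emit a /PROVIDER value containing spaces last (the page documents SPACE delimiting but not how such a name is parsed) are the example's own assumptions.

```python
"""Check CryptoAPI ALG_ID values and TopSpeed encryption driver strings.

Added example, not part of the Clarion documentation or the TopSpeed driver.
The bit layout and CALG_*/PROV_* constants come from wincrypt.h; the helper
functions, their names and their arguments are this example's own.
"""

# ALG_ID layout (wincrypt.h): class in bits 13-15, type in bits 9-12, SID in bits 0-8.
ALG_CLASSES = {
    1: "ALG_CLASS_SIGNATURE",
    2: "ALG_CLASS_MSG_ENCRYPT",
    3: "ALG_CLASS_DATA_ENCRYPT",   # the class /KEYALGORITHM must have
    4: "ALG_CLASS_HASH",           # the class /HASHALGORITH must have
    5: "ALG_CLASS_KEY_EXCHANGE",
    7: "ALG_CLASS_ALL",
}
ALG_TYPES = {
    0: "ALG_TYPE_ANY", 1: "ALG_TYPE_DSS", 2: "ALG_TYPE_RSA", 3: "ALG_TYPE_BLOCK",
    4: "ALG_TYPE_STREAM", 5: "ALG_TYPE_DH", 6: "ALG_TYPE_SECURECHANNEL",
}

# CALG_* constants; the driver string takes the decimal form of these.
CALG = {
    "CALG_DES": 0x6601, "CALG_RC2": 0x6602, "CALG_3DES": 0x6603, "CALG_3DES_112": 0x6609,
    "CALG_AES_128": 0x660E, "CALG_AES_192": 0x660F, "CALG_AES_256": 0x6610,
    "CALG_RC4": 0x6801,
    "CALG_MD2": 0x8001, "CALG_MD4": 0x8002, "CALG_MD5": 0x8003, "CALG_SHA1": 0x8004,
    "CALG_MAC": 0x8005, "CALG_SSL3_SHAMD5": 0x8008, "CALG_HMAC": 0x8009,
    "CALG_SHA_256": 0x800C, "CALG_SHA_384": 0x800D, "CALG_SHA_512": 0x800E,
}
CALG_BY_VALUE = {v: k for k, v in CALG.items()}

PROV_RSA_FULL = 1    # Microsoft Base and Enhanced Cryptographic Providers
PROV_RSA_AES = 24    # Microsoft Enhanced RSA and AES Cryptographic Provider

# Switch names exactly as the TopSpeed driver documents them (no trailing M on HASHALGORITH).
KNOWN_SWITCHES = {"PROVIDER", "CONTAINER", "PROVIDERTYPE", "KEYALGORITHM",
                  "HASHALGORITH", "FORCEKEY", "FORCEHASH"}


def decode_alg_id(alg_id):
    """Split an ALG_ID into its class, type and sub-identifier and name it if known."""
    cls = (alg_id >> 13) & 0x7
    typ = (alg_id >> 9) & 0xF
    return {
        "value": alg_id,
        "class": ALG_CLASSES.get(cls, f"unknown({cls})"),
        "type": ALG_TYPES.get(typ, f"unknown({typ})"),
        "sid": alg_id & 0x1FF,
        "name": CALG_BY_VALUE.get(alg_id),
    }


def is_data_encryption_alg(alg_id):
    return decode_alg_id(alg_id)["class"] == "ALG_CLASS_DATA_ENCRYPT"


def is_hash_alg(alg_id):
    return decode_alg_id(alg_id)["class"] == "ALG_CLASS_HASH"


def build_driver_string(provider_type=None, key_algorithm=None, hash_algorithm=None,
                        container=None, force_key=None, force_hash=None, provider=None):
    """Assemble the space-delimited switch list, rejecting an ALG_ID of the wrong class
    up front (with /FORCEKEY and /FORCEHASH left FALSE the driver would otherwise fall
    back to RC4/MD5 without any error)."""
    if key_algorithm is not None and not is_data_encryption_alg(key_algorithm):
        raise ValueError(f"/KEYALGORITHM={key_algorithm} is not a data-encryption ALG_ID: "
                         f"{decode_alg_id(key_algorithm)}")
    if hash_algorithm is not None and not is_hash_alg(hash_algorithm):
        raise ValueError(f"/HASHALGORITH={hash_algorithm} is not a hash ALG_ID: "
                         f"{decode_alg_id(hash_algorithm)}")
    parts = []
    if provider_type is not None:
        parts.append(f"/PROVIDERTYPE={provider_type}")
    if key_algorithm is not None:
        parts.append(f"/KEYALGORITHM={key_algorithm}")
    if hash_algorithm is not None:
        parts.append(f"/HASHALGORITH={hash_algorithm}")
    if container is not None:
        parts.append(f"/CONTAINER={container}")
    if force_key is not None:
        parts.append("/FORCEKEY=" + ("TRUE" if force_key else "FALSE"))
    if force_hash is not None:
        parts.append("/FORCEHASH=" + ("TRUE" if force_hash else "FALSE"))
    if provider is not None:
        # Assumption: the documentation says switches are SPACE delimited but not how a
        # provider name that itself contains spaces is parsed, so it is emitted last.
        parts.append(f"/PROVIDER={provider}")
    return " ".join(parts)


def check_driver_string(driver_string):
    """Lint an existing driver string; returns a list of findings (empty means clean)."""
    findings, switches = [], {}
    for token in driver_string.split():
        if not token.startswith("/") or "=" not in token:
            findings.append(f"malformed token {token!r}")
            continue
        name, value = token[1:].split("=", 1)
        name = name.upper()                      # the documentation's example uses /Providertype
        if name not in KNOWN_SWITCHES:
            findings.append(f"unknown switch /{name} (documented switches: {sorted(KNOWN_SWITCHES)})")
            continue
        switches[name] = value
    for switch, check, want in (("KEYALGORITHM", is_data_encryption_alg, "data-encryption"),
                                ("HASHALGORITH", is_hash_alg, "hash")):
        value = switches.get(switch)
        if value is not None and (not value.isdigit() or not check(int(value))):
            findings.append(f"/{switch}={value} is not a {want} ALG_ID")
    for switch, default in (("FORCEKEY", "RC4 (26625)"), ("FORCEHASH", "MD5 (32771)")):
        if switches.get(switch, "FALSE").upper() != "TRUE":
            findings.append(f"/{switch} is not TRUE: an unavailable algorithm silently falls back to {default}")
    return findings


if __name__ == "__main__":
    for alg in (26625, 18433, 32771, 32780):
        print(alg, decode_alg_id(alg))
    print(build_driver_string(PROV_RSA_FULL, CALG["CALG_RC4"], CALG["CALG_MD5"]))
    print(build_driver_string(PROV_RSA_AES, CALG["CALG_AES_256"], CALG["CALG_SHA_256"],
                              force_key=True, force_hash=True))
    for finding in check_driver_string("/KEYALGORITHM=26625 /Providertype=1 /HASHALGORITH=32771"):
        print("finding:", finding)
```

Run as a script it decodes 18433, for instance, as ALG_CLASS_MSG_ENCRYPT rather than ALG_CLASS_DATA_ENCRYPT, which is exactly the kind of wrong ID a driver left at /FORCEKEY=FALSE would quietly replace with RC4, and it flags the documentation's own example string for leaving both FORCE switches at their default. The script only checks the shape of an ID; whether the installed provider actually implements it can only be confirmed on the target machine, for instance by reading the setting back with SEND after setting it, and when /PROVIDERTYPE is changed to 24 the matching /PROVIDER name has to be supplied as well.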

 

Example:

 PROGRAM

 INCLUDE('EQUATES.CLW'),ONCE

CLALONG EQUATE(LONG)

 MAP
   CheckError(),CLALONG
 END

!       To enable an alternative encryption algorithm you have to supply at least one of
!       the following encryption settings to the driver via the driver string:
!
!       Driver String               Default                             Description
!       /PROVIDER       Microsoft Enhanced Cryptographic Provider       The name of the cryptographic service provider
!       /CONTAINER      NULL                                            The container within the provider where the key algorithm is located
!       /PROVIDERTYPE   1 (PROV_RSA_FULL)                               The provider type
!       /KEYALGORITHM   26625 (RC4)                                     The algorithm used to encrypt data
!       /HASHALGORITH   32771 (MD5)                                     The algorithm used to hash the OWNER password
!       /FORCEKEY       FALSE                                           Set to FALSE to use the default key algorithm if the supplied key algorithm is not available or not valid
!       /FORCEHASH      FALSE                                           Set to FALSE to use the default hash algorithm if the supplied hash algorithm is not available

! Use the Microsoft Enhanced Cryptographic Provider (the default /PROVIDER, type PROV_RSA_FULL),
! RC4 (26625) to encrypt the data and MD5 (32771) to hash the OWNER password.
! Driver strings need to be SPACE delimited.
! ENCRYPT turns file encryption on and OWNER supplies the password. A literal OWNER
! password is compiled into the executable, so anyone holding the binary can recover it.
Secrets     FILE,DRIVER('TOPSPEED','/KEYALGORITHM=26625 /PROVIDERTYPE=1 /HASHALGORITH=32771'),OWNER('topsecret'),PRE(Sec),BINDABLE,CREATE,THREAD,ENCRYPT
ID_Key            KEY(Sec:ID),NOCASE,OPT
record            RECORD
ID                  LONG
Name                STRING(20)
Secret              STRING(500)
Secret2             STRING(20)
                 END
               END
i LONG

 CODE
  CREATE(Secrets)                       ! the file is created with the encryption settings from the driver string
  IF CheckError() THEN RETURN END
  OPEN(Secrets)
  IF CheckError() THEN RETURN END

  i = 0
  LOOP 10 TIMES
    i += 1
    Secrets.ID = i
    Secrets.Name = 'Jane' & i
    Secrets.Secret = 'Secret text number ' & i
    Secrets.Secret2 = 'small Secret ' & i
    ADD(Secrets)
    IF CheckError() THEN MESSAGE('error on add to Secrets: ' & ERROR()) END
  END
  CLOSE(Secrets)

CheckError  FUNCTION
 CODE
 IF ERRORCODE()
   IF ERRORCODE() = 90                  ! 90 = File System Error; FILEERRORCODE()/FILEERROR() carry the driver's own code and text
     MESSAGE('File System Error: (' & FILEERRORCODE() & ') ' & FILEERROR())
     RETURN ERRORCODE()
   END
   MESSAGE('Error: ' & ERROR())
   RETURN ERRORCODE()
 END
 RETURN 0