Articles

learn more about encryption

Silver Key FIPS 140-2 Parcel

The purpose of this article is to provide information on Kryptel internal data formats for public scrutiny. At least a basic understanding of programming is required.

Parcel Format

The FIPS 140-2 -compliant parcel format is based on the standard Silver Key 4 parcel format. The differences reflect the fact that FIPS 140-2 parcel does use Silver Key crypt components and instead fully relies on Windows CAPI. This documents describes only the parts, which differs from the standard parcel, i.e. parcel header and trailer.

Parcel Header

Size Description
4 Parcel tag (0x7A95FFEB)
2 Engine version used to create the parcel
2 Extractor version required
16 Engine GUID (always CID_SILVER_KEY_FIPS)
16 Parcel GUID
4 Parcel flags
STR Parcel title
  --- Description (if SK_FLAG_SHOW_DESCRIPTION) ---
4 Uncompressed description size (number of UTF-16 chars, no terminating zero)
4 Compressed description size (bytes)
. . . Compressed description (UTF-16, no terminating zero)
  --- Uninstaller (if SK_FLAG_UNINSTALLER) ---
4 Uncompressed uninstaller size
4 Compressed uninstaller size
. . . Compressed uninstaller
  --- Localized strings (if SK_FLAG_LOCALIZED_STRINGS) ---
2 Uncompressed size of string set
2 Compressed size of string set
. . . Compressed string set

The only supported key material is password so Key ID is always assumed to be IDENT_PASSWORD.

The cipher is always CAPI-provided AES-256 with 128 bit block size. Passwords are processed to keys with CAPI-provided SHA-256. The standard Kryptel ZIP component is used for compressing data.

This parcel does not compute HMACs, fully relying on the pre-open integrity check pass.

Key verification block is not maintained either: if MD5 verification passed, but decryption produces invalid data, then the password is assumed to be wrong.

Parcel Trailer

Size Description
4 Parcel end tag (0xEBFF957A)
16 Parcel GUID
8 Offset to the file area, relative to header start
8 Offset to the script area, relative to header start
8 File position of the parcel ID tag; 0 if no stub
16 MD5 hash of the preceding area, starting from parcel ID tag