Loading…

		

		
		
		
		
		

	
						
		
			

				
				

					
					
Kryptel Storage

				

				
				

					


	
Kryptel FIPS 140-2 Storage



	

	
		

			FIPS 140-2 -compliant storage is organized similarly to the standard
			Kryptel 6 storage
			with several differences, which reflect the fact that the storage handler
			uses Windows CAPI.
		



		
Container Header


		

			

				Size
				Description
			


			

				4
				Container tag
			


			

				2
				Header size including header hash
			


			

				2
				Version of handler that created the container
			


			

				2
				Version of handler required to process the container
			


			

				16
				Storage Handler component ID (must be CID_FIPS140_STORAGE)
			


			

				16
				Agent component ID
			


			

				16
				Key ID
			


			

				2
				Size of reserved area (must be 0)
			


			

				. . .
				Reserved area (not present in Kryptel 6 storage)
			


			

				4
				Size of agent data field (0 if no agent data)
			


			

				6
				Agent data address (points to directory if no agent data)
			


			

				6
				Size of the directory area
			


			

				16
				MD5 hash of the header
			

		


		

			Key ID is always IDENT_PASSWORD.
		


		

			The cipher is always CAPI-provided AES-256 with 128 bit block size. Passwords are
			processed to keys with CAPI-provided SHA-256. The standard Kryptel ZIP component is used
			for compressing data.
		


		

			This storage handler does not compute agent data and directory HMACs, fully relying on the
			pre-open integrity check pass based on the container trailer.
			Key verification block is not maintained either: if directory verification passed, but
			LoadDirectory encountered an error, then the pasword is assumed to be wrong.
		



		
Directory Entry


		

			

				Size
				Description
			


			

				2
				Object start tag
			


			

				16
				Object ID
			


			

				6
				Size of object's data block (0 if no data)
			


			

				6
				Size of uncompressed data block (present if data size > 0)
			


			

				6
				Address of data block (present if data size > 0)
			


			

				16
				Initialization vector (present if data size > 0)
			


			

				16
				Data block MD5 hash (present if data size > 0)
			


			

				4
				Size of object's attribute block (0 if no attributes)
			


			

				. . .
				Attribute block
			


			

				. . .
				[Optional directory entries for child objects]
			


			

				2
				Object end tag
			

		


		

			The difference with the standard Kryptel 6 directory entry are a) the size of
			the initialization vector is fixed, and b) there is no recovery block size field.
		



		
Limitations


		

			The FIPS 140-2 -compliant storage has several limitations comparing to the
			standard Kryptel 6 storage.
		


		
    
			
  • The only key material supported is password.
    • 

			
  • No support for key verification, so it is not possible to tell if the given
			password fits. As a result, it is not possible to re-use cached passwords.
    • 

			
  • No support for data recovery,
			recovery blocks are not created.
    •