FILE CRYPT.TXT VAN SWAAY 13-MAY-81
Author: Maarten van Swaay
Department of Chemistry
Kansas State University
Manhattan, Kansas 66506
Operating System: RT11 V3 or later
SYSGEN options: SJ with .TWAIT support, or FB
CRYPT is a program that will encrypt and decrypt files. It is primarily
intended for use on text files, although it will operate on all file types.
CRYPT is called with a standard monitor command: .R CRYPT <RETURN>.
CRYPT performs the following actions:
1. CRYPT requests an encryption string, which may be any string of at least
8 keystrokes and a <CR>. If the encryption string contains 20 or more
keystrokes before the <CR>, only the first 20 are used. If the string
contains between 9 and 19 keystrokes before the <CR>, the <CR>, and the
<LF> that comes with it, will be used as part of the encryption string.
CRYPT does not write or retain any record of the encryption string. It is
the responsibility of the user to keep a record of that string; without it
there is no way to regenerate the plaintext after a pass through CRYPT.
The operation performed by CRYPT is symmetrical: an even number of passes
through CRYPT, with the same encryption string, will regenerate the
the original input.
CRYPT is also symmetrical with respect to the crypt string and the input
text. If the input is nonrandom, e.g. if it contains long strings of space
codes, information about the crypt string can be retrieved from the output
file. For the intended applications (exams, etc.), that should not be a
major shortcoming.
2. After CRYPT has accepted the encryption string, it requests a file
command. That command may not contain wildcards (% and *). The command
can have the following structures:
a. indev:infile
b. oudev:=indev:infile
c. oudev:outfile=indev:infile
DK: will be inserted by CSI if indev: or oudev: are omitted from the
string. More than one input and/or output file may be specified, but only
the first of each will be recognized.
Type <a> will encrypt the input file in-place on the disk. This is the
recommended use, because no plaintext records will then remain anywhere.
Type <b> will create a new output file if the output device is not
file-structured, e.g. if TT: is used for output. If the output device
specified is file-structured, the input file will be encrypted in-place,
even if the output device is not the same as the input device. Note that
this action differs from the standard interpretation of the CSI string.
Type <c> will create a new output file if the input and output filespecs
are not identical. If the two filespecs are identical, the input file
will be encrypted in-place.
�3. CRYPT assumes no responsibility for the disposition of privileged
information elsewhere on a disk, e.g. in the form of backup files or
deleted early versions.
For the protection of sensitive information, such as exams etc., it will
be the responsibility of the user to insure that no unencrypted versions
of the text are left on a disk. Although it is not a simple job to gain
access to deleted files, it is by no means impossible.
To avoid the existence of plaintext information on a disk one should do
the following:
a. Encrypt each backup file as it is made, and before it is deleted by
a subsequent edit session. At the end of the work session, encrypt
the current version of the file in-place, and convert it back into
plaintext before the start of the next edit session.
b. If a backup file is accidentally deleted before it is encrypted,
retrieve it with the help of the DIR/DEL command and a session with
DUP, which can create directory entries without moving files.
c. If neither of the above approaches are practical, copy some large files
beyond all existing files, and then squeeze the disk. That will roll
the newly written files over the blocks that previously held the
deleted versions of your plaintext.
Methods <b> and <c> require some familiarity with file manipulations beyond
what the average user is aware of. More information about that can be found
in the chapters on DIR, DUP, and PIP in RT11 Vol. 2A.
It is safe to print plaintext output from CRYPT via the SPOOL, even though
that will involve the temporary presence of a plaintext copy of the file on
on the system disk. The spooler can be compiled with a condition DSTROY=1,
and will then destroy the content of all files it prints, in addition to
deleting those files from the directory.
PROGRAM NOTES
The mechanisms used by CRYPT is a word-by-word XOR between the input file
and a text string that is entered at run-time. The encryption string must
be at least 10 bytes long (8 characters + CRLF). If the entered string is
longer than 20 bytes (including CRLF), it is truncated to 20 bytes (10 words).
A text string containing 8-19 characters closed by CRLF is acceptable; the
CRLF code will then be part of the encryption string. There are no
restrictions on the character set used in the encryption string, but monitor
control codes (^C, ^F, ^B, ^X) will be intercepted by the monitor. To avoid
the creation of copies of the crypt string at the end of the encrypted file,
null words in the input file are left unchanged.
CRYPT begins with a request for buffer space to hold the CSI I/O list and
enough queue space for the I/O, completion routines, and .TWAIT requests.
Then the encryption string is requested. Before input of that string, any
unused input in the ring buffer is discarded.
After the input string has been accepted, CSI is called in special mode,
to avoid lookup and enter functions. On return, the command string is
inspected for absence of wildcard specs.
�Next, the input filespec is inspected: input from a non-file device is
refused. The absence of an input file is also ground for rejection of the
command string.
If no output file was specified, CRYPT will encrypt the input file in-place,
without modifying the directory of the input device.
If an output device was specified, its nature is inspected. If the output
device is non-file, output will be written to that device without further
tests. If the output device is file-structured, a test is made whether a
file name was given. If no file name was given for output, the input file
will be encrypted in-place. Note that this action differs from the standard
interpretation of a CSI string. If a file name was given, it is compared
against the input filespec. If the two filespecs are identical, the input
file will be rewritten in-place. Only if the output filespec differs from
the input filespec will a new file be created on a file-structured device.
CRYPT will announce its choice of in-place encryption or creation of a
new output file, and then perform the action.
The I/O loop contains a pair of .READC requests with separate staging
blocks and transfer buffers, and separate completion routines. Each
completion routine contains a call to the conversion subroutine and a
.WRITC request on the same buffer and staging block as the parent .READC.
Block numbers for the input requests are controlled from the I/O loop;
block numbers for the output requests are maintained in the completion
routines.
After the last .READC has been issued, an exit routine waits for release
of both transfer buffers. Between tests on the release flags, the program
puts itself to sleep for 2 time ticks, or about 33 msec.
There remain some unresolved questions:
1. How should magtape and cassette be treated? At present, both are
refused as input devices, but that may be overly restrictive.
2. No space is requested for drivers, under the assumption that RMON
is smart enough not to overlay occupied memory during a .FETCH. That
sounds reasonable enough, but may not be watertight.
3. The queue elements are 10 words long, but under XM a .FETCH is not
allowed. Only LOADed drivers can be used under XM. That means that
the program should be restricted to SJ and FB, in which case the
queue elements need only be 7 words each. If the program must run under
XM, it should do .DSTATUS on each driver, rather than .FETCH.
4. If the input device can read a block in less than 6 msec, it would
be possible to generate a re-entrant call to the conversion subroutine
under the SJ monitor, because SJ allows interruption of completion
routines by other completion routines. Under FB and XM all completion
routines are queued up, so that they cannot interrupt each other.
5. Items 3 and 4 would justify an up-front call to RMON to check for
compatibility between the program and the monitor under which it is
running. That has not been done yet.
�6. The .READC and .WRITC requests are made with brute force; they all
fill the entire staging block. It should be possible to leave most
or the argument fields blank in those requests. In the interest of
readability that has not been done.
7. After the crypt string is accepted, the program clears the lower-case
bit in the JSW. For unknown reasons, lower-case input is still passed
through when CSI accepts its filespec. CSI is bright enough to handle
the conversion by itself, but that does not answer the question why
the JSW is ignored at that time. An untested hypothesis is that CSIGEN
has its own ideas about case conversion, although that sounds a bit
farfetched.
Any user comments that can shed light on these questions will be very
welcome!
��