2015 Articles

Security SDK that allows Multiple User Access for Encrypted Files and ensuring a file maintains integrity when encrypted

We have implemented a system which will provide functionality to manage multiple users, split into multiple groups, across one or more deployments and easily manage their access to encrypted data throughout an organisation’s entire infrastructure of technology. The SDK is also quite unique in the way it provides group access to encrypted data – unlike anything else we have seen in the market to date.


Why Use it?

Data encrypted on a web server will be compatible with data encrypted on an IoT device all the way along an organisation’s infrastructure. We have now implemented the first version of the SDK in C for Windows Mobile and Windows. We have also implemented the first version as a C#.NET DLL which will be compatible across all Microsoft platforms. We are currently in development on our Android Java SDK.

The C SDK can quite easily be ported to an embedded C library for easy integration to IoT devices. It could also be ported to a C SDK for Linux, for the Android Kernel developers. The SDK is going to be a great tool for all software developers from front end web developers, desktop developers, mobile application developers all the way down to Kernel driver developers and even embedded C developers.


How does it work?

Group Level Encryption

When using the Digital Defence Encryption SDK, a file (or raw data) is encrypted using a cryptographic key which is (securely) stored on the device in an (encrypted) data structure. That structure is only readable by a user whose username is contained in the data structure’s stored list of allowed usernames.

Once the user has authenticated themselves, data is unlocked and decrypted. This provides access to the group data structure, but only if the authenticated user’s username is stored in the group’s list of group members. The group data structure contains the cryptographic key used to encrypt and decrypt data accessible only to members of the group. All of this group data structure access is encapsulated in a Group class, DdGroup, in the Digital Defence Encryption SDK.

The Digital Defence Encryption SDK provides an Encryption class, DdEncryption, which requires input of the unlocked group object before it will allow encryption and decryption.


Formatted Encryption

Formatted Encryption is a special type of encryption which maintains the format of data. This is known as Format Preserving Encryption. The Digital Defence Encryption SDK achieves this by performing some bit manipulations and then encrypting a resulting data buffer using standard AES encryption.

Within the SDK we provide a class, DdEncFormatPreserved, which allows the application developer to define a set of valid formats which are allowed in an input text value (for example). Currently it is designed so there must be a “power of 2” number of valid formats.

i.e. 2, 4, 8, 16, 32 etc.

When new data is written by the application, the input text value is examined to determine where each element sits in the array of valid formats. Once this has been done, each character is converted to its index. If, for example, there are 16 valid formats, then the index could be anything from 0 to 15, and we represent that as a 4-bit value within the SDK.

The outcome of all this data manipulation is a list of many 4-bit values which are packed together into a collection of 8-bit bytes.

Finally, the resulting byte array is encrypted using normal AES encryption before the reverse is performed to get the resulting encrypted text value.
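The index, pack, encrypt and reverse steps described above, as an added Python example that is not the SDK's code: `pack`, `unpack`, `keystream` and `transform` are hypothetical names, and the key and tweak are constructed sample values. Python's standard library has no AES, so an HMAC-SHA256 counter keystream stands in for AES in a length-preserving mode (the page does not say which AES mode the SDK uses).

```python
import hashlib
import hmac

HEX = "0123456789ABCDEF"  # 16 valid formats -> 4-bit indices (the page's example)

def _bits(alphabet):
    """Bits per index; rejects alphabets whose size is not a power of 2."""
    n = len(alphabet)
    bits = (n - 1).bit_length()
    if n < 2 or 1 << bits != n:
        raise ValueError("alphabet size must be a power of 2")
    return bits

def pack(text, alphabet):
    """Replace each character by its index and pack the indices into bytes."""
    bits, acc = _bits(alphabet), 0
    for ch in text:
        acc = (acc << bits) | alphabet.index(ch)  # ValueError if ch not allowed
    pad = -(bits * len(text)) % 8                 # zero bits filling the last byte
    return (acc << pad).to_bytes((bits * len(text) + pad) // 8, "big")

def unpack(data, count, alphabet):
    """Reverse of pack(): read `count` indices and map them back to characters."""
    bits = _bits(alphabet)
    acc = int.from_bytes(data, "big") >> (-(bits * count) % 8)
    mask = len(alphabet) - 1
    return "".join(alphabet[(acc >> (bits * (count - 1 - i))) & mask]
                   for i in range(count))

def keystream(key, tweak, n):
    """Stand-in for AES in a length-preserving mode (HMAC-SHA256 counter)."""
    out = b""
    for counter in range((n + 31) // 32):
        block = tweak + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:n]

def transform(text, key, tweak, alphabet=HEX):
    """Encrypts and decrypts (XOR is its own inverse); output keeps the format."""
    data = pack(text, alphabet)
    mixed = bytes(a ^ b for a, b in zip(data, keystream(key, tweak, len(data))))
    return unpack(mixed, len(text), alphabet)

if __name__ == "__main__":
    key, tweak = b"constructed-sample-key", b"field:serial"  # constructed values
    ct = transform("DEADBEEF01", key, tweak)
    print(ct, transform(ct, key, tweak))
```

Because the alphabet size is a power of 2, every bit pattern the cipher produces is a valid index, which is why the output always stays within the allowed characters. With an XOR keystream, the same (key, tweak) pair must never be used for two different values.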

The Digital Defence Encryption SDK implements special cases of this Formatted Encryption to provide methods in the DdEncryption class to encrypt Digit-only Text Values {0-9}*, Hex-digit-only Text Values {0-9,A-F}*, or Printable-only Text Values.


What is the application of our SDK?

The SDK is going to be a great tool for software developers from front end web developers to desktop developers to mobile application developers all the way down to Kernel driver developers and even embedded C developers.

We have designed an encryption system which will encrypt data to maintain the integrity of its format. This means an email address can be encrypted to another text value which is still a valid email address. A phone number can be encrypted to another phone number etc.

This, as an example, will enable database integration of encrypted data accessible to a range of user types which would yield significant benefits.


What are the benefits?

Using a familiar developer interface across multiple development platforms/environments, the Digital Defence Encryption SDK can be quickly integrated to provide:-

  • Fast secure data encryption across an organisation’s entire technology infrastructure, such as web servers, laptops, mobile devices, and IoT devices.
  • Conformance to the FIPS 140-2 standard, ensuring highly secure protection.
  • Highly granular customisation of access for specific users and groups of users.
  • Ability to maintain the format of information, e.g. phone numbers can still appear as phone numbers (but they’re encrypted!).
  • Ability to encrypt and decrypt information in real-time providing seamless access to encrypted files and databases.
  • Ability to recover any encrypted data if the deployment and group (secret) information for that encrypted data is known.


If you have any questions or require further information, please do not hesitate to contact us on 01604 521108 or via email to Heinrich@digital-defence.com