    An AES Encrypting Registry Class



    Introduction

    The CAESEncRegKey class addresses the occasional problem of securely saving data to the Registry. This article presents Yet Another Registry Class that uses AES to encrypt data.

    Currently, there are three FIPS-approved symmetric encryption algorithms: AES, Triple DES, and Skipjack. The class presented uses AES (the Advanced Encryption Standard) in CBC mode.

    Note: On May 19, 2005, DES (FIPS 46-3) was withdrawn, and is no longer approved for Federal use.

    The underlying Cryptographic library is Wei Dai's Crypto++. If required, Crypto++ is FIPS 140-2 conformant. Using the conformant version of the library requires the programmer to load the library as a DLL.

    Other cryptographic libraries exist, such as Peter Gutmann's Cryptlib. The reader is encouraged to modify the program presented in this article to include other libraries.

    Background

    Windows maintains a secure area of the Registry called the SAM (Security Accounts Manager). Users, administrators, and programmers are generally not permitted access to this area of the Registry directly. One must use API functions such as the LSA family, or tools such as User Manager for Domains or Active Directory Users and Computers.

    To securely save data to the Registry (but not the SAM), a programmer can use CAESEncRegKey. However, there are a few limitations that one must observe when using the Registry. The most important for the purposes of this article is keeping binary data (value type REG_BINARY) at or below 2048 bytes. See Microsoft's Registry Element Size Limit in MSDN.
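The size limit interacts with CBC padding, so the following added example (not code from the article or its downloads) works out how much plaintext fits in one value. It assumes PKCS#7 padding and uses hypothetical names throughout; the `prependIv` layout is also an assumption, since the article does not say where the IV is stored.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<std::uint8_t>;
constexpr std::size_t kAesBlock = 16;          // AES block size in bytes
constexpr std::size_t kRegBinaryLimit = 2048;  // REG_BINARY ceiling cited in the article

// PKCS#7 (assumed padding): always append 1..16 bytes, each equal to the pad length.
Bytes Pkcs7Pad(const Bytes& plain) {
    const std::size_t pad = kAesBlock - (plain.size() % kAesBlock);
    Bytes out(plain);
    out.insert(out.end(), pad, static_cast<std::uint8_t>(pad));
    return out;
}

// Strict unpad: returns false for any buffer that is not well-formed padding.
bool Pkcs7Unpad(const Bytes& padded, Bytes& out) {
    if (padded.empty() || padded.size() % kAesBlock != 0) return false;
    const std::size_t pad = padded.back();
    if (pad == 0 || pad > kAesBlock) return false;
    for (std::size_t i = padded.size() - pad; i < padded.size(); ++i)
        if (padded[i] != pad) return false;
    out.assign(padded.begin(), padded.end() - static_cast<std::ptrdiff_t>(pad));
    return true;
}

// Bytes written to the Registry value: CBC ciphertext is as long as the padded
// plaintext; prependIv models a hypothetical layout that stores the IV in front.
std::size_t StoredBlobSize(std::size_t plainLen, bool prependIv) {
    const std::size_t cipherLen = (plainLen / kAesBlock + 1) * kAesBlock;
    return cipherLen + (prependIv ? kAesBlock : 0);
}

bool FitsRegBinary(std::size_t plainLen, bool prependIv) {
    return StoredBlobSize(plainLen, prependIv) <= kRegBinaryLimit;
}

// Largest plaintext that fits: whole blocks available, minus the mandatory pad byte.
std::size_t MaxPlaintextLen(bool prependIv) {
    const std::size_t room = kRegBinaryLimit - (prependIv ? kAesBlock : 0);
    return (room / kAesBlock) * kAesBlock - 1;
}

int main() {
    Bytes secret(2040, 0x41);  // constructed sample plaintext
    return FitsRegBinary(secret.size(), false) &&
           Pkcs7Pad(secret).size() == StoredBlobSize(secret.size(), false) ? 0 : 1;
}
```

A plaintext that is already a multiple of 16 bytes still gains a full padding block, which is why 2048 bytes of plaintext does not fit in a 2048-byte value.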

    Downloads

    This article includes four downloads:

    • GUI demo
    • CLI demo
    • Source Code
    • Key and IV Generator Program

    The GUI demo is a release build demonstration that exercises the CAESEncRegKey class. The CLI (command line) demo is an AES proof of concept using the Crypto++ library. It simply demonstrates the Crypto++ AES Encryption/Decryption process.

    The Key and IV Generator program uses the Crypto++ AutoSeededRandomPool PRNG to create pseudorandom values for the key and IV.

    Compiling and Integrating Crypto++ into the Microsoft Visual C++ Environment

    Please see the related article, Compiling and Integrating Crypto++ into the Microsoft Visual C++ Environment.

    About the Author

    In the past, I have worked as an IT consultant for County Government (Anne Arundel County), the Nuclear Energy Institute, the Treasury Department, and Social Security Administration as a Network Engineer and System Administrator. Primary Administration experience includes Microsoft Windows and Novell Netware, with additional exposure and familiarity with Mac and Linux OSes. Previous to the US government, I was a programmer for a small business using Microsoft Visual Languages (Basic 5.0, 6.0, and C++ 5.0, 6.0) and Scripting Languages. An undergraduate degree (BS in Computer Science) was obtained from University of Maryland, Baltimore County. Graduate work includes a Masters of Science (Computer Science) from Johns Hopkins University (expected before 2009). Training and Certifications include Microsoft, Checkpoint, and Cisco.

    Downloads

  • AESEncRegKey_CLI_demo.zip
  • AESEncRegKey_demo.zip
  • AESEncRegKey_src.zip
  • KeyAndIVGen.zip
