AESFile Control

Properties   Methods   Events   Config Settings   Errors  

The AESFile control implements the AESF file format and uses the XTS-AES standard with 256-bit encryption.

Syntax

AESFile

Remarks

The AESFile component provides robust encryption capabilities to securely store and retrieve data using XTS-AES 256-bit encryption. This component implements the AESF file format, enabling developers to encrypt arbitrary data and serialize it in a standardized manner.

The first step in using the component is to set Password property. Specify the input data using InputFile or InputMessage. Next, call Encrypt and the component will encrypt the input data and populate OutputMessage, or write to the file specified by OutputFile with the result.

To change the password of existing file encrypted in AESF format, or to encrypt a file under a different password call ChangePassword. To decrypt data, first set Password property. Specify the input data using InputFile or InputMessage. Next, call Decrypt and the component will compute the plaintext and populate OutputMessage or write to OutputFile with the result.

AES File Format

The AES file format used by AES Drive is documented below in detail. All algorithms used by AES Drive are standards and publicly documented.

Each encrypted file consists of a header and the encrypted contents. The header is 144 bytes in length and contains the AES file format version, a checksum of the header bytes, and the encrypted file-specific key and padding length. The original file data is encrypted using XTS-AES with file-specific keys that are derived from a master key for the drive.

4 bytes [0-3] AESF. This is a file signature value which indicates the file is formatted according to this specification.
1 byte [4] 0x01. This is the file format version. This documentation defines the format for version 1.
2 bytes [5-6] Build number of the application used to create the file. These two bytes represent a 16-bit integer holding the build number of AES Drive that created the file. This field is informational only. Byte 5 holds the high-order bits and byte 6 holds the low-order bits. To decode these bytes into the build number the following code may be used: int buildNumber = headerBytes[5] << 8 | headerBytes[6];
5 bytes [7-11] 0x00. Reserved for future use.
4 bytes [12-15] CRC32 checksum. The CRC32 checksum is calculated by first replacing these 4 bytes with 0x00 then computing the checksum over the 144 byte header. The resulting numeric value is converted into 4 bytes using the operation:

byte[] CRC32Bytes = new byte[4]; for (int i = 0; i < 4; i++) CRC32Bytes[i] = (byte)((CRC32Bytes >> (24 - 8 * i)) & 0xff);

16 bytes [16-31] Global salt value. The global salt value is a random value created when the drive is created and used when encrypting newly created files within the drive. It is used when deriving the key to decrypt the encrypted header portion. See the section below for details about the encrypted header portion.
16 bytes [32-47] File-specific salt value. The file-specific salt value is a random value created when the file is created. It is used when deriving the key to decrypt the encrypted header portion. See the section below for details about the encrypted header portion.
80 bytes [48-127] AES-GCM encrypted header portion. The steps to derive the key to decrypt the encrypted header portion are as follows:
  • First use PBKDF2 with the following settings:
    • HMACSHA512 algorithm
    • 50,000 iterations
    • Salt is the 16 byte global salt value read from the header
    • Password is the original encryption password
    • Derived key length of 32 bytes
  • Combine the 16 byte file-specific salt with the 32 byte derived key to obtain a byte array of length 48. The first 16 bytes are the file-specific salt read from the file header. The last 32 bytes are the value derived from the PBKDF process above.
  • Compute the SHA512 hash over the 48 byte value from the above step.
  • The first 32 bytes of the hashed bytes are the AES-GCM key. The next 12 bytes are the AES-GCM IV. The remaining 20 bytes are unused.

The derived Key and IV are used together with the AES-GCM Auth Tag which are the last 16 bytes of the 144 byte header to AES-GCM decrypt the 80 byte encrypted header portion. The decrypted header portion contains:

2 bytes Padding length. The padding length is represented in Big Endian and may be converted from bytes to an integer using the following operation: PaddingLen = (decryptedHeaderBytes[0] << 8) + decryptedHeaderBytes[1];
14 bytes 0x00. Reserved. These bytes are all defined as 0x00.
64 bytes File-specific XTS-AES 256 encryption keys.

16 bytes [128-143] AES-GCM auth tag. This auth tag is used when decrypting the previous 80 byte encrypted header portion.
nn bytes The XTS-AES 256 encrypted file content. The data unit size is 512 bytes. The first 32 bytes of the file-specific encryption key from the decrypted header is the first key. The last 32 bytes of the file-specific encryption key from the decrypted header is the second key.
512 bytes

The last 512 bytes of the encrypted file contain encrypted padding bytes and additional unencrypted random bytes.

When encrypting, the last plaintext block of data may be padded with random bytes as needed to reach 512 bytes in length (the data unit size). The padding length is encrypted and stored in the encrypted header portion. Once the data is encrypted additional random bytes are appended to the end of the encrypted file so that the padding bytes plus additional random bytes together are 512 bytes in length.

For instance if the padding is 100 bytes in length, then 412 additional bytes will be appended to the encrypted data to reach a total of 512 bytes. This scheme allows applications to easily determine the length of the decrypted file without having to first decrypt the encrypted header portion to obtain the padding length. The decrypted file length can be computed like so: long decryptedFileLength = encryptedFileLength - 144 - 512. //Subtract 144 for the header length //Subtract 512 for the combination of padding bytes and additional random bytes

When decrypting, the padding length is determined from the encrypted header. The number of additional random bytes is 512 minus the padding length. The additional random bytes are discarded before using XTS-AES to decrypt the file content. After decrypting the file content, the padding bytes in the decrypted content are discarded.

// structure of the end of the encrypted file [512 bytes] | -------------------------------------------------- | | encrypted_content | encrypted_padding_bytes | additional_random_bytes

Property List


The following is the full list of the properties of the control with short descriptions. Click on the links for further details.

GlobalSaltThe additional random data to compute encryption keys.
InputFileThe file to process.
InputMessageThe message to process.
OutputFileThe output file when encrypting or decrypting.
OutputMessageThe output message after processing.
OverwriteIndicates whether or not the control should overwrite files.
PasswordThe password to be used to calculate encryption and decryption keys.
SaltThe additional random data included in the file header.
VersionThe AESF file format version number.

Method List


The following is the full list of the methods of the control with short descriptions. Click on the links for further details.

ChangePasswordChanges the password for the specified file.
ConfigSets or retrieves a configuration setting.
DecryptDecrypts the data.
EncryptEncrypts the data.
ResetResets the control.

Event List


The following is the full list of the events fired by the control with short descriptions. Click on the links for further details.

ErrorFired when information is available about errors during data delivery.
LogFires with log information during processing.
ProgressFired as progress is made.

Config Settings


The following is a list of config settings for the control with short descriptions. Click on the links for further details.

BuildNumberThe build number of the encrypted data.
LogLevelSpecifies the level of detail that is logged.
WriteToProgressEventWhether to write output data so it is accessible from inside the progress event.
CodePageThe system code page used for Unicode to Multibyte translations.
MaskSensitiveDataWhether sensitive data is masked in log messages.
UseInternalSecurityAPIWhether or not to use the system security libraries or an internal implementation.

GlobalSalt Property (AESFile Control)

The additional random data to compute encryption keys.

Syntax

aesfilecontrol.GlobalSalt[=string]

Default Value

""

Remarks

This is an optional property and will be populated when Decrypt is called. When this property is set, it will provide additional randomness to encryption. The length of the salt must be 16 bytes.

The global salt will be used during generation of a key and IV. It can optionally be set before calling the Encrypt method. It is recommended to use a unique and randomly generated value. If it is not set, then the control will generate a value automatically.

To read or write binary data to the property, a Variant (Byte Array) version is provided in .GlobalSaltB.

Data Type

Binary String

InputFile Property (AESFile Control)

The file to process.

Syntax

aesfilecontrol.InputFile[=string]

Default Value

""

Remarks

This property specifies the file to be processed. Set this property to the full or relative path to the file which will be processed.

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

Data Type

String

InputMessage Property (AESFile Control)

The message to process.

Syntax

aesfilecontrol.InputMessage[=string]

Default Value

""

Remarks

This property specifies the message to be processed.

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

To read or write binary data to the property, a Variant (Byte Array) version is provided in .InputMessageB.

Data Type

Binary String

OutputFile Property (AESFile Control)

The output file when encrypting or decrypting.

Syntax

aesfilecontrol.OutputFile[=string]

Default Value

""

Remarks

This property specifies the file to which the output will be written when Encrypt or Decrypt is called. This may be set to an absolute or relative path.

This property is only applicable to Encrypt and Decrypt.

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

  • OutputFile
  • OutputMessage: The output data is written to this property if no other destination is specified.

Data Type

String

OutputMessage Property (AESFile Control)

The output message after processing.

Syntax

aesfilecontrol.OutputMessage

Default Value

""

Remarks

This property will be populated with the output from the operation if OutputFile is not set.

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

  • OutputFile
  • OutputMessage: The output data is written to this property if no other destination is specified.

To read or write binary data to the property, a Variant (Byte Array) version is provided in .OutputMessageB.

This property is read-only and not available at design time.

Data Type

Binary String

Overwrite Property (AESFile Control)

Indicates whether or not the control should overwrite files.

Syntax

aesfilecontrol.Overwrite[=boolean]

Default Value

False

Remarks

This property indicates whether or not the control will overwrite OutputFile. If Overwrite is False, an error will be thrown whenever OutputFile exists before an operation. The default value is False.

Data Type

Boolean

Password Property (AESFile Control)

The password to be used to calculate encryption and decryption keys.

Syntax

aesfilecontrol.Password[=string]

Default Value

""

Remarks

When this property is set the control will use PBKDF2 to derive an XTS master key. This must be set before calling Encrypt or Decrypt.

While there are no strict format or length requirements, it is recommended to use complex passwords. Once set, the password is transformed and never held in plaintext in memory.

Data Type

String

Salt Property (AESFile Control)

The additional random data included in the file header.

Syntax

aesfilecontrol.Salt[=string]

Default Value

""

Remarks

This property is optional and will be populated when Decrypt is called. When this property is set it will provide additional randomness to encryption at the file level. The length of the salt must be 16 bytes.

The salt will be used within each file as input to encryption. It can optionally be set before calling the Encrypt method. It is recommended to use a unique and randomly generated value. If it is not set, then the control will generate a value automatically.

To read or write binary data to the property, a Variant (Byte Array) version is provided in .SaltB.

Data Type

Binary String

Version Property (AESFile Control)

The AESF file format version number.

Syntax

aesfilecontrol.Version[=integer]

Default Value

1

Remarks

This property will be populated when Decrypt is called. Possible values are:

1 (v1 - Default)

Data Type

Integer

ChangePassword Method (AESFile Control)

Changes the password for the specified file.

Syntax

aesfilecontrol.ChangePassword Path, OldPassword, NewPassword

Remarks

ChangePassword is optional and allows you to update the password used to encrypt an AESF file. This securely changes the password, ensuring that the file remains protected with the new password.

Config Method (AESFile Control)

Sets or retrieves a configuration setting.

Syntax

aesfilecontrol.Config ConfigurationString

Remarks

Config is a generic method available in every control. It is used to set and retrieve configuration settings for the control.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the control, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

Decrypt Method (AESFile Control)

Decrypts the data.

Syntax

aesfilecontrol.Decrypt 

Remarks

This method will decrypt the specified data. The Password property is required.

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

Encrypt Method (AESFile Control)

Encrypts the data.

Syntax

aesfilecontrol.Encrypt 

Remarks

This method will encrypt the specified data. The following properties are applicable:

Input and Output Properties

The control will determine the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

When a valid source is found, the search stops. The order in which the output properties are checked is as follows:

Reset Method (AESFile Control)

Resets the control.

Syntax

aesfilecontrol.Reset 

Remarks

When called, the control will reset all of its properties to their default values.

Error Event (AESFile Control)

Fired when information is available about errors during data delivery.

Syntax

Sub aesfilecontrol_Error(ErrorCode As Integer, Description As String)

Remarks

The Error event is fired in case of exceptional conditions during message processing. Normally the control fails with an error.

The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Log Event (AESFile Control)

Fires with log information during processing.

Syntax

Sub aesfilecontrol_Log(LogLevel As Integer, Message As String, LogType As String)

Remarks

This event fires during processing with log information. The level of detail that is logged is controlled via the LogLevel.

LogLevel indicates the level of message. Possible values are:

0 (None) No events are logged.
1 (Info - default) Informational events are logged.
2 (Verbose) Detailed data is logged.
3 (Debug) Debug data is logged.

LogMessage is the log entry.

LogType indicates the type of log. Possible values are:

  • "INFO"
  • "ENCRYPT"
  • "COMPRESS"
  • "SIGN"
  • "DECRYPT"
  • "DECOMPRESS"
  • "VERIFY"
  • "DEBUG"

Progress Event (AESFile Control)

Fired as progress is made.

Syntax

Sub aesfilecontrol_Progress(Data As String, Filename As String, BytesProcessed As Long64, PercentProcessed As Integer)

Remarks

This event is fired automatically as data is encrypted or decrypted by the control. When WriteToProgressEvent is true, the output data is provided through the Data parameter, allowing for it to be streamed out.

Filename contains the name of the file being written. If no file is being written, Filename will contain an empty string, and the output data will be provided exclusively through this event.

The PercentProcessed parameter indicates the current status of the operation.

The BytesProcessed parameter holds the total number of bytes processed so far.

Config Settings (AESFile Control)

The control accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the control, access to these internal properties is provided through the Config method.

AESFile Config Settings

BuildNumber:   The build number of the encrypted data.

This property will be populated when Decrypt is called, and will be set to the current component build number when Encrypt is called. This configuration setting is read-only.

LogLevel:   Specifies the level of detail that is logged.

This setting controls the level of detail that is logged through the Status event. Possible values are:

0 (None)No events are logged.
1 (Info - default)Informational events are logged.
2 (Verbose)Detailed data is logged.
3 (Debug)Debug data is logged.
WriteToProgressEvent:   Whether to write output data so it is accessible from inside the progress event.

When set to True this setting allows output data to be obtained from within the Progress event. event.

By default, this config is set to false.

Base Config Settings

CodePage:   The system code page used for Unicode to Multibyte translations.

The default code page is Unicode UTF-8 (65001).

The following is a list of valid code page identifiers:

IdentifierName
037IBM EBCDIC - U.S./Canada
437OEM - United States
500IBM EBCDIC - International
708Arabic - ASMO 708
709Arabic - ASMO 449+, BCON V4
710Arabic - Transparent Arabic
720Arabic - Transparent ASMO
737OEM - Greek (formerly 437G)
775OEM - Baltic
850OEM - Multilingual Latin I
852OEM - Latin II
855OEM - Cyrillic (primarily Russian)
857OEM - Turkish
858OEM - Multilingual Latin I + Euro symbol
860OEM - Portuguese
861OEM - Icelandic
862OEM - Hebrew
863OEM - Canadian-French
864OEM - Arabic
865OEM - Nordic
866OEM - Russian
869OEM - Modern Greek
870IBM EBCDIC - Multilingual/ROECE (Latin-2)
874ANSI/OEM - Thai (same as 28605, ISO 8859-15)
875IBM EBCDIC - Modern Greek
932ANSI/OEM - Japanese, Shift-JIS
936ANSI/OEM - Simplified Chinese (PRC, Singapore)
949ANSI/OEM - Korean (Unified Hangul Code)
950ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC)
1026IBM EBCDIC - Turkish (Latin-5)
1047IBM EBCDIC - Latin 1/Open System
1140IBM EBCDIC - U.S./Canada (037 + Euro symbol)
1141IBM EBCDIC - Germany (20273 + Euro symbol)
1142IBM EBCDIC - Denmark/Norway (20277 + Euro symbol)
1143IBM EBCDIC - Finland/Sweden (20278 + Euro symbol)
1144IBM EBCDIC - Italy (20280 + Euro symbol)
1145IBM EBCDIC - Latin America/Spain (20284 + Euro symbol)
1146IBM EBCDIC - United Kingdom (20285 + Euro symbol)
1147IBM EBCDIC - France (20297 + Euro symbol)
1148IBM EBCDIC - International (500 + Euro symbol)
1149IBM EBCDIC - Icelandic (20871 + Euro symbol)
1200Unicode UCS-2 Little-Endian (BMP of ISO 10646)
1201Unicode UCS-2 Big-Endian
1250ANSI - Central European
1251ANSI - Cyrillic
1252ANSI - Latin I
1253ANSI - Greek
1254ANSI - Turkish
1255ANSI - Hebrew
1256ANSI - Arabic
1257ANSI - Baltic
1258ANSI/OEM - Vietnamese
1361Korean (Johab)
10000MAC - Roman
10001MAC - Japanese
10002MAC - Traditional Chinese (Big5)
10003MAC - Korean
10004MAC - Arabic
10005MAC - Hebrew
10006MAC - Greek I
10007MAC - Cyrillic
10008MAC - Simplified Chinese (GB 2312)
10010MAC - Romania
10017MAC - Ukraine
10021MAC - Thai
10029MAC - Latin II
10079MAC - Icelandic
10081MAC - Turkish
10082MAC - Croatia
12000Unicode UCS-4 Little-Endian
12001Unicode UCS-4 Big-Endian
20000CNS - Taiwan
20001TCA - Taiwan
20002Eten - Taiwan
20003IBM5550 - Taiwan
20004TeleText - Taiwan
20005Wang - Taiwan
20105IA5 IRV International Alphabet No. 5 (7-bit)
20106IA5 German (7-bit)
20107IA5 Swedish (7-bit)
20108IA5 Norwegian (7-bit)
20127US-ASCII (7-bit)
20261T.61
20269ISO 6937 Non-Spacing Accent
20273IBM EBCDIC - Germany
20277IBM EBCDIC - Denmark/Norway
20278IBM EBCDIC - Finland/Sweden
20280IBM EBCDIC - Italy
20284IBM EBCDIC - Latin America/Spain
20285IBM EBCDIC - United Kingdom
20290IBM EBCDIC - Japanese Katakana Extended
20297IBM EBCDIC - France
20420IBM EBCDIC - Arabic
20423IBM EBCDIC - Greek
20424IBM EBCDIC - Hebrew
20833IBM EBCDIC - Korean Extended
20838IBM EBCDIC - Thai
20866Russian - KOI8-R
20871IBM EBCDIC - Icelandic
20880IBM EBCDIC - Cyrillic (Russian)
20905IBM EBCDIC - Turkish
20924IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol)
20932JIS X 0208-1990 & 0121-1990
20936Simplified Chinese (GB2312)
21025IBM EBCDIC - Cyrillic (Serbian, Bulgarian)
21027Extended Alpha Lowercase
21866Ukrainian (KOI8-U)
28591ISO 8859-1 Latin I
28592ISO 8859-2 Central Europe
28593ISO 8859-3 Latin 3
28594ISO 8859-4 Baltic
28595ISO 8859-5 Cyrillic
28596ISO 8859-6 Arabic
28597ISO 8859-7 Greek
28598ISO 8859-8 Hebrew
28599ISO 8859-9 Latin 5
28605ISO 8859-15 Latin 9
29001Europa 3
38598ISO 8859-8 Hebrew
50220ISO 2022 Japanese with no halfwidth Katakana
50221ISO 2022 Japanese with halfwidth Katakana
50222ISO 2022 Japanese JIS X 0201-1989
50225ISO 2022 Korean
50227ISO 2022 Simplified Chinese
50229ISO 2022 Traditional Chinese
50930Japanese (Katakana) Extended
50931US/Canada and Japanese
50933Korean Extended and Korean
50935Simplified Chinese Extended and Simplified Chinese
50936Simplified Chinese
50937US/Canada and Traditional Chinese
50939Japanese (Latin) Extended and Japanese
51932EUC - Japanese
51936EUC - Simplified Chinese
51949EUC - Korean
51950EUC - Traditional Chinese
52936HZ-GB2312 Simplified Chinese
54936Windows XP: GB18030 Simplified Chinese (4 Byte)
57002ISCII Devanagari
57003ISCII Bengali
57004ISCII Tamil
57005ISCII Telugu
57006ISCII Assamese
57007ISCII Oriya
57008ISCII Kannada
57009ISCII Malayalam
57010ISCII Gujarati
57011ISCII Punjabi
65000Unicode UTF-7
65001Unicode UTF-8
The following is a list of valid code page identifiers for Mac OS only:
IdentifierName
1ASCII
2NEXTSTEP
3JapaneseEUC
4UTF8
5ISOLatin1
6Symbol
7NonLossyASCII
8ShiftJIS
9ISOLatin2
10Unicode
11WindowsCP1251
12WindowsCP1252
13WindowsCP1253
14WindowsCP1254
15WindowsCP1250
21ISO2022JP
30MacOSRoman
10UTF16String
0x90000100UTF16BigEndian
0x94000100UTF16LittleEndian
0x8c000100UTF32String
0x98000100UTF32BigEndian
0x9c000100UTF32LittleEndian
65536Proprietary

MaskSensitiveData:   Whether sensitive data is masked in log messages.

In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to to mask sensitive data. The default is .

This setting only works on these controls: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.

UseInternalSecurityAPI:   Whether or not to use the system security libraries or an internal implementation.

When set to , the control will use the system security libraries by default to perform cryptographic functions where applicable.

Setting this configuration setting to tells the control to use the internal implementation instead of using the system security libraries.

This setting is set to by default on all platforms.

Trappable Errors (AESFile Control)

AESFile Errors

20106    An invalid parameter was specified.
20112    Overwrite is false and the destination already exists.
20113    No input was specified.
20116    Invalid password.
20117    No password was specified.
20203    The input file is not valid AESF format.
20304    Cannot open file.
20305    Cannot write file.
20306    Cannot read file.
20307    Cannot create file.