19.2.2011 superwj5 on LockandLoad:

Hi, today I've released a primitive version of the Encryption and Hashing class library along with a test project. Soon, I 
will be adding documentation, then the generation of key files and such and their verification. Hope you like it!

And yes, I've been thinking about the storage of the keys and such and have come up with a model I would implement in the 
application (or perhaps credential provider?). As most of you know, many security systems use salts, just as the model 
below:



Salt______________________________________
                                          \
                                           \
                                            \
                                             \
                                              \
                                               \
                                                \
                                                 \
                                                  \
                                                   \
                                                   Final Hash
                                                   /
                                                  /
                                                 / 
                                                /
                                               /
                                              /
                                             /
                                            /
                                           /
User Credentials__________________________/



Well, I do not want to store any component twice, nor do I want to directly store the User Credentials, which would ruin 
the entire point of storing hashes. I must place the Final Hash on the computer, and if I put the Salt on the computer there 
is no way you can validate any Removable Device. If you place the Salt on the Removable Device and the user loses the key
and needs to enter the User Credentials to access the system again, he would need the key, which he has already lost.
Therefore, I came up with the following model, where the extra object I will call "Sugar" for the meantime, in 
correspondence to Salt:



Salt______________________________________
                                          \
                                           \
                                            \
                                             \
                                              \
                                               \
                                                \
                                                 \
                                                  \
                                                   \
                                                   Final Hash
Sugar____________________                          /
                         \                        /
                          \                      /
                           \                    / 
                            \                  /
                            Sugar Hash________/
                            /
                           /
                          /
                         /
User Credentials________/



The Salt, Sugar, and Final Hash will be stored on the computer, and the Sugar Hash will be stored on the key. When the 
user inserts the key, the application (or perhaps credential provider?) would take the Sugar Hash stored on the key and 
calculate its hash with the Salt as a key, then verify it against the Final Hash. If the user loses the key, the user may enter 
his credentials and, using the Sugar as a key, the Sugar Hash would be calculated, which is then hashed with the 
Salt to obtain and verify the Final Hash.

Well, that's it for now and have a good time! :)
Source: readme.txt, updated 2011-02-19
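
The Salt / Sugar / Final Hash model described in the readme, as an added example (not code from the LockandLoad library). It assumes HMAC-SHA256 for "hash with X as a key"; the function names and the dictionary layout of the two stores are hypothetical.

```python
import hashlib
import hmac
import secrets


def keyed_hash(key: bytes, message: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the readme's "hash with X as a key".
    return hmac.new(key, message, hashlib.sha256).digest()


def enroll(credentials: bytes):
    """Build what is stored on the computer and what is stored on the key."""
    salt = secrets.token_bytes(32)
    sugar = secrets.token_bytes(32)
    sugar_hash = keyed_hash(sugar, credentials)   # Sugar + User Credentials
    final_hash = keyed_hash(salt, sugar_hash)     # Salt + Sugar Hash
    # The credentials themselves are never stored, and no value is stored twice.
    computer_store = {"salt": salt, "sugar": sugar, "final_hash": final_hash}
    key_store = {"sugar_hash": sugar_hash}
    return computer_store, key_store


def verify_with_key(computer_store: dict, key_store: dict) -> bool:
    """Removable device path: only the Salt and the Final Hash are needed."""
    candidate = keyed_hash(computer_store["salt"], key_store["sugar_hash"])
    return hmac.compare_digest(candidate, computer_store["final_hash"])


def verify_with_credentials(computer_store: dict, credentials: bytes) -> bool:
    """Lost-key path: rebuild the Sugar Hash from the typed credentials."""
    sugar_hash = keyed_hash(computer_store["sugar"], credentials)
    candidate = keyed_hash(computer_store["salt"], sugar_hash)
    return hmac.compare_digest(candidate, computer_store["final_hash"])


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    computer, usb_key = enroll(b"constructed-sample-passphrase")
    print("key accepted:", verify_with_key(computer, usb_key))
    print("credentials accepted:",
          verify_with_credentials(computer, b"constructed-sample-passphrase"))
    print("wrong credentials accepted:",
          verify_with_credentials(computer, b"wrong-passphrase"))
```

In this model the Sugar Hash on the key passes verification on its own, so the key has to be protected like the credentials themselves. Because the Salt, Sugar and Final Hash all sit on the computer, replacing the first keyed hash with a slow key-derivation function would raise the cost of guessing credentials offline.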