.PAPER SIZE 55,60 .SPACING 1 .TITLE ^^DATA BASE ENCRYPTION TOOL\\ .CENTER ^^VIRTUAL ENCRYPTED DISK FACILITY\\ .SKIP 10 .LEFT MARGIN 10 .RIGHT MARGIN 50 .PARAGRAPH ^T\\HIS HANDLER, KNOWN AS ^^VDDRV\\ HEREIN, IS A TASK RUNNING ON THE ^^RSX11D/IAS\\ OPERATING SYSTEMS ON ^^DEC PDP-11\\ ^^CPU\\'S WHICH WILL PERMIT DATA TO BE STORED ON PUBLIC STORAGE IN ENCRYPTED AND SECURE FORM WITH ACCESS RESTRICTED TO CERTAIN USER-DEFINED ACCOUNTS. ^THE ENCRYPTION KEY IS NEVER STORED ON DISK AND MUST BE KNOWN TO ENABLE ANY DATA ACCESS. ^NO MODIFICATIONS TO USER SOFTWARE ARE REQUIRED TO ALLOW EXISTING DATA-HANDLING SOFTWARE PACKAGES TO USE ENCRYPTED DATA; THE HANDLER WILL PERFECTLY EMULATE A ^^FILES-11\\ DISK, PERMITTING ANY INFORMATION TO BE STORED AS DESIRED IN ENCRYPTED FORM. .LEFT MARGIN 5 .RIGHT MARGIN 55 .PAGE .CENTER ^^INTRODUCTION\\ .PARAGRAPH ^THE ^^VDDRV\\ HANDLER ACTS AS A MULTI-UNIT DISK NAMED ^^VD:\\ (UNITS ^^VD0:\\ THROUGH ^^VD\\N: WHERE N IS USER SPECIFIED). ^THIS "DISK" MUST BE MOUNTED AND MUST HAVE AN ^ANCILLARY ^CONTROL ^PROCESSOR TASK (^^ACP\\) DIFFERENT FROM THAT USED FOR THE SYSTEM DISK (USUALLY ^^F11ACP\\) FOR FILE ACCESS. ^IT MAY BE TREATED AS A SINGLE OR MULTIPLE DIRECTORY DEVICE AT USER OPTION AND DEPENDING ON ITS SIZE, AND IN OTHER WAYS ACTS AS ANY NORMAL DISK. ^HOWEVER, IT DOES ALL ^I/^O TO FILES ON THE SYSTEM DISK RATHER THAN OPERATING ANY SPECIAL HARDWARE, ENCRYPTING ALL DATA WRITTEN PRIOR TO WRITING AND DECRYPTING IT ON READING. ^THE FILES ARE NEVER EXTENDED, SO WHEN THE DISK IS SELECTED, THE TOTAL SPACE ALLOCATION IS ALSO SPECIFIED. ^IT IS POSSIBLE TO READ AND WRITE DATA WITHOUT ENCRYPTION IF ONLY THIS SPACE ALLOCATION FEATURE IS DESIRED. ^WHERE ENCRYPTION IS WANTED, THE HANDLER WILL ENCRYPT EVERYTHING IT WRITES TO THE FILE. THIS PROVIDES A BIT OF ISOLATION FROM FAILURES BY MAKING THE ACTUAL SPACE ALLOCATION ON THE PHYSICAL DISK UNENCRYPTED. 
THE BITMAPS AND DIRECTORIES ON THE VIRTUAL DISK ARE OF COURSE ALSO ENCODED, SO THE USER WHO HAS NO ACCESS TO THE ENCRYPTION KEY CANNOT AT ANY TIME FIGURE OUT WHAT IS ON THE FILE, MUCH LESS ALTER IT. THIS GUARANTEES AGAINST TAMPERING WITH SENSITIVE FILES WHILE A FACILITY IS IN USE AFTER HOURS, PROVIDED THAT ADEQUATE SECURITY PREVAILS DURING THE TIME THE HANDLER IS LOADED AND RUNNING FOR LEGITIMATE PURPOSES. ^PRIVILEGE TESTS IN THE HANDLER PROVIDE SECURITY WHILE IT IS RUNNING, THOUGH IN THE ABSENCE OF HUMAN MONITORING OF A FACILITY, IT IS DOUBTFUL THE SYSTEM CAN BE SECURED AGAINST A WELL-INFORMED SYSTEMS PROGRAMMER. ^ALL THIS CAN DO IS MAKE UNAUTHORIZED DATA MODIFICATIONS DIFFICULT. .PARAGRAPH ^THE SECURITY AVAILABLE IS THE FOLLOWING: .PARAGRAPH 1. ^DATA IS ENCRYPTED ON THE FILE CONTAINING A DISK DATA BASE, SO THAT IN ORDER TO EXTRACT IT, A USER MUST NOT ONLY BE ABLE TO DECODE THE ^^FILES-11\\ BITMAPS, HEADERS, DIRECTORIES, ETC. ON THE DISK (NO MEAN JOB), BUT MUST DO SO AFTER BREAKING THE CIPHER USED TO ENCODE THE DATA. .PARAGRAPH 2. ^THE CIPHER KEY IS NEVER STORED ON DISK BY THE HANDLER, AND IS STORED INTERNALLY IN A FORM DIFFERENT FROM THAT IN WHICH IT WAS ENTERED, SO THAT EXAMINATION OF HANDLER CORE WHILE IT IS RUNNING WILL NOT READILY SHOW WHAT KEY TO ENTER TO DECODE THE DATA. .PARAGRAPH 3. ^THE FILES ARE OPENED AT HANDLER LOAD AND CLOSED AT HANDLER UNLOAD. ^THUS ONE MAY NOT DISMOUNT THE DISK ON WHICH THEY EXIST WITH THE HANDLER LOADED. ^THIS PREVENTS ANYONE FROM ^^SAV\\EING THE SYSTEM WITH THE HANDLER (AND A VALID PASSWORD) LOADED. ^ALSO, IF ANYONE SHOULD MANAGE TO SAVE THE SYSTEM AND BYPASS THIS RESTRICTION (AND YET NOT CORRUPT HIS FILE STRUCTURE!), THE HANDLER WILL ZERO ANY PASSWORDS AS SOON AS THE SYSTEM COMES UP, DESTROYING ALL INFORMATION BEFORE IT CAN BE USED. .PARAGRAPH 4. ^THE HANDLER CHECKS ACCESS ACCOUNTS AGAINST LISTS BUILT INTO IT PRIOR TO ALLOWING ANY ACCESS TO THE DATA. 
^AN INVALID ACCOUNT WILL NOT BE ALLOWED TO READ OR WRITE ANYTHING, REGARDLESS OF THE ^^FILES-11\\ PROTECTION OF THE DATA. ^A LIST OF ACCOUNTS AVAILABLE FOR ACCESS TO ALL PSEUDO DISKS, AND SEPARATE LISTS FOR EACH OF SEVERAL PSEUDO DISK UNITS, ARE PROVIDED FOR. ^THE HANDLER IS TASK-BUILT WITH THE PERMITTED ACCOUNTS ENTERED AS PATCHES. ^IN ADDITION, A USER-WRITTEN SUBROUTINE MAY BE PROVIDED TO DO FURTHER CHECKING AND ALLOW OR DENY ACCESS BASED ON SPECIAL PRIVILEGE BITS, TASK NAMES, OR OTHER PURPOSES, OR MAY BE USED TO LOG ATTEMPTS TO ACCESS THE FILE STRUCTURE. ^THIS ALLOWS EACH INSTALLATION COMPLETE FLEXIBILITY IN DECIDING ON WHAT BASIS IT WILL PERMIT ACCESS TO WHICH DATA. .BREAK .INDENT 5 ^AN UNCIPHERED DISK (PASSWORD = ????????????????) MAY BE READ BY ANY USER CONSISTENT WITH ^^RSX11D FILES-11\\ PROTECTION CODES. ^THE CHECKS IN ^^VDPRV\\ APPLY ONLY TO ENCRYPTED "DISKS". ^HOWEVER, THIS DEFAULT MAY BE OVER-RIDDEN BY A ^^TKB\\ PATCH TO THE BYTE ARRAY AT GLOBAL LABEL "^^CIPHPW\\". ^WHERE THE BYTE CORRESPONDING TO A PARTICULAR UNIT OF ^^VD:\\ IS 0, THE DEFAULT WILL APPLY AS ABOVE. ^IF THE BYTE IS 1, THE FULL SERIES OF ACCESS TESTS (INCLUDING ^^UIC\\ CHECKS AND THE ^^VDPRV\\ CALL) WILL BE PERFORMED FOR UNENCIPHERED USE. ^IF THE BYTE CONTAINS 2, THE ENCRYPTION/DECRYPTION ALGORITHM USED WILL BE A RELATIVELY SIMPLE AND FAST ONE WHEREVER THE DATA MUST BE ENCIPHERED. ^THIS WILL SUBSTANTIALLY SPEED UP THE HANDLER'S OPERATION WHERE THE DATA NEED NOT HAVE HIGH CRYPTOGRAPHIC SECURITY, BUT THE CIPHER CAN BE BROKEN RATHER EASILY. ^THE CIPHER/DECIPHER ALGORITHM IS A VARIANT OF THE ^DATA ^ENCRYPTION ^STANDARD ALGORITHM WHEN THE NORMAL DEFAULTS APPLY. ^SINCE THE CODING/DECODING IS DONE IN SOFTWARE, HOWEVER, IT IMPOSES A TIME PENALTY THAT AN INSTALLATION MAY WISH TO AVOID ON DATASETS THAT DO NOT REALLY REQUIRE IT. ^A 4 BIT SET IN THE ^^CIPHPW\\ BYTE FOR THE DRIVE WILL EFFECTIVELY TAKE IT OFF-LINE (DENY ALL ACCESS), AND A 10 (OCTAL) BIT WILL EFFECTIVELY BYPASS ACCESS RESTRICTIONS. 
^THESE BYTES MAY BE SET BY ENTERING AN APPROPRIATE EXTRA CHARACTER INTO THE KEY AT HANDLER LOAD TIME. ^NO PROVISION HAS BEEN MADE FOR DOUBLY ENCIPHERING THE DATA, SINCE THE ^^RSX/IAS\\ SYSTEM IS SUFFICIENTLY VULNERABLE TO EXAMINING A RUNNING HANDLER THAT THE EXTRA TIME PENALTY SEEMS EXCESSIVE UNDER ANY CONCEIVABLE CIRCUMSTANCES. .BREAK .INDENT 5 ^NOTE THAT WHERE THE HANDLER IS LOADED AND ONE OF THE VIRTUAL DRIVES IS NOT IN USE, THE CORRECT KEY NEED NOT BE ENTERED, THOUGH IT IS DESIRABLE TO ARRANGE FOR THE DRIVE TO BE PLACED SOFTWARE OFFLINE TO PREVENT ACCIDENTAL ATTEMPTS AT AN ^^INI\\TVOL FROM SUCCEEDING. ^A USER WILL OBSERVE THAT WHEN HE LACKS ACCESS RIGHTS, HE MAY MAKE DIRECTORY LISTINGS, BUT CANNOT ACCESS THE FILES ON A ^^VD:\\ UNIT. ^THIS IS BECAUSE THE ^^ACP\\ MAY ACCESS THE DISK EVEN THOUGH THE USER CALLING IT MAY NOT. .PARAGRAPH 5. ^THE DATA FILES THE HANDLER ACCESSES MAY BE PROTECTED AGAINST ALL ACCESS BUT THE OWNER. ^IF THE HANDLER IS BUILT WITH ^^UIC\\=[1,370] AND THE DATA FILES ARE IN THAT ACCOUNT, THE DATA FILES MAY BE PROTECTED SO THAT THEIR PROTECTION IS ^^/SY:/OW:RW/GR:/WO:\\ (I.E., ONLY ^^RW\\ ACCESS FOR THE OWNER AND NO ACCESS FOR ANYONE ELSE), AND THE DIRECTORY MAY BE PROTECTED TO ALLOW ONLY READ ACCESS FOR ALL BUT THE OWNER (INDEED, IT MAY BE SET TO PREVENT ALL ACCESS EXCEPT THAT OF THE OWNER). ^THE VIRTUAL DISKS MAY BE GIVEN VOLUME LABELS AND VOLUME PROTECTIONS ALSO IF IT IS DESIRED TO DO SO, SUPPLEMENTING THE HANDLER'S PROTECTION WITH LAYERS OF ^^FILES-11\\ PROTECTION NOT NORMALLY AVAILABLE TO DATA BASES RESIDING ON PUBLIC STORAGE. .SKIP 2 .CENTER ^^HANDLER PROTECTION\\ .PARAGRAPH ^THE HANDLER WILL DECODE DATA (INDEED, ALLOW ANY ACCESS) ONLY WHERE THE ^^UIC\\ (^USER ^IDENTIFICATION ^CODE) OF THE CALLER TASK IS ONE OF THE CODES STORED IN A HANDLER TABLE OF IDENTITIES OF PERMITTED ACCOUNTS. 
^THIS GIVES A MEASURE OF PROTECTION AGAINST UNAUTHORIZED ACCESS TO THE PSEUDO DISK WHILE THE HANDLER IS RESIDENT, THOUGH A HOSTILE PRIVILEGED USER COULD GET AROUND THIS. ^IT IS ASSUMED THAT PRIVILEGED USERS ARE ALLOWED TO RUN UNDER THE PERMITTED ACCOUNTS ONLY WHERE THIS WILL NOT COMPROMISE DESIRED SECURITY. ^TO ENSURE THAT THE HANDLER IS REMOVED BEFORE TAKING THE SYSTEM DOWN, IT OPENS ITS DATA FILES ONLY WHEN LOADED (AT WHICH TIME IT READS BUT DOES NOT ECHO THE ENCRYPTION KEYS), CLOSES THEM ONLY WHEN UNLOADED (TO ENSURE THE HANDLER IS UNLOADED PRIOR TO ANY SAVING OF THE SYSTEM), AND CLEARS THE ENCRYPTION KEYS OF ANY ENCRYPTED PSEUDO DISKS AT ANY POWER FAILURE (MAKING IT NECESSARY TO DO A HANDLER UNLOAD AND RELOAD). ^WHERE THE PSEUDO DISK FACILITY IS ONLY LIMITING TOTAL SPACE, A POWER FAILURE WILL NOT BY ITSELF CAUSE THE HANDLER TO REMOVE THE KEY, SINCE THAT KEY ONLY FLAGS THAT THIS PSEUDO DISK IS NOT ENCRYPTED. ^ADDITIONAL TESTS OF ACCESS PRIVILEGES MAY BE ADDED BY A USER-WRITTEN SUBROUTINE NAMED ^^VDPRV\\ WHICH WILL ENTER WITH ^R0 CONTAINING THE UNIT NUMBER OF ^V^D, ^R1 CONTAINING THE ^^IORQ\\ ADDRESS, AND ^R2 CONTAINING THE ^^VD\\ ^^UIT\\ ADDRESS. ^IT CAN TEST SPECIAL PRIVILEGE BITS, TASK NAMES, ETC., AND RECORD A LOG OF ACCESSES IF DESIRED, AND EITHER DENY ACCESS BY RETURNING WITH THE ^C BIT SET, PERMIT IT BY RETURNING WITH THE ^Z BIT SET, OR ALLOW THE USUAL ^^UIC\\ TEST BY RETURNING WITH BOTH CLEAR. ^THIS ALLOWS AN INSTALLATION TO PROVIDE AS MUCH SECURITY AS IT DESIRES.
.PAGE
.CENTER
^^SETTING UP THE HANDLER\\
.PARAGRAPH
^IT IS POSSIBLE TO CONFIGURE THE ^V^D: HANDLER FROM AN OBJECT FILE BY TASKBUILDING WITH OPTIONS. ^THE HANDLER OPERATES ON DATA FILES THAT ARE PREALLOCATED AND WHOSE SPECIFICATIONS ARE BUILT INTO THE HANDLER; THE DEFAULT NAMES START WITH ^^SY0:[01,370]VDDAT0.DAT\\ AND CONTINUE TO ^^SY0:[01,370]VDDAT\N.DAT\\ (FOR N UNIT HANDLERS) BUT MAY BE ALTERED BY THE GLOBAL PATCH FACILITY OF ^^TKB\\.
^DECIDE FIRST HOW MUCH SPACE IS TO BE ALLOCATED TO EACH UNIT AND THEN CREATE THESE FILES. ^USE ANY BLOCK-ACCESS FILE (LIKE A TASK IMAGE) TO SET UP THE FILE SPECIFICATIONS AND COPY THE FILE ONTO THE ACCOUNT NEEDED, POSSIBLY USING THE ^^PIP /AP\\ SWITCH TO TACK ON ENOUGH SHORT FILES TO ALLOCATE THE DESIRED AMOUNT OF SPACE. ^WHERE THE FILE CAN BE MADE CONTIGUOUS, SOME PERFORMANCE IMPROVEMENTS SHOULD RESULT. ^ALMOST CONTIGUOUS IS ALMOST AS GOOD.
.PARAGRAPH
^NEXT, YOU MUST SET UP THE ^^PUD\\ ENTRIES FOR THE ^^VD\\ DEVICES YOU WANT TO SUPPORT. ^IF YOU DO A ^^SYSGEN\\, THE FORMAT OF THE SPECIFICATION TO MAKE IS:
.LEFT MARGIN 2
.RIGHT MARGIN 57
.SKIP 1
^^DEV=VD0,RX11
.BREAK
DEV=VD1,RX11
.BREAK
DEV=VD2,RX11
.BREAK
DEV=VD3,RX11
.BREAK
DEV=VD4,RX11
.BREAK
DEV=VD5,RX11
.BREAK
DEV=VD6,RX11
.BREAK
DEV=VD7,RX11\\
.LEFT MARGIN 5
.RIGHT MARGIN 55
.SKIP 1
^IF YOU DO NOT DO A ^^SYSGEN\\, TAKE A FILE STRUCTURED DEVICE ^^PUD\\ AND COPY IT TO THE ^^VD PUD\\, CHANGING THE DEVICE NAME AND UNIT. ^START WITH ^^VD0:\\ AND WORK UP. ^THE HANDLER ITSELF WILL ENSURE THAT THE NUMBER OF BLOCKS IN THE ^^PUD\\ IS THE CORRECT VALUE WHEN IT IS LOADED. ^IT WILL ALSO BE SURE THE DEFAULT ^^ACP\\ IS ^^VDAACP\\.
.PARAGRAPH
^OBJECT KITS WILL NORMALLY BE FURNISHED WITH VERSIONS OF ^^VDDRV\\ SET UP FOR 1 TO 8 UNITS OF ^^VD\\. ^IT WILL NOT HURT TO USE A VERSION SET UP FOR MORE UNITS THAN YOU HAVE ^^PUD\\ ENTRIES, BUT YOU SHOULD HAVE A FILE SET UP FOR EACH ^^PUD\\ ENTRY YOU HAVE. ^VERSIONS FOR FEWER UNITS CONTAIN FEWER BUILT-IN ^^FDB\\S, HOWEVER, AND THIS SAVES SPACE. ^A FURTHER ASIDE: IF YOU WANT TO PUT VIRTUAL DISKS ON A VIRTUAL DISK, IT MAY BE DONE, BUT THE ^^ACP\\ YOU USE MUST BE DIFFERENT FROM BOTH THE NORMAL ^^F11ACP\\ FOR THE ^^SY:\\ DISK AND FROM ^^VDAACP\\ USED FOR THE FIRST LEVEL OF ^^VD:\\. ^THIS MEANS USING THE ^^/ACP=\\ SWITCH IN ANY MOUNTS. ^DO NOT EXPECT MULTI-LEVEL VIRTUAL DISKS TO BE ESPECIALLY FAST.
.PARAGRAPH
^IF YOU WISH TO ADD ADDITIONAL CHECKS TO THE HANDLER, THE SUBROUTINE ^^VDPRV\\ WILL HAVE TO BE SET UP TO DO IT. ^THIS SUBROUTINE IS ENTERED AS DESCRIBED ELSEWHERE IN THIS DOCUMENT AND MAY PERFORM CHECKS ON ACCESS REQUESTS BEYOND THE ^^UIC\\ CHECK BUILT INTO THE HANDLER ITSELF. ^IF NONE ARE DESIRED, A ROUTINE OF THE FORM FOLLOWING WILL DO:
.SKIP 1
.NOFILL
.TAB STOPS 16,24,32,40,48
^^
	.TITLE	VDPRV
VDPRV::	CCC
	RTS	PC		;CLEAR C AND Z, THEN RETURN
	.END
\\
.SKIP 2
.FILL
^ENTER THIS SUBROUTINE AND ASSEMBLE IT TO PREPARE TO LINK WITH ^^VDDRV\\.
.PARAGRAPH
^YOU ARE NOW READY TO TASKBUILD THE HANDLER. ^SINCE THE HANDLER HAS TABLES TELLING WHO MAY ACCESS EACH VIRTUAL DISK, DECIDE WHAT ^^UIC\\'S YOU WILL ALLOW TO ACCESS THESE DEVICES WHILE THE HANDLER IS UP. ^THERE IS A TABLE AT ^^PRVLST\\ OF ^^UIC\\ CODES THAT MAY ACCESS ALL VIRTUAL DISKS. ^ITS FIRST 7 WORDS ARE FILLED IN WITH ^^UIC\\'S NEEDED FOR CORRECT OPERATION BY THE SYSTEM. ^THERE ARE 8 MORE THAT MAY BE FILLED IN WITH ANY ^^UIC\\ YOU WISH. ^THE HIGH BYTE OF A BINARY ^^UIC\\ IS THE GROUP NUMBER; THE LOW BYTE IS THE PROGRAMMER CODE. ^USE THE ^^GBLPAT=VDDRV:PRVLST+16:1500\\ DIRECTIVE TO ^^TKB\\ TO ENTER A ^^UIC\\ (IN THIS CASE, [3,100] = 1500 OCTAL) OR POSSIBLY MULTIPLE ^^UIC\\S. ^THESE WILL BE PERMITTED ACCESS TO ENCRYPTED DISKS. ^UNENCRYPTED DISKS (PASSWORD EQUAL TO 16 QUESTION MARKS) MAY ALWAYS BE READ IF ^^FILES-11\\ ALLOWS.
.PARAGRAPH
^IF YOU WANT SPECIAL ACCOUNTS TO HAVE THE ABILITY TO READ ONLY ONE OR A FEW VIRTUAL DISKS, YOU MAY ADD THESE ACCOUNT NUMBERS (^^UIC\\S) TO A SECOND TABLE AT ^^PRVUSR\\, WHICH HAS SPACE FOR 7 ACCOUNTS PER UNIT. ^THE ENTRIES FOR VIRTUAL DISK 0 START AT ^^PRVUSR\\; THOSE FOR UNIT 1 START AT ^^PRVUSR+20\\; THOSE FOR UNIT 2 START AT ^^PRVUSR+40\\, AND SO ON. ^USE A DIRECTIVE LIKE THIS, FOR EXAMPLE, TO ALLOW [3,100] TO READ ^V^D2:
.SKIP 1
^^GBLPAT=VDDRV:PRVUSR+40:1500\\
.SKIP 1
.PARAGRAPH
^TO USE MULTIPLE COPIES OF DEVICE ^V^D: YOU MUST RENAME ONE OR MORE.
^TO DO THIS REQUIRES ONLY THAT THE ^^ASCII\\ DEVICE NAME AT GLOBAL LOCATION ^^VDNAM\\ BE CHANGED TO WHATEVER YOU WANT. ^THE PATCH WOULD POSSIBLY LOOK LIKE: .SKIP 1 ^^GBLPAT=VDDRV:VDNAM:"DV"\\ .SKIP 1 WHERE INSTEAD OF "^D^V" ONE USES THE OCTAL EQUIVALENT OF THOSE 2 ^^ASCII\\ CHARACTERS, TO USE THE HANDLER FOR A DEVICE CALLED "^D^V:". ^THE ^^PUD\\ ENTRIES WOULD OF COURSE ALSO HAVE TO CHANGE. .PARAGRAPH ^TO USE DIFFERENT FILES OR DEVICES TO HOLD THE PSEUDO-DISKS, THE HANDLER MUST BE PATCHED IN ITS FILE SPECIFIERS, ONCE PER UNIT OF THE HANDLER. ^THE GLOBALS ARE NAMED "^^FL0" \\THROUGH "^^FL7\\", EACH CONTAINING ^^ASCII\\ CHARACTERS "^^VDDAT\N.DAT\\" (N IS 0 THROUGH 7). ^CHANGE THESE TO MODIFY THE FILENAMES. ^THE DEVICE SPECIFICATIONS ARE AT SYMBOLIC LOCATIONS NAMED "^^DEV0 \\THROUGH ^^DEV7\\ AND CONTAIN ^^ASCII\\ FOR "^^SY0:\\" BY DEFAULT. ^THE ^^UIC\\ FOR THESE FILES (WHICH SHOULD BE THE HANDLER'S ^^UIC\\ AND MUST BE ON THE ACCESS LIST IN ^^PRVLST\\) IS STORED IN GLOBAL LOCATIONS LABELLED ^^DIR0 \T\H\R\O\U\G\H DIR7\\, WHICH CONTAIN ^^ASCII\\ FOR "[01,370]". ^THE LENGTHS OF THESE STRINGS MAY NOT BE CHANGED, BUT THEIR CONTENTS MAY BE IF DESIRED. ^THESE FILES ARE OPENED WHEN THE HANDLER IS LOADED AND REMAIN OPEN UNTIL IT IS UNLOADED. (^THIS MAKES IT ALMOST IMPOSSIBLE TO SAVE THE SYSTEM WITH THE HANDLER LOADED.) .PARAGRAPH ^THE HANDLER WILL ALTER ANY ^^PUD\\ ENTRIES IT FINDS TO REFLECT THE SIZE OF THE DEVICE AND A DEFAULT ^^ACP\\ OTHER THAN ^^F11ACP\\. ^NORMALLY ONE SHOULD INSTALL ^^FCP\\ AS ^^VDAACP\\ TO MOUNT ^^VD:\\ WITH. ^CHOOSE ENCRYPTION KEYS CAREFULLY AND ^^REMEMBER THEM\\, AND ^^GUARD THEM CAREFULLY\\. ^THEY SHOULD BE WRITTEN DOWN SELDOM OR NEVER, SHOWN TO AS FEW PEOPLE AS POSSIBLE, AND NEVER STORED ON DISK IN CLEAR FORM. ^THEY ARE THE HEART OF YOUR DATA SECURITY, AND IF THEY ARE NOT KEPT SECURE THEMSELVES, THE ENTIRE EFFECT OF SECURING DATA WILL BE LOST. 
^THE PERSON WHO KNOWS THEM SHOULD PROBABLY NOT BE NORMALLY ASSOCIATED WITH SYSTEM OPERATIONS, BUT RATHER SHOULD BE SOMEONE WHOSE ASSOCIATION WITH DATA PROCESSING IS TOO REMOTE TO BE NORMALLY USING THE COMPUTER. ^FURTHERMORE, THE KEYS SHOULD BE ENTERED FROM A LOCAL TERMINAL TO AVOID WIRETAPPING OF A LINE USED TO TYPE THEM IN. ^THE KEYS ARE NOT ECHOED, BUT THEY MUST BE SENT TO THE COMPUTER IN CLEAR FORM. ^THE SHORTER THE DISTANCE, THE LESS CHANCE THERE IS OF A BREACH OF SECURITY THERE.
.PARAGRAPH
^REMEMBER, A KEY CONSISTS OF 16 CHARACTERS (ALPHABETIC OR SPACES), NOT ALL SPACES. ^AFTER THE KEY MAY APPEAR EITHER A CARRIAGE RETURN (TO LEAVE THE ^^CIPHPW\\ BYTE ALONE) OR A CHARACTER WHOSE LOW 5 BITS WILL BE PLACED IN ^^CIPHPW\\ FOR THAT UNIT. ^THUS, AN "^A" AFTER THE 16 CHARACTER PASSWORD ENABLES ACCESS CHECKING FOR UNCIPHERED ^^VD\\ UNITS, A "^B" ENABLES THE SIMPLIFIED (AND FASTER) ENCRYPTION METHOD FOR THAT UNIT IF THE PASSWORD IS NOT ALL "?"'S, A "^D" DISABLES ALL ACCESS TO THE UNIT BY ANYONE, AND AN "^H" ALLOWS ACCESS BY ANYONE (PROVIDED ^^RSX11D/IAS\\ ALLOWS AND THE 16 CHARACTER KEY IS CORRECT) TO THE DATA. ^COMBINATIONS OF BITS MAY BE PERMITTED. ^NOTE THAT IF A GLOBAL PATCH IS MADE BY ^^TKB\\ TO THE BYTES STARTING AT ^^CIPHPW\\, THEY WILL BE UNCHANGED FROM THOSE DEFAULTS IF ONLY 16 CHARACTERS FOLLOWED BY C.R. ARE ENTERED. ^A SPACE ENTERED AS THE 17TH CHARACTER EXPLICITLY RESETS THE ACCESS MODE BYTE IN ^^CIPHPW\\ TO 0 (NORMAL DEFAULT OPERATION).
.PARAGRAPH
^THE SEQUENCE OF OPERATIONS TO BEGIN USE OF ^V^D: IS, AFTER BUILDING IT AND INSTALLING IT IN A SYSTEM WITH SOME VALID ^^VD PUD\\ ENTRIES:
.SKIP 1
.LEFT MARGIN 2
.RIGHT MARGIN 57
.NOFILL
^^MCR>FIX VDAACP
MCR>LOA VD$
ENTER 16 CHAR. KEY _& ACC CODE FOR VD0:
PASSWORD 0 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD1:
PASSWORD 1 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD2:
PASSWORD 2 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD3:
PASSWORD 3 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD4:
PASSWORD 4 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD5:
PASSWORD 5 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD6:
PASSWORD 6 -NOT ECHOED
ENTER 16 CHAR. KEY _& ACC CODE FOR VD7:
PASSWORD 7 -NOT ECHOED
(TYPE CONTROL-C)
MCR>INI VD:
MCR>MOU VD:
MCR>UFD VD:[1,1]
MCR>;VD0: NOW CAN BE USED BY [1,1]
MCR>;(MAY ENTER ANY OTHER UFD INSTEAD IF DESIRED...)
MCR>;(NOTE--ONLY DO THE INI ONCE--IT DESTROYS ALL DATA
MCR>; ON THE VIRTUAL DISK)
MCR>INI VD1:
MCR>INI VD2:
MCR>INI VD3:
MCR>INI VD4:
MCR>INI VD5:
MCR>INI VD6:
MCR>INI VD7:
MCR>MOU VD1:
MCR>MOU VD2:
MCR>MOU VD3:
MCR>MOU VD4:
MCR>MOU VD5:
MCR>MOU VD6:
MCR>MOU VD7:
MCR>; NOW ADD UFD ENTRIES AS DESIRED ON ALL DISKS AND USE.
MCR>; ENCRYPTION KEYS MUST BE REMEMBERED AND ENTERED
MCR>; EVERY TIME THE VD: HANDLER IS LOADED.
\\
.FILL
.LEFT MARGIN 5
.RIGHT MARGIN 55
.SKIP 1
^THE HANDLER MAY BE USED FOR NORMAL DISK-LIKE OPERATIONS AS A REAL DISK, EXCEPT THAT TASKS SHOULD NOT BE RUN FROM A SIMULATED DISK (DUE TO PROBLEMS IN MAPPING TO TASK SPACE WHERE THERE IS NO TASK THERE...). ^UNLOAD THE HANDLER PRIOR TO TAKING DOWN THE SYSTEM ("^^UNL#VD\\") OR PRIOR TO TRYING TO DISMOUNT THE SYSTEM DISK FOR A SAVE. ^NOTE THAT THE ^V^D HANDLER WORKS FINE WITH A NON-^^FILES-11\\ FILE STRUCTURE (E.G. ^^DOS\\ OR ^^RT11\\) IF SUITABLY NAMED TO ALLOW ^^FLX\\ TO RECOGNIZE IT AS SUCH. ^HOWEVER, BEWARE OF TOTAL SIZES, SINCE ^^FLX\\ MAY NOT USE THE SIZE IN THE ^^PUD\\ FOR THE DEVICE.
.TEST PAGE 12
.SKIP 2
.CENTER
^^REVIEW\\
.PARAGRAPH
^THE ^^VD:\\ DEVICE IS SET UP AND USED AS A NORMAL ^^RSX11D/IAS\\ DISK IS USED. ^ONE FIRST MUST ALLOCATE THE DATA FILES IT ASSUMES ARE PRESENT. ^THE CURRENT VERSION WILL TRY TO OPEN ^^SY:[1,370]VDDAT0.DAT\\ FOR THE FIRST UNIT, ^^VDDAT1.DAT\\ FOR THE SECOND, AND SO ON. ^THESE MUST BE PREALLOCATED (AND SHOULD BE RANDOM ACCESS FILES OF FIXED RECORD LENGTH, LOGICAL RECORD LENGTH 1000 BYTES (OCTAL)) PRIOR TO HANDLER LOAD.
.PARAGRAPH
^NOW LOAD THE ^V^D HANDLER.
(^IT IS ASSUMED THE ^^PUD\\S HAVE BEEN SET UP FOR A DISK OF SUITABLE SIZE FIRST AND THE HANDLER TASK INSTALLED). ^^VD:\\ WILL PROMPT ON ^^LUN 1\\ (WHICH SHOULD BE ASSIGNED TO ^T^I:) FOR THE KEYWORDS. ^FOR EACH, ENTER A 16 CHARACTER ENCRYPTION KEY. ^THE SPECIAL KEY OF ^^????????????????\\ (16 QUESTION MARKS) WILL PRODUCE NO ENCRYPTION. ^ANYTHING ELSE WILL GIVE ENCRYPTION EXCEPT ALL SPACES, WHICH IS ILLEGAL. ^REMEMBER THE VALUES THAT YOU ENTER; THEY WILL BE NEEDED LATER WHENEVER YOU ACCESS THOSE FILES. ^ONCE ALL UNITS DEFINED HAVE THEIR KEYS ENTERED, THE HANDLER WILL BE READY TO GO. ^USE ^^INI\\ TO INITIALIZE A ^^FILES-11\\ FILE STRUCTURE ON THE DISKS. ^THE HANDLER WILL INITIALIZE THE MAXIMUM NUMBER OF BLOCKS AVAILABLE ON THE "DISK" TO THE ENDFILE BLOCK POSITION IN THE FILE AFTER OPENING EACH FILE, SO THE SIZE OF "DISK" WILL BE THE SAME AS THE IN-USE FILE SIZE. ^MOUNT THE DISK USING AN ^A^C^P DIFFERENT FROM THE ONE USED BY THE DISK IN USE AS ^S^Y: (TO PREVENT RE-ENTRANCY PROBLEMS IN ^^F11ACP\\). ^YOU MUST BE LOGGED INTO A PERMITTED ACCOUNT TO ALLOW THIS. ^NOW YOU CAN (FROM A PERMITTED ACCOUNT) PROCEED TO USE ^^PIP\\ OR OTHER UTILITIES ON THE PSEUDO DISK. ^YOU MAY MOVE YOUR DATA BASE TO THE DISK AND REASSIGN THE ^^LUN\\S OF ANY TASK USING IT TO ^V^D: TO GET THE TASK TO READ AND WRITE ENCRYPTED DATA. ^THE HANDLER WILL EXECUTE A ^^QIO$\\ FOR EVERY BLOCK IT MOVES, SO THAT DATA WILL NOT BE LOST IN A SYSTEM CRASH. ^TRANSFERS LONGER THAN A BLOCK WILL BE DONE A BLOCK AT A TIME UNTIL COMPLETE. .PARAGRAPH ^REMEMBER THAT WHEN YOU ENTER ^^UIC\\S, THE HIGH BYTE OF THE ^^UIC\\ IS THE GROUP CODE AND THE LOW BYTE IS THE PROGRAMMER CODE. ^THERE IS NO PROVISION IN THE HANDLER ITSELF FOR WILD CARD ^^UIC\\ ALLOWANCES; THIS MAY BE PUT INTO ^^VDPRV\\ IF AN INSTALLATION NEEDS IT. ^THE LOCATIONS ^^PRVLST\\ AND ^^PRVUSR\\ ARE LISTS, TERMINATED BY ZERO WORDS, OF ^^UIC\\S THE HANDLER ALLOWS, AND THESE ARE GLOBAL, HENCE AVAILABLE TO ^^VDPRV\\. 
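.PARAGRAPH
^THE FOLLOWING ^^PYTHON\\ PROGRAM IS AN ADDED ILLUSTRATION FOR THIS DOCUMENT AND IS NOT PART OF ^^VDDRV\\ OR OF ITS KIT. ^IT MODELS, IN ONE PLACE, THE KEY LINE READ AT HANDLER LOAD (16 CHARACTERS PLUS AN OPTIONAL 17TH WHOSE LOW 5 BITS BECOME THE ^^CIPHPW\\ BYTE), THE ^^GBLPAT\\ DIRECTIVES FOR THE ^^PRVLST\\ AND ^^PRVUSR\\ TABLES (7 RESERVED WORDS BEFORE THE USER SLOTS IN ^^PRVLST\\; 7 ACCOUNTS PLUS A ZERO WORD, 20 OCTAL BYTES, PER UNIT IN ^^PRVUSR\\), AND THE ACCESS DECISION (THE ^^VDPRV\\ VERDICT FIRST, THEN THE ^^UIC\\ LISTS). ^THE FUNCTION NAMES, THE USE OF THE STRINGS "DENY" AND "PERMIT" IN PLACE OF THE ^C AND ^Z BITS FOR THE ^^VDPRV\\ VERDICT, THE SAMPLE ACCOUNTS [3,100] AND [7,1], AND THE RULE THAT THE OFF-LINE BIT IS TESTED BEFORE THE BYPASS BIT ARE ASSUMPTIONS OF THIS EXAMPLE, NOT STATEMENTS ABOUT THE HANDLER.

```python
import re

ALL_QUESTION_MARKS = "?" * 16   # the special key meaning "no encryption"

# CIPHPW mode bits as listed in the document (octal in the text).
CIPHPW_CHECK_UNCIPHERED = 0o1   # full access tests even for an unciphered unit
CIPHPW_FAST_CIPHER = 0o2        # simple, fast (and weak) cipher instead of the DES variant
CIPHPW_OFFLINE = 0o4            # deny all access to the unit
CIPHPW_BYPASS = 0o10            # bypass the access restrictions


def key_problem(key):
    """Return None if KEY is acceptable to the handler, else a description of the fault."""
    if len(key) != 16:
        return "key must be exactly 16 characters"
    if key == ALL_QUESTION_MARKS:
        return None                                 # unciphered unit
    if not re.fullmatch(r"[A-Za-z ]{16}", key):
        return "key must be alphabetic characters or spaces"
    if key.isspace():
        return "key must not be all spaces"
    return None


def parse_key_line(line, current_ciphpw=0):
    """Split one typed key line into (key, encrypted, ciphpw).

    A 17th character replaces the unit's CIPHPW byte with its low 5 bits
    ('A' -> 1, 'B' -> 2, 'D' -> 4, 'H' -> 010, space -> 0); a bare carriage
    return (nothing after the key) leaves the patched-in value alone.
    """
    key = line[:16]
    problem = key_problem(key)
    if problem:
        raise ValueError(problem)
    encrypted = key != ALL_QUESTION_MARKS
    ciphpw = current_ciphpw if len(line) == 16 else ord(line[16]) & 0x1F
    return key, encrypted, ciphpw


def uic_to_binary(group, programmer):
    """[group,programmer] (octal, as written on RSX) -> binary UIC, group in the high byte."""
    if not (0 <= group <= 0o377 and 0 <= programmer <= 0o377):
        raise ValueError("group and programmer codes are one byte each")
    return (group << 8) | programmer


def gblpat_prvlst(slot, group, programmer):
    """TKB patch for one of the 8 user slots in PRVLST; the first 7 words are the system's."""
    if not 0 <= slot < 8:
        raise ValueError("PRVLST has 8 user slots")
    offset = (7 + slot) * 2                         # 7 reserved words of 2 bytes each
    return "GBLPAT=VDDRV:PRVLST+%o:%o" % (offset, uic_to_binary(group, programmer))


def gblpat_prvusr(unit, slot, group, programmer):
    """TKB patch for PRVUSR: 7 accounts plus a zero word, 20 (octal) bytes per unit."""
    if not (0 <= unit < 8 and 0 <= slot < 7):
        raise ValueError("8 units of 7 accounts each")
    offset = unit * 0o20 + slot * 2
    return "GBLPAT=VDDRV:PRVUSR+%o:%o" % (offset, uic_to_binary(group, programmer))


def _until_zero(words):
    """Walk a zero-terminated word list, the form in which PRVLST and PRVUSR are kept."""
    for word in words:
        if word == 0:
            break
        yield word


def access_allowed(uic, unit, encrypted, ciphpw, prvlst, prvusr, vdprv=None):
    """Model of the handler's decision for one request from UIC on VD unit UNIT.

    VDPRV, if supplied, stands in for the installation's subroutine and returns
    "deny" (C set), "permit" (Z set) or None (both clear: the usual UIC test).
    Testing the off-line bit before the bypass bit is this example's assumption.
    """
    if ciphpw & CIPHPW_OFFLINE:
        return False
    if ciphpw & CIPHPW_BYPASS:
        return True
    if not encrypted and not ciphpw & CIPHPW_CHECK_UNCIPHERED:
        return True                                 # only Files-11 protection applies
    if vdprv is not None:
        verdict = vdprv(uic, unit)
        if verdict == "deny":
            return False
        if verdict == "permit":
            return True
    permitted = set(_until_zero(prvlst)) | set(_until_zero(prvusr[unit]))
    return uic in permitted


if __name__ == "__main__":
    # Constructed sample: [3,100] may use every unit, [7,1] only VD2:.
    print(gblpat_prvlst(0, 3, 0o100))               # GBLPAT=VDDRV:PRVLST+16:1500
    print(gblpat_prvusr(2, 0, 7, 0o1))              # GBLPAT=VDDRV:PRVUSR+40:3401
    prvlst = [uic_to_binary(3, 0o100), 0]
    prvusr = [[0]] * 8
    prvusr[2] = [uic_to_binary(7, 0o1), 0]
    key, encrypted, ciphpw = parse_key_line("SECRETKEYVALUEAB" + "A")
    for who in (uic_to_binary(3, 0o100), uic_to_binary(7, 0o1)):
        for vd in (0, 2):
            print("[%o,%o] on VD%d: %s" % (who >> 8, who & 0o377, vd,
                  access_allowed(who, vd, encrypted, ciphpw, prvlst, prvusr)))
```

.PARAGRAPH
^RUN WITHOUT ARGUMENTS; THE FIRST TWO LINES IT PRINTS ARE THE ^^PRVLST\\ DIRECTIVE GIVEN EARLIER IN THIS DOCUMENT AND A ^^PRVUSR\\ DIRECTIVE FOR THE CONSTRUCTED ACCOUNT [7,1], AND THE REMAINING LINES SHOW THAT [7,1] IS ADMITTED ONLY TO ^V^D2:.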
^DO NOT REMOVE THE FIRST PRE-ENTERED SYSTEM ACCOUNTS FROM THE ACCESS LISTS; THE ^^ACP\\ AND OTHER SYSTEM FUNCTIONS (^^MOU, INI, \\ETC.) MUST BE ABLE TO DO OPERATIONS ON THE DISK.
.PARAGRAPH
^WHENEVER IT IS DESIRED TO CHANGE THE ENCRYPTION KEY, A SIMPLE PROGRAM TO COPY BLOCK FOR BLOCK TO ANOTHER VIRTUAL DISK WILL ALLOW A FOREIGN-MOUNTED VIRTUAL DISK TO RECEIVE THE NEW DATA. ^JUST MOUNT THE OLD AND NEW UNITS OF ^^VD:\\ WITH THE FOREIGN CHARACTERISTICS AND HAVE THE OLD KEY FOR THE OLD DATA FILE, AND THE NEW ONE FOR THE NEW DATA FILE. ^A SIMPLE RENAME WILL ALLOW THE HANDLER TO USE THE NEW UNITS AFTER DISMOUNT AND HANDLER UNLOAD. ^^DSC\\ MAY BE ABLE TO HANDLE THIS. ^FAILING THIS, ^^PIP\\ MAY BE USED TO COPY THE FILES TO A SCRATCH AREA OF THE NORMAL SYSTEM DISK (^S^Y:) FOR A SHORT TIME, THE DISK MAY BE RE-^^INI\\TED FOR A NEW PASSWORD (AFTER HANDLER UNLOAD/RELOAD), AND THE FILES COPIED BACK WITH ^^PIP\\, AFTER WHICH THEY ARE DELETED FROM ^^SY:\\. ^THIS SHOULD SUFFICE PROVIDED REMOTE USERS ARE KEPT OFF THE SYSTEM WHILE IT IS GOING ON.
.TEST PAGE 12
.SKIP 3
.CENTER
^^THINGS TO REMEMBER\\
.SKIP 1
.PARAGRAPH
^REMEMBER TO UNLOAD THE HANDLER BEFORE TAKING DOWN THE SYSTEM. ^IF THIS IS NOT DONE, ANY POWER UP WILL CLEAR THE KEYWORDS, BUT IT IS SAFER TO UNLOAD FIRST. ^THE KEYS ARE NOT STORED INTERNALLY IN A FORM THAT WILL ALLOW ONE EASILY TO DEDUCE THE KEYWORDS TO ENTER TO THE HANDLER, BUT WITH THE HANDLER SOURCE CODE IT MIGHT BE POSSIBLE TO DEDUCE THEM BY EXAMINING THE CORE LOCATIONS WHERE THE HANDLER IS RESIDENT. ^THIS IS POSSIBLE TO A PRIVILEGED USER, AND AN INSTALLATION DESIRING SECURITY SHOULD BE CAREFUL WHO IS GIVEN PRIVILEGES. ^SINCE THE HANDLER TASK IS NOT STORED WITH ANY KEYS AND KEYS ARE NOT NORMALLY STORED IN ANY FORM EXCEPT IN TRANSFORMED FASHION IN CORE, A DISASSEMBLY OF THE TASK WILL NOT IN ITSELF PERMIT FILE ACCESS.
^HOWEVER, SUCH A DISASSEMBLY IS TO BE GUARDED AGAINST IF POSSIBLE, AS IT WILL HELP A HOSTILE USER TO EXAMINE CORE FOR THE KEYS LATER IF HE CAN FIGURE OUT ENOUGH. ^THE MORAL OF THIS IS TO KEEP SOURCE CODE OFF PUBLIC STORAGE, AND HAVE THE SYSTEM ACCOUNTING PACKAGE UP TO MONITOR WHO TRIES TO USE THE MORE DANGEROUS UTILITIES FROM WHICH ACCOUNTS. ^^OPE\\N SHOULD AT A MINIMUM BE BUILT AS ACCOUNTABLE (WITH A LARGE TIME LIMIT) TO ALLOW MONITORING OF ITS OPERATION AND POSSIBLE QUESTIONING OF ANYONE USING IT IF SECURITY BREACHES ARE SUSPECTED. ^THIS SYSTEM IS MEANT AS AN AID, NOT A TOTAL SECURITY SYSTEM. ^IT WILL ALLOW CONSIDERABLE PROTECTION AGAINST UNAUTHORIZED ACCESSES TO DATA AFTER HOURS OR WHERE THE ^^DEC\\ FILE PROTECTION SCHEME IS INADEQUATE, AND IS BASICALLY RELIABLE AGAINST NONPRIVILEGED USERS. ^IT ASSUMES SOME MONITORING IS GOING ON WHILE THE HANDLER IS LOADED TO DETECT AT LEAST WHICH ACCOUNTS ARE ACTIVE FOR WHICH TASKS. (^THIS IS STANDARD IN THE ^^DEC\\ ACCOUNTING PACKAGE.) ^WHEN THE HANDLER IS UNLOADED, THE INFORMATION ABOUT KEYS IS NO LONGER IN EXISTENCE AND IS THEREFORE SAFE. ^WHILE IT IS LOADED, IT CANNOT DISTINGUISH WHO IS ASKING FOR DATA EXCEPT BY ACCOUNT, AND FURTHER PROTECTION SHOULD BE HANDLED THROUGH USER SOFTWARE. ^THIS SYSTEM COULD BE USED EVEN IN HIGHLY INTERACTIVE SYSTEMS AS A MEANS OF ARCHIVAL BACKUP, WHERE A DATA BASE AND TRANSACTIONS ARE STORED (POSSIBLY SEPARATELY) AND COMPARED PERIODICALLY AGAINST THOSE STORED IN THE WORKING DATABASE (WHICH MIGHT BE KEPT UNENCRYPTED FOR PERFORMANCE REASONS). ^USE OF A NON-EXISTENT ACCOUNT AS THE PERMITTED ACCOUNT MIGHT BE A WAY TO ENSURE SECURITY; THE TRANSACTION RECORDER COULD RUN IN THAT ACCOUNT, AND NOTHING ELSE MIGHT, IF THE ACCOUNT NUMBER WERE NOT GENERALLY KNOWN; NOBODY COULD LOG INTO SUCH AN ACCOUNT. 
.TEST PAGE 12 .SKIP 2 .CENTER ^^SOURCE CONTROL APPLICATIONS\\ .PARAGRAPH ^THE FACILITY OF VIRTUAL DISKS LENDS ITSELF WELL TO THE CONCEPT OF CONTROLLED COPIES OF SOURCE FILES WHICH ARE MODIFIED ONLY SUBJECT TO QUALITY CONTROL AND MANAGEMENT. ^THE ^^CMP\\ UTILITY WILL ALLOW ONE TO COMPARE TWO FILES, THE ORIGINAL AND THE EDITED COPY, TO LIST CHANGE BARS, CHANGES, OR TO GENERATE A ^^SLP\\ CORRECTOR FILE TO CHANGE ONE TO THE OTHER. ^THE DIFFICULTY HAS BEEN THAT THE SOURCE FILES ON A ^^FILES-11\\ STRUCTURE HAVE BEEN SO EASILY ALTERED THAT MANAGEMENT CANNOT BE SURE THEY ARE INDEED THE VERSIONS THEY HAVE TRIED TO CONTROL. (^EVEN IF FILE ^^ID\\'S HAVE BEEN RECORDED, A PROGRAM LIKE ^^ZAP\\ COULD BE USED TO EFFECT SMALL EDITS TO A SOURCE TO ATTEMPT TO ERASE EVIDENCE OF AN ERROR IN A CONTROLLED SOURCE. ^BUT THEY ARE SELDOM RECORDED, SINCE A FILE COPY, WHICH MAY BE LEGAL, WOULD ALSO CHANGE THE FILE ^^ID\\.) ^WITH AN ENCRYPTED DATA BASE, THE SOURCE FILE CANNOT EVEN BE FOUND AND IS SECURE AGAINST TAMPERING. ^CONTROLLING A SOURCE FILE MEANS ONLY COPYING IT TO A CIPHERED VIRTUAL DISK. ^TO UPDATE IT REQUIRES ONLY RUNNING ^^CMP\\ TO GENERATE THE SET OF CORRECTIONS NEEDED TO CHANGE THE NEW FILE BACK TO THE OLD FILE AND STORING THE NEW FILE AND THAT SET OF CORRECTIONS ON THE ENCIPHERED DISK WITH THE NEW FILE. ^^CMP\\ MAY ALSO BE RUN TO GENERATE CHANGE BARS. ^NO OTHER MULTIPLE SOURCE CODE NEED BE STORED SINCE THE ^^CMP\\ OUTPUTS MAY BE RUN FROM THE LAST BACK TO REGENERATE THE COMPLETE ORIGINAL TEXT OF ANY FILE (IN ANY LANGUAGE). ^THE VIRTUAL DISK FILE STRUCTURE MAY BE CONFIGURED TO HAVE A SEPARATE ^^UIC\\ FOR EACH FILE (OR OTHER SCHEMES MAY BE USED), AND THE RESULT IS A VERY CLEAN AND GENERAL TEXT CONTROL SYSTEM. ^WHENEVER IT IS DESIRED TO START CLEAN, ALL THE OLD ^^CMP\\ FILES MAY BE DELETED AND ONLY THE CURRENT SOURCE WILL REMAIN. 
^THIS SORT OF TEXT CONTROL MAY BE USED WITH NORMAL ^^RSX-11D/IAS\\ (OR EVEN ^^RSX11M\\), BUT THE DATA SECURITY NEEDED FOR THE APPLICATION IS MISSING WITHOUT THE ENCODING OF THE DATA. ^THE OPERATION MAY BE SIMPLIFIED BY GENERATING INDIRECT ^^MCR\\ COMMAND FILES (^INDIRECT ^^MCR\\ IS AVAILABLE THROUGH THE ^^RSX SIG \O\F DECUS\\ NOW, AND WILL BE SUPPORTED BY ^^DEC\\ STARTING WITH ^^IAS V3\\.) ^THESE CAN ALLOW MANAGEMENT PERSONNEL TO PERFORM THE COMPLETE SEQUENCE (INCLUDING LOADING THE ^^VD\\ HANDLER AND ENTERING THE CIPHER KEYS) OF COMMANDS TO RUN ^^CMP\\ ON THE DATASETS DESIRED. (^THE BASIC OPERATION IS AUTOMATIC; ONLY THE ENCRYPTION KEY IS REALLY NEEDED. ^THE AUDIT TRAIL CAPABILITIES OF ^^SLP\\ MAY BE USED WHERE DESIRED BY EDITING THE ^^SLP\\ COMMAND FILE TO ENABLE THEM FROM WITHIN THE PROCEDURE. ^A ^^TECO\\ MACRO IS A USEFUL TOOL FOR ACCOMPLISHING THIS.) ^MANAGEMENT MUST OF COURSE KEEP RECORDS OF WHAT CHANGES TAKE PLACE IN ORDER TO BE SURE NO EXTRA ACCESSES HAVE OCCURRED WHILE AN AUTHORIZED CHANGE WAS DONE UNLESS IT DOES THEM BY PERSONALLY ENTERING THE KEYS AND SEEING THE HANDLER IS UNLOADED ONCE THE CHANGE IS FINISHED. ^THIS IS COMMON TO ANY SIMILAR SYSTEM, THOUGH. ^AN AUTHORIZATION FILE MUST BE PROTECTED IN THE SAME WAY AND UNLESS IT IS ENCIPHERED, IT IS DIFFICULT TO PROVIDE THE DESIRED PROTECTION. ^THE ^V^D SYSTEM ALLOWS ONE TO DISPENSE WITH EXTRA PRECAUTIONS EXCEPT DURING AN ACTUAL CONTROLLED UPDATE, AND TO MINIMIZE THOSE.
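.PARAGRAPH
^THE FOLLOWING ^^PYTHON\\ PROGRAM IS AN ADDED ILLUSTRATION OF THE TEXT CONTROL SCHEME JUST DESCRIBED AND IS NOT PART OF ^^VDDRV\\, ^^CMP\\ OR ^^SLP\\. ^IT KEEPS THE CURRENT TEXT OF ONE CONTROLLED FILE TOGETHER WITH A CHAIN OF CORRECTION SETS, EACH OF WHICH TURNS ONE VERSION BACK INTO THE VERSION BEFORE IT, AND REGENERATES ANY EARLIER VERSION BY RUNNING THE SETS FROM THE LAST ONE BACK. ^THE CORRECTION SETS ARE BUILT WITH THE STANDARD ^^DIFFLIB\\ MODULE AND ARE NOT IN ^^CMP\\ OR ^^SLP\\ FORMAT; THE CLASS AND FUNCTION NAMES AND THE THREE SAMPLE TEXTS ARE CONSTRUCTED FOR THE EXAMPLE.

```python
import difflib


def reverse_corrections(new_lines, old_lines):
    """Correction set that turns NEW_LINES back into OLD_LINES (the role the CMP
    corrector output plays when kept beside the new file). Each entry replaces
    the slice [i1:i2] of the new text with lines taken from the old text."""
    matcher = difflib.SequenceMatcher(None, new_lines, old_lines, autojunk=False)
    return [(i1, i2, old_lines[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def apply_corrections(lines, script):
    """Apply a correction set produced by reverse_corrections to LINES."""
    out, pos = [], 0
    for i1, i2, replacement in script:
        out.extend(lines[pos:i1])
        out.extend(replacement)
        pos = i2
    out.extend(lines[pos:])
    return out


class ControlledSource:
    """Current text of one controlled file plus the chain of reverse corrections;
    version 0 is the text first placed under control."""

    def __init__(self, initial_lines):
        self.current = list(initial_lines)
        self.history = []       # history[k] turns version k+1 back into version k

    def update(self, new_lines):
        """Record an authorized change: keep the new text and the way back."""
        self.history.append(reverse_corrections(new_lines, self.current))
        self.current = list(new_lines)

    def latest(self):
        """Number of the current version."""
        return len(self.history)

    def version(self, n):
        """Regenerate version N by running the corrections from the last one back."""
        if not 0 <= n <= len(self.history):
            raise ValueError("no such version")
        lines = self.current
        for script in reversed(self.history[n:]):
            lines = apply_corrections(lines, script)
        return lines

    def start_clean(self):
        """Delete the old correction sets; only the current source remains."""
        self.history = []


if __name__ == "__main__":
    # Constructed sample text, not a real source file.
    control = ControlledSource(["MOV #1,R0", "RTS PC"])
    control.update(["MOV #1,R0", "INC R0", "RTS PC"])
    control.update(["CLR R0", "INC R0", "RTS PC"])
    for n in range(control.latest() + 1):
        print("version", n, control.version(n))
```

.PARAGRAPH
^ONLY THE CURRENT TEXT AND THE CORRECTION SETS NEED BE KEPT ON THE ENCIPHERED DISK; DELETING THE SETS (THE ^^START_CLEAN\\ METHOD HERE) LEAVES ONLY THE CURRENT SOURCE, AS THE TEXT ABOVE DESCRIBES.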