EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PGP encryption with X.509 certificates

Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.
#24245
Posted: 03/22/2013 07:18:36
by Frank Munsberg (Standard support level)
Joined: 06/04/2009
Posts: 47

We're thinking of changing the encryption from 2048Bit RSA keyfiles to X.509 certificates.

Right now we're encrypting with

Code
pgpWriter = new SBPGP.TElPGPWriter();
pgpWriter.Armor = false;
pgpWriter.Compress = false;

SBPGPKeys.TElPGPKeyring pubKeyring = new SBPGPKeys.TElPGPKeyring();
SBPGPKeys.TElPGPPublicKey publicKey = new SBPGPKeys.TElPGPPublicKey();
publicKey.LoadFromFile(recipientPublicKey.FullName);
pubKeyring.AddPublicKey(publicKey);

pgpWriter.EncryptingKeys = pubKeyring;
pgpWriter.SigningKeys = null;
pgpWriter.EncryptionType = SBPGP.TSBPGPEncryptionType.etPublicKey;
pgpWriter.Protection = SBPGPConstants.TSBPGPProtectionType.ptNormal;
pgpWriter.SignBufferingMethod = SBPGP.TSBPGPSignBufferingMethod.sbmRewind;
pgpWriter.SymmetricKeyAlgorithm = SBPGPConstants.Unit.SB_PGP_ALGORITHM_SK_AES256;
pgpWriter.Timestamp = DateTime.Now;
pgpWriter.UseNewFeatures = false;
pgpWriter.UseOldPackets = false;


The result is supposedly something along the OpenPGP standard but what is the result when we switch over to X.509 Certificates?
Is that still called OpenPGP or does the output follow another standard?
#24246
Posted: 03/22/2013 07:26:49
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Hi. OpenPGP RFC doesn't tell anything about usage of X.509 certificates within standard.
They can be used in PGP desktop, so we added some code to support saving/loading of such keys and signatures, however this suport is limited.
And, using x.509 certificate will not provide any additional security - the same RSA algorithm will be used.

So I don't see any reason to use X.509 certificates with OpenPGP. If you actually need X.509, you should switch to PKI/CMS.
#24264
Posted: 03/25/2013 04:36:52
by Frank Munsberg (Standard support level)
Joined: 06/04/2009
Posts: 47

Hi, thanks for the reply!

So the result won't be standard OpenPGP then, which is most likely a bad idea.

How should we do hybrid encryption for large (i.e. 2Gb) .zip files using the PKI/CMS components then?
What kind of standard (PKCS#7 / CMS) and file format would we get then?

We wouldn't want to end up with non-standard formats in the end so more than one piece of software will be able to decrypt the data much later.
#24265
Posted: 03/25/2013 04:51:39
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

You can use ElMessageEncryptor, which will produce a standard-compliant PKCS#7 message.
PKCS#7 document (RFC 2315, "PKCS #7: Cryptographic Message Syntax, Version 1.5") is an older version of CMS document (RFC 5652, "Cryptographic Message Syntax (CMS)"), and they both describe almost the same syntax.
#24266
Posted: 03/25/2013 05:05:55
by Frank Munsberg (Standard support level)
Joined: 06/04/2009
Posts: 47

Is there any way to get the newer CMS / RFC5652 format? It somehow seems like a good idea to stick with the latest version of the standard.
#24267
Posted: 03/25/2013 05:57:17
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

We support RFC 5652 as well - it doesn't change format of encrypted messages, just adds some new entities/algorithms.
#24281
Posted: 03/25/2013 09:24:49
by Frank Munsberg (Standard support level)
Joined: 06/04/2009
Posts: 47

Thank you, that is good to hear! I'm not sure if we will really do this type of encryption in the end because its more of a political decision from this point on. It's a good thing that it follows a standard though.
Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.

Reply

Statistics

Topic viewed 1175 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!