gpg/pgp integration issues
jgreuel
2008-11-21 16:25:03 UTC
Here's our situation:

We have two historical interfaces with a third-party.

One of these data transfers uses GnuPG and is run manually by users on
an old Windows server. Transfers on this server go in both directions.

The other data transfer runs on a UNIX box and uses PGP. Transfers on
this box only go from us to the third-party, there is no return of
data.

The third-party holds the necessary credentials to decrypt from either
source.

Here's what I'd like to do:

I want to move a particular data transfer from the old Windows server
to the UNIX machine. This will mean that the UNIX machine will now be
receiving data from the third-party and then decrypting that data.

Here's my problem:

I can't figure out how to modify my PGP settings on the UNIX box so
that the incoming data from the third-party can be decrypted. I
thought I'd be able to exchange keys between our two servers and
essentially say 'our UNIX box is trusted by our Windows server, so
allow decryption of this file on the UNIX box' but I'm not having
success doing that. The GnuPG / PGP differences make this
complicated as well.

Is what I'm trying to do even possible without involving the third-party?

Any suggestions would be appreciated.
1PW
2008-11-21 17:26:54 UTC
Post by jgreuel
We have two historical interfaces with a third-party.
One of these data transfers uses GnuPG and is run manually by users on
an old Windows server. Transfers on this server go in both directions.
The other data transfer runs on a UNIX box and uses PGP. Transfers on
this box only go from us to the third-party, there is no return of
data.
The third-party holds the necessary credentials to decrypt from either
source.
I want to move a particular data transfer from the old Windows server
to the UNIX machine. This will mean that the UNIX machine will now be
receiving data from the third-party and then decrypting that data.
I can't figure out how to modify my PGP settings on the UNIX box so
that the incoming data from the third-party can be decrypted. I
thought I'd be able to exchange keys between our two servers and
essentially say 'our UNIX box is trusted by our Windows server, so
allow decryption of this file on the UNIX box' but I'm not having
success doing that. The GnuPG / PGP differences make this
complicated as well.
Is what I'm trying to do even possible without involving the third-party?
Any suggestions would be appreciated.
I recall seeing something like this come up several months ago and it
became apparent that both parties must "sign" the public key of the
other for this to work properly.

Please let us know your progress.
--
1PW

David E. Ross
2008-11-21 18:29:40 UTC
Post by jgreuel
We have two historical interfaces with a third-party.
One of these data transfers uses GnuPG and is run manually by users on
an old Windows server. Transfers on this server go in both directions.
The other data transfer runs on a UNIX box and uses PGP. Transfers on
this box only go from us to the third-party, there is no return of
data.
The third-party holds the necessary credentials to decrypt from either
source.
I want to move a particular data transfer from the old Windows server
to the UNIX machine. This will mean that the UNIX machine will now be
receiving data from the third-party and then decrypting that data.
I can't figure out how to modify my PGP settings on the UNIX box so
that the incoming data from the third-party can be decrypted. I
thought I'd be able to exchange keys between our two servers and
essentially say 'our UNIX box is trusted by our Windows server, so
allow decryption of this file on the UNIX box' but I'm not having
success doing that. The GnuPG / PGP differences make this
complicated as well.
Is what I'm trying to do even possible without involving the third-party?
Any suggestions would be appreciated.
For transferring a key-pair from one host to another, see my
<http://www.rossde.com/PGP/key_mgmnt.html#xfer>.

If the issue is merely establishing a Web of trust between keys on
different hosts, then 1PW is correct. The key on one host must be
signed by the public key on the other host.
--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.
jgreuel
2008-11-21 20:00:59 UTC
Post by David E. Ross
Post by jgreuel
We have two historical interfaces with a third-party.
One of these data transfers uses GnuPG and is run manually by users on
an old Windows server. Transfers on this server go in both directions.
The other data transfer runs on a UNIX box and uses PGP. Transfers on
this box only go from us to the third-party,  there is no return of
data.
The third-party holds the necessary credentials to decrypt from either
source.
I want to move a particular data transfer from the old Windows server
to the UNIX machine. This will mean that the UNIX machine will now be
receiving data from the third-party and then decrypting that data.
I can't figure out how to modify my PGP settings on the UNIX box so
that the incoming data from the third-party can be decrypted. I
thought I'd be able to exchange keys between our two servers and
essentially say 'our UNIX box is trusted by our Windows server, so
allow decryption of this file on the UNIX box' but I'm not having
success doing that. The GnuPG / PGP differences make this
complicated as well.
Is what I'm trying to do even possible without involving the third-party?
Any suggestions would be appreciated.
For transferring a key-pair from one host to another, see my
<http://www.rossde.com/PGP/key_mgmnt.html#xfer>.
If the issue is merely establishing a Web of trust between keys on
different hosts, then 1PW is correct.  The key on one host must be
signed by the public key on the other host.
--
David E. Ross
<http://www.rossde.com/>
Q:  What's a President Bush cocktail?
A:  Business on the rocks.
Hey David,

I had stumbled on your document at
<http://www.rossde.com/PGP/key_mgmnt.html#xfer> after my first post and
used it as a guide.

Here's what I did:

1) I extracted my public key on the UNIX machine (which uses PGP),
2) then imported that public key onto my Windows server (running
GnuPG),
3) then signed that same public key on the Windows server,
4) then exported that signed public key
5) and imported it onto the UNIX machine

When I display the contents of the public ring and check the
certifying signatures (-kc) on the UNIX, here's what I get:

Key ring: '/home/xxxxxxx/.pgp/pubring.pkr'
Type bits      keyID      Date       User ID
DSS  2048/1024 0x839EC13A 2006/11/16 expires 2009/08/12
                          *** DEFAULT SIGNING KEY ***
                          ***@xxxxxxxx.ca
sig!           0x839EC13A            ***@xxxxxxxx.ca
sig?           0xAE1788F7            (Unknown signator, can't be checked)
DSS  1024/1024 0xF0A30F9E 2005/12/21 zzzz gpg <***@zzzz.zz.zz>
sig!           0xF0A30F9E            zzzz gpg <***@zzzz.zz.zz>
sig!           0x839EC13A            ***@xxxxxxxx.ca
2 matching keys found.

  KeyID      Trust     Validity  User ID
  0xF0A30F9E untrusted complete  zzzz gpg <***@zzzz.zz.zz>
             untrusted           zzzz gpg <***@zzzz.zz.zz>
           c ultimate            ***@xxxxxxxx.ca
* 0x839EC13A ultimate  complete  ***@xxxxxxxx.ca
           c ultimate            ***@xxxxxxxx.ca
             undefined           (KeyID: 0xAE1788F7)

The signed public key that I've brought in is undefined and doesn't
have a user ID (other than its internal key ID of AE1788F7).

Needless to say this doesn't allow my UNIX machine to decrypt a file
destined for my Windows server.

If anyone sees anything obvious that I've missed, please let me know.
David W. Hodgins
2008-11-21 20:25:55 UTC
Post by jgreuel
Needless to say this doesn't allow my UNIX machine to decrypt a file
destined for my Windows server.
In order for the unix machine to decrypt a file encrypted using the
windows server's public key, the unix machine must have a copy of the
secret key.

Export the private key from the windows server, and import it on the
unix machine.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David E. Ross
2008-11-21 23:20:53 UTC
Post by jgreuel
Post by David E. Ross
Post by jgreuel
We have two historical interfaces with a third-party.
One of these data transfers uses GnuPG and is run manually by users on
an old Windows server. Transfers on this server go in both directions.
The other data transfer runs on a UNIX box and uses PGP. Transfers on
this box only go from us to the third-party, there is no return of
data.
The third-party holds the necessary credentials to decrypt from either
source.
I want to move a particular data transfer from the old Windows server
to the UNIX machine. This will mean that the UNIX machine will now be
receiving data from the third-party and then decrypting that data.
I can't figure out how to modify my PGP settings on the UNIX box so
that the incoming data from the third-party can be decrypted. I
thought I'd be able to exchange keys between our two servers and
essentially say 'our UNIX box is trusted by our Windows server, so
allow decryption of this file on the UNIX box' but I'm not having
success doing that. The GnuPG / PGP differences make this
complicated as well.
Is what I'm trying to do even possible without involving the third-party?
Any suggestions would be appreciated.
For transferring a key-pair from one host to another, see my
<http://www.rossde.com/PGP/key_mgmnt.html#xfer>.
If the issue is merely establishing a Web of trust between keys on
different hosts, then 1PW is correct. The key on one host must be
signed by the public key on the other host.
Hey David,
I had stumbled on your document at
<http://www.rossde.com/PGP/key_mgmnt.html#xfer> after my first post and
used it as a guide.
1) I extracted my public key on the UNIX machine (which uses PGP),
2) then imported that public key onto my Windows server (running
GnuPG),
3) then signed that same public key on the Windows server,
4) then exported that signed public key
5) and imported it onto the UNIX machine
When I display the contents of the public ring and check the
Key ring: '/home/xxxxxxx/.pgp/pubring.pkr'
Type bits keyID Date User ID
DSS 2048/1024 0x839EC13A 2006/11/16 expires 2009/08/12
*** DEFAULT SIGNING KEY ***
sig? 0xAE1788F7 (Unknown signator, can't be
checked)
2 matching keys found.
KeyID Trust Validity User ID
undefined (KeyID: 0xAE1788F7)
The signed public key that I've brought in is undefined and doesn't
have a user ID (other than its internal key ID of AE1788F7).
Needless to say this doesn't allow my UNIX machine to decrypt a file
destined for my Windows server.
If anyone sees anything obvious that I've missed, please let me know.
The "(Unknown signator, can't be checked)" means that the public key
with ID=0xAE1788F7 is not on the keyring. Are you sure that you did
each step indicated on my page?

Note that Windows and UNIX are "Two Dissimilar Computers". If you
indeed followed the steps indicated on my page for "Two Dissimilar
Computers With Removable Media", you might have run afoul of the
differences between Windows and UNIX with respect to end-of-line (EOL)
indicators. You might try my "Two Computers Without Removable Media"
method even if you do have removable media.
--
David E. Ross
<http://www.rossde.com/>

Q: What's a President Bush cocktail?
A: Business on the rocks.
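The two points made in this thread, that certifying the other host's public key does not let you decrypt to it (Hodgins) and that a secret key moved between dissimilar systems can be mangled by end-of-line conversion (Ross), can be reproduced in one script. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes GnuPG 2.1 or later on every side (the thread's UNIX box runs PGP, which is not modelled here), three throwaway home directories standing in for the Windows server, the UNIX box and the third party, made-up addresses under example.invalid, a constructed sample payload, and keys generated without a passphrase so it runs unattended.

```shell
#!/bin/sh
# Added example; not code from the thread. Three throwaway GnuPG (2.1 or later)
# home directories stand in for the Windows server, the UNIX box and the third
# party. Names, addresses, paths and the payload are made up, and the keys have
# no passphrase so the script runs unattended. Requires gpg, gpgconf, awk, sed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg not in PATH; nothing to demonstrate' >&2; exit 0; }

# $1 = homedir, remaining arguments = gpg options and command
G() { gpg --batch --quiet --no-tty --homedir "$@"; }

# Unattended key generation: RSA primary (sign) plus RSA subkey (encrypt).
genkey() {   # $1 = homedir, $2 = real name, $3 = e-mail
    G "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Primary-key fingerprint of the key matching $2 in homedir $1.
fpr_of() {
    G "$1" --with-colons --with-fingerprint --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

run_demo() {
    WORK=$(mktemp -d)
    WIN="$WORK/windows"; UNIX="$WORK/unix"; THIRD="$WORK/thirdparty"
    mkdir -m 700 "$WIN" "$UNIX" "$THIRD"

    # 1. Each company host has its own key pair, as in the thread.
    genkey "$WIN"  "Windows Server" win@example.invalid
    genkey "$UNIX" "UNIX Box"       unix@example.invalid
    WIN_FPR=$(fpr_of "$WIN" win@example.invalid)

    # 2. The third party holds only the Windows server's public key and
    #    encrypts a report to it (--trust-model always: no web of trust there).
    G "$WIN" --export --armor win@example.invalid > "$WORK/win-pub.asc"
    G "$THIRD" --import "$WORK/win-pub.asc"
    printf 'constructed sample payload\n' > "$WORK/report.txt"
    G "$THIRD" --trust-model always --recipient win@example.invalid \
        --output "$WORK/report.gpg" --encrypt "$WORK/report.txt"

    # 3. What the original poster tried: exchange public keys and certify.
    #    A certification changes the key's validity, not who can decrypt to it.
    G "$UNIX" --import "$WORK/win-pub.asc"
    G "$UNIX" --quick-sign-key "$WIN_FPR"
    if G "$UNIX" --output "$WORK/try1.txt" --decrypt "$WORK/report.gpg" 2>/dev/null
    then BEFORE=decrypted; else BEFORE=failed; fi    # fails: no secret key here

    # 4. Hodgins' fix: move the secret key itself. An ASCII-armored export
    #    survives a text-mode (CRLF) transfer between dissimilar systems; the
    #    sed call simulates that mangling. A binary export would be corrupted.
    G "$WIN" --export-secret-keys --armor win@example.invalid \
        | sed "s/\$/$(printf '\r')/" > "$WORK/win-sec.asc"
    G "$UNIX" --import "$WORK/win-sec.asc"

    # Confirm the key that arrived is the key that left, then decrypt.
    if [ "$(fpr_of "$UNIX" win@example.invalid)" = "$WIN_FPR" ]
    then FPR_OK=yes; else FPR_OK=no; fi
    SECRETS=$(G "$UNIX" --with-colons --list-secret-keys | grep -c '^sec:')
    G "$UNIX" --output "$WORK/try2.txt" --decrypt "$WORK/report.gpg"
    AFTER=$(cat "$WORK/try2.txt")

    printf 'before secret-key import: %s\nafter: "%s" (fingerprint match: %s, secret keys on UNIX: %s)\n' \
        "$BEFORE" "$AFTER" "$FPR_OK" "$SECRETS"

    for h in "$WIN" "$UNIX" "$THIRD"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}

run_demo
```

Run it with `sh` and it prints `before secret-key import: failed` followed by the recovered payload. The fingerprint comparison after import is the check Ross's last post implies: if the transfer mangled the file, the import either fails outright or, worse, a different key shows up, and comparing the fingerprint recorded on the exporting host catches both. On real systems the secret key keeps its passphrase, travels over an authenticated channel, and the intermediate copy is wiped once the import has been verified.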