Re: How to encrypt using public certificate\key

2017-09-18 Thread Peter Lebbing 
On 07/09/17 12:58, shaarang tyagi wrote:
> I am trying to understand the encryption process and the all the input
> that is required to perform encryption.
> 
> So according to this RFC, section 2.1:

If you want to learn about what makes an OpenPGP message, gpg
--list-packets is very useful:

$ echo Talking to myself | gpg -r pe...@digitalbrains.com -e | gpg
--list-packets

And now you see which packets make up a message encrypted to me.

> https://tools.ietf.org/html/rfc4880#section-2.1
> 
> There can be 2 sources for encryption key, either a session
> key(generated randomly) or a shared pass phrase (key is derived from
> this phrase) ?

Well, in a sense that's correct, but it's missing an important point.

What GnuPG does is:

- Create a random session key, unique for each encrypted message. This
is what the data is encrypted with.
- For each public key the data is encrypted to, include a Public-Key
Encrypted Session Key Packet[1] (PKESK), which is the session key
encrypted to a specific public key.
- If decryption by passphrase is requested (--symmetric), also create a
Symmetric-Key Encrypted Session Key Packet[2] (SKESK), which allows to
decrypt the session key with the passphrase.

RFC 4880 section 2.1 indeed also mentions a different method where the
passphrase is used to derive the key to encrypt the data, rather than
using a random session key. This is possible if the data is preceded by
a single SKESK that specifies how to derive the key from the passphrase,
as in section 5.3 [2]. But this type of data is never produced by GnuPG,
to my knowledge.

So /the/ method, the single method, to create an encrypted message is to
generate a random session key which is used to encrypt the data. Then
get that session key to your recipient, be that by public key or by
shared passphrase.

Finally, multiple passphrases that all decrypt the data (multiple SKESK
packets) are permitted, but I don't think GnuPG can create such messages
(I'm not sure).

> gpg -e -u "Sender User Name" -r "Receiver User Name" somefile

What you /should/ do is put all options before the command; that way the
command line is unambiguous and gpg will always catch your meaning. "-e"
is the command, and "somefile" is the command argument. So:

$ gpg -u "Sender User Name" -r "Receiver User Name" -e somefile

When you include options after the command, it might work, but it
requires guesswork on the part of gpg, so you should avoid it.

> Which method does this command uses exactly? 

It encrypts the data with a random session key, and encrypts the session
key to the public key belonging to "Receiver User Name". To be exact,
the first public key it finds in its keyring that matches "Receiver User
Name". Which one is the first, you don't know, so it's best to make sure
only one key matches what you give.

And the command line contains useless cruft, as it specifies a signing
key, but doesn't request signing of the data. So the "-u" argument is
silently ignored as not relevant but not harmful either. If there is
only one private key, it's never necessary to specify it by "-u".

> It does message encryption with a given username's certificate's pub
> key?(Is this a third method which is not mentioned in that RFC ) ?

No, there's no third method to decrypt data, it's either encrypted to a
public key, or a passphrase unlocks it, or both. Okay, I guess that does
make three ;-).

> Also, Where can i find all the commands for all the possibilities using
> different key sources?

Either the man page if you're on a UNIXy OS:

$ man gpg

Or the Texinfo documentation which is on the web[3] and can also be read
on UNIXy OSes by:

$ info gnupg

(or a different info reader, I usually use "pinfo").

The Texinfo manual has more than the man page, and is also a lot easier
to navigate. But they are mostly reference manuals, you'll still need
other documentation to get you started.

Let me point out, as you're perusing the OpenPGP RFC, that there is even
another method[4] to encrypt data[5] to a passphrase defined there, but
it's deprecated. As it should be, no salting!, obsolete cipher:

> [...] If no packets of these types precede the encrypted data,
> the IDEA algorithm is used with the session key calculated as the MD5
> hash of the passphrase, though this use is deprecated.

Just ignore this, it's ancient. If somebody sends you such messages,
please page them or send them a fax, requesting them to come over to the
21st century. It's not that scary on most days.

And there is more such stuff in the RFC. If it says something like
"deprecated" or SHOULD NOT or something, you can probably skip it.

HTH,

Peter.

[1] 
[2] 
[3] 
[4] 

[5] Okay, that puts "is there a third method to encrypt" into a
different light again :-)

-- 
I use the GNU Privacy Guard (GnuPG) in c

Re: How to encrypt using public certificate\key

2017-09-07 Thread shaarang tyagi 
Hello Peter,

I am trying to understand the encryption process and the all the input that
is required to perform encryption.

So according to this RFC, section 2.1:

https://tools.ietf.org/html/rfc4880#section-2.1

There can be 2 sources for encryption key, either a session key(generated
randomly) or a shared pass phrase (key is derived from this phrase) ?

So there is a command i found somewhere , to use with command line GnuPG,
to do encryption:

gpg -e -u "Sender User Name" -r "Receiver User Name" somefile

Which method does this command uses exactly?
It does message encryption with a given username's certificate's pub
key?(Is this a third method which is not mentioned in that RFC ) ?

Also, Where can i find all the commands for all the possibilities using
different key sources?

Best Regards,
Shaarang




On Wed, Sep 6, 2017 at 8:25 PM, shaarang tyagi 
wrote:

> Hello Peter,
>
> Thanks a lot to you for clarifying this in a paragraph otherwise i would
> have to read a whole lot of things to understand that i am trying to
> connect 2 totally differet things!
> I will go through the pdf and may have more question(s).
>
> Thanks again!
> Shaarang
>
> On Sep 6, 2017 8:05 PM, "Peter Lebbing"  wrote:
>
> Hello Shaarang,
>
> On 06/09/17 16:13, shaarang tyagi wrote:
> > I am talking about OpenPGP, i want to encrypt a file that follows
> > openpgp standard [...]
>
> > I was encrypting by selecting a certificate which i had imported , i had
> > also imported its root ca, so certificate chain was fully there but
> > encryption failed.
>
> "Root CA", "certificate chain" and your earlier "PEM public key" tell me
> you are using certificates from the Cryptographic Message Syntax
> ecosystem (to which S/MIME belongs also). These are not OpenPGP
> certificates/public keys, and it is simply impossible to encrypt an
> OpenPGP message to them. You will need to ask your peer for their
> OpenPGP certificate (also called "public key")  before you can send them
> an OpenPGP encrypted message.
>
> They are two completely separate and incompatible ecosystems. It just so
> happens that GnuPG does have some support for CMS as well, through the
> gpgsm binary.
>
> More about starting with OpenPGP is in The GNU Privacy Handbook[1]. That
> guide is pretty outdated, though, so don't take its word for gospel.
>
> HTH,
>
> Peter.
>
> [1] 
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread shaarang tyagi 
Hello Peter,

I am talking about OpenPGP, i want to encrypt a file that follows openpgp
standard so but when i tried with the windows version of Gnupg , i was
getting an error "configuration not correct" (the error was more or less
similar) .
I was encrypting by selecting a certificate which i had imported , i had
also imported its root ca, so certificate chain was fully there but
encryption failed.
Also my certificate does not show up in "openpgp certificates" list , so i
am wondering that maybe the problem is that there is some specific "type"
of certificate is required, although my certificate has "file encryption"
present in its type!

Best Regards,
Shaarang
Show quoted text


On Sep 6, 2017 6:59 PM, "Peter Lebbing"  wrote:

> On 06/09/17 06:37, shaarang tyagi wrote:
> > I have a situation where I need to use GnuPG from command line and
> > encrypt a file using a public certificate or PEM public key
>
> First of all, are we talking about OpenPGP, S/MIME, or both? I notice
> you say PEM public key, which implies the X.509 and S/MIME ecosystem,
> but GnuPG is more commonly used for the OpenPGP ecosystem. The "gpgsm"
> binary of GnuPG does do S/MIME, though.
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread shaarang tyagi 
Hello Peter,

Thanks a lot to you for clarifying this in a paragraph otherwise i would
have to read a whole lot of things to understand that i am trying to
connect 2 totally differet things!
I will go through the pdf and may have more question(s).

Thanks again!
Shaarang

On Sep 6, 2017 8:05 PM, "Peter Lebbing"  wrote:

Hello Shaarang,

On 06/09/17 16:13, shaarang tyagi wrote:
> I am talking about OpenPGP, i want to encrypt a file that follows
> openpgp standard [...]

> I was encrypting by selecting a certificate which i had imported , i had
> also imported its root ca, so certificate chain was fully there but
> encryption failed.

"Root CA", "certificate chain" and your earlier "PEM public key" tell me
you are using certificates from the Cryptographic Message Syntax
ecosystem (to which S/MIME belongs also). These are not OpenPGP
certificates/public keys, and it is simply impossible to encrypt an
OpenPGP message to them. You will need to ask your peer for their
OpenPGP certificate (also called "public key")  before you can send them
an OpenPGP encrypted message.

They are two completely separate and incompatible ecosystems. It just so
happens that GnuPG does have some support for CMS as well, through the
gpgsm binary.

More about starting with OpenPGP is in The GNU Privacy Handbook[1]. That
guide is pretty outdated, though, so don't take its word for gospel.

HTH,

Peter.

[1] 

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread Mario Castelán Castro 
On 05/09/17 23:37, shaarang tyagi wrote:
> I have a situation where I need to use GnuPG from command line and encrypt
> a file using a public certificate or PEM public key, please note that I
> will not have the private key at this point and encryption needs to be done
> only using public key.
> 
> Let me know if this is possible or not.

You can use the “gpgsm” to operate over X.509 certificates (this covers
your use case).

-- 
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread Peter Lebbing 
Hello Shaarang,

On 06/09/17 16:13, shaarang tyagi wrote:
> I am talking about OpenPGP, i want to encrypt a file that follows
> openpgp standard [...]

> I was encrypting by selecting a certificate which i had imported , i had
> also imported its root ca, so certificate chain was fully there but
> encryption failed.

"Root CA", "certificate chain" and your earlier "PEM public key" tell me
you are using certificates from the Cryptographic Message Syntax
ecosystem (to which S/MIME belongs also). These are not OpenPGP
certificates/public keys, and it is simply impossible to encrypt an
OpenPGP message to them. You will need to ask your peer for their
OpenPGP certificate (also called "public key")  before you can send them
an OpenPGP encrypted message.

They are two completely separate and incompatible ecosystems. It just so
happens that GnuPG does have some support for CMS as well, through the
gpgsm binary.

More about starting with OpenPGP is in The GNU Privacy Handbook[1]. That
guide is pretty outdated, though, so don't take its word for gospel.

HTH,

Peter.

[1] 

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Unsubscriing (was: How to encrypt using public certificate\key)

2017-09-06 Thread Peter Lebbing 
On 06/09/17 14:56, BRUCE KAPITO via Gnupg-users wrote:
> Can you please cease and desist sending me emails.  I did not sign up
> for this

*Someone* managed to subscribe your e-mail address, which is usually not
possible without being able to read mail addressed to your e-mail
address (and thus should usually just be you).

Anyway: you're asking your peers, who cannot help you. You can help
yourself by following the link at the bottom of every mail you receive
through the mailing list:

> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Note you will need to use the exact e-mail address that was subscribed.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread BRUCE KAPITO via Gnupg-users 
 Can you please cease and desist sending me emails.  I did not sign up for this
On Wednesday, September 6, 2017, 8:33:40 AM EDT, shaarang tyagi 
 wrote:  
 
 Hello,
I have a situation where I need to use GnuPG from command line and encrypt a 
file using a public certificate or PEM public key, please note that I will not 
have the private key at this point and encryption needs to be done only using 
public key.
Let me know if this is possible or not.
Best Regards,Shaarang___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
  ___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to encrypt using public certificate\key

2017-09-06 Thread Peter Lebbing 
On 06/09/17 06:37, shaarang tyagi wrote:
> I have a situation where I need to use GnuPG from command line and
> encrypt a file using a public certificate or PEM public key

First of all, are we talking about OpenPGP, S/MIME, or both? I notice
you say PEM public key, which implies the X.509 and S/MIME ecosystem,
but GnuPG is more commonly used for the OpenPGP ecosystem. The "gpgsm"
binary of GnuPG does do S/MIME, though.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

How to encrypt using public certificate\key

2017-09-06 Thread shaarang tyagi 
Hello,

I have a situation where I need to use GnuPG from command line and encrypt
a file using a public certificate or PEM public key, please note that I
will not have the private key at this point and encryption needs to be done
only using public key.

Let me know if this is possible or not.

Best Regards,
Shaarang
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users