Re: FW: File encryption with smime
--- Buicliu, Ion VSA:EX [EMAIL PROTECTED] wrote: Thank you Girish, I understand now. The combination: encrypt with public key - decrypt with private works. What we are trying to do is to place an encrypted file on our ftp server for a specific user. The ftp server is behind a firewall, and the user can access and see only its account, and they are supposed to get the file and decrypt it. As far as we are concerned, we'd like to make sure that the file on our ftp server is as safe as possible. This can work if only that user has the private key to decrypt the file. I would like to hear any suggestions to make this file transfer as secure as possible. The problem with PKI is not so much what is possible and what is not. It is only a question of how cleverly you design the solution such that it causes the least inconvenience to users at the same time ensuring the best possible security. Let me suggest a possible solution to you. It is not scalable and elegant but at least it can give you what you want. You have to generate a keypair for each user with the genrsa command. Make sure the user's private keys are protected with a well chosen passphrase or USB dongle or something. Anyway you can distribute the private keys to the users in a secure out of band mechanism. I am assuming they are colocated in which case you could do it physically. Or else the remote users can generate their own keypairs and you could obtain their public keys in which case you might have to go in for certificates since you have to ensure that the public key really belongs to the user... Now, you have to store the files corresponding to each user encrypted with the public key of that particular user. For instance, File meant for A is encrypted with A's public key File meant for B is encrypted with B's public key and so on. Now, the user just goes ahead, downloads the file , decrypts it with his private key and you are set. Since a file encrypted with a public key can be decrypted only with the corresponding private key this guarantees good security as long as the user's private keys are not compromised. Of course, you could go for some creative combos like having two private keys for one public key with simple X-ORing and so on ... Remember what I told you is just a conceptual overview of how things could be. SMIME might be suited for this. Hope this helps. All the best! regards, Girish __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
FW: FW: File encryption with smime
What we are trying to do is to place an encrypted file on our ftp server for a specific user. The ftp server is behind a firewall, and the user can access and see only its account, and they are supposed to get the file and decrypt it. As far as we are concerned, we'd like to make sure that the file on our ftp server is as safe as possible. This can work if only that user has the private key to decrypt the file. I would like to hear any suggestions to make this file transfer as secure as possible. The problem with PKI is not so much what is possible and what is not. It is only a question of how cleverly you design the solution such that it causes the least inconvenience to users at the same time ensuring the best possible security. Let me suggest a possible solution to you. It is not scalable and elegant but at least it can give you what you want. You have to generate a keypair for each user with the genrsa command. Make sure the user's private keys are protected with a well chosen passphrase or USB dongle or something. Anyway you can distribute the private keys to the users in a secure out of band mechanism. I am assuming they are colocated in which case you could do it physically. Or else the remote users can generate their own keypairs and you could obtain their public keys in which case you might have to go in for certificates since you have to ensure that the public key really belongs to the user... Now, you have to store the files corresponding to each user encrypted with the public key of that particular user. For instance, File meant for A is encrypted with A's public key File meant for B is encrypted with B's public key and so on. Now, the user just goes ahead, downloads the file , decrypts it with his private key and you are set. Since a file encrypted with a public key can be decrypted only with the corresponding private key this guarantees good security as long as the user's private keys are not compromised. Of course, you could go for some creative combos like having two private keys for one public key with simple X-ORing and so on ... Remember what I told you is just a conceptual overview of how things could be. SMIME might be suited for this. Thank you again Girish. This is what I do and it works well except for 2 things: 1. why is the public cert (.cert) file needed for decryption, shouldn't be enough to have the private key (.key) for that? 2. how to put a 'well chosen password' on the private key? With the -passout and what arguments? Here is what I did, and it worked: Create private and public keys: openssl genrsa -out test.key 1024 openssl req -new -key test.key -out test.csr openssl x509 -req -days 30 -in test.csr -signkey test.key -out test.cert Encrypt: openssl smime -encrypt -des3 -binary test.cert File File.enc Decrypt: openssl smime -decrypt -in File.enc -inkey test.key -recip test.cert File.out My final question: is des3 a high enough level of encryption (168 bits)? Should we go higher, and if yes, what is recommended? Thank you. Ion Buicliu __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
FW: File encryption with smime
Thank you Girish, I understand now. The combination: encrypt with public key - decrypt with private works. What we are trying to do is to place an encrypted file on our ftp server for a specific user. The ftp server is behind a firewall, and the user can access and see only its account, and they are supposed to get the file and decrypt it. As far as we are concerned, we'd like to make sure that the file on our ftp server is as safe as possible. This can work if only that user has the private key to decrypt the file. I would like to hear any suggestions to make this file transfer as secure as possible. Ion Buicliu --- Buicliu, Ion VSA:EX [EMAIL PROTECTED] wrote: I am trying to do the following: - create a private and public key (self-signed certificate) - encrypt a file and place on an ftp server - the client will pick up the file and decrypt it using the PUBLIC key Here is what I did to create the certificate: openssl genrsa -out sfu.key 1024 openssl req -new -key sfu.key -out sfu.csr openssl x509 -req -days 30 -in sfu.csr -signkey sfu.key -out sfu.cert Then encrypt: openssl smime -encrypt -des3 -binary sfu.cert bfile bfile.enc At this stage I was thinking that I would pass the public cert (sfu.cert) to the user and ask them to do the decryption like this: openssl smime -decrypt -inkey sfu.cert vsvic3f03.enc vsvic3f03.out This doesn't work. The error is: unable to load signing key file This is what works, using the private key: openssl smime -decrypt -inkey sfu.key vsvic3f03.enc vsvic3f03.out This is not what I want. How can I encrypt a file, have it safe on a public site (for ftp) and have the client use a public key to decrypt it? I am afraid you are doing things against the recommendations of public key crypto. If you really want the client use a public key to decrypt it, then remember that what you have is a signature and that you are merely verifying it. Since public key is public. OTOH, if you want to do public key decryption then you could do first encrypt with the client's public key... Since I am not quite clear what is it that you want to accomplish, I can only tell you this much that if you encrypt with public key, you decrypt with private key and vice versa. regards, Girish I am a bit new at this, so I am eager to learn as much as possible about it. Thank you. Ion Buicliu mailto:[EMAIL PROTECTED] __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
File encryption with smime
Title: File encryption with smime I am trying to do the following: - create a private and public key (self-signed certificate) - encrypt a file and place on an ftp server - the client will pick up the file and decrypt it using the PUBLIC key Here is what I did to create the certificate: openssl genrsa -out sfu.key 1024 openssl req -new -key sfu.key -out sfu.csr openssl x509 -req -days 30 -in sfu.csr -signkey sfu.key -out sfu.cert Then encrypt: openssl smime -encrypt -des3 -binary sfu.cert bfile bfile.enc At this stage I was thinking that I would pass the public cert (sfu.cert) to the user and ask them to do the decryption like this: openssl smime -decrypt -inkey sfu.cert vsvic3f03.enc vsvic3f03.out This doesn't work. The error is: unable to load signing key file This is what works, using the private key: openssl smime -decrypt -inkey sfu.key vsvic3f03.enc vsvic3f03.out This is not what I want. How can I encrypt a file, have it safe on a public site (for ftp) and have the client use a public key to decrypt it? I am a bit new at this, so I am eager to learn as much as possible about it. Thank you. Ion Buicliu mailto:[EMAIL PROTECTED]
Re: File encryption with smime
--- Buicliu, Ion VSA:EX [EMAIL PROTECTED] wrote: I am trying to do the following: - create a private and public key (self-signed certificate) - encrypt a file and place on an ftp server - the client will pick up the file and decrypt it using the PUBLIC key Here is what I did to create the certificate: openssl genrsa -out sfu.key 1024 openssl req -new -key sfu.key -out sfu.csr openssl x509 -req -days 30 -in sfu.csr -signkey sfu.key -out sfu.cert Then encrypt: openssl smime -encrypt -des3 -binary sfu.cert bfile bfile.enc At this stage I was thinking that I would pass the public cert (sfu.cert) to the user and ask them to do the decryption like this: openssl smime -decrypt -inkey sfu.cert vsvic3f03.enc vsvic3f03.out This doesn't work. The error is: unable to load signing key file This is what works, using the private key: openssl smime -decrypt -inkey sfu.key vsvic3f03.enc vsvic3f03.out This is not what I want. How can I encrypt a file, have it safe on a public site (for ftp) and have the client use a public key to decrypt it? I am afraid you are doing things against the recommendations of public key crypto. If you really want the client use a public key to decrypt it, then remember that what you have is a signature and that you are merely verifying it. Since public key is public. OTOH, if you want to do public key decryption then you could do first encrypt with the client's public key... Since I am not quite clear what is it that you want to accomplish, I can only tell you this much that if you encrypt with public key, you decrypt with private key and vice versa. regards, Girish I am a bit new at this, so I am eager to learn as much as possible about it. Thank you. Ion Buicliu mailto:[EMAIL PROTECTED] __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]