Re: Remote signing of large files



On Saturday 06 December 2008, Magnus Therning <magnus@therning.org> wrote 
about 'Re: Remote signing of large files':
>Boyd Stephen Smith Jr. wrote:
>> Please don't CC me on replies, unless I request one.  It is against
>> debian-* list policy.
>
>Sure, and ditto!
>
>> On Friday 2008 December 05 15:49, you wrote:
>>> Boyd Stephen Smith Jr. wrote:
>>>> So, you might try --encrypt'ing the output of --print-md.
>>>
>>> AFAIU it wouldn't work:
>>>
>>> 1. Encrypting is actually using a symmetric algorithm for the bulk of
>>> the data and asymmetric crypto is only used to encrypt the symmetric
>>> key.  In any case I don't think I can get `--encrypt` to use the
>>> private key.
>>
>> That's only true in active protocols with a handshake, e.g. SSL or TLS.
>>  The only reason active protocols do this is because symmetric ciphers
>> are generally faster.
>>
>> For "offline" encryption, using asymmetric keys directly works fine.
>>  If you encrypt something with gpg it uses the public key of the chosen
>> recipient or their public subkey designated for encryption.
>
>Please refer to section 2.1 of RFC2440 and you'll see that GnuPG indeed
>does use a "session key" for symmetric encryption which is encrypted
>with the public key and sent with the message.  I imagine this helps a
>lot when encrypting the same message for more than one recipient.

Bah, well, never read that RFC, but that works, too.

It's certainly possible to encrypt using the public/private key directly, 
but I guess the command-line tool may not have that functionality.

Reading the manpage certainly gives a different impression.  
Since --encrypt --symmetric is used for encrypting with a symmetric key, I 
would expect --encrypt by itself to be *not* using a symmetric key.

>Sure, I can always resort to modifying gpg or writing a custom tool that
>combines crypto primitives in a way that solves the problem I have.  In
>this case that's not an option though, because other requirements
>(backwards compatibility, etc.) require that I use only a standard,
>non-modified GnuPG.

In any case, while what you want is definitely possible, your constraint 
that a particular, unmodified version of a particular tool be used severely 
limits you.  I doubt what you want can be done simply with the gpg tool.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =. 
bss03@volumehost.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy           `-'(. .)`-' 
http://iguanasuicide.org/                      \_/     
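The session-key model Magnus points to in RFC 2440 section 2.1, reduced to a runnable sketch. This is an added example and not GnuPG's code or the OpenPGP packet format: textbook RSA with no padding stands in for the public-key algorithm, a SHA-256 keystream stands in for OpenPGP's CFB-mode cipher, a truncated SHA-1 of the modulus stands in for the key ID, and all function names are made up here. It needs only the Python 3.8+ standard library. What it shows is the structure behind the thread's two points: the body is encrypted once under a random session key, that key is wrapped once per recipient with the recipient's *public* key (so there is nothing for a private key to do at encryption time), and adding a recipient adds one small wrapped key rather than a second copy of the data.

```python
# Added illustration of the OpenPGP hybrid model (RFC 2440 s.2.1), stdlib only.
# Textbook RSA without padding + hash keystream: NOT OpenPGP's format, NOT safe
# for real use. Names (rsa_keygen, encrypt_to_recipients, ...) are hypothetical.
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; enough for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # fix size, make odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). Textbook RSA, no padding: illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def key_id(n):
    """Stand-in for the key ID a PKESK packet uses to name its recipient."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()[-16:]


def _keystream(key, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(key, data):
    """Toy stream cipher (XOR keystream); the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encrypt_to_recipients(plaintext, public_keys):
    """Bulk data is encrypted ONCE under a fresh session key. Only that key is
    wrapped, once per recipient, with the recipient's PUBLIC key: no private
    key is involved anywhere here, which is why --encrypt cannot use one."""
    session_key = secrets.token_bytes(32)
    k = int.from_bytes(session_key, "big")
    wrapped = {}
    for e, n in public_keys:
        assert k < n, "textbook RSA needs the session key below the modulus"
        wrapped[key_id(n)] = pow(k, e, n)  # analogue of one PKESK packet each
    return {"wrapped_keys": wrapped, "body": symmetric_xor(session_key, plaintext)}


def decrypt_as(message, private_key):
    """Find our wrapped session key by key ID, unwrap it, then decrypt the body."""
    d, n = private_key
    if key_id(n) not in message["wrapped_keys"]:
        raise ValueError("message was not encrypted to this key")
    session_key = pow(message["wrapped_keys"][key_id(n)], d, n).to_bytes(32, "big")
    return symmetric_xor(session_key, message["body"])


if __name__ == "__main__":
    alice_pub, alice_priv = rsa_keygen()
    bob_pub, bob_priv = rsa_keygen()
    msg = encrypt_to_recipients(b"constructed sample plaintext", [alice_pub, bob_pub])
    print(len(msg["wrapped_keys"]), "wrapped keys, body of", len(msg["body"]), "bytes")
    print(decrypt_as(msg, alice_priv), decrypt_as(msg, bob_priv))
```

The body is the same length for one recipient or ten; each extra recipient only adds another entry in `wrapped_keys`, which is the economy the quoted reply guesses at. A third key whose ID is not present cannot recover the session key and `decrypt_as` refuses it, mirroring gpg's "secret key not available" outcome.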
