LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-11-2013, 12:18 PM   #16
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49

Quote:
Originally Posted by sundialsvcs View Post
I'm quite confused by this thread. To send a message to someone, you need to know their public key. Only they, with their private key, can decrypt it.
Yes, I know.

Quote:
Originally Posted by sundialsvcs View Post
Message-signing requires knowledge of the signer's public key. Successful decryption of the message signature indicates that the possessor of the corresponding private key must have created that signature.
Yes, I know.

Quote:
Originally Posted by sundialsvcs View Post
However ... the concept of what you are wanting to do is not a good one, and I daresay that PayPal would put the kabosh on your account if they caught wind of it. The notification should, yes, be encrypted (so that eavesdroppers can't detect whether a notification succeeded or failed), but it should not contain detailed information. The technician should have to log-in himself to see details.
There will be no account information emailed in this way, but the information is still sensitive IMHO. The point is to notify developers when exceptions occur in the code. The script in question is not a payment form and users never enter their payment information into our site. They enter their payment information into paypal's site and the script I'm dealing with is an Instant Payment Notification (IPN) page.

Quote:
Originally Posted by sundialsvcs View Post
Software support for Privacy-Enhanced Mail (PEM) is not hard to come by, e.g. in Perl or any other "real" programming-language tool. If you're for example trying to pony something up with bash-scripting, you're going about this the wrong way.
I appreciate your input and generally agree with your assessment that using shell scripting is a bad way to do things. It is my understanding that PEM has been all but abandoned due to its reliance on a centralized CA. And I must protest your assertion that Perl is any more "real" than PHP. PHP also has a library for gnupg and OpenSSL. The failure here is all mine and not that of the language used. At this point, I'm mostly confused about the difference between keys and certificates and how to identify what format I'm looking at and how to translate them, etc.

I hope everyone will bear with me until I can get a more specific (and answerable) question here.
 
Old 03-12-2013, 11:47 PM   #17
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023
Quote:
b) there would be no need for any sensitive keys or anything on the server -- just my public key.
This is in fact exactly the case

IOW, on the recipient's end (ie you / your mates home systems ) you generate a Public/Private keypair, then just import ONLY the Public key(s) into the server.
Have the keyring owned by the Apache user and that's it.

If you're only worried about in-transit encryption, you could (but not normally!) share your private key with your mates ie only 1 Public/Private pair for the whole system.

Hope that clarifies things somewhat.

PS I could be wrong, but I don't think sundialsvcs was saying php is not a real lang; more that you should stick to a lang like php, Perl etc that has bindings for gpg, which bash does not.
FYI though, I had to do something similar for some investment bank some time ago and found an oddity at the time viz:
using the gpg extensions from Perl to create the encrypted file at my end would result in a file that was unusable at the other end using PGP (not gpg) on MSwin, but shelling out to call the gpg prog directly created files that could be read by the target system.
Given that Perl was simply using the API of the same installed gpg SW, it was very odd...


EDIT: PS, for a completely lateral approach, why not just have the system dump the actual error (with sensitive info) in the dev's local acct on the server, either by cp'ing or local emailing, and then have the external email just be an alert, possibly with a classification hint eg class1 => emergency, class2 => urgent etc etc..
Skip all the encryption stuff entirely.

Last edited by chrism01; 03-13-2013 at 03:33 AM. Reason: Add lateral non-encrypt soln
 
Old 03-14-2013, 10:04 AM   #18
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by chrism01 View Post
This is in fact exactly the case
I'm pretty excited about it.

Quote:
Originally Posted by chrism01 View Post
IOW, on the recipient's end (ie you / your mates home systems ) you generate a Public/Private keypair, then just import ONLY the Public key(s) into the server.
I'm aware that this is how it works, but the devil is in the details. For starters, there appear to be public keys and then public key certificates and there's PEM format and there's X.509 format, etc., etc. I'm working on this today, but my experience in the past has been to acquire a public key via key server and that also seems like an extra step -- keep in mind that I might be explaining this whole key-generation process to very non-technically-minded people.

Quote:
Originally Posted by chrism01 View Post
Have the keyring owned by the Apache user and that's it.
I've been thinking through how to import a key into a key ring belonging to apache. I was originally thinking it might be accomplished via PHP script with gnupg_addencryptkey but the documentation over there is pretty skimpy -- and, unless I'm mistaken, the parameter to specify the key is just a fingerprint which suggests the key must already by in the keyring.

I'm guessing I would need to manually run gpg commands as root on the server to import keys into the apache user's keyring?

Quote:
Originally Posted by chrism01 View Post
If you're only worried about in-transit encryption, you could (but not normally!) share your private key with your mates ie only 1 Public/Private pair for the whole system.
I would like to create some PHP tools for the general case -- namely that I can choose from a variety of public keys to deliver messages. I'm aware that everyone who gets their hands on the private key (and its passphrase, if applicable) will be privy to the messages sent and expect key distribution to any groups will depend on the circumstances of deployment and server performance constraints, etc. E.g., the server may be under intense load so re-encrypting a single message five times for five recipients may present an unnecessary strain.

Quote:
Originally Posted by chrism01 View Post
Hope that clarifies things somewhat.
I appreciate your input -- helps me think it through.

Quote:
Originally Posted by chrism01 View Post
PS I could be wrong, but I don't think sundialsvcs was saying php is not a real lang; more that you should stick to a lang like php, Perl etc that has bindings for gpg, which bash does not.
I think we all agree on this point. My original post was before I had located the gnupg PECL extension for PHP. I had seen a script on the IBM website (wtf!?) that was using the exec commands and whatnot. I'm not above doing that if I must but certainly don't want to unless I absolutely have to. As it turns out, it looks like I'll need at least some BASH scripting for the key import business -- at the very least a command entered manually to set up keyring circumstances.

Quote:
Originally Posted by chrism01 View Post
FYI though, I had to do something similar for some investment bank some time ago and found an oddity at the time viz:
using the gpg extensions from Perl to create the encrypted file at my end would result in a file that was unusable at the other end using PGP (not gpg) on MSwin, but shelling out to call the gpg prog directly created files that could be read by the target system.
Given that Perl was simply using the API of the same installed gpg SW, it was very odd...
I've already encountered a bit of this oddness in trying to encrypt using openssl and got a failure. NB I have been posting about this same problem on phpbuilder.com.


Quote:
Originally Posted by chrism01 View Post
EDIT: PS, for a completely lateral approach, why not just have the system dump the actual error (with sensitive info) in the dev's local acct on the server, either by cp'ing or local emailing, and then have the external email just be an alert, possibly with a classification hint eg class1 => emergency, class2 => urgent etc etc..
Skip all the encryption stuff entirely.
Well there is in fact all kinds of logging and data entry and whatnot that gets handled on the server but the real advantage of the encrypt-and-email approach is that I would receive a convenient notification with all the relevant detail instead of having to copy some unique id from my email, open an SSH terminal, connect to the server (possibly having to type the password to my ssh cert), then remember where the log file is located, type "tail -f blah blah blah" or "grep unique_id /path/to/file" or whatever. It would certainly be nice to give the overworked forearms a bit of rest, don't you think?
 
Old 03-14-2013, 01:26 PM   #19
sneakyimp
Member
 
Registered: Dec 2004
Posts: 791

Original Poster
Rep: Reputation: 49
Quote:
Originally Posted by sneakyimp
it looks like I'll need at least some BASH scripting for the key import business -- at the very least a command entered manually to set up keyring circumstances.
I was mistaken about needing BASH to import a key.
 
Old 03-14-2013, 08:33 PM   #20
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023Reputation: 2023
Surely the dev(s) are going to have to login to the server to fix the problem, inc research the root cause anyway?
As I pointed out, the server would dump the sensitive stuff into the local dev's personal acct; no need to go searching all over the place.
Just create a log dir for each dev under their home dir and have the server dump a copy of errors there.
You should still keep the std logs wherever as the definitive log (eg for backing up / avail to any dev if reqd)

Generating keys is a strictly one off affair, done manually, then just stick the Public keys on the server.

Re key generation, importing, this is the guide I used http://www.gnupg.org/gph/en/manual.html

Quote:
E.g., the server may be under intense load so re-encrypting a single message five times for five recipients may present an unnecessary strain.
Unless you are sending very(!) large msgs, this is not a problem. Its a bit of an urban myth on modern systems...
 
Old 03-15-2013, 09:31 AM   #21
GreenScuba
LQ Newbie
 
Registered: Mar 2013
Distribution: Red Hat
Posts: 9

Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
Surely the dev(s) are going to have to login to the server to fix the problem, inc research the root cause anyway?
As I pointed out, the server would dump the sensitive stuff into the local dev's personal acct; no need to go searching all over the place.
Just create a log dir for each dev under their home dir and have the server dump a copy of errors there.
You should still keep the std logs wherever as the definitive log (eg for backing up / avail to any dev if reqd)

Generating keys is a strictly one off affair, done manually, then just stick the Public keys on the server.

Re key generation, importing, this is the guide I used http://www.gnupg.org/gph/en/manual.html


Unless you are sending very(!) large msgs, this is not a problem. Its a bit of an urban myth on modern systems...
Actually, the payload is encrpyted once with a randomly generated symetric key. That key is encrypted with the public key of a recipient. A message going to 10 recipients will have the payload encrypted once with a set of 10 PKI encrpytions of the key needed to decrypt the payload. That's a bit of simplification, but has the gist of it.
 
Old 03-15-2013, 06:35 PM   #22
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,257

Rep: Reputation: 1077Reputation: 1077Reputation: 1077Reputation: 1077Reputation: 1077Reputation: 1077Reputation: 1077Reputation: 1077
I certainly didn't intend to "besmirch PHP." I use it fairly constantly too.

And, hey ... ... I also didn't mean any insult to anybody out there. Just tryin' to contribute. Just sayin', and 'nuff said, but .. if I need to "eat crow" it sure tastes good.

Last edited by sundialsvcs; 03-15-2013 at 09:49 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 08:33 AM
Putty/SSH login failed when using RSA public key: 'Server refused our key' itsecx@gmail.com Linux - Server 10 10-04-2010 01:19 PM
Revoking GPG key with only passphrase and public key djib Linux - Security 2 03-13-2007 03:20 AM
GPG Data, Secret Key but no Public Key? Aeiri Linux - Software 5 07-20-2004 06:00 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM


All times are GMT -5. The time now is 01:41 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration