Hello,

I have implemented GnuPG on my shopping cart. The cart is sending the message out correctly but I am unable to decrypt the message. This is a standard feature that comes with the cart so I am confident the message is being sent encrypted.

My question, is there a way to send the message out where it self decrypts when downloaded? I receive these emails and I then forward them to another user that then places the orders.

I have read all the forums I can find, the gnu site and many of the how to guides too. I have seen this demonstrated when I enrolled on the cyber alert email list from Homeland Security. They send it out GnuPG encrypted and when I open the email it is decrypted. I never loaded anything to make that happen. I am presently using Entourage on a Mac.

If need be, I can load a plugin but the other person is on an IBM PC and the
company won't permit any software to be loaded on their system. They have OE 6 they use for an email client.

Please tell me how GnuPG needs to be setup and anything else I need to get this application working.

I really need some direction so I can get my cart implemented.

Thanks,

Randal

If the file is being encrypted with GnuPG, you just need to use GnuPG and the appropriate decryption key to decrypt it. What is your definition of "self-decrypts"? There is a thunderbird plugin called enigmail that can open GPG emails for you.

I am using a Mac with Entourage and when I signed up with cyber alerts I received the following email without installing anything on my system:

***********


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Cyber Security Alert SA05-221A archive

Microsoft Windows and Internet Explorer Vulnerabilities

Original release date: August 9, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer

For more complete information, refer to the Microsoft Security
Bulletin Summary for August, 2005.


Overview

Microsoft has released updates that address critical
vulnerabilities in Windows and Internet Explorer.


Solution

Apply Updates

Microsoft has released security updates for Windows and Internet
Explorer. To obtain the updates, visit the Microsoft Update web
site. US-CERT also recommends enabling Automatic Updates.


Description

Microsoft Security Bulletins for August, 2005 address
vulnerabilities in Windows and Internet Explorer. These
vulnerabilities may allow an attacker to take control of your
computer or cause it to crash. For more technical information, see
US-CERT Technical Cyber Security Alert TA05-221A.


References

* Microsoft Security Bulletin Summary for August, 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx>

* US-CERT Vulnerability Note VU#965206 -
<http://www.kb.cert.org/vuls/id/965206>

* US-CERT Vulnerability Note VU#959049 -
<http://www.kb.cert.org/vuls/id/959049>

* US-CERT Vulnerability Note VU#998653 -
<http://www.kb.cert.org/vuls/id/998653>

* US-CERT Vulnerability Note VU#490628 -
<http://www.kb.cert.org/vuls/id/490628>

* US-CERT Vulnerability Note VU#220821 -
<http://www.kb.cert.org/vuls/id/220821>

* US-CERT Technical Cyber Security Alert TA05-221A -
<http://www.us-cert.gov/cas/techalerts/TA05-221A.html>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate>

* Microsoft Update Overview -
<http://www.microsoft.com/technet/prodtechnol/microsoftupdate/defa
ult.mspx>
_________________________________________________________________

Feedback can be directed to the US-CERT Technical Staff.
_________________________________________________________________

This document is available at

<http://www.us-cert.gov/cas/alerts/SA05-221A.html>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

August 9, 2005: Initial release

Last updated August 9, 2005

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQvkzAhhoSezw4YfQAQIbAQf/WAX5AghmyO6jws4CaOUzvAxupY4j/Yvy
GTP602Z8/NYn1mspiOcd0rOtm4DIp/4EpJuYggULNC7CRkcusKqE5dtUqIR4VUG3
nR4zgUHG1MTTi0/TqF+f8EI3lY/j07zKwNhAvbElf1MAeV6XqXCo7jVAPwUm2w5t
cb9XTUh3UdA/kq4K8vCF7dh4wjqlCHJBSuNfyBmVQTSdgttHJxXclvhwPuTlLPFs
+A4rQR7FiTXRN3Tj0sHW/zW7xCDs07h1+vsiI7jpCuAk9JD40xWwb3BiX5ex7y5N
zcHkvfazshEypmfdt2N3McGIiqIh58hyBbqd1uUT8b+qaBXVrm8djg==
=VjB4
-----END PGP SIGNATURE-----

*********************

So, I was hoping there was a way to send an encrypted message and then when it is downloaded it would be decrypted. The place where I need to send the encrypted emails won't permit any software to be installed on their system. If need be though, I am sure the key could be loaded into their OE 6 mail client.

This was what I was hoping for. If not, are there any other suggestions given the parameters I have outlined?

Thanks!

Randal

First off, the email you get from CERT is not encrypted, it's signed.

Secondly, you have to have some sort of decrypting software and key to decrypt an encrypted email or file. Can you decrypt the files locally? What key is the shopping cart system configured to encrypt with and to?

David,

Thanks for letting me know that it wasn't encrypted. That explains a great deal. I haven't been able to decrypt the files locally.

I am using the following public key for the software:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)

mQGiBELn4iIRBAC3Y9rNd5wUg3so1bGzr52PaZ6ceps/4pYGZPIe+Q6OrzKFFoRl
UaatI8xmUijLQSoC72MDoLV8qstQqnZz9ZgUnrgcefa0Bjpqvcoqwcmt6VJmqYwz
3DtoUx+uxEFvzbTLYQMDUuQBGq+IWmzES38izqNRkvxmA13hSuSESNk6vwCgkBhe
DnufOWqJiqqyc2I0KIeeghUEALZYtpVJ+IoTjwthW7ELlJTZkUJ8lyjKTwAUvfhH
/1f542OnmKbsVLN6wakSOHQLrdKVI5Y+DWyvGIme4jr5jRanUUZ7ii0vceWGFSG5
6E7aTcfSyTPjGsnVBCKWiEq4fRCFH97xqP+ZDzcyVa7ZQjLaJEjDGaaX/JCLGvZd
1Vq8A/sGSD6ktncsDvF3iklYH0DQtuebH4nTZ4WGTUzcHcVTOsabuL54dzcRew0d
QDmFH1dr4WEqm1hl0HNv34bwXuPweIzS/MgoLWNBMPT3zl8TRrXP/H601IJNFSJV
WEktp1+f6u7gRAVkeE2c0Dk+EdAaCnINGzegbO5MCpXQ+xoQdLRIUmFuZGFsIEou
IFdhdGtpbnMgKFJhbmRhbCBsb3ZlcyBEb25uYSEpIDxsb25nZGlzdGFuY2VAdGhl
aGVyYnNwbGFjZS5jb20+iFkEExECABkFAkLn4iIECwcDAgMVAgMDFgIBAh4BAheA
AAoJEGsahZaZAG2LbugAnjSv4WW/NgL1C0U6cwee5Qjf+YNbAJ44tnkGADKvgy3O
L1V0L+cCAW+k+rkBDQRC5+IjEAQAtx6QWnxYmTdDAqmQYzLgFNtJqwE2Kq/ZhVhE
zhltsos7IkaCLUfeevBy0DMW80JBxz6H3BGMS1Bx3MpUfsS8biqoZoJ8070e3aG3
aOPYrlrkN+4HWl6KeoqfTKWUScTUSr3W9ddi8/iuVmTcFwhrKWBt6KsHCCFKOl3t
h9OBofMAAwUD/0z/oOWDaWlPUUku36/NkFMnjiaMaNba5PLuABWEqvQDO1pQr3a9
kdhhmdYtur18tcg6Z28/9GdWWtIBj5YtjqrdkoEQXN7lI/NFbTW02p2Hd23VaihT
yg9/qKEt2bh2G6Mda+mTvVOPWLDEod+rAYpJWwrWgH+c85/tHZ44RVE+iEYEGBEC
AAYFAkLn4iMACgkQaxqFlpkAbYt29wCfe1WTkGsl5Uy1dBofy3HnKiSwLk0AoID+
mFfnMdvEa/gjOr/UytoWCYA4
=4Jh/
-----END PGP PUBLIC KEY BLOCK-----

When I send the test email from the cart it looks like this

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.1 (GNU/Linux)

hQEOA9xZIYw38E05EAQAgQPKTHkxuEyVpJScQE/VgUSiTV2kDGTU+g8CFvVPkFam
NXlfn/3dgWfgPf3V28S327G5LVfoXARAcSiEDHMbp7HJsHWzaUN1iYcD1OtQDCa+
79gizsZ8r17vCyr10H70BbM+MEdO0Q6mjMnpfto9AoPFtg2+Ic4EomLi16HeSBwE
AKcKDoNr9fFZTUeAbCyu8dLBL5RVZx0st9+DDCNGoaMtHq92O9gzM3ksoNm9Vfgt
S96803ORn2KRAywrora7BiYoxzqkUKVg4u8rboPRJbBS+ORjj9l7VvhFozVS3Tgo
S/xP45nasja/XoB/CWm0VHiT/ZTYWRi3GBXxJ/lwxov50m4BqhHeEcXWRNcYCJ/g
Z8RTHSAN9OgCTO6wWW+d1r+nj7MC8lh6pmhby2rYJBuoMjjB4Pf9psknbCmhOVwk
ucRtUL2e2n5k+Jg8UAeVWraCD4IL5mABud4hWoXuPcm4IA4qSU/eR79Ocr12oySL
XA==
=Vi8F
-----END PGP MESSAGE-----

Is this sending out an encrypted message? You have me wondering since the other one doesn't happen to be.

I can send you both keys if you want me to or I can PM you with the details if you prefer.

Randal

Yes, that is an encrypted email. Look at the difference in headers:
CERT:
Your email:
Note the absence of the word signed. Signed messages just allow you to verify that the email really came from CERT.

If you have the matching private key for that public key, you should be able to decrypt the message using gnupg.

I have the matching private key so where do I put it to decrypt it. I have access to an OE 6 mail client will that do it? Or, I have access to a Mac Entourage email client.

I have both key blocks so when I know where to put it I should be able to proceed.

Thanks,

Randal

You'll need to import the key into your gpg keyring. You can do this with "gpg --import" and then supply it the public and private keys.

I went into SSH and typed in gpg --import and now it is 24 minutes later and it still looks like this:

********************

Changes to system files may affect your warranty and
discharge Ensim from any further obligation to provide
customer with warranty services or support hereunder
*********************************************************
[root@sv1 root]# gpg --import

It is never coming back with the pound sign so I suspect something is wrong. Should it take this long?

I appreciate all your help.

Randal

You need to paste in the keys now and then press Ctrl-D.

Doing this on the linux server I get the following message:

***************
gpg: key 99006D8B: "Randal J. Watkins (Randal loves Donna!) <longdistance@theherbsplace.com>" not changed
gpg: key 99006D8B: already in secret keyring
gpg: Total number processed: 2
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

Is that the right place to do it? Or, should I be doing this on the Mac?

Thanks

Update:

I went ahead and imported it on the Mac and got the following message.

key 99006D8B: public key "Randal J. Watkins (Randal loves Donna!) <longdistance@theherbsplace.com>" imported
gpg: key 99006D8B: secret key imported
gpg: Total number processed: 2
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

Now what do I do to decrypt that message that I showed you earlier?

You are really helping, I appreciate your taking the time to give me this direction.

Randal

It really depends on what email client you're using on the mac. I'll look into entourage. For an easy test, do the following:
Then copy/paste the contents of the email and press Ctrl-D again.

Dave,

That worked and I had installed some plugin for Entourage and using the plugin it now works. Seems I had to load gpg to the Mac and import the keys before it could work.

Thanks for all your help.

Randal

No problem. Glad you got it working.