The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

GnuPG.. what programs to use?

Discussion in 'General Discussion' started by haze, Sep 26, 2002.

  1. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    I'm rather a bit stumped when it comes to this. A customer was using PGP on his previous web host, and is wanting to use the GnuPG feature available inside cPanel. How exatly does this work? What client side software does he need to download? I have tried looking at the gnupg web site, but im still lost. Can anyone help shed some light on this subject?
     
  2. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [quote:b4abaa6607][i:b4abaa6607]Originally posted by iminteractive[/i:b4abaa6607]

    I'm rather a bit stumped when it comes to this. A customer was using PGP on his previous web host, and is wanting to use the GnuPG feature available inside cPanel. How exatly does this work? What client side software does he need to download? I have tried looking at the gnupg web site, but im still lost. Can anyone help shed some light on this subject?[/quote:b4abaa6607]
    GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures and includes an advanced key management facility which is compliant with the proposed OpenPGP Internet standard as described in RFC 2440. As such, it is aimed to be compatible with PGP from NAI Inc.

    The client can use PGP from NAI or free GnuPG software.
    The best free software for Windows is [b:b4abaa6607]WinPT[/b:b4abaa6607] (Windows Privacy Tray) you can download WinPT from http://WinPT.org
    Windows Privacy Tray or WinPT is a Graphic User Interface (GUI) for GnuPG. Non-expert users can’t use GnuPG due to its command line interface and much required knowledge but WinPT lets these users use the implemented GnuPG by experts

    [b:b4abaa6607]How GnuPG can save the privacy?[/b:b4abaa6607]

    GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair

    Encrypting and decrypting documents

    A public and private key each have a specific role when encrypting and decrypting documents. A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, [b:b4abaa6607]only the person who holds the private key can recover a document encrypted using the associated public key.[/b:b4abaa6607]

    The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Mike, you encrypt it using Mike's public key, and he decrypts it with his private key. If Mike wants to send you a message, he encrypts it using your public key, and you decrypt it with your private key.


    [b:b4abaa6607]There is a compatibility issue with GnuPG and PGP[/b:b4abaa6607] if you want to encrypt a message with GnuPG so that PGP is able to decrypt it:
    It depends on the PGP version.
    • PGP 2.x
    You can't do that because PGP 2.x normally uses IDEA which is not supported by GnuPG as it is patented (see 3.3), but if you have a modified version of PGP you can try this:
    • gpg --rfc1991 --cipher-algo 3des ...
    Please don't pipe the data to encrypt to gpg but provide it using a filename; otherwise, PGP 2 will not be able to handle it.
    As for conventional encryption, you can't do this for PGP 2.
    • PGP 5.x and higher
    You need to provide two additional options:
    • --compress-algo 1 --cipher-algo cast5
    You may also use &3des& instead of &cast5&, and &blowfish& does not work with all versions of PGP 5. You may also want to put:
    compress-algo 1
    into your ~/.gnupg/options file - this does not affect normal GnuPG operation.
    This applies to conventional encryption as well.
     
  3. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    [b:06d6a727dd]Legal Issues

    Never forget to fulfill the LAW[/b:06d6a727dd]

    Widespread use of the most interesting cryptographic algorithms and of cryptography in general has been severely hampered by legal issues:

    [b:06d6a727dd]In certain countries, the use of cryptography by the public is illegal, such as in France, or subject to governmental license. But even in countries where the public use of cryptography is legal, two major issues remain: US export controls and patents. [/b:06d6a727dd]

    Read more at : http://www.vii.org/crypto/legal.htm


    [b:06d6a727dd]Also if you distribute Cryptography softwares or information online you have to report the point of distribution to the authorities. Refer to your attorney.[/b:06d6a727dd]

    [b:06d6a727dd]Export Controls[/b:06d6a727dd]
    The US government considers encryption to be a dangerous technology, it is subject to the same export regulations and restrictions as munitions are. Programs containing cryptography need export approval, which is only granted if the exported software is crippled by removing the cryptographic routines altogether or reducing the key sizes to about 40 bits, which makes brute force search easy for the US government but for anyone else too...

    This is not an issue for developers not residing in the US, if they can export their software from their home country, they will be able to import it to the crucial US market, as no import restrictions to the US exist. Yet, the difficulty to obtain sample code on cryptography --- which is often exclusively available from US internet sites to US residents only --- does not make the development of cryptographic software outside of the US any easier.


    [b:06d6a727dd]Patents[/b:06d6a727dd]
    Most modern cryptographic techniques are covered by patents:

    DES is patented in the US but royalty free.

    IDEA is patented in Switzerland and other countries and is royalty free only for few types of non-commercial use such as academic research.

    All public key algorithms are patented in the US, and all of the important patents have been acquired by Public Key Partners (PKP).

    Programmers wanting to sell their software in the US and use public key cryptography need to license toolkits from PKP or related companies such as RSADSI. As these toolkits cannot be exported from the US because of the export controls mentioned above, there is no simple way developers living outside of the US can sell their public key cryptography software on the US market without getting in conflict with either US export control or patent law.
     
Loading...

Share This Page