Overview

In this section:

PGP encryption uses public key cryptography and includes a system which binds the public keys to a user name and/or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations at a later time. Current versions of PGP encryption include both alternatives through an automated key management server.

iWay Service Manager supports standard OpenPGP, as specified in RFC 2440. The support includes decrypting incoming messages and encrypting outgoing messages using simple PGP and key pair (public key) PGP.

With simple encryption, a message is encrypted with a symmetric key encoded by a pass phrase. A pass phrase is simply a long password, such as reality must take precedence over public relations. Both parties must know the secret pass phrase. The decryption system enables the pass phrase to be configured with the decryptor, or taken from some other source such as a header field on the incoming document itself. Exposing the pass phrase in the document itself eliminates secrecy, but does prevent casual viewers from examining the content of documents.

Key Pair Encryption

Key pair encryption eliminates the need for the shared pass phrase. Also called asymmetric encryption or public key/private key encryption, this eliminates the need for the shared pass phrase. The sender of the message must know in advance the public key of the receiver, which can be obtained from a commercial source or, in standard PGP, generated by a local tool. The public key is exported by the recipient to the sender(s) either by sending a file that the sender can import into his public key ring, or by publishing it to a secure server, such as ldap://keyserver.pgp.com. The sender imports the public key from the server into his public key ring. At the same time that the public key is prepared, the private key is also prepared, and stored in the secret key ring.

The sender, using the public key of the recipient, encodes the session key. The recipient uses the private key to decode the session key. This eliminates the need to share the secret pass phrase, however it is more complicated to configure and use.

Digital Signature

A signature confirms the identity of the sender of an email. It confirms that an email has not been tampered/altered during transmission.

For signing, an algorithm that does work is to use a public key algorithm to encrypt only the signature. In particular, the hash value is encrypted using the private key of the signer, and anybody can check the signature using the public key. The signed document can be sent using any other encryption algorithm including none if it is a public document. If the document is modified the signature check will fail, but this is precisely what the signature check is supposed to catch. The Digital Signature Standard (DSA) is a public key signature algorithm that works just as described. DSA is the primary signing algorithm used in GnuPG.

Supported algorithms include:

Algorithm

Description

none

Text is not encrypted.

cast5

128-bit key as per RFC 2144. This is the default.

blowfish

128-bit key, 16 rounds. A symmetric block cipher like DES and IDEA. Generally fast.

safer

SAFER-SK 128-bit, 13 rounds, using a secure key schedule. It does not operate with blocks, unlike IDEA and DES.

triple DES

DES-EDE, 168-bit key derived from 192 bits.

idea

A DES-like block cipher algorithm that uses a 128-bit key length to encrypt successive 64-bit blocks of plain text.
x
Supported Components

This section lists and describes the iWay components that are supported by the iWay PGP extension.

Preparser

com.ibi.preparsers.PGPDecrypt (Incoming documents)

The PGPDecrypt preparser decrypts an incoming message into the original unencrypted format.

Preemitter

com.ibi.preemit.PGPEncrypt (Outgoing Documents)

The PGPEncrypt preemitter encrypts an outgoing message into an encrypted XML document. This must be the last premitter in a chain, since a channel cannot process the encrypted document unless it is decrypted by a preparser first.

Service

com.ibi.agents.PGPEncrypt (Outgoing Documents)

The PGPEncrypt service also performs the same functionality as the preemitter. It encrypts outgoing documents. Like the preemitter, it needs to be the last component in the channel before the emitter, since the document would be in encrypted form. It also provides the same parameters as the preemitter.
Top of page
x
Encrypting Outgoing Documents

Outgoing documents can be encrypted in PGP using the PGP preemitter. The following table lists and describes the available parameters:

Parameter

Type

Description

Pass Phrase or Alias

Text

For simple encryption, this is the agreed upon pass phrase. For key pair, this is the public key alias of the recipient. Can be an SREG() or XPATH() specification. The form of an alias depends upon the key ring that is used.

Public Key Ring

Path

Full path to the public key ring. Used for key pair encryption.

Secret Key Ring

Path

Full path to the secret key ring. Used for key pair encryption.

Armor

Boolean

If set, an armored message is generated. For most purposes, armoring should be set ON.

Algorithm

Enumeration

The algorithm that is used. Select one of the following:

  • none
  • cast5
  • blowfish
  • safer
  • triple DES
  • IDEA

FingerPrint

TEXT(Hex Decimal Number)

Fingerprint of the Encryption Hex Decimal Key.

Note: The FingerPrint parameter is helpful when selecting a specific key from a list of available keys. If the FingerPrint parameter is not used, then the first available encryption keys for the encryption of data is used.

pub   1024D/584E38E6 2009-02-26
   Key fingerprint = 5E1F 0BEC A314 6379 EBA4  97EA 9925 772A 584E 38E6
uid     elgam (iway) <elgam@ibi.com>
sub  3008g/8D86CFF8 2009-02-26
   Key fingerprint = 2109 1680 A87E DA48 BF84  AA9A 237E D723 8D86 CFF8
sub   1088R/992532D9 2009-03-17
   Key fingerprint = 4389 BD56 9B53 A7BB AD60  AACE 8008 85F2 9925 32D9
x
Listing Multiple Sub Keys

Type the following command at the command prompt:

gpg --fingerprint --fingerprint elgam
(iway) <elgam@ib.com>

where:

elgam (iway) <elgam@ib.com>

Is the alias being used.

The following is a sample listing of multiple sub keys:

pub   1024D/584E38E6 2009-02-26
   Key fingerprint = 5E1F 0BEC A314 6379 EBA4  97EA 9925 772A 584E 38E6
uid          elgam (iway) <elgam@ib.com>
sub   3008g/8D86CFF8 2009-02-26
   Key fingerprint = 2109 1680 A87E DA48 BF84  AA9A 237E D723 8D86 CFF8
sub    1088R/992532D9 2009-03-17
   Key fingerprint = 4389 BD56 9B53 A7BB AD60  AACE 8008 85F2 9925 32D9
Top of page
x
Decrypting Incoming Documents

Any incoming document can be PGP-encoded. Decoding is performed using the PGPDecode preparser. The decryptor works with either simply encoded or key pair encoded messages. The pass phrase, used for simple decryption, can be specified directly, or as the content of a special register. The following table lists and describes the available parameters:

Parameter

Type

Description

Decrypt method

Pass phrase or key pair

Selects the form of decryption to be used.

Pass Phrase

Text

For simple encryption, this is the agreed upon pass phrase. For key pair decryption, this value is ignored.

Key Phrase

Text

Phrase used to unlock the secret key ring. Used for key pair encryption.

Public Key Ring

Path

Full path to the public key ring. Used for key pair encryption.

Secret Key Ring

Path

Full path to the secret key ring. Used for key pair encryption.
iWay Software