In this section: |
PGP encryption uses public key cryptography and includes a system which binds the public keys to a user name and/or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations at a later time. Current versions of PGP encryption include both alternatives through an automated key management server.
iWay Service Manager supports standard OpenPGP, as specified in RFC 2440. The support includes decrypting incoming messages and encrypting outgoing messages using simple PGP and key pair (public key) PGP.
With simple encryption, a message is encrypted with a symmetric key encoded by a pass phrase. A pass phrase is simply a long password, such as reality must take precedence over public relations. Both parties must know the secret pass phrase. The decryption system enables the pass phrase to be configured with the decryptor, or taken from some other source such as a header field on the incoming document itself. Exposing the pass phrase in the document itself eliminates secrecy, but does prevent casual viewers from examining the content of documents.
Key Pair Encryption
Key pair encryption eliminates the need for the shared pass phrase. Also called asymmetric encryption or public key/private key encryption, this eliminates the need for the shared pass phrase. The sender of the message must know in advance the public key of the receiver, which can be obtained from a commercial source or, in standard PGP, generated by a local tool. The public key is exported by the recipient to the sender(s) either by sending a file that the sender can import into his public key ring, or by publishing it to a secure server, such as ldap://keyserver.pgp.com. The sender imports the public key from the server into his public key ring. At the same time that the public key is prepared, the private key is also prepared, and stored in the secret key ring.
The sender, using the public key of the recipient, encodes the session key. The recipient uses the private key to decode the session key. This eliminates the need to share the secret pass phrase, however it is more complicated to configure and use.
Digital Signature
A signature confirms the identity of the sender of an email. It confirms that an email has not been tampered/altered during transmission.
For signing, an algorithm that does work is to use a public key algorithm to encrypt only the signature. In particular, the hash value is encrypted using the private key of the signer, and anybody can check the signature using the public key. The signed document can be sent using any other encryption algorithm including none if it is a public document. If the document is modified the signature check will fail, but this is precisely what the signature check is supposed to catch. The Digital Signature Standard (DSA) is a public key signature algorithm that works just as described. DSA is the primary signing algorithm used in GnuPG.
Supported algorithms include:
Algorithm |
Description |
---|---|
none |
Text is not encrypted. |
cast5 |
128-bit key as per RFC 2144. This is the default. |
blowfish |
128-bit key, 16 rounds. A symmetric block cipher like DES and IDEA. Generally fast. |
safer |
SAFER-SK 128-bit, 13 rounds, using a secure key schedule. It does not operate with blocks, unlike IDEA and DES. |
triple DES |
DES-EDE, 168-bit key derived from 192 bits. |
idea |
A DES-like block cipher algorithm that uses a 128-bit key length to encrypt successive 64-bit blocks of plain text. |
This section lists and describes the iWay components that are supported by the iWay PGP extension.
Preparser
com.ibi.preparsers.PGPDecrypt (Incoming documents)
The PGPDecrypt preparser decrypts an incoming message into the original unencrypted format.
Preemitter
com.ibi.preemit.PGPEncrypt (Outgoing Documents)
The PGPEncrypt preemitter encrypts an outgoing message into an encrypted XML document. This must be the last premitter in a chain, since a channel cannot process the encrypted document unless it is decrypted by a preparser first.
Service
com.ibi.agents.PGPEncrypt (Outgoing Documents)
The PGPEncrypt service also performs the same functionality as the preemitter. It encrypts outgoing documents. Like the preemitter, it needs to be the last component in the channel before the emitter, since the document would be in encrypted form. It also provides the same parameters as the preemitter.
Outgoing documents can be encrypted in PGP using the PGP preemitter. The following table lists and describes the available parameters:
Parameter |
Type |
Description |
---|---|---|
Pass Phrase or Alias |
Text |
For simple encryption, this is the agreed upon pass phrase. For key pair, this is the public key alias of the recipient. Can be an SREG() or XPATH() specification. The form of an alias depends upon the key ring that is used. |
Public Key Ring |
Path |
Full path to the public key ring. Used for key pair encryption. |
Secret Key Ring |
Path |
Full path to the secret key ring. Used for key pair encryption. |
Armor |
Boolean |
If set, an armored message is generated. For most purposes, armoring should be set ON. |
Algorithm |
Enumeration |
The algorithm that is used. Select one of the following:
|
FingerPrint |
TEXT(Hex Decimal Number) |
Fingerprint of the Encryption Hex Decimal Key. |
Note: The FingerPrint parameter is helpful when selecting a specific key from a list of available keys. If the FingerPrint parameter is not used, then the first available encryption keys for the encryption of data is used.
pub 1024D/584E38E6 2009-02-26 Key fingerprint = 5E1F 0BEC A314 6379 EBA4 97EA 9925 772A 584E 38E6 uid elgam (iway) <elgam@ibi.com> sub 3008g/8D86CFF8 2009-02-26 Key fingerprint = 2109 1680 A87E DA48 BF84 AA9A 237E D723 8D86 CFF8 sub 1088R/992532D9 2009-03-17 Key fingerprint = 4389 BD56 9B53 A7BB AD60 AACE 8008 85F2 9925 32D9
Type the following command at the command prompt:
gpg --fingerprint --fingerprint elgam
(iway) <elgam@ib.com>
where:
Is the alias being used.
The following is a sample listing of multiple sub keys:
pub 1024D/584E38E6 2009-02-26 Key fingerprint = 5E1F 0BEC A314 6379 EBA4 97EA 9925 772A 584E 38E6 uid elgam (iway) <elgam@ib.com> sub 3008g/8D86CFF8 2009-02-26 Key fingerprint = 2109 1680 A87E DA48 BF84 AA9A 237E D723 8D86 CFF8 sub 1088R/992532D9 2009-03-17 Key fingerprint = 4389 BD56 9B53 A7BB AD60 AACE 8008 85F2 9925 32D9
Any incoming document can be PGP-encoded. Decoding is performed using the PGPDecode preparser. The decryptor works with either simply encoded or key pair encoded messages. The pass phrase, used for simple decryption, can be specified directly, or as the content of a special register. The following table lists and describes the available parameters:
Parameter |
Type |
Description |
---|---|---|
Decrypt method |
Pass phrase or key pair |
Selects the form of decryption to be used. |
Pass Phrase |
Text |
For simple encryption, this is the agreed upon pass phrase. For key pair decryption, this value is ignored. |
Key Phrase |
Text |
Phrase used to unlock the secret key ring. Used for key pair encryption. |
Public Key Ring |
Path |
Full path to the public key ring. Used for key pair encryption. |
Secret Key Ring |
Path |
Full path to the secret key ring. Used for key pair encryption. |
iWay Software |