How to implement PGP

My requirement is to implement Security in a scenario wherein the user(client may be web browser or any other desktop application) is downloading a document at its desktop and then uploading (may be after sometime) the document to webserver.The transfer of information is taking place in form of document. Can i implement security by using PGP.
I have gone through various sites of pgp including your company site, www.pgpi.org and  http://www.w3.org/Conferences/WWW4/Papers2/245.html.

I havenot been able to come across the product/application that is required to be implemented at the
ClientSide(i.e.it may be WebBrowser or any other application) or at the webserver side where the document is kept.
All i have seen some products(e-ppliance,E-Business Server, PGP VPN Suite etc.)
Or i have come across PGP-CCI on http://www.w3.org/Conferences/WWW4/Papers2/245.html.
Though it talks of some PGP-CCI application that interects with PGP API but it dosenot tell about the application.
Do we need to code some application on our own to use PGP API.I am also not sure of PGP APIs.
ssalujaAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
chris_calabreseConnect With a Mentor Commented:
o  You could use GNU Privacy Guard (http://www.gnupg.org), which is freeware, or you could use the commercial product from PGP.  I don't think there's a GPG port to Windows, though it's possible you could port it with Cygwin (www.cygwin.com) or something similar.  Commercial PGP costs $$$ for the client and $$$$ (or even $$$$$) for a server.

o I don't think downloading the software on first connection would work because web stuff assumes you're not allowed to do that sort of thing.
Making it work would mean loading special software on the machine,
which leads to a chicken an egg problem.

o The back-end process involves calling the PGP software of your choice to encrypt and sign the file before sending it on its way.  Details depend on which PGP implementation you pick, how your back end web apps work, etc.

o The front-end process involves calling the PGP software to decrypt and verify the signature of the file.  Again, details will vary.  But one concern is going to be how to call that software.  You can't easily do it from the web browser unless you have a PGP plugin (don't know of any) or write an ActiveX control (assuming IE).   Otherwise the user has to save the file and then manually invoke the PGP program on it.

o Also you'll need to distribute your keys to all users, which isn't necessarily trivial.

All in all, PGP is a really really really really bad idea for what you want.  Use HTTPS/SSL.
0
 
chris_calabreseCommented:
Do you want to protect the document after it's been downloaded or only during transit.

If only during transit, just use an SSL-ized web server.

If you want to protect it afterwards too, then PGP is more appropriate.  You'll probably have to write your own code to call PGP to encrypt/signn the documents on the server and the client, though.  Unless you're using a client that PGP.com supports a plug-in for (like e-mailing the docs and using Outlook to read them).
0
 
ssalujaAuthor Commented:
The Project Requirement is such that i have to use PGP based security. The requirement of security is during tranist (downloading and uploading) of document between client(web browser or any other client application etc.) and webserver.Can we use implement security with PGP in this scenario.
If this is possible then please tell me how to implement it.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
chris_calabreseCommented:
You can implement PGP in this scenario, but it is way overkill.  Simply running an SSL-ized web server would be much easier and still fit the bill.

Getting PGP to work minimally requires
1.  Distributing your PGP public key to all clients.
2.  Distributing PGP software to all clients.
3.  A back-end process that encrypts and signs the files.
4.  A front-end process that decrypts the files.
0
 
ssalujaAuthor Commented:
Clarifications on The comments :
Pt no 2: Can you tell me which PGP software i have to distribute to all clients.Is it possible that the S/W gets downloaded the first time Client connects to the server.
Is this S/W a freeware.
Pt No 3: Please explain the back end process for encrypting and signing the files.
Pt no 4:  Please explain the front end process for decrypting the file

Can we use some open source to get these things done or we have to implement Software products for implementing PGP Security
0
 
ahoffmannCommented:
as I understand the comments so far, I agree with   chris_calabrese suggestions, especially that SSL should do it.
But I know that SSL cannot guarantee for the content, just think of a man-in-the-middle-attack (using a fake server), hard to do but it can ...
In such a situation PGP might be a solution if the keys have been exchanged and prooved using a trusted media before.

I've setup a test site using PGP signatures for any requested URL. It's probably not exactly what ssaluja wants, but very close to it. 'Cause all this stuff is not yet idiot-prooved, I won't post the link here.

ssaluja,  chris_calabrese, if you're interested in this, please ask support@experts-exchange.com for my email, and we can exchange more informations.
0
 
DanRollinsCommented:
Upon review of the comments here, I am recommending this disposition:

        points to chris_calabrese

Please post a comment if you disagree.

DanRollins -- EE database cleanup volunteer
0
 
SpideyModCommented:
per recommendation.

SpideyMod
Community Support Moderator @Experts Exchange
0
All Courses

From novice to tech pro — start learning today.