Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to implement PGP

Posted on 2001-06-14
9
Medium Priority
?
1,282 Views
Last Modified: 2008-02-01
My requirement is to implement Security in a scenario wherein the user(client may be web browser or any other desktop application) is downloading a document at its desktop and then uploading (may be after sometime) the document to webserver.The transfer of information is taking place in form of document. Can i implement security by using PGP.
I have gone through various sites of pgp including your company site, www.pgpi.org and  http://www.w3.org/Conferences/WWW4/Papers2/245.html.

I havenot been able to come across the product/application that is required to be implemented at the
ClientSide(i.e.it may be WebBrowser or any other application) or at the webserver side where the document is kept.
All i have seen some products(e-ppliance,E-Business Server, PGP VPN Suite etc.)
Or i have come across PGP-CCI on http://www.w3.org/Conferences/WWW4/Papers2/245.html.
Though it talks of some PGP-CCI application that interects with PGP API but it dosenot tell about the application.
Do we need to code some application on our own to use PGP API.I am also not sure of PGP APIs.
0
Comment
Question by:ssaluja
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6191196
Do you want to protect the document after it's been downloaded or only during transit.

If only during transit, just use an SSL-ized web server.

If you want to protect it afterwards too, then PGP is more appropriate.  You'll probably have to write your own code to call PGP to encrypt/signn the documents on the server and the client, though.  Unless you're using a client that PGP.com supports a plug-in for (like e-mailing the docs and using Outlook to read them).
0
 

Author Comment

by:ssaluja
ID: 6194779
The Project Requirement is such that i have to use PGP based security. The requirement of security is during tranist (downloading and uploading) of document between client(web browser or any other client application etc.) and webserver.Can we use implement security with PGP in this scenario.
If this is possible then please tell me how to implement it.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6195189
You can implement PGP in this scenario, but it is way overkill.  Simply running an SSL-ized web server would be much easier and still fit the bill.

Getting PGP to work minimally requires
1.  Distributing your PGP public key to all clients.
2.  Distributing PGP software to all clients.
3.  A back-end process that encrypts and signs the files.
4.  A front-end process that decrypts the files.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:ssaluja
ID: 6198613
Clarifications on The comments :
Pt no 2: Can you tell me which PGP software i have to distribute to all clients.Is it possible that the S/W gets downloaded the first time Client connects to the server.
Is this S/W a freeware.
Pt No 3: Please explain the back end process for encrypting and signing the files.
Pt no 4:  Please explain the front end process for decrypting the file

Can we use some open source to get these things done or we have to implement Software products for implementing PGP Security
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 200 total points
ID: 6202442
o  You could use GNU Privacy Guard (http://www.gnupg.org), which is freeware, or you could use the commercial product from PGP.  I don't think there's a GPG port to Windows, though it's possible you could port it with Cygwin (www.cygwin.com) or something similar.  Commercial PGP costs $$$ for the client and $$$$ (or even $$$$$) for a server.

o I don't think downloading the software on first connection would work because web stuff assumes you're not allowed to do that sort of thing.
Making it work would mean loading special software on the machine,
which leads to a chicken an egg problem.

o The back-end process involves calling the PGP software of your choice to encrypt and sign the file before sending it on its way.  Details depend on which PGP implementation you pick, how your back end web apps work, etc.

o The front-end process involves calling the PGP software to decrypt and verify the signature of the file.  Again, details will vary.  But one concern is going to be how to call that software.  You can't easily do it from the web browser unless you have a PGP plugin (don't know of any) or write an ActiveX control (assuming IE).   Otherwise the user has to save the file and then manually invoke the PGP program on it.

o Also you'll need to distribute your keys to all users, which isn't necessarily trivial.

All in all, PGP is a really really really really bad idea for what you want.  Use HTTPS/SSL.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6249979
as I understand the comments so far, I agree with   chris_calabrese suggestions, especially that SSL should do it.
But I know that SSL cannot guarantee for the content, just think of a man-in-the-middle-attack (using a fake server), hard to do but it can ...
In such a situation PGP might be a solution if the keys have been exchanged and prooved using a trusted media before.

I've setup a test site using PGP signatures for any requested URL. It's probably not exactly what ssaluja wants, but very close to it. 'Cause all this stuff is not yet idiot-prooved, I won't post the link here.

ssaluja,  chris_calabrese, if you're interested in this, please ask support@experts-exchange.com for my email, and we can exchange more informations.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 8451581
Upon review of the comments here, I am recommending this disposition:

        points to chris_calabrese

Please post a comment if you disagree.

DanRollins -- EE database cleanup volunteer
0
 

Expert Comment

by:SpideyMod
ID: 8492520
per recommendation.

SpideyMod
Community Support Moderator @Experts Exchange
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
What we learned in Webroot's webinar on multi-vector protection.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question