Solved

How to implement PGP

Posted on 2001-06-14
9
1,223 Views
Last Modified: 2008-02-01
My requirement is to implement Security in a scenario wherein the user(client may be web browser or any other desktop application) is downloading a document at its desktop and then uploading (may be after sometime) the document to webserver.The transfer of information is taking place in form of document. Can i implement security by using PGP.
I have gone through various sites of pgp including your company site, www.pgpi.org and  http://www.w3.org/Conferences/WWW4/Papers2/245.html.

I havenot been able to come across the product/application that is required to be implemented at the
ClientSide(i.e.it may be WebBrowser or any other application) or at the webserver side where the document is kept.
All i have seen some products(e-ppliance,E-Business Server, PGP VPN Suite etc.)
Or i have come across PGP-CCI on http://www.w3.org/Conferences/WWW4/Papers2/245.html.
Though it talks of some PGP-CCI application that interects with PGP API but it dosenot tell about the application.
Do we need to code some application on our own to use PGP API.I am also not sure of PGP APIs.
0
Comment
Question by:ssaluja
9 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6191196
Do you want to protect the document after it's been downloaded or only during transit.

If only during transit, just use an SSL-ized web server.

If you want to protect it afterwards too, then PGP is more appropriate.  You'll probably have to write your own code to call PGP to encrypt/signn the documents on the server and the client, though.  Unless you're using a client that PGP.com supports a plug-in for (like e-mailing the docs and using Outlook to read them).
0
 

Author Comment

by:ssaluja
ID: 6194779
The Project Requirement is such that i have to use PGP based security. The requirement of security is during tranist (downloading and uploading) of document between client(web browser or any other client application etc.) and webserver.Can we use implement security with PGP in this scenario.
If this is possible then please tell me how to implement it.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6195189
You can implement PGP in this scenario, but it is way overkill.  Simply running an SSL-ized web server would be much easier and still fit the bill.

Getting PGP to work minimally requires
1.  Distributing your PGP public key to all clients.
2.  Distributing PGP software to all clients.
3.  A back-end process that encrypts and signs the files.
4.  A front-end process that decrypts the files.
0
 

Author Comment

by:ssaluja
ID: 6198613
Clarifications on The comments :
Pt no 2: Can you tell me which PGP software i have to distribute to all clients.Is it possible that the S/W gets downloaded the first time Client connects to the server.
Is this S/W a freeware.
Pt No 3: Please explain the back end process for encrypting and signing the files.
Pt no 4:  Please explain the front end process for decrypting the file

Can we use some open source to get these things done or we have to implement Software products for implementing PGP Security
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 14

Accepted Solution

by:
chris_calabrese earned 50 total points
ID: 6202442
o  You could use GNU Privacy Guard (http://www.gnupg.org), which is freeware, or you could use the commercial product from PGP.  I don't think there's a GPG port to Windows, though it's possible you could port it with Cygwin (www.cygwin.com) or something similar.  Commercial PGP costs $$$ for the client and $$$$ (or even $$$$$) for a server.

o I don't think downloading the software on first connection would work because web stuff assumes you're not allowed to do that sort of thing.
Making it work would mean loading special software on the machine,
which leads to a chicken an egg problem.

o The back-end process involves calling the PGP software of your choice to encrypt and sign the file before sending it on its way.  Details depend on which PGP implementation you pick, how your back end web apps work, etc.

o The front-end process involves calling the PGP software to decrypt and verify the signature of the file.  Again, details will vary.  But one concern is going to be how to call that software.  You can't easily do it from the web browser unless you have a PGP plugin (don't know of any) or write an ActiveX control (assuming IE).   Otherwise the user has to save the file and then manually invoke the PGP program on it.

o Also you'll need to distribute your keys to all users, which isn't necessarily trivial.

All in all, PGP is a really really really really bad idea for what you want.  Use HTTPS/SSL.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6249979
as I understand the comments so far, I agree with   chris_calabrese suggestions, especially that SSL should do it.
But I know that SSL cannot guarantee for the content, just think of a man-in-the-middle-attack (using a fake server), hard to do but it can ...
In such a situation PGP might be a solution if the keys have been exchanged and prooved using a trusted media before.

I've setup a test site using PGP signatures for any requested URL. It's probably not exactly what ssaluja wants, but very close to it. 'Cause all this stuff is not yet idiot-prooved, I won't post the link here.

ssaluja,  chris_calabrese, if you're interested in this, please ask support@experts-exchange.com for my email, and we can exchange more informations.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 8451581
Upon review of the comments here, I am recommending this disposition:

        points to chris_calabrese

Please post a comment if you disagree.

DanRollins -- EE database cleanup volunteer
0
 

Expert Comment

by:SpideyMod
ID: 8492520
per recommendation.

SpideyMod
Community Support Moderator @Experts Exchange
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Suggested Solutions

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now