Solved

How to implement PGP

Posted on 2001-06-14
Last Modified: 2008-02-01
My requirement is to implement security in a scenario wherein the user (the client may be a web browser or any other desktop application) is downloading a document at its desktop and then uploading (maybe after some time) the document to the webserver. The transfer of information is taking place in the form of a document. Can I implement security by using PGP?
I have gone through various PGP sites, including your company site, www.pgpi.org and http://www.w3.org/Conferences/WWW4/Papers2/245.html.

I have not been able to come across the product/application that is required to be implemented at the client side (i.e. it may be a web browser or any other application) or at the webserver side where the document is kept.
All I have seen are some products (e-ppliance, E-Business Server, PGP VPN Suite etc.).
Or I have come across PGP-CCI on http://www.w3.org/Conferences/WWW4/Papers2/245.html.
Though it talks of some PGP-CCI application that interacts with the PGP API, it does not tell about the application.
Do we need to code some application on our own to use the PGP API? I am also not sure of the PGP APIs.
0
Question by:ssaluja
9 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6191196
Do you want to protect the document after it's been downloaded or only during transit?

If only during transit, just use an SSL-ized web server.

If you want to protect it afterwards too, then PGP is more appropriate.  You'll probably have to write your own code to call PGP to encrypt/sign the documents on the server and the client, though.  Unless you're using a client that PGP.com supports a plug-in for (like e-mailing the docs and using Outlook to read them).
0
 

Author Comment

by:ssaluja
ID: 6194779
The project requirement is such that I have to use PGP-based security. The requirement of security is during transit (downloading and uploading) of the document between the client (web browser or any other client application etc.) and the webserver. Can we implement security with PGP in this scenario?
If this is possible, then please tell me how to implement it.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6195189
You can implement PGP in this scenario, but it is way overkill.  Simply running an SSL-ized web server would be much easier and still fit the bill.

Getting PGP to work minimally requires
1.  Distributing your PGP public key to all clients.
2.  Distributing PGP software to all clients.
3.  A back-end process that encrypts and signs the files.
4.  A front-end process that decrypts the files.
0

 

Author Comment

by:ssaluja
ID: 6198613
Clarifications on the comments:
Pt no 2: Can you tell me which PGP software I have to distribute to all clients? Is it possible that the S/W gets downloaded the first time the client connects to the server?
Is this S/W freeware?
Pt no 3: Please explain the back-end process for encrypting and signing the files.
Pt no 4: Please explain the front-end process for decrypting the file.

Can we use some open source to get these things done, or do we have to implement software products for implementing PGP security?
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 50 total points
ID: 6202442
o  You could use GNU Privacy Guard (http://www.gnupg.org), which is freeware, or you could use the commercial product from PGP.  I don't think there's a GPG port to Windows, though it's possible you could port it with Cygwin (www.cygwin.com) or something similar.  Commercial PGP costs $$$ for the client and $$$$ (or even $$$$$) for a server.

o I don't think downloading the software on first connection would work because web stuff assumes you're not allowed to do that sort of thing. Making it work would mean loading special software on the machine, which leads to a chicken and egg problem.

o The back-end process involves calling the PGP software of your choice to encrypt and sign the file before sending it on its way.  Details depend on which PGP implementation you pick, how your back end web apps work, etc.

o The front-end process involves calling the PGP software to decrypt and verify the signature of the file.  Again, details will vary.  But one concern is going to be how to call that software.  You can't easily do it from the web browser unless you have a PGP plugin (don't know of any) or write an ActiveX control (assuming IE).   Otherwise the user has to save the file and then manually invoke the PGP program on it.

o Also you'll need to distribute your keys to all users, which isn't necessarily trivial.

All in all, PGP is a really really really really bad idea for what you want.  Use HTTPS/SSL.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6249979
As I understand the comments so far, I agree with chris_calabrese's suggestions, especially that SSL should do it.
But I know that SSL cannot guarantee for the content, just think of a man-in-the-middle attack (using a fake server), hard to do but it can ...
In such a situation PGP might be a solution if the keys have been exchanged and proved using a trusted medium before.

I've set up a test site using PGP signatures for any requested URL. It's probably not exactly what ssaluja wants, but very close to it. 'Cause all this stuff is not yet idiot-proofed, I won't post the link here.

ssaluja, chris_calabrese, if you're interested in this, please ask support@experts-exchange.com for my email, and we can exchange more information.
0
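
The back-end sign-and-encrypt step and the front-end decrypt-and-verify step described in the accepted answer, together with the pre-exchanged key check from the comment above, sketched with GnuPG's command line as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later; the function names, user IDs and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: GnuPG 2.1+ assumed; keys, user IDs and file names are constructed.
set -eu

# Non-interactive gpg against an isolated keyring directory ($1).
g() { gh=$1; shift
      gpg --homedir "$gh" --batch --quiet --no-tty \
          --pinentry-mode loopback --passphrase '' "$@"; }

# Generate an unprotected test key and print its primary fingerprint.
make_key() {  # make_key <homedir> <user-id>
  g "$1" --quick-generate-key "$2" default default never >/dev/null 2>&1
  g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr" && !n++ {print $10}'
}

# Key distribution step: copy one public key between keyrings.
share_pubkey() {  # share_pubkey <from-home> <to-home> <fpr>
  g "$1" --export "$3" | g "$2" --import
}

# Back end: sign with the server key, encrypt to the client key.
server_protect() {  # <home> <signer-fpr> <recipient-fpr> <in> <out>
  g "$1" --trust-model always --yes --local-user "$2" --recipient "$3" \
         --sign --encrypt --output "$5" "$4"
}

# Front end: decrypt, then keep the plaintext only if the signature is valid
# and was made by the pinned primary key (last field of the VALIDSIG line).
client_open() {  # <home> <pinned-server-fpr> <in> <out>
  if st=$(g "$1" --yes --status-fd 1 --output "$4" --decrypt "$3" 2>/dev/null) &&
     printf '%s\n' "$st" | grep -q "^\[GNUPG:\] VALIDSIG .* $2\$"; then
    return 0
  fi
  rm -f "$4"; return 1
}

# End-to-end run in a scratch directory; prints the recovered document.
demo() {
  d=$(mktemp -d); mkdir -m 700 "$d/srv" "$d/cli"
  sfpr=$(make_key "$d/srv" 'Doc Server (constructed) <server@example.invalid>')
  cfpr=$(make_key "$d/cli" 'Doc Client (constructed) <client@example.invalid>')
  share_pubkey "$d/srv" "$d/cli" "$sfpr"   # in practice: over a trusted channel
  share_pubkey "$d/cli" "$d/srv" "$cfpr"
  printf 'quarterly report\n' > "$d/doc.txt"
  server_protect "$d/srv" "$sfpr" "$cfpr" "$d/doc.txt" "$d/doc.txt.gpg"
  client_open "$d/cli" "$sfpr" "$d/doc.txt.gpg" "$d/out.txt" && cat "$d/out.txt"
  for h in srv cli; do gpgconf --homedir "$d/$h" --kill gpg-agent || true; done
  rm -rf "$d"
}
```

Calling `demo` runs the whole exchange; `client_open` deletes its output whenever decryption fails or the signer is not the pinned key.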
 
LVL 49

Expert Comment

by:DanRollins
ID: 8451581
Upon review of the comments here, I am recommending this disposition:

        points to chris_calabrese

Please post a comment if you disagree.

DanRollins -- EE database cleanup volunteer
0
 

Expert Comment

by:SpideyMod
ID: 8492520
per recommendation.

SpideyMod
Community Support Moderator @Experts Exchange
0
