Bouncy Castle Doubt: Decryption without password

Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Actually I am trying to move my application using the GNUPG tool to Bouncy Castle (bcprov-jdk15on-147.jar). Actually during decryption in GNUPG we are not using a password, but in the Bouncy Castle API we are supposed to pass a password during decryption. Is there any option of decrypting a file without the password in Bouncy Castle?
Are GNUPG functionalities completely available in Bouncy Castle? Can you please provide me help as I am new to Bouncy Castle.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1044
    

Bouncy Developer wrote: Actually I am trying to move my application using the GNUPG tool to Bouncy Castle (bcprov-jdk15on-147.jar).

It is not obvious to me whether or not you are still using PGP encryption but I assume that you are. If so then I hope you are also using jar bcpg-jdk15on-147.jar!

Bouncy Developer wrote: Actually during decryption in GNUPG we are not using a password, but in the Bouncy Castle API we are supposed to pass a password during decryption. Is there any option of decrypting a file without the password in Bouncy Castle?
Are GNUPG functionalities completely available in Bouncy Castle? Can you please provide me help as I am new to Bouncy Castle.

Access to a PGP private key (needed for decryption) should require a password so if you are not using a password in GNUPG then either you have no password set or you have configured GNUPG so as to remember the password forever. Both approaches have serious negative security implications. I have not found anything important missing in the BC PGP library but I have not strayed far from the standard sign, encrypt, decrypt functionality and I have always required a password to access a PGP private key.
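
To tell which of the two cases described above applies before migrating, the secret keyring itself can be inspected. The following is an added example, not part of the original thread or of Bouncy Castle's own samples; it assumes bcpg-jdk15on 1.47 on the classpath and a keyring file exported with `gpg --export-secret-keys` (the class name and file path are hypothetical).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Iterator;

import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;

/** Added example: reports which secret keys in an exported keyring carry no passphrase protection. */
public class SecretKeyProtectionAudit {

    /** True when the secret key material is stored without any symmetric cipher protecting it. */
    static boolean isUnprotected(PGPSecretKey key) {
        return key.getKeyEncryptionAlgorithm() == SymmetricKeyAlgorithmTags.NULL;
    }

    /** Prints one line per secret key and returns how many are unprotected. */
    static int audit(InputStream in) throws Exception {
        // Constructor as in bcpg 1.47; later releases also take a KeyFingerPrintCalculator.
        PGPSecretKeyRingCollection rings =
                new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(in));
        int unprotected = 0;
        for (Iterator<?> r = rings.getKeyRings(); r.hasNext();) {
            PGPSecretKeyRing ring = (PGPSecretKeyRing) r.next();
            for (Iterator<?> k = ring.getSecretKeys(); k.hasNext();) {
                PGPSecretKey key = (PGPSecretKey) k.next();
                boolean open = isUnprotected(key);
                if (open) {
                    unprotected++;
                }
                System.out.printf("%016X %-6s %s%n", key.getKeyID(),
                        key.isMasterKey() ? "master" : "subkey",
                        open ? "NO PASSPHRASE"
                             : "protected (cipher tag " + key.getKeyEncryptionAlgorithm() + ")");
            }
        }
        return unprotected;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: hypothetical path to the output of `gpg --export-secret-keys`
        InputStream in = new FileInputStream(args[0]);
        int count;
        try {
            count = audit(in);
        } finally {
            in.close();
        }
        System.out.println(count + " unprotected secret key(s)");
        System.exit(count == 0 ? 0 : 1); // non-zero exit lets a build or migration script fail
    }
}
```

A key reported as protected means GnuPG was obtaining the passphrase from somewhere (an agent or a configuration option), and the Bouncy Castle code will need that same passphrase.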




Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Actually the application which was using the GNUPG tool, I am replacing it to use Bouncy Castle (with bcprov-jdk15on-147.jar in the lib folder). But as I analysed the existing application with GNUPG, it is actually not using any password, so what should I do now while migrating the application to use Bouncy Castle? Also there are many other issues on which I am having doubts. Can you please share your email ID with me so that I can discuss in detail the GNUPG compatibility with Bouncy Castle, as I am very new to this. Thanks for your prompt reply.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1044
    

Giving you my email address is against the spirit of this being a forum since all interactions should be open to all.

I still see having access to your clients' PGP secret keys as being a fundamental design flaw and, while not wishing to condone it, it is almost trivial to create a script that uses GPG to add a password (the same one for each key maybe) to each PGP secret key. I would be interested to know what actions you take with your clients' PGP secret keys.
Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Sure Richard, point taken. I think I will need to discuss the approach of having dummy/default passwords for my application with the client.
Thanks.
 