PGPPublicKeyRingCollection doubts

Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Actually I am trying to move my application from the GnuPG tool to Bouncy Castle (bcprov-jdk15on-147.jar). I am really new to Bouncy Castle. Please clear my doubt: would there be only a single PGPPublicKeyRingCollection and PGPSecretKeyRingCollection?
And how will they be stored? Will all the public keys and secret keys belonging to different clients be stored in the same PGPPublicKeyRingCollection and PGPSecretKeyRingCollection respectively? Also, if there are any tutorials or examples, please share the link, as I am in urgent need of them.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
It is not obvious to me what you are asking, but BouncyCastle treats the pubring.gpg file as a collection of key rings. I have never been quite sure why any particular public key is slotted into a given slot. For the most part it does not matter since, to find a particular public key, one just iterates through each key ring in the collection and then through each key in the key ring. The secring file is treated similarly. The distribution gives examples of how to access keys.

There is nothing in the BC PGP code that forces the keys to be stored in files. I have all my public keys stored as BLOBs in a MySQL database so that I can access them by client ID. I just load the BLOBs as an InputStream into a PGPPublicKeyRingCollection.

I'm a little concerned about "secret keys belonging to different clients". For security only your clients should have access to their secret keys. You should never ever ever have any secret key apart from your own since if you have a copy then your client could plausibly deny any transaction authorized using the private keys!

Edit: I just realized that you asked about BC PGP a few days ago in http://www.coderanch.com/t/600289/Security/Bouncy-Castle-Decryption-password but for some reason failed to follow up on my reply.

Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
"The secring file is treated similarly. The distribution gives examples of how to access keys."

This means that you are saying that we can use PGPSecretKeyRingCollection to store all the secret keys in a single collection file, like the public key collection file.

But later you are saying that "I'm a little concerned about "secret keys belonging to different clients". For security only your clients should have access to their secret keys. You should never ever ever have any secret key apart from your own since if you have a copy then your client could plausibly deny any transaction authorized using the private keys!"

If we can store all the secret keys in the collection file as per the first paragraph, then I could not understand what you are trying to say in the second paragraph. Please clear my doubts.


Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
Bouncy Developer wrote:"The secring file is treated similarly. The distribution gives examples of how to access keys."

This means that you are saying that we can use PGPSecretKeyRingCollection to store all the secret keys in a single collection file, like the public key collection file.


Correct - but since you should only have your own secret PGP keys this is no big deal. I have just 4 PGP secret keys, all my own; one each for my email addresses. I don't hold any of my clients' secret PGP keys because they should only be known to my clients or they are no longer secret!


But later you are saying that "I'm a little concerned about "secret keys belonging to different clients". For security only your clients should have access to their secret keys. You should never ever ever have any secret key apart from your own since if you have a copy then your client could plausibly deny any transaction authorized using the private keys!"

If we can store all the secret keys in the collection file as per the first paragraph, then I could not understand what you are trying to say in the second paragraph. Please clear my doubts.


What I am saying once again is that you should not have access to any of your clients' PGP secret keys; only your clients should have access to their PGP secret keys. This is fundamental to any public key encryption system and PGP is no exception.
Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Thanks for the reply.

You mean to say that the secret keys are always stored at the client location and we do not have access to them for security reasons.

But does this mean that the PGPSecretKeyRingCollection that we have in the application consists of PGPPrivateKeys?
And PGPPrivateKey is the encoded form of the secret key. Is it?
Please clear my doubt.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
Rakesh Megharaj wrote:Thanks for the reply.

You mean to say that the secret keys are always stored at the client location and we do not have access to them for security reasons.


Yes - most definitely. I will go even further - the PGP key pair should be generated by the client and stored on his system with a backup that only he can access. If my clients lose their PGP secret key they can never access their encrypted files, so keeping the key secure and backed up is very important.


But does this mean that the PGPSecretKeyRingCollection that we have in the application consists of PGPPrivateKeys?
And PGPPrivateKey is the encoded form of the secret key. Is it?


In essence yes, BUT BUT BUT you should not have a copy of your clients' PGP secret keys, so the collection should only be a collection of your PGP secret keys.
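As an added illustration (not code from this thread or from the Bouncy Castle distribution), here is how the key-ring iteration Richard describes and the PGPSecretKey versus PGPPrivateKey distinction look with the 1.47 API. It assumes bcpg-jdk15on-147.jar is on the classpath next to bcprov (the openpgp classes live in bcpg, not bcprov); the class and method names are my own.

```java
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.*;
import org.bouncycastle.openpgp.operator.PBESecretKeyDecryptor;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;

/** Hypothetical helper class; the names are assumptions for this example. */
public class KeyRingLookup {

    static { Security.addProvider(new BouncyCastleProvider()); }

    /** Walk every ring, then every key in the ring, and return the first
     *  usable encryption key whose primary key carries a user ID containing clientId. */
    public static PGPPublicKey findEncryptionKey(InputStream pubRingIn, String clientId)
            throws Exception {
        // pubRingIn may be pubring.gpg or a database BLOB; getDecoderStream also unwraps ASCII armor
        PGPPublicKeyRingCollection coll =
                new PGPPublicKeyRingCollection(PGPUtil.getDecoderStream(pubRingIn));
        for (Iterator<?> rings = coll.getKeyRings(); rings.hasNext();) {
            PGPPublicKeyRing ring = (PGPPublicKeyRing) rings.next();
            // user IDs hang off the primary (first) key of the ring, not off the subkeys
            boolean belongsToClient = false;
            for (Iterator<?> uids = ring.getPublicKey().getUserIDs(); uids.hasNext();) {
                if (((String) uids.next()).contains(clientId)) { belongsToClient = true; break; }
            }
            if (!belongsToClient) continue;
            for (Iterator<?> keys = ring.getPublicKeys(); keys.hasNext();) {
                PGPPublicKey key = (PGPPublicKey) keys.next();
                // skip signing-only keys and anything that has been revoked
                if (key.isEncryptionKey() && !key.isRevoked()) return key;
            }
        }
        return null;
    }

    /** A PGPSecretKey is the stored, passphrase-protected form; the PGPPrivateKey only
     *  exists in memory after decrypting it. This ring must hold your own keys only. */
    public static PGPPrivateKey unlockPrivateKey(InputStream secRingIn, long keyId, char[] passphrase)
            throws Exception {
        PGPSecretKeyRingCollection coll =
                new PGPSecretKeyRingCollection(PGPUtil.getDecoderStream(secRingIn));
        PGPSecretKey secret = coll.getSecretKey(keyId);   // lookup by key ID, no manual iteration
        if (secret == null) return null;
        PBESecretKeyDecryptor dec =
                new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(passphrase);
        return secret.extractPrivateKey(dec);              // fails with PGPException on wrong passphrase
    }
}
```

The two-argument ring-collection constructors shown here are the 1.47 ones; later releases require a KeyFingerPrintCalculator as a second argument.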
Rakesh Megharaj
Greenhorn

Joined: Dec 13, 2012
Posts: 12
Thanks Richard.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
Richard Tookey wrote: you should not have a copy of your clients' PGP secret keys so the collection should only be a collection of your PGP secret keys.


Yes, a secret key is secret. You don't share it, you don't give copies to anyone else. It's a secret.

I'm not sure why you'd even have a "collection" of secret keys (plural). Most use cases have one RSA key pair for each person. You can happily send the public key to anyone you like, or even post it to a webpage or key-server. If you go out to the MIT server, you will see my PGP key from the early 1990s.

SSH works exactly the same way, since it too uses RSA.