Mailing List Archive: GnuPG: users

old vs new gnupg - encrypting files

juice.qr at gmail

Jul 25, 2012, 7:37 AM

Post #1 of 7 (223 views)
old vs new gnupg - encrypting files

Hi,

I have a problem with encrypting some text files with gpg.
We recently upgraded our old encrypt/decrypt server (old 32 bit RHEL4 box)
to a new Amazon Linux 64 bit server on AWS.

I moved the gpg keyring to the new server and can encrypt files just fine
with the keys on the public keyring, no problems. We have one public key
however that the end user (that we send the encrypted files to) is saying
they can't decrypt when we encrypt with their key on the new server.

I've tried encrypting the same file (md5sum matches) on the old server and
new server, and the encrypted file size differs by 1 or 2 bytes on the new
server. As expected, the md5sums of the encrypted file on old and new
server also don't match.

I thought the problem might have something to do with how the new server
doesn't have ELG-E in its cipher list, only ELG, but another person has
since told me that shouldn't matter.


key details on new server,
########################
pub 1024D/96765440 created: 1998-10-06 expires: never usage: SCA
trust: ultimate validity: ultimate
sub 2048g/0840DAA8 created: 1998-10-06 expires: never usage: E
[ultimate] (1). XYZ Corp (XYZ)


[ultimate] (1). XYZ Corp (XYZ)
Cipher: CAST5, 3DES, [1]
Digest: SHA1
Compression: ZIP, Uncompressed
########################

key details on old server,
########################
pub 1024D/96765440 created: 1998-10-06 expires: never trust: u/u
sub 2048g/0840DAA8 created: 1998-10-06 expires: never
(1). XYZ Corp (XYZ)

pub 1024D/96765440 created: 1998-10-06 expires: never trust: u/u
(1). XYZ Corp (XYZ)
Cipher: CAST5, 3DES, [1]
Digest: SHA1
Compression: ZIP, Uncompressed
#######################
########################
Old server gpg --version:

-bash-3.00$ gpg --version
gpg (GnuPG) 1.2.6
Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB, BZIP2

########################
New server gpg --version:

-bash-4.1$ gpg --version
gpg (GnuPG) 2.0.18
libgcrypt 1.4.5
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


Thanks,
Chris


mailinglisten at hauke-laging

Jul 25, 2012, 9:33 AM

Post #2 of 7 (217 views)
Re: old vs new gnupg - encrypting files [In reply to]

On Wed 25.07.2012, 10:37:54 Chris Clifton wrote:

> I moved the gpg keyring to the new server and can encrypt files just fine
> with the keys on the public keyring, no problems. We have one public key
> however that the end user (that we send the encrypted files to) is saying
> they can't decrypt when we encrypt with their key on the new server.

Have you tried encrypting the file to the other one and your own key
simultaneously? That might allow a better comparison of the difference between
the two systems.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Attachments: signature.asc (0.54 KB)


juice.qr at gmail

Jul 25, 2012, 9:48 AM

Post #3 of 7 (212 views)
Re: old vs new gnupg - encrypting files [In reply to]

Forgive me, can you elaborate on 'encrypting the file to the other one and
your own key' ?

Thanks,
Chris

On Wed, Jul 25, 2012 at 12:33 PM, Hauke Laging <mailinglisten [at] hauke-laging> wrote:

> On Wed 25.07.2012, 10:37:54 Chris Clifton wrote:
>
> > I moved the gpg keyring to the new server and can encrypt files just fine
> > with the keys on the public keyring, no problems. We have one public key
> > however that the end user (that we send the encrypted files to) is saying
> > they can't decrypt when we encrypt with their key on the new server.
>
> Have you tried encrypting the file to the other one and your own key
> simultaneously? That might allow a better comparison of the difference
> between the two systems.
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814


mailinglisten at hauke-laging

Jul 25, 2012, 10:16 AM

Post #4 of 7 (214 views)
Re: old vs new gnupg - encrypting files [In reply to]

On Wed 25.07.2012, 12:48:57 Chris Clifton wrote:
> Forgive me, can you elaborate on 'encrypting the file to the other one and
> your own key' ?

You can give several recipients. The data is encrypted symmetrically (e.g. by
AES) with a random key. This random key is asymmetrically encrypted to all
recipients (or even to a passphrase). Thus an additional recipient increases
the size of the resulting file only slightly.

gpg --recipient 0x12345678 --recipient 0x87654321 --encrypt ./my/file

See --encrypt-to.

This way you can check whether you can decrypt the data yourself at least.

Furthermore, it would have been a lot more useful to get the full error message
of your recipient instead of a simple "cannot".


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Attachments: signature.asc (0.54 KB)


juice.qr at gmail

Jul 25, 2012, 10:47 AM

Post #5 of 7 (212 views)
Re: old vs new gnupg - encrypting files [In reply to]

Got it, I will try that next. Thanks.

On Wed, Jul 25, 2012 at 1:16 PM, Hauke Laging <mailinglisten [at] hauke-laging> wrote:

> On Wed 25.07.2012, 12:48:57 Chris Clifton wrote:
> > Forgive me, can you elaborate on 'encrypting the file to the other one
> > and your own key' ?
>
> You can give several recipients. The data is encrypted symmetrically (e.g. by
> AES) with a random key. This random key is asymmetrically encrypted to all
> recipients (or even to a passphrase). Thus an additional recipient increases
> the size of the resulting file only slightly.
>
> gpg --recipient 0x12345678 --recipient 0x87654321 --encrypt ./my/file
>
> See --encrypt-to.
>
> This way you can check whether you can decrypt the data yourself at least.
>
> Furthermore, it would have been a lot more useful to get the full error
> message of your recipient instead of a simple "cannot".
>
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
>


juice.qr at gmail

Jul 25, 2012, 2:17 PM

Post #6 of 7 (215 views)
Re: old vs new gnupg - encrypting files [In reply to]

Ok,

I encrypted the file in question on the new server with :

gpg -vvve -r xxx -r YYY -o filename.dat.pgp filename.dat

Where xxx is the problematic key and YYY is our key, and I was able to
decrypt the file using my private key with no problems.

Not sure if that gives us any more info. I can decrypt with our key at
least.

Thanks,
Chris


On Wed, Jul 25, 2012 at 1:16 PM, Hauke Laging <mailinglisten [at] hauke-laging> wrote:

> On Wed 25.07.2012, 12:48:57 Chris Clifton wrote:
> > Forgive me, can you elaborate on 'encrypting the file to the other one
> > and your own key' ?
>
> You can give several recipients. The data is encrypted symmetrically (e.g. by
> AES) with a random key. This random key is asymmetrically encrypted to all
> recipients (or even to a passphrase). Thus an additional recipient increases
> the size of the resulting file only slightly.
>
> gpg --recipient 0x12345678 --recipient 0x87654321 --encrypt ./my/file
>
> See --encrypt-to.
>
> This way you can check whether you can decrypt the data yourself at least.
>
> Furthermore, it would have been a lot more useful to get the full error
> message of your recipient instead of a simple "cannot".
>
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
>


mailinglisten at hauke-laging

Jul 25, 2012, 3:48 PM

Post #7 of 7 (211 views)
Re: old vs new gnupg - encrypting files [In reply to]

On Wed 25.07.2012, 17:17:15 Chris Clifton wrote:

> Where xxx is the problematic key and YYY is our key, and I was able to
> decrypt the file using my private key with no problems.

Do the same on the other system and have a look at the resulting encrypted
files via

gpg -v --list-packets filename.dat.pgp

and check for differences in the outputs. I don't have a real idea yet what
could be the problem but perhaps we are lucky with this general checking.


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Attachments: signature.asc (0.54 KB)
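Hauke's suggestion in post #7 (compare `gpg -v --list-packets` output from both systems) and the multi-recipient layout he describes in post #4, as an added Python example that is not from this thread: a minimal OpenPGP packet walker that reports each public-key encrypted session key packet's key ID and algorithm ID, plus a comparison that deliberately ignores lengths. The sample messages and key IDs are constructed here, and the ELG-E/ELG wording in `gpg --version` is only a label for algorithm ID 16, so the IDs inside the packets are what to compare.

```python
# RFC 4880 9.1 algorithm IDs: gpg 1.2 labels 16 "ELG-E" and 20 "ELG"; gpg 2.0 labels 16 "ELG".
PUBKEY_ALGO = {1: "RSA", 16: "ELG-E", 17: "DSA", 20: "ELG"}

def mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the minimal big-endian value."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def pkesk(keyid: bytes, algo: int, mpis: list) -> bytes:
    """Tag 1 (public-key encrypted session key) in an old-format header, one-octet length."""
    body = b"\x03" + keyid + bytes([algo]) + b"".join(mpi(m) for m in mpis)
    return bytes([0x80 | (1 << 2), len(body)]) + body

def list_packets(data: bytes) -> list:
    """Walk the packet sequence as `gpg --list-packets` does; one dict per packet."""
    out, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0x40:                        # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[pos + 1]
            if first >= 224:                  # 5-octet or partial body length
                raise ValueError("length form not handled in this example")
            two = first >= 192                # 192..223 means a two-octet length
            length = ((first - 192) << 8) + data[pos + 2] + 192 if two else first
            pos += 3 if two else 2
        else:                                 # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            size = {0: 1, 1: 2, 2: 4}[ltype]  # ltype 3 (indeterminate) is not handled
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        body, pos = data[pos:pos + length], pos + length
        info = {"tag": tag, "length": length}
        if tag == 1:
            info.update(version=body[0], keyid=body[1:9].hex().upper(),
                        algo=PUBKEY_ALGO.get(body[9], f"algo {body[9]}"))
        out.append(info)
    return out

def structural_diff(a: bytes, b: bytes) -> list:
    """Compare tags, key IDs and algorithms only; lengths vary with each random session key."""
    pa, pb = list_packets(a), list_packets(b)
    diffs = [f"packet {i}: {k} {x.get(k)} != {y.get(k)}" for i, (x, y) in enumerate(zip(pa, pb))
             for k in ("tag", "version", "keyid", "algo") if x.get(k) != y.get(k)]
    return diffs + ([f"packet count {len(pa)} != {len(pb)}"] if len(pa) != len(pb) else [])

# Constructed two-recipient messages (not real captures): Elgamal PKESK, RSA PKESK, then a
# new-format tag 18 packet standing in for the encrypted payload. They differ by one byte only.
KEY_A, KEY_B = bytes.fromhex("0123456789ABCDEF"), bytes.fromhex("FEDCBA9876543210")
PAYLOAD = bytes([0xC0 | 18, 4]) + b"\x01abc"
SAMPLE_OLD = pkesk(KEY_A, 16, [0xBEEF, 0xCAFE]) + pkesk(KEY_B, 1, [0x123456]) + PAYLOAD
SAMPLE_NEW = pkesk(KEY_A, 16, [0xEF, 0xCAFE]) + pkesk(KEY_B, 1, [0x123456]) + PAYLOAD
```

Run `structural_diff` over the two real files from the old and new server; an empty result with differing file sizes means the recipients and algorithm IDs match and the size gap is just MPI length variation.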
