I'm trying to perform pgp encryption/decryption operations via Camel / Bouncy Castle PGP where I store the used keys in a JKS files and generate PGP keyrings on the fly from the public/private keys in the JKS stores (Camel only works with keyrings - it can't use keys direclty).
The problem comes when I need to perform an PGP encrypt operation where I only get a public key with which I should do the encryption and I don't have/need a private key. I checked the Bouncy Castle PGP API at http://www.bouncycastle.org/docs/pgdocs1.5on/index.html and found no way to generate a PGP public keyring without having at least one private key.
To be more specific - the only way to create a PGP keyring is to use the org.bouncycastle.openpgp.PGPKeyRingGenerator class but all its constructors need a (non null) PGPKeyPair argument which needs a PGP Public Key.
Is it possible at all to have a PGP public key ring without having a private key?
Thank you
Related
I don't understand why I should use the public key in signing JWT. The private key is there so that the JWT token cannot be forged, yes? But why additionally sign it with a public key? Are there any benefits? Because I don't understand it at all. After all, a JWT signed with a private key can be read without the public key. What is this public key for?
Signing a JWT means you take the cleartext, signing it with a key - either the private key from an RSA pair or a symmetric key, then add the signature to the JWT. The JWT itself is still readable without decrtypting the signature. But someone with the key can decrypt the signature and confirm the contents match the cleartext.
The advantage of using RSA over symmetric key is that anyone can verify the signature without them having to have a secret key. You can either pass the public key to the JWT recipient over a side channel, or if using OAuth2 it provides a URL to access public keys.
You would use the public key for encrypting, not signing. You encrypt with the recipient's public key so that only the recipient can decrypt it.
I am working on a basic-network project on Hyperledeger Fabric V-1.4.1. I have enrolled an admin and created a user using enrollAdmin.js and registerUser.js. A public Key and a private key is generated for user1. Now I want to use that private key to sign simple data and later verify using the public Key. I have tried using URSA node module which works fine with RSA keys generated through OpenSSL but isn't working with these two keys. Probably because these keys are not RSA, they are ECDSA keys. I have also read the documentation of the Crypto node module and it seems I need to have .pem files as keys to use in Crypto module. But In fabric, I have key files as -priv and -pub format.
Is there any node module that can encrypt decrypt using ECDSA keys?
Is there any specific way in hyperledger fabric to do this?
Or is there any other way I can do this thing? Please ask any questions if necessary.
Thank you.
The two formats you see
priv
pub
Are wallet formate of filestorage
Try to register an identity and enroll with fabric-CA by importing identity service then you will receive certificate and private key just put it in a file and mark the extension as pem and it will work
I have created one efi and signed with pesign using the docs -
UEFI secure boot :
https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm
https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
https://wiki.ubuntu.com/SecurityTeam/SecureBoot
http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/
And booted with :
sudo qemu-system-x86_64 -L . -pflash /usr/share/qemu/OVMF.fd -hda fat:uefi_disk
uefi disk contains signed efi file
But to secure boot I need to have
DB
DBX
KEK
PK
so that I can enroll in OVMF secure boot
But in the tutorials, never got these how to generate.
Please suggest
In addition to generating keys for secure boot, one need to take care of signing the keys.
procedure for generating keys, signing and storing them to keystore is defined in detail here https://www.rodsbooks.com/efi-bootloaders/secureboot.html
Security keys can be categorised in 2 ways Private and Public and secure boot follow chain of root of trust for key addition PK=>KEK=>DB. Any changes in DB needs to be signed using KEK private key, changes in KEK needs to be signed by PK private key and changes in PK requires key to be signed by previous PK publik key's private key.
Generate PK pair and sign PK public key with private key. PK is a self signed key.
Generate KEK pair and sign KEK public key using PK private key
Generate DB key pair and sign DB public key using KEK private key
Generate DBX key pair and sign DBX key pair using KEK private key
Note : for replacing previous PK from BIOS, you will require an empty key signed by platform owner. Most BIOSs allow changing keys without verifying but ideally it should not be allowed. Whole purpose of secure boot is that things can be traced to root of trust and verified.
Apart from generating completely new set of keys, you can also use Machine Owner's Key MOK for registering a new key with secure boot.
Generate a key pair
sign your utility using private key(using sbsign)
add public key to MOK utility (using mokutility)
also described in link mentioned above
How do I verify a user's extended public key file's integrity (when downloading through a connection that lacks confidentiality and authentication) when I have their previous (now expired) public key in my keyring? Is their expired key sufficient information to verify the extended key? Consider the below scenario:
I have Bob's trusted public key in my keyring.
Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website.
I downloaded Bob's new public key file over http, and I want to verify it.
Is the new public key file signed with his old key in a verifiable way? How would I verify the integrity of the new key file utilizing his existing (expired) key in my keyring?
For a general scenario with a new key pair: If either the key itself is signed by his old key (this is the usual way to do such key changes) and/or the key file you downloaded is signed by his old key, you can verify and validate the signature anyway: all that happens is GnuPG indicating that the key already expired.
But you wrote
Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website
Extending the key's validity does not produce a different key. They key is identified by the tuple of public key and creation timestamp, which is hashed together to the fingerprint of the key. Short and long key IDs are derived from that. If all he did is indeed extend the validity of the key, simply import the key. The signature and trust you issued on that key are still valid.
If you wish you can compare at least the long key ID before importing, run
gpg --keyid-format 0xlong [key-file]
and compare with the key already in your key chain.
Anyway: don't simply trust keys in your key chain, but use signatures and trust instead. Lots of mail clients automatically fetch keys to verify signatures, you might have fetched some (unvalidated) keys for reading signatures issued on other keys, ...
If a public key is used to encrypt the private key, and the public key is known to everyone, what is stopping a hacker from intercepting the private key, then using the public key to decrypt it and then using the private key to decrypt and encoded message?
The way public/private key crypto works is that anyone can use the public key to encrypt a piece of data, but you need the private key (which the owner does not distribute) in order to decrypt that data.
It doesn't matter that the data being encrypted is the private key itself.