| [reply] |
Of course it isn't a question about perl because it would apply to pgp encryption however you were doing it. But what you are doing is pretty much the way that most people will use PGP encryption, as long as you are the only person who has the private key then it is as secure as the encryption method is
/J\
| [reply] |
I then give the public key file to my clients and use a script to encrypt a file on thier computers and send it to my server where it is decrypted using my secring file.
The file encryption should be pretty secure, there might be problems with your file transfer, though. How do you get the script to send the file to your server?
I would probably use ssh or scp for that (and give every client a different key for logging in to your machine).
| [reply] |
Thanks for the responses. I am actualy reading in the text from a file then posting the encrypted data to a cgi on my web server.
| [reply] |
Well, the weakest part in the chain would probably be the authentication on the CGI script, since unless you're using ssl the HTTP request itself is not encrypted. (I don't suppose you want just anyone to post stuff to the CGI?)
It's probably a minor issue, but it could open you up to relatively easy DDOS attacks (depending on the maximum size of the posted data, which IP addresses you allow to connect, etc)
| [reply] |
It seems to me that the client is just keeping encrypted information around. Why not just store the decrypted file on your server and send some sort of HASH of the file (such as SHA1, MD5, etc.) to the client as a "key". When they want to view the file they send you their "key" and are able to view the file.
The beauty of this method is that there is no chance of somebody "decrypting" the file contents since it is just a hash. The downside, however, is that now you take on the burden of storing those files locally...
Another thing you might want to consider. If you are worried about security, it may not be the best thing to decrypt on the client and then send it to the server. If someone set up a smart packet or network sniffer then they could hypothetically sniff your networks and read the decrypted packets as they pass...
just some thoughts, I hope this is helpful. | [reply] |
You are using the basic form of public key cryptographic. The sender knows your public key, cyphers the message with it and sends you a message that only you can decrypt. It is as standard as it goes and if someone recovers your private key from analysing the traffic then pgp has serious problems. I don't know how difficult it would be for someone intercepting your traffic to get the public key though. This means I would not personally use this procedure to authenticate clients, but someone more knowledgable might cast some light on this aspect.
If you have enough control on the server, you could do something similar (and even better) using ssl with client authentication, by giving clients your server's certificate and only allowing your clients' certificate (or better a different certificate for every client) on your server.
Cheers
Antonio
The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
| [reply] |