Re: Remote signing of large files

Boyd Stephen Smith Jr. wrote:
On Thursday 04 December 2008, "Magnus Therning" <magnus@xxxxxxxxxxxx> wrote
about 'Remote signing of large files':
I'd feel a bit more safe if the
signing could be done on a separate server. However, the built files
are large and I don't want to introduce a bottle neck by transfering
all files back and forth over the network.

In any case, you'd only have to send big files in one direction, the
detached signatures should be relatively small.

True, but with large files it still is too much time spent sending files
over the network.

So, my idea was to somehow separate the two steps that GnuPG performs
under the hood when signing, creating the message digest (hash) and
the signing of this message digest. I've found `--print-md` which
looks promising, but there doesn't seem to be any `--sign-md`.

A detached signature is, mathematically, the message digest run thorough
the encrypt() function. [Encrypting with the private key allows anyone
with the public key to decrypt to the digest "plaintext" which they can
compare to a locally calculated message digest, thus verifying the
signature. They can also be assured that the signature is from the owner
of the private key, or that the private key has been compromised.]

So, you might try --encrypt'ing the output of --print-md.

AFAIU it wouldn't work:

1. Encrypting is actually using a symmetric algorithm for the bulk of
the data and asymmetric crypto is only used to encrypt the symmetric
key. In any case I don't think I can get `--encrypt` to use the private
key.

2. AFAIU signing always signs a message digest, no matter what type of
data I stick in. So signing the output of `--print-md` wouldn't do
since verification would require a manual step.

/M

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus@therning.org
http://therning.org/magnus

Haskell is an even 'redder' pill than Lisp or Scheme.
-- PaulPotts

Attachment: signature.asc
Description: OpenPGP digital signature

Relevant Pages

  • Re: Location of users private key in PKI solution
    ... It sounds as though I should design the system so that the client ... signing/verification technology incorporated into the server. ... Presumably the steps in signing will be as follows: ... > The private key is typically located on the users machine. ...
    (microsoft.public.security)
  • Re: Location of users private key in PKI solution
    ... It sounds as though I should design the system so that the client ... signing/verification technology incorporated into the server. ... Presumably the steps in signing will be as follows: ... > The private key is typically located on the users machine. ...
    (microsoft.public.win2000.security)
  • Re: Remote signing of large files
    ... about 'Remote signing of large files': ... the signing of this message digest. ... [Encrypting with the private key allows anyone ... of the private key, or that the private key has been compromised.] ...
    (Debian-User)
  • Re: Remote signing of large files
    ... signing could be done on a separate server. ... detached signatures should be relatively small. ... the signing of this message digest. ... of the private key, or that the private key has been compromised.] ...
    (Debian-User)
  • Re: Remote signing of large files
    ... about 'Remote signing of large files': ... the signing of this message digest. ... the encrypt() function. ... of the private key, or that the private key has been compromised.] ...
    (Debian-User)
Loading