Re: Remote signing of large files
- From: "Boyd Stephen Smith Jr." <bss03@xxxxxxxxxxxxxx>
- Date: Fri, 5 Dec 2008 19:11:08 -0600
Please don't CC me on replies, unless I request one. It is against debian-*
list policy.
On Friday 2008 December 05 15:49, you wrote:
Boyd Stephen Smith Jr. wrote:
On Thursday 04 December 2008, "Magnus Therning" <magnus@xxxxxxxxxxxx>
wrote
about 'Remote signing of large files':
So, my idea was to somehow separate the two steps that GnuPG performs
under the hood when signing, creating the message digest (hash) and
the signing of this message digest. I've found `--print-md` which
looks promising, but there doesn't seem to be any `--sign-md`.
A detached signature is, mathematically, the message digest run thorough
the encrypt() function. [Encrypting with the private key allows anyone
with the public key to decrypt to the digest "plaintext" which they can
compare to a locally calculated message digest, thus verifying the
signature. They can also be assured that the signature is from the owner
of the private key, or that the private key has been compromised.]
So, you might try --encrypt'ing the output of --print-md.
AFAIU it wouldn't work:
1. Encrypting is actually using a symmetric algorithm for the bulk of
the data and asymmetric crypto is only used to encrypt the symmetric
key. In any case I don't think I can get `--encrypt` to use the private
key.
That's only true in active protocols with a handshake, e.g. SSL or TLS. The
only reason active protocols do this is because symmetric ciphers are
generally faster.
For "offline" encryption, using an asymmetric keys directly works fine. If
you encrypt something with gpg it uses the public key of the chosen recipient
or their public subkey designated for encryption.
2. AFAIU signing always signs a message digest, no matter what type of
data I stick in. So signing the output of `--print-md` wouldn't do
since verification would require a manual step.
Um, sort of. sign(data, privkey) == encrypt(digest(data), privkey), by
definition. So, you should be able to take the output of --print-md,
then --encrypt it, specifying your private key. It's a bit more complex then
that, because of data encoding issues, but it should be possible with the
command-line tools. If not, it's definitely possible with some custom C
code -- I forget what the C binding for gpg are called, but you'll probably
need that and libgcrypt.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss03@xxxxxxxxxxxxxx ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.org/ \_/
Attachment:
pgpNXxapzBUJn.pgp
Description: PGP signature
- Follow-Ups:
- Re: Remote signing of large files
- From: Magnus Therning
- Re: Remote signing of large files
- References:
- Remote signing of large files
- From: Magnus Therning
- Re: Remote signing of large files
- From: Boyd Stephen Smith Jr.
- Re: Remote signing of large files
- From: Magnus Therning
- Remote signing of large files
- Prev by Date: Re: question about a linux embedded router i have
- Next by Date: Re: where is postgresql-8.3's packager's instructions?
- Previous by thread: Re: Remote signing of large files
- Next by thread: Re: Remote signing of large files
- Index(es):
Relevant Pages
|
Loading
