Maybe instead of using PGP to encrypt, you may want to use standard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)
Then when the client receives the data, they un-encrypt the key with
their private key, and then un-encrypt the data.
Firstly, is this approach secure?
If you implement it correctly, this is the “standard” approach
snip
This isn’t something I’ve got a lot of experience of, but…
It’s worth pointing out that you probably wouldn’t send the lump of XML
above. If you do this, you’ll have to get your software to manage
encryption, decryption, key sharing, and lots of other fluff that I doubt
you care about.
What you’d probably do instead is simply communicate over a secure
socket, and pretty much forget about encryption. Your program may be
entirely oblivious to it, in fact, or may be a little aware in that it
knows it’s setting up a secure socket, or perhaps checks that the socket
creation parameter it’s been given results in a secure socket. Something
like that.
As the first poster said, I think it’s likely that:
Maybe instead of using PGP to encrypt, you may want to use standard
PKI (X.509 certificates etc.) - just choose which one is more
convenient to you and/or your users (although I assume OpenSSL
supports the X.509 better)
Great Thanx for your input. I’ll have a read of these threads asap.
data encrypted with AES using the un-encrypted key
I thought about just doing the communication over ssl, but I want to
ensure that the correct client is requesting the data. At this stage
I’m still early in my thought processes on exactly how to achieve
this.
It’s important that only the correct client obtains the data. Also it
is important that the client is who they say they are, and not just
someone who setup an account claiming to be someone else. Hence my
interest in using their certificates and encrypting using their public
key, so only they can unencrypt.
My current thinking is that when a client signs up for an account, use
their digital certificate and domain to confirm their identity, and
then in the future they can request data from the site. I don’t need
to go over ssl, because by encrypting with their own public key, only
they can get the data.
At least this is my understanding at the moment, but I have to read the
posts from Jan yet.
I did find these threads prior to posting. I’m still no clearer on
how to implement.
I did look at OpenSSL and there does not seem to be any documentation
to speak of. Also there does not seem to be any useable tutorial that
I could identify on the net for this library.
I do need to read up on PKI X.509 certificates though.
I generally look for documentation for the underlying library when the
docs about the bindings aren’t so good. OpenSSL is based on SSL as far
as I know, and that ought to be pretty well documented!
If you’re on a Unix-like machine, you should be able to play about with
SSL and SSH (secure shell, it runs over a secure socket) and get a feel
for how they work (I’ve got key files in the folder: ~/.ssh). My
advice would be to put Ruby to one side and understand the layer below
it.
Sorry if I’m advising on how to suck eggs [best boiled, in my opinion]
Cheers,
Benjohn
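
The scheme discussed in this thread (data encrypted with AES, and the AES key encrypted to the public key in the recipient's X.509 certificate), written with Ruby's bundled OpenSSL bindings as an added example that is not from any of the posts. The helper names, the self-signed demo certificate and the choice of AES-256-GCM with RSA-OAEP are assumptions made for illustration.

```ruby
require "openssl"

# Constructed demo identity: a throwaway self-signed certificate standing in
# for the certificate a client would supply at sign-up (assumption).
def demo_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender: a fresh AES-256-GCM key per message, wrapped with the public key
# taken from the recipient's certificate.
def seal(cert, plaintext)
  aes = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  key = aes.random_key
  iv = aes.random_iv
  body = aes.update(plaintext) + aes.final
  { wrapped_key: cert.public_key.public_encrypt(key, OAEP),
    iv: iv, tag: aes.auth_tag, body: body }
end

# Recipient: unwrap the AES key with the private key, then decrypt. GCM
# raises OpenSSL::Cipher::CipherError if the body or tag was altered.
def open_sealed(private_key, msg)
  aes = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  aes.key = private_key.private_decrypt(msg[:wrapped_key], OAEP)
  aes.iv = msg[:iv]
  aes.auth_tag = msg[:tag]
  aes.update(msg[:body]) + aes.final
end

if __FILE__ == $PROGRAM_NAME
  key, cert = demo_identity("client.example") # constructed sample identity
  puts open_sealed(key, seal(cert, "constructed sample payload"))
end
```

Encrypting to the certificate's public key gives confidentiality to the key holder only; it does not show who sent the message or who asked for it, which is what a signature or TLS client-certificate authentication adds.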