Singing with certificate


Rory Vieira
Hi,

For our customers we make backups (like everyone else).
However, legal restrictions apply to the specific branch we work in. We
are required to encrypt the data.

In the past I was using simple DES3 encryption, but now I would like to
use the customer's secure certificate to encrypt the data with (like email).
The customer has a .p12 certificate that they install in Windows. I
first need to export the public key from that in a usable format. Then
I want to encrypt the data on the fly (as I did in the past).

My command to encrypt using DES was:
tar -cvzf - <what> 2>/dev/null | openssl des3 -salt -k <pass> | dd of=<tar-file> 2>/dev/null

Now I'm looking for the command to use their public key :)

Thanks in advance...

--
Rory Vieira
Deno Software B.V.

rory dot vieira at deno-software dot nl
http colon slash slash www deno-software dot nl

Kanaaldijk 5a
5683CR Best

T. +31 (0)499-374220
F. +31 (0)499-374294

-----

This message and any attachments are intended solely for the intended recipient. Viewing, using and distributing its contents is reserved to him or her. If you are not the intended recipient or his or her authorized representative, then viewing, use and distribution are therefore not permitted. In case of incorrect addressing you are requested to contact the sender of this message as soon as possible and to ensure the immediate removal of this message from your systems. This message is not protected against manipulation by third parties. We therefore cannot accept any liability for the content you receive, nor can you derive any rights from it.

-----

The information in this e-mail and any files transmitted is intended exclusively for the addressee. If you are not the intended recipient then would you please contact us immediately? In that case we also request you to destroy the e-mail and to neither use the contents nor disclose them in any matter to third parties. The information provided in this e-mail message is forwarded through the Internet. E-mail traffic through Internet does not guarantee confidentiality. Therefore the content should be verified. We deny any responsibility for damages as a result of the use of e-mail messages.

-----

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Singing with certificate

Stephen P Palmer

What key are you singing in?



On 04/20/2006 09:34 AM, Rory Vieira <[hidden email]> wrote (Subject: Singing with certificate):

> Hi,
>
> For our customers we make backups (like everyone else).
> However, legal restrictions apply to the specific branch we work in. We
> are required to encrypt the data.
>
> In the past I was using simple DES3 encryption, but now I would like to
> use the customer's secure certificate to encrypt the data with (like email).
> The customer has a .p12 certificate that they install in Windows. I
> first need to export the public key from that in a usable format. Then
> I want to encrypt the data on the fly (as I did in the past).
>
> My command to encrypt using DES was:
> tar -cvzf - <what> 2>/dev/null | openssl des3 -salt -k <pass> | dd of=<tar-file> 2>/dev/null
>
> Now I'm looking for the command to use their public key :)
>
> Thanks in advance...


Re: Singing with certificate

Rory Vieira
Stephen,

> What key are you singing in?

I'm not sure what you mean...
The customer gets a .p12 certificate from the branch organisation
which they install in Windows.
I still need to extract the public key from that though. I'll probably
need Windows to export it to DER format (e.g. cert.cer).
The exported public key should be used for encryption, so they can
decode with the private key...

I do apologize for the improper subject... It should've been
'Encrypting with certificate'...

Cheers,


Re: Singing with certificate

Bernhard Fröhlich-2
In reply to this post by Rory Vieira
Rory Vieira wrote:

> Hi,
>
> For our customers we make backups (like everyone else).
> However, legal restrictions apply to the specific branch we work in.
> We are required to encrypt the data.
>
> In the past I was using simple DES3 encryption, but now I would like
> to use the customer's secure certificate to encrypt the data with (like
> email).
> The customer has a .p12 certificate that they install in Windows. I
> first need to export the public key from that in a usable format.
> Then I want to encrypt the data on the fly (as I did in the past).
>
> My command to encrypt using DES was:
> tar -cvzf - <what> 2>/dev/null | openssl des3 -salt -k <pass> | dd of=<tar-file> 2>/dev/null
>
> Now I'm looking for the command to use their public key :)
>
> Thanks in advance...

As far as I know there is no tool in openssl you can just drop in to use
a public key to encrypt a stream. If someone knows better please tell.

There is the smime-tool which can encrypt files, but I don't think this
is what you want/need.
One way to work around this problem (other than writing your own tool)
might be a sequence of shell commands which may work like this:

    * Generate a key from /dev/random and store it in a file
    * Use this key to do openssl des3 ... like you did before
    * Encrypt the key using openssl smime with your client's certificate
    * Delete the unencrypted key (this might not be as trivial as it
      sounds if security requirements are high)

This way your customer could use the reverse procedure (decrypt key with
openssl smime and decrypt data with the key) to recover the data.

Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: Singing with certificate

Stewart Dean-2
In reply to this post by Rory Vieira
C'mon guys, lighten up.  It's a joke, a pun.....see in music, there are
keys....the key of F has one flat, the key of D has two sharps, etc.  
Don't have your head so far down in the nuts and bolts.......time for a
vacation....and leave your email and cellphone behind.

Rory Vieira wrote:

> Stephen,
>
>> What key are you singing in?
>
> I'm not sure what you mean...
> The customer gets a .p12 certificate from the branch organisation
> which they install in Windows.
> I still need to extract the public key from that though. I'll probably
> need Windows to export it to DER format (e.g. cert.cer).
> The exported public key should be used for encryption, so they can
> decode with the private key...
>
> I do apologize for the improper subject... It should've been
> 'Encrypting with certificate'...
>
> Cheers,
>

--
====
Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504  
[hidden email]  voice: 845-758-7475, fax: 845-758-7035


Re: Singing with certificate

brianmas
Quoting Stewart Dean <[hidden email]>:

> C'mon guys, lighten up.  It's a joke, a pun.....see in music, there are
> keys....the key of F has one flat, the key of D has two sharps, etc.
> Don't have your head so far down in the nuts and bolts.......time for a
> vacation....and leave your email and cellphone behind.

The poster's native language is not English, it seems, but Dutch (.nl email
address).


>
> Rory Vieira wrote:
> > Stephen,
> >
> >> What key are you singing in?
> >>
> >>
> > I'm not sure what you mean...
> > The customer gets a .p12 certificate from the branch organisation
> > which they install in Windows.
> > I still need to extract the public key from that though. I'll probably
> > need Windows to export it to DER format (e.g. cert.cer).
> > The exported public key should be used for encryption, so they can
> > decode with the private key...
> >
> > I do apologize for the improper subject... It should've been
> > 'Encrypting with certificate'...
> >
> > Cheers,
> >

Re: Singing with certificate

Wes Kussmaul
In reply to this post by Rory Vieira

>> What key are you singing in?
>
> I'm not sure what you mean...

Some of us got it.

--
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451

781-647-7178


My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure.

                         P.K. Iggy
                         _How I Like Fixed The Internet_
                           (Tales from the Great Infodepression of 2009
                           and the prosperity that followed)




Re: Singing with certificate

Rory Vieira
In reply to this post by Bernhard Fröhlich-2
Bernhard Froehlich wrote:

> Rory Vieira wrote:
>
>> Hi,
>>
>> For our customers we make backups (like everyone else).
>> However, legal restrictions apply to the specific branch we work in.
>> We are required to encrypt the data.
>>
>> ...
>>
>> Thanks in advance...
>
> As far as I know there is no tool in openssl you can just drop in to
> use a public key to encrypt a stream. If someone knows better please
> tell.
>
> There is the smime-tool which can encrypt files, but I don't think
> this is what you want/need.
> One way to work around this problem (other than writing your own tool)
> might be a sequence of shell commands which may work like this:
>
>    * Generate a key from /dev/random and store it in a file
>    * Use this key to do openssl des3 ... like you did before
>    * Encrypt the key using openssl smime with your client's certificate
>    * Delete the unencrypted key (this might not be as trivial as it
>      sounds if security requirements are high)
>
> This way your customer could use the reverse procedure (decrypt key
> with openssl smime and decrypt data with the key) to recover the data.
>
> Hope it helps,
> Ted
> ;)
>
This is great. So much thanks from me (and my customers LOL).
This is just what I needed. Shame I couldn't come up with it myself :D

Cheers,


Re: Singing with certificate

Rory Vieira
In reply to this post by brianmas
Guys,

>> C'mon guys, lighten up.  It's a joke, a pun.....see in music, there are
>> keys....the key of F has one flat, the key of D has two sharps, etc.
>> Don't have your head so far down in the nuts and bolts.......time for a
>> vacation....and leave your email and cellphone behind.
>
> The poster's native language is not English, it seems, but Dutch (.nl email
> address).

I am indeed Dutch... that's a fact...
That doesn't mean I don't understand LOL...

Yes... I'm in need of vacation indeed ;)

Cheers,


Re: Singing with certificate

Dr. Stephen Henson
In reply to this post by Rory Vieira
On Fri, Apr 21, 2006, Rory Vieira wrote:

> Bernhard Froehlich wrote:
>
> >Rory Vieira wrote:
> >
> >>Hi,
> >>
> >>For our customers we make backups (like everyone else).
> >>However, legal restrictions apply to the specific branch we work in.
> >>We are required to encrypt the data.
> >>
> >>...
> >>
> >>Thanks in advance...
> >
> >As far as I know there is no tool in openssl you can just drop in to
> >use a public key to encrypt a stream. If someone knows better please
> >tell.
> >
> >There is the smime-tool which can encrypt files, but I don't think
> >this is what you want/need.
> >One way to work around this problem (other than writing your own tool)
> >might be a sequence of shell commands which may work like this:
> >
> >   * Generate a key from /dev/random and store it in a file
> >   * Use this key to do openssl des3 ... like you did before
> >   * Encrypt the key using openssl smime with your client's certificate
> >   * Delete the unencrypted key (this might not be as trivial as it
> >     sounds if security requirements are high)
> >
> >This way your customer could use the reverse procedure (decrypt key
> >with openssl smime and decrypt data with the key) to recover the data.
> >
> >Hope it helps,
> >Ted
> >;)
> >
> This is great. So much thanks from me (and my customers LOL).
> This is just what I needed. Shame I couldn't come up with it myself :D
>

A refinement of this would be to use 'openssl rand' to create the key and the
'rsautl' utility to encrypt and decrypt it using the appropriate public and
private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
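
The procedure Bernhard Fröhlich lists above, using 'openssl rand' for the key as in Stephen Henson's refinement, written out as an added example that is not part of the thread. It swaps des3 for AES-256-CBC with PBKDF2 and wraps the key with 'openssl smime' rather than 'rsautl'; the function names, file names and the .key.p7 / .tar.gz.enc suffixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are assumptions.
set -eu
(set -o pipefail) 2>/dev/null && set -o pipefail  # catch tar failures where supported

# One-time step on the customer's side: export the certificate only (no
# private key) from the .p12 so it can be handed to the backup host:
#   openssl pkcs12 -in customer.p12 -clcerts -nokeys -out customer-cert.pem

# encrypt_backup <dir> <recipient-cert.pem> <out-prefix>
# Writes <out-prefix>.key.p7 (wrapped key) and <out-prefix>.tar.gz.enc (data).
encrypt_backup() (
    src=$1; cert=$2; out=$3
    umask 077                                  # temp key readable by owner only
    keyfile=$(mktemp) || exit 1
    # rm only unlinks the file; point TMPDIR at a tmpfs if the key must never
    # reach persistent storage (the caveat in the last step of the procedure).
    trap 'rm -f "$keyfile"' EXIT               # key is removed even on failure
    # Fresh 256-bit key for every backup.
    openssl rand -hex 32 > "$keyfile" &&
    # Wrap the key for the certificate holder before any data is written, so
    # an archive without a recoverable key is never produced.
    openssl smime -encrypt -aes256 -binary -outform DER \
        -in "$keyfile" -out "$out.key.p7" "$cert" &&
    # Stream the archive through the cipher. The key is read from the file,
    # so it does not show up in the process list the way -k <pass> does.
    tar -czf - -C "$src" . |
        openssl enc -aes-256-cbc -salt -pbkdf2 -pass "file:$keyfile" \
            -out "$out.tar.gz.enc"
)

# decrypt_backup <out-prefix> <cert.pem> <private-key.pem> <restore-dir>
# The reverse procedure, run by the holder of the private key.
decrypt_backup() (
    in=$1; cert=$2; key=$3; dest=$4
    umask 077
    keyfile=$(mktemp) || exit 1
    trap 'rm -f "$keyfile"' EXIT
    openssl smime -decrypt -binary -inform DER -in "$in.key.p7" \
        -recip "$cert" -inkey "$key" -out "$keyfile" &&
    mkdir -p "$dest" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
        -in "$in.tar.gz.enc" |
        tar -xzf - -C "$dest"
)
```

CBC mode as used here gives confidentiality only, so keep a signature or digest of the .enc file alongside it if tampering has to be detectable.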