Endpoint Encryption

  • 1.  failures in Sign verification.

    Posted Dec 24, 2015 07:51 AM

    Hi,


    One of our partners sends us PGP-signed files. It has shared its public key with us and we have added it to our public keyring. The key can be seen in the keyring with the "pgp --list-keys" command.

    However, when I look at the details of the key using "pgp --list-key-details <keyID>", I suspect something below is not correct in the key details:

     Type: RSA (v4) public key
           Size: 2048
       Validity: Invalid
          Trust: Never
        Created: 2015-12-03
        Expires: 2022-08-02
         Status: Active
         Cipher: CAST5 (Absent)
           Hash: SHA-1 (Absent)
       Compress: Zip (Absent)

          Photo: No
      Revocable: No
          Token: No
      Keyserver: Absent
        Default: No
        Wrapper: No
     Prop Flags: Absent
     Ksrv Flags: Absent
     Feat Flags: Absent
      Notations: None
          Usage: Sign user IDs
          Usage: Sign messages
          Usage: Encrypt communications
          Usage: Encrypt storage
          Usage: PGP NetShare
          Usage: PGP WDE
          Usage: PGP ZIP
          Usage: PGP Messaging

      Subkey ID: None
            ADK: None
        Revoker: None

    When I verify the messages sent by the partner, signed with this key, I get the error log below:

    [rt6000946:/apps/bfg/shared/pgp]> ./pgp --verify /tmp/RJCT_993642151c5036949node1
    /tmp/RJCT_993642151c5036949node1:verify (3042:suggested output file name ********)
    /tmp/RJCT_993642151c5036949node1:verify (3177:message signed by key ID *********)
    /tmp/RJCT_993642151c5036949node1:verify (3038:signing key *************)
    /tmp/RJCT_993642151c5036949node1:verify (3079:signing key invalid)
    /tmp/RJCT_993642151c5036949node1:verify (3040:signature created 2015-12-21T14:48:53+00:00)
    /tmp/RJCT_993642151c5036949node1:verify (3170:signature hash SHA-256)
    /tmp/RJCT_993642151c5036949node1:verify (3036:bad signature)
    /tmp/RJCT_993642151c5036949node1:verify (0:verify complete)

    However, the sender claims that he can verify these files using PGP Studio software at his end. I have hidden the key information in the above logs deliberately; however, it matches the key which the partner has provided us and which is present in our PGP public keyring.

    Could you please suggest what could be wrong in this case?

    Can it be due to the preferred cipher and hash settings missing from the client's private key?


  • 2.  RE: failures in Sign verification.

    Posted Dec 28, 2015 05:41 PM

    Here are a couple of things that could be going wrong....

    0.) Have you signed the public key after importing it into your keyring? Sometimes the error will occur if you do not trust the sender's public key. Signing it with your own key ("pgp --sign-key KEYID") will trust the key, and it will no longer produce the signature error.

    1.) The files may have been modified in transit. The signature serves two purposes: to ensure the files have NOT been modified, and to ensure they came from the person you are expecting them to come from. So, if the signature shows as invalid, the files may have been modified in transit.

    2.) The hashing algorithm appears to be absent. Signatures will not work properly if there is not a proper hash algorithm. Ask the sender to send you what he sees for his key properties... what hash algorithm is there? It may be an outdated (no longer secure) or non-standard hash algorithm. This would also affect the signature.

    If the issue is with #2, you can ask him to generate a new key using newer hashing algorithms (SHA2, etc.). You may have better luck then.


    Best Regards,

    Phil
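
An added example, not code from either poster or from Symantec's PGP Command Line: the script below parses status lines shaped like the "pgp --verify" output quoted in the question and separates the two failure classes that reply 2 lists. Code 3079 ("signing key invalid") is the local keyring's opinion of the key (validity/trust, the thing "pgp --sign-key" changes), while 3036 ("bad signature") means the data does not match the signature (the "modified in transit" case). The grouping of the codes is my reading of the messages on the page, not a documented Symantec code table; the sample log, the key-ID masking and the regular expressions are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the shape of the "pgp --verify" output quoted in the
# post, with the same status codes. Key IDs are masked, as in the post.
SAMPLE_LOG = """\
/tmp/RJCT_993642151c5036949node1:verify (3042:suggested output file name ********)
/tmp/RJCT_993642151c5036949node1:verify (3177:message signed by key ID *********)
/tmp/RJCT_993642151c5036949node1:verify (3038:signing key *************)
/tmp/RJCT_993642151c5036949node1:verify (3079:signing key invalid)
/tmp/RJCT_993642151c5036949node1:verify (3040:signature created 2015-12-21T14:48:53+00:00)
/tmp/RJCT_993642151c5036949node1:verify (3170:signature hash SHA-256)
/tmp/RJCT_993642151c5036949node1:verify (3036:bad signature)
/tmp/RJCT_993642151c5036949node1:verify (0:verify complete)
"""

# "<file>:verify (<code>:<message>)". The path is taken up to the first
# colon, so a path containing colons would need a stricter pattern.
LINE_RE = re.compile(r"^(?P<file>[^:]+):verify \((?P<code>\d+):(?P<msg>.*)\)$")

# Assumed grouping (my reading of the messages, not a Symantec reference):
# 3079 is the keyring's verdict on the signing key (validity/trust, a local
# decision); 3036 is the cryptographic check of data against signature failing.
TRUST_CODES = {3079}
INTEGRITY_CODES = {3036}


def parse_verify_log(text: str) -> List[Dict[str, object]]:
    """Turn each status line into {file, code, msg}; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"file": m.group("file"),
                           "code": int(m.group("code")),
                           "msg": m.group("msg")})
    return events


def diagnose_verify_log(text: str) -> Dict[str, object]:
    """Separate 'the keyring does not trust this key' from 'the bytes do not match'."""
    events = parse_verify_log(text)
    codes = {e["code"] for e in events}
    result: Dict[str, object] = {
        "codes": codes, "key_id": None, "hash": None,
        "trust_problem": bool(codes & TRUST_CODES),
        "integrity_problem": bool(codes & INTEGRITY_CODES),
        "advice": [],
    }
    for e in events:
        if e["code"] == 3177:
            m = re.search(r"key ID (\S+)", e["msg"])
            if m:
                result["key_id"] = m.group(1)
        elif e["code"] == 3170:
            m = re.search(r"signature hash (\S+)", e["msg"])
            if m:
                result["hash"] = m.group(1)

    if result["integrity_problem"]:
        # A mismatch between data and signature is independent of key trust:
        # signing the key in the local keyring cannot change this outcome.
        result["verdict"] = "REJECT"
        result["advice"].append(
            "Data does not match the signature: the file changed after signing "
            "(transfer mode, line endings, truncation) or the signature belongs to "
            "a different file. Re-transfer in binary mode and compare a SHA-256 "
            "of the sender's copy and yours.")
    elif result["trust_problem"]:
        result["verdict"] = "UNTRUSTED"
        result["advice"].append(
            "Signature verifies, but the key is not valid/trusted in the local "
            "keyring: confirm the fingerprint with the partner out of band, then "
            "sign the key (pgp --sign-key KEYID, as in the reply above).")
    else:
        result["verdict"] = "OK"
    if result["hash"]:
        result["advice"].append(
            f"The signature names its own hash algorithm ({result['hash']}); an "
            "absent hash preference on the key does not prevent verification.")
    return result


if __name__ == "__main__":
    r = diagnose_verify_log(SAMPLE_LOG)
    print(r["verdict"], "key", r["key_id"], "hash", r["hash"])
    for line in r["advice"]:
        print(" -", line)
```

Run against the log in the question it reports REJECT, because 3036 is present: the partner's key may well need signing to clear 3079, but that by itself cannot turn a "bad signature" into a good one, so the first thing to check is whether the bytes that arrived are the bytes that were signed (an FTP transfer in ASCII mode is a classic cause). Note also that the log line 3170 shows the verifier already knows the signature's hash is SHA-256; in OpenPGP the hash algorithm is recorded in the signature itself, and the "Hash: SHA-1 (Absent)" entry in the key listing is only the key owner's preference list.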