Endpoint Encryption


importing open source key pairs

  • 1.  importing open source key pairs

    Posted Oct 03, 2014 03:18 PM

    I'm unable to decrypt a file on HP UX but am able to decrypt on IBM AIX using the exact same PGP command line version and the exact same key pair imported on the exact same file.

    The key pair was generated from IPSwitch so it's open source.  Version, BCPG v1.46

    If I generate my own key pair on HP UX I can encrypt and decrypt just fine - it's just with this imported key pair that it's not decrypting.  Again same process on AIX decrypts without issues.

    --dump-packets is successful and identical between servers

    Verbose debug output from unsuccessful decrypt

     

    /inbound> pgp --decrypt ABCFILE.txt.pgp --passphrase XXXXXX --debug --verbose
    pgp:decrypt (3157:current local time 2014-10-03T14:02:00-05:00)
    /XXXXX/.pgp/pubring.pkr:open keyrings (1006:public keyring)
    /XXXXX/.pgp/secring.skr:open keyrings (1007:private keyring)
    Decoding ABCFILE.txt.pgp...
     armor header
    ABCFILE.txt.pgp:decrypt (3188:Version, BCPG v1.46)
     begin lex event
     file is encrypted
     file is asymmetrically encrypted
     trying passphrase
    ABCFILE.txt.pgp:decrypt (3090:operation failed, encrypted session key is bad)
    Decode complete

     

    Any help would be appreciated.

     

    Regards

    Brad

     



  • 2.  RE: importing open source key pairs

    Posted Oct 06, 2014 09:02 AM

    Hi Brad,

    I don't think HPUX is supported:

    http://www.symantec.com/docs/TECH205637

     

     



  • 3.  RE: importing open source key pairs

    Posted Oct 06, 2014 10:23 AM

    I'm on 10.2.1 which does support HPUX.

     

    http://www.symantec.com/business/support/index?page=content&id=DOC5551

     



  • 4.  RE: importing open source key pairs

    Posted Oct 06, 2014 10:27 AM

    Can you paste the output of --list-key-details KeyNameHere from both OS's?  It's possible HPUX is reading the key differently.

     

     



  • 5.  RE: importing open source key pairs

    Posted Oct 06, 2014 10:36 AM

    Both outputs are identical:

     

    ----------AIX----------

    Key Details: ABCKEY <ABCKEY>
         Key ID: 0x760B47BF (0x846E6F08760B47BF)
           Type: RSA (v4) key pair
           Size: 1024
       Validity: Invalid
          Trust: Never (Not axiomatic)
        Created: 2012-08-29
        Expires: Never
         Status: Active
         Cipher: Blowfish
         Cipher: CAST5
         Cipher: IDEA
         Cipher: TripleDES
           Hash: SHA-1
           Hash: MD5
           Hash: RIPEMD-160
           Hash: Unknown 0x05
       Compress: Zip (Absent)
          Photo: No
      Revocable: Yes
          Token: No
      Keyserver: Absent
        Default: No
        Wrapper: No
     Prop Flags: Sign user IDs
     Prop Flags: Sign messages
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
     Ksrv Flags: Absent
     Feat Flags: Absent
      Notations: None
          Usage: Sign user IDs
          Usage: Sign messages

      Subkey ID: 0xD48CCB6E (0x3E6829F9D48CCB6E)
           Type: RSA (v4) subkey pair
           Size: 1024
        Created: 2012-08-29
        Expires: Never
         Status: Active
      Revocable: Yes
          Token: No
          X.509: No
     Prop Flags: Encrypt communications
     Prop Flags: Encrypt storage
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
      Notations: None
          Usage: Encrypt communications
          Usage: Encrypt storage
          Usage: PGP NetShare
          Usage: PGP WDE
          Usage: PGP ZIP
          Usage: PGP Messaging

            ADK: None

        Revoker: None

    2 keys found

     

    ----------HP----------

     

    Key Details: ABCKEY <ABCKEY>
         Key ID: 0x760B47BF (0x846E6F08760B47BF)
           Type: RSA (v4) key pair
           Size: 1024
       Validity: Invalid
          Trust: Never (Not axiomatic)
        Created: 2012-08-29
        Expires: Never
         Status: Active
         Cipher: Blowfish
         Cipher: CAST5
         Cipher: IDEA
         Cipher: TripleDES
           Hash: SHA-1
           Hash: MD5
           Hash: RIPEMD-160
           Hash: Unknown 0x05
       Compress: Zip (Absent)
          Photo: No
      Revocable: Yes
          Token: No
      Keyserver: Absent
        Default: No
        Wrapper: No
     Prop Flags: Sign user IDs
     Prop Flags: Sign messages
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
     Ksrv Flags: Absent
     Feat Flags: Absent
      Notations: None
          Usage: Sign user IDs
          Usage: Sign messages

      Subkey ID: 0xD48CCB6E (0x3E6829F9D48CCB6E)
           Type: RSA (v4) subkey pair
           Size: 1024
        Created: 2012-08-29
        Expires: Never
         Status: Active
      Revocable: Yes
          Token: No
          X.509: No
     Prop Flags: Encrypt communications
     Prop Flags: Encrypt storage
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
      Notations: None
          Usage: Encrypt communications
          Usage: Encrypt storage
          Usage: PGP NetShare
          Usage: PGP WDE
          Usage: PGP ZIP
          Usage: PGP Messaging

            ADK: None

        Revoker: None

    2 keys found



  • 6.  RE: importing open source key pairs

    Posted Oct 06, 2014 12:33 PM

    After importing the keypair, did you set trust for the imported key?  It seems odd that it is showing Never trust on both, but the AIX one is working...  I suppose if it were created on the AIX box, it would be implicit trust, and may be misreporting here.

    Also, both show as Invalid.  I believe you may have posted the HPUX results twice on accident.  You shouldn't be able to do anything with a key that shows as Invalid with no trust.  They should be trusted as follows before the keypair will be valid:
    pgp --set-trust ABCKEY --trust implicit

    After you do that, it should recognize the keypair as being your personal private (implicitly trusted) keypair, and it should be able to decrypt.



  • 7.  RE: importing open source key pairs

    Posted Oct 06, 2014 02:06 PM

    My understanding was the key will still function for both encryption and decryption operations without setting trust or signing the imported key pair.  So without trusting or signing the key on either platform it still works on AIX and still does not work on HPUX.  Also the output was correctly copied from each platform for command list-key-details.  It was just identical output.  

    The key pair did not originate from the AIX platform - it originated from IPSwitch WS_FTP pro.

    I can successfully export a keypair generated on AIX and import into HPUX and use it for encryption and decryption operations.  I just can't do it on HPUX using this open source key pair.

    However, just to make sure the trust wasn't the issue I went ahead and followed your recommendation to set implicit trust and it still did not resolve the issue.

    Here is the new output from list-key-details from HPUX and it now shows implicit trust and complete validity.

    Key Details: ABCKEY <ABCKEY>
         Key ID: 0x760B47BF (0x846E6F08760B47BF)
           Type: RSA (v4) key pair
           Size: 1024
       Validity: Complete
          Trust: Implicit (Axiomatic)
        Created: 2012-08-29
        Expires: Never
         Status: Active
         Cipher: Blowfish
         Cipher: CAST5
         Cipher: IDEA
         Cipher: TripleDES
           Hash: SHA-1
           Hash: MD5
           Hash: RIPEMD-160
           Hash: Unknown 0x05
       Compress: Zip (Absent)
          Photo: No
      Revocable: Yes
          Token: No
      Keyserver: Absent
        Default: No
        Wrapper: No
     Prop Flags: Sign user IDs
     Prop Flags: Sign messages
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
     Ksrv Flags: Absent
     Feat Flags: Absent
      Notations: None
          Usage: Sign user IDs
          Usage: Sign messages

      Subkey ID: 0xD48CCB6E (0x3E6829F9D48CCB6E)
           Type: RSA (v4) subkey pair
           Size: 1024
        Created: 2012-08-29
        Expires: Never
         Status: Active
      Revocable: Yes
          Token: No
          X.509: No
     Prop Flags: Encrypt communications
     Prop Flags: Encrypt storage
     Prop Flags: PGP NetShare
     Prop Flags: PGP WDE
     Prop Flags: PGP ZIP
     Prop Flags: PGP Messaging
      Notations: None
          Usage: Encrypt communications
          Usage: Encrypt storage
          Usage: PGP NetShare
          Usage: PGP WDE
          Usage: PGP ZIP
          Usage: PGP Messaging

            ADK: None

        Revoker: None

    Thanks for your help - let me know if you have any more suggestions.

     



  • 8.  RE: importing open source key pairs

    Posted Oct 06, 2014 06:21 PM

    I have been searching through old cases/bugs looking for something specific related to your issue, and I did find another instance of a different version of PGP Command Line not functioning correctly on HPUX.  I am looking into it further, and I will try to update you if I discover anything pertinent.



  • 9.  RE: importing open source key pairs

    Posted Oct 08, 2014 05:25 PM

    Anyone have any updates or anything else I can try here?



  • 10.  RE: importing open source key pairs
    Best Answer

    Posted Oct 08, 2014 06:12 PM

    Finally figured it out.  I ended up changing the passphrase on the keypair that was imported successfully into AIX and would successfully decrypt and then exporting that keypair from AIX and importing that into HPUX.  Now I can decrypt the original encrypted files on both systems using the new passphrase.

    Not sure of the root cause here though.  Perhaps something to do with the way the key pair was exported from IPSwitch's WS_FTP pro.

     

    Thanks for your assistance in helping to troubleshoot this.
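
The workaround in post 10 changes the passphrase, which re-encrypts the secret key material, so the protection fields stored in each secret-key packet (S2K usage octet, cipher, S2K specifier; RFC 4880 section 5.5.3) are written afresh by the exporting tool. As an added example, not part of the thread and not Symantec's or Ipswitch's code, this Python code reads those fields from a binary (non-armored) export so the original and re-exported key pairs can be compared. The sample packets and the names EXPORT_A and EXPORT_B are constructed, and the thread does not establish that these fields were the cause.

```python
CIPHERS = {1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish", 9: "AES-256"}
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256"}
S2K = {0: "simple", 1: "salted", 3: "iterated+salted"}

def packets(data):  # yield (tag, body) for each packet, RFC 4880 section 4.2
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("5-octet/partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            size = (1, 2, 4)[ltype]
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def skip_mpi(body, pos):  # an MPI is a 2-byte bit count followed by the value
    return pos + 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8

def secret_key_protection(data):  # one dict per v4 RSA secret key/subkey packet
    found = []
    for tag, body in packets(data):
        if tag in (5, 7) and body[0] == 4 and body[5] in (1, 2, 3):
            pos = skip_mpi(body, skip_mpi(body, 6))  # skip public MPIs n and e
            usage = body[pos]
            info = {"packet": tag, "s2k_usage": usage}
            if usage in (254, 255):              # cipher octet + S2K specifier follow
                c, t, h = body[pos + 1:pos + 4]
                info.update(cipher=CIPHERS.get(c, c), s2k=S2K.get(t, t), hash=HASHES.get(h, h))
            elif usage:                          # legacy: usage octet is the cipher id
                info.update(cipher=CIPHERS.get(usage, usage), s2k="none", hash="MD5")
            found.append(info)
    return found

def _sample(fields):  # constructed v4 RSA secret-key packet, not the thread's key
    body = b"\x04" + bytes(4) + b"\x01" + b"\x00\x08\xc5" + b"\x00\x11\x01\x00\x01" + fields
    return bytes([0x95]) + len(body).to_bytes(2, "big") + body

EXPORT_A = _sample(bytes([254, 3, 3, 2]) + bytes(8) + b"\x60" + bytes(8))
EXPORT_B = _sample(bytes([255, 9, 3, 8]) + bytes(8) + b"\x60" + bytes(8))
```

Calling secret_key_protection() on each export and comparing the returned dicts shows whether the two files protect the same key with different parameters.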



  • 11.  RE: importing open source key pairs

    Posted Oct 08, 2014 07:17 PM

    Thank you for figuring out a workaround!  Backline is looking into the case I mentioned previously for a root cause, but I don't think anything has been found yet.  Maybe this information will help steer them towards a fix.