File Share Encryption

  • 1.  keys smaller than 1024 bits are not supported

    Posted Nov 24, 2011 07:25 AM

    Hello,

    I tried to import a cached S/MIME key. First I got the answer "There were errors importing the cached key into the system."

    In Admin Log the following entries appeared:


    - Cannot import cached key [CachedKey:36989ee5-ba0c-47f3-be98-2338208cf531]

    - Not importing user "User Name <user.name@domain.com>" (KeyID: 0x217004B3) because keys smaller than 1024 bits are not supported


    I analysed the key and noticed that the key size is only 512 bits.

    Does anyone have an idea how to import the key in spite of the minimum requirement? How can I disable the validation of the key size?

    We are using PGP Universal version 3.1.2 Build (9). An update to the latest version is planned.


    Regards,

    Christian
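    The Admin Log entry above reports the check that failed: the server reads the RSA modulus of the key and refuses anything below 1024 bits. The following is an added example (not code from this thread or from PGP Universal Server) showing how an administrator can run that same check on an S/MIME public key before attempting an import, so that undersized keys are caught and reported locally. It parses the X.509 SubjectPublicKeyInfo structure with a minimal stdlib DER reader. The moduli used in it are constructed for illustration (odd integers of the right bit length, not real RSA keys) and the 1024-bit threshold is taken from the log message.

```python
import base64
import textwrap

# DER-encoded OBJECT IDENTIFIER for rsaEncryption (1.2.840.113549.1.1.1)
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")
# Minimum modulus size, as stated in the server's Admin Log message
MIN_RSA_BITS = 1024


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def encode_rsa_spki_pem(modulus, exponent=65537):
    """Build a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) around a constructed modulus.

    Used here only to produce sample input; a real key would come from a
    certificate or key file exported from the client's mail software.
    """
    rsa_key = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der_tlv(0x30, RSA_OID_DER + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    return ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem):
    """Return the bit length of the RSA modulus inside a PEM SubjectPublicKeyInfo."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_OID_DER[2:]:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected subjectPublicKey BIT STRING")
    tag, rsa_key, _ = _read_tlv(bitstr, 1)  # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_key, 0)  # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_key_policy(pem, min_bits=MIN_RSA_BITS):
    """Apply the server's size rule locally; returns (accepted, message)."""
    bits = rsa_modulus_bits(pem)
    if bits < min_bits:
        return False, f"rejected: {bits}-bit RSA key is below the {min_bits}-bit minimum"
    return True, f"accepted: {bits}-bit RSA key"


if __name__ == "__main__":
    # Constructed sample moduli: a 512-bit one like the client's key, and a 2048-bit one.
    for modulus in ((1 << 511) | 1, (1 << 2047) | 1):
        print(check_key_policy(encode_rsa_spki_pem(modulus))[1])
```

    Pointing `check_key_policy` at a real exported public key reproduces the server's verdict before the import is attempted, which makes it easy to tell a client exactly which key needs to be regenerated and at what size.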



  • 2.  RE: keys smaller than 1024 bits are not supported

    Posted Nov 29, 2011 04:30 PM

    There is no way that I know of to do so; I have even looked at the PGP Universal Server command line options via SSH. I don't see any such option. This appears to be by design, as this is a security requirement.


    As a matter of fact, we generate 2048-bit keys for users on the PGP Universal Server by default. I would imagine that if you regenerate those certificates to be larger, that would allow you to import them. But I understand the implications of such a requirement.

    I also found this snippet in our PGP Universal Server Administrators guide:

    If you are going to regenerate your Organization Key, you should use a fairly high bit size, such as 2048. However, if you are going to be using X.509 certificates and S/MIME, be aware that many clients only support up to 1024 bits; thus you may want to use 1024 bits for maximum compatibility with S/MIME. All clients can be expected to support at least 4096 bits.



  • 3.  RE: keys smaller than 1024 bits are not supported

    Posted Dec 02, 2011 05:52 AM

    Thank you Ben for your response.

    Now I tried to import the corresponding key into PGP Desktop (10.1.1). I'm just wondering why it would be accepted by PGP Desktop and refused by Universal Server.

    Unfortunately I do not have any influence on that key because it belongs to one of our clients. So I cannot recreate the key. I told our client about the circumstances and now I'm waiting for a response. However, we often receive signatures or keys with a key size of only 512 bits. So I urgently need a way to use these keys in spite of the strict security requirements of Universal Server.

    In other cases I got some hints from PGP telephone support. To solve a problem, it was sometimes possible to disable or control a feature by inserting some XML data into the config. Maybe there is a similar way to disable the validation of the key size?

    Regards,

    Christian