Endpoint Encryption


Netshare and Specific PGP Key Type DH/DSS Not Allowed

  • 1.  Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 16, 2011 08:09 AM

    Running PGP Desktop Corporate 10.1.1 and finding that when I've defined a Netshare, I cannot add a user's PGP key to the authorized list of users if it was generated as a DH/DSS type.  Netshare only appears to allow keys generated as RSA to be added.

    This was noted in release notes for 10.0.x to have been resolved.

    Is anyone else still seeing this problem?  I don't want to have to generate a new key pair to get around this problem.

    Thanks,

    Rick



  • 2.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 16, 2011 06:49 PM

    Would it be possible for you to post the details of the error you're seeing (ideally screenshot of the error message you're seeing and excerpts from the client logs)?



  • 3.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 16, 2011 10:28 PM

    Don't appear to be able to post a screen shot through this interface.  The specific error message is "One or more user keys cannot be used with NetShare".  There are no messages in the log file.  Any user with an RSA key works fine.  Only throws the error when attempting to add a user to a NetShare and their specific key type is DH/DSS.



  • 4.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 18, 2011 03:41 PM

    The issue doesn't appear to be related to DH/DSS. I was just able to successfully add a DH/DSS user with Desktop 10.0.2. There's probably something else about the key that's preventing it from being used.

    I'll do some more research from my side to see what can cause this message. If you happen to be motivated to do so, it would help if you could see if there's anything you can identify on your side (e.g., if you could try another DH/DSS key that was created at a different time to see if that works).



  • 5.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 18, 2011 03:57 PM

    Can you check your key properties to see what key usage flags are set? Netshare will prevent you from using the key if the netshare key usage flag is not enabled (unless you have a key with no usage properties at all).



  • 6.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 20, 2011 10:06 PM

    You hit the nail right on the head.  It appears that my key generated for doddrw@gmail.com (which you can find on the pgp keyserver) has all the key usage properties checked.  Interestingly though, in the properties screen, there is no key icon in the usage column for the subkey.  When you open the subkey, all the key usage items are checked.  You don't seem to be able to change any of them though.  I added another subkey for encryption to this keypair and it added the icon for the key usage flags.  After doing so, I can add this user to a NetShare.

    It appears that since the first subkey doesn't show the icon for the usage column that PGP is not recognizing that the usage flags are set.  Do you know of any way to resolve that, or should I just leave the other subkey there?  I'm mainly worried about altering anything that would invalidate the keypair such that anything I have previously encrypted with it will no longer be accessible.

    Thanks,



  • 7.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 21, 2011 07:18 AM

    As long as you don't delete the old subkey, it will remain available for use.



  • 8.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 22, 2011 10:53 AM

    The question now is whether the old subkey is really broken and can it be fixed?



  • 9.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 22, 2011 11:27 AM

    I'm guessing it is fair to assume that the subkey is not expired and that the Created date is prior to the current date (and that your computer date is set correctly)?



  • 10.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Mar 22, 2011 04:53 PM

    The old subkey appears to be missing the ability to encrypt. That is why your key wasn't appearing in any lists, because the software was determining the key cannot be used for encryption. The new subkey has the correct flags:

    Hashed Sub: key flags(sub 27)(4 bytes)
    Flag - This key may be used to encrypt communications
    Flag - This key may be used to encrypt storage

    You can put your public key into pgpdump.net to look at the packets.

    How did you create your key originally - which version of PGP or GPG did you use?
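
The key flags check described in post 10, as an added example that is not part of the original thread and not Symantec's or pgpdump's code: it walks the hashed subpacket area of an OpenPGP signature, finds subpacket type 27 and decodes its first octet per RFC 4880. The two byte strings are constructed samples, not the poster's key, and any octets after the first (the dump above shows 4 bytes) are left uninterpreted.

```python
KEY_FLAGS = 27  # subpacket type shown as "sub 27" in the pgpdump output
FLAG_NAMES = {  # first octet of the key flags subpacket, RFC 4880 section 5.2.3.21
    0x01: "certify other keys",
    0x02: "sign data",
    0x04: "encrypt communications",
    0x08: "encrypt storage",
    0x10: "private key may be split",
    0x20: "authentication",
    0x80: "private key may be shared",
}

def iter_subpackets(area: bytes):
    """Yield (type, critical, body) for each subpacket in a hashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        # length counts the type octet; its high bit is the critical flag
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def key_flags(area: bytes):
    """Return decoded flag names, or None when no key flags subpacket exists."""
    for sp_type, _critical, body in iter_subpackets(area):
        if sp_type == KEY_FLAGS:
            octet = body[0] if body else 0
            return [name for bit, name in FLAG_NAMES.items() if octet & bit]
    return None

# Constructed samples: creation time (type 2) followed by 4-byte key flags.
NEW_SUBKEY_AREA = bytes.fromhex("05024d800000" "051b0c000000")  # 0x0c = both encrypt bits
OLD_SUBKEY_AREA = bytes.fromhex("05024d800000" "051b00000000")  # no encrypt bits set

if __name__ == "__main__":
    for label, area in (("new", NEW_SUBKEY_AREA), ("old", OLD_SUBKEY_AREA)):
        print(label, key_flags(area))
```

A return value of `None` (no key flags subpacket at all) is distinct from an empty list, which matches the distinction post 5 draws between a key with no usage properties and one whose flags exclude the needed usage.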



  • 11.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Jun 10, 2011 12:02 AM

    Stuck in the same boat here.....

    Can't use any of my 3 keys to be added to a new Netshare folder I created (my first). I am not seeing anywhere to find the flags in question.  These keys have been with me for many years, one of them started out back with the first commercial PGP product, the others are more recent DH/DSS ones. Keys are not expired nor have bad dates on them.

    What to do...?

    Edit: found the flags, for all keys and subkeys, netshare is checked along with wde, zip and messaging, and works fine for those 3.

    P.S. Nice to see you are still around Tom Mc



  • 12.  RE: Netshare and Specific PGP Key Type DH/DSS Not Allowed

    Posted Jun 10, 2011 12:38 AM

    Gave up on old keys, generated a new one, signed it with old keys, applied to netshare, all is good.