
Netshare and Specific PGP Key Type DH/DSS Not Allowed

Created: 16 Mar 2011 | 11 comments

Running PGP Desktop Corporate 10.1.1 and finding that when I've defined a Netshare, I cannot add a user's PGP key to the authorized list of users if it was generated as a DH/DSS type.  Netshare only appears to allow keys generated as RSA to be added.

This was noted in release notes for 10.0.x to have been resolved.

Is anyone else still seeing this problem?  I don't want to have to generate a new key pair to get around this problem.

Thanks,

Rick


UlrichW:

Would it be possible for you to post the details of the error you're seeing (ideally screenshot of the error message you're seeing and excerpts from the client logs)?

v205608@gmail.com:

Don't appear to be able to post a screen shot through this interface.  The specific error message is "One or more user keys cannot be used with NetShare".  There are no messages in the log file.  Any user with a RSA key works fine.  Only throws the error when attempting to add a user to a NetShare and their specific key type is DH/DSS.

UlrichW:

The issue doesn't appear to be related to DH/DSS. I was just able to successfully add a DH/DSS user with Desktop 10.0.2. There's probably something else about the key that's preventing it from being used.

I'll do some more research from my side to see what can cause this message. If you happen to be motivated to do so, it would help if you could see if there's anything you can identify on your side (e.g., if you could try another DH/DSS key that was created at a different time to see if that works).

UlrichW:

Can you check your key properties to see what key usage flags are set? Netshare will prevent you from using the key if the netshare key usage flag is not enabled (unless you have a key with no usage properties at all).

v205608@gmail.com:

You hit the nail right on the head.  It appears that my key generated for doddrw@gmail.com (which you can find on the pgp keyserver) has all the key usage properties checked.  Interestingly though, in the properties screen there is no key icon in the usage column for the subkey.  When you open the subkey, all the key usage items are checked.  You don't seem to be able to change any of them though.  I added another subkey for encryption to this keypair and it added the icon for the key usage flags.  After doing so, I can add this user to a NetShare.

It appears that since the first subkey doesn't show the icon for the usage column, PGP is not recognizing that the usage flags are set.  Do you know of any way to resolve that, or should I just leave the other subkey there?  I'm mainly worried about altering anything that would invalidate the keypair such that anything I have previously encrypted with it will no longer be accessible.

Thanks,

Tom Mc:

As long as you don't delete the old subkey, it will remain available for use.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


v205608@gmail.com:

The question now is whether the old subkey is really broken and can it be fixed?

emlowe:

The old subkey appears to be missing the ability to encrypt. That is why your key wasn't appearing in any lists, because the software was determining the key cannot be used for encryption. The new subkey has the correct flags:

Hashed Sub: key flags(sub 27)(4 bytes)

Flag - This key may be used to encrypt communications

Flag - This key may be used to encrypt storage

You can put your public key into pgpdump.net to look at the packets.

How did you create your key originally - which version of PGP or GPG did you use?
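Added example, not code from the thread or from PGP Desktop: a small Python parser that walks a binary (non-armored) OpenPGP public key and reports, for the primary key and each subkey, the key-flags octet (hashed subpacket type 27) from its first flag-carrying signature, which is the check emlowe describes doing with pgpdump. The sample key bytes are constructed inline and are not a real key; the rule that a key with no usage flags at all is accepted follows UlrichW's description above.

```python
import struct
PKT_SIG, PKT_PUBKEY, PKT_PUBSUBKEY, KEY_FLAGS = 2, 6, 14, 27
ENCRYPT_FLAGS = 0x04 | 0x08  # "encrypt communications" | "encrypt storage" (the two pgpdump lines above)
def _read_len(data, i):
    # New-format packet/subpacket length octets (RFC 4880 4.2.2 and 5.2.3.1); partial bodies unsupported.
    o = data[i]
    if o < 192: return o, i + 1
    if o < 224: return ((o - 192) << 8) + data[i + 1] + 192, i + 2
    if o == 255: return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body length not supported")
def iter_packets(data):
    # Yield (tag, body) for every old- or new-format packet in a binary (non-armored) key blob.
    i = 0
    while i < len(data):
        t = data[i]
        if t & 0x40:                                   # new format: tag in the low 6 bits
            tag, (length, i) = t & 0x3F, _read_len(data, i + 1)
        else:                                          # old format: 2-bit length-type, 1/2/4 length octets
            tag, ltype = (t >> 2) & 0x0F, t & 0x03
            if ltype == 3: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i + 1:i + 1 + (1 << ltype)], "big")
            i += 1 + (1 << ltype)
        yield tag, data[i:i + length]
        i += length
def key_flags_in_sig(body):
    # Key-flags octet (hashed subpacket type 27) of a v4 signature, or None when the subpacket is absent.
    if body[0] != 4: return None
    area, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0
    while i < len(area):
        length, i = _read_len(area, i)
        if (area[i] & 0x7F) == KEY_FLAGS and length > 1: return area[i + 1]
        i += length
    return None
def key_usage(key_bytes):
    # One (kind, flags, encrypt_ok) per primary key / subkey, flags from its first flag-carrying signature;
    # as described in the thread, a key with no flags at all is accepted, otherwise an encrypt bit is needed.
    out = []
    for tag, body in iter_packets(key_bytes):
        if tag in (PKT_PUBKEY, PKT_PUBSUBKEY):
            out.append(["primary" if tag == PKT_PUBKEY else "subkey", None])
        elif tag == PKT_SIG and out and out[-1][1] is None:
            out[-1][1] = key_flags_in_sig(body)
    return [(kind, f, f is None or bool(f & ENCRYPT_FLAGS)) for kind, f in out]
# Constructed helpers and sample (not a real key): old-format (0x99) primary with certify+sign,
# a sign-only subkey like the "broken" one in the thread, and a second subkey with both encrypt flags.
_pkt = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body          # new-format, 1-octet length
_sig = lambda flags: bytes([4, 0x18, 17, 8, 0, 3, 2, KEY_FLAGS, flags, 0, 0, 0, 0])  # v4 sig skeleton
SAMPLE_KEY = (bytes([0x99]) + struct.pack(">H", 6) + b"\x04dummy" + _pkt(PKT_SIG, _sig(0x03))
              + _pkt(PKT_PUBSUBKEY, b"\x04sub1") + _pkt(PKT_SIG, _sig(0x02))
              + _pkt(PKT_PUBSUBKEY, b"\x04sub2") + _pkt(PKT_SIG, _sig(0x0C)))
```

Running `key_usage(SAMPLE_KEY)` shows the sign-only subkey is the one NetShare would reject, while the subkey carrying both encrypt flags is accepted.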

Tom Mc:

I'm guessing it is fair to assume that the subkey is not expired and that the Created date is prior to the current date (and that your computer date is set correctly)?


sibble-comp:

Stuck in the same boat here.....

Can't use any of my 3 keys to be added to a new Netshare folder I created (my first). I am not seeing anywhere to find the flags in question.  These keys have been with me for many years; one of them started out back with the first commercial PGP product, the others are more recent DH/DSS ones. Keys are not expired nor have bad dates on them.

What to do...?

Edit: found the flags, for all keys and subkeys, netshare is checked along with wde, zip and messaging, and works fine for those 3.

P.S. Nice to see you are still around Tom Mc

sibble-comp:

Gave up on old keys, generated a new one, signed it with old keys, applied to netshare, all is good.