PGP Key without Subkey
Created: 20 Dec 2012 | 15 comments
Hi
my company uses several public keys sent by External customers to encrypt customer data
Some new starters in the team have the standard PGP Desktop version 8.1 installed and one of the customer keys (only one out of is not working on the new installations
On examination the key that is not working is an RSA Public Key without a Subkey (all other keys have a subkey)
This key is working on 2 existing team members computers which have either bespoke versions of PGP Desktop (we do not know what was done)
My question is how can this key work without a Subkey ?
and is there anything that can be done to the standard version to make this key work ?
Appreciate any help I can get
Chris
Not all keys generated use subkeys, depending on when it was made, what type of key it is etc. RSA keys before v4 didn't use subkeys, it's possible this is one of those.
http://www.cstl.com
Thanks Alex ,
is there something extra that needs to be done to a Key without a Subkey to make it appear in the Key selection dialog screen when I right mouse click on a file in Explorer ?
(it has been signed , like all other 8 keys)
thanks
Chris
If current/recent versions of PGP indicate the key is an RSA key, it is a v4 key and needs to have an encryption subkey for current/recent versions of PGP to encrypt to it. Current/recent PGP versions will identify those old v3 RSA keys that did not use subkeys as Legacy RSA keys. If someone deletes an RSA key's encryption subkey, it becomes a sign only key, and you cannot encrypt to it. The owner of the key needs to either add an encryption subkey to the existing key, or generate a new key for you to use in encryption to him/her.
If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
Search the Knowledge Base
thanks ,
that is what I had assumed from the Manual and searching the forums , nice to have it confirmed
Is there any way to explain why 2 existing installations that indicate PGP version 8.1 are able to encrypt with this RSA key (the PGP screens indicate RSA key) ?
chris
You may want to take a look at the key on those machines; they might have a copy of the key before the subkey was deleted. If so, you can resolve the problem by exporting the key from one of those machines and then importing it to your other machines. If your use of the key is only on your oldest versions of PGP, it might possibly be related to those older versions not recognizing the key as a sign only key, and treating it as a v3 RSA key (encrypting to the RSA master key), but I wouldn't have thought this would occur as recent as PGP 8.1.
Hi Tom
I have just checked the key version and everyone is using the same key.
We have also been testing other users' keyrings on different machines and the problem is definitely machine related rather than key related.
The machines that do not see this RSA key are the newest installation (and also have PGP command line installed)
The machines that can see the RSA key are the existing installations (and do not have PGP command line)
All machines indicate 8.1
Is there any way of testing /checking if this is an older version other than the version number
thanks
Chris
Does this mean that you have confirmed that this particular key does not have an encryption subkey on any of these machines? I'm confused as to what you mean by "checked the key version."
When you say "see the RSA key," do you mean that it presents the key as being available for decryption?
So, the machines that can encrypt to this key, do not have PGP command line installed?
If the problem is only on machines with both PGP Desktop and PGP Command Line installed, are both PGP versions using the same keyrings?
Are both PGP command line, and PGP Desktop using version 8.1?
What operating system are you using?
If the software reports being 8.1, it should be. You can also export a key, open the exported key in Notepad, and see what version is reported there. This will show what version of PGP exported the key.
> Does this mean that you have confirmed that this particular key does not have an encryption subkey on any of these machines? I'm confused as to what you mean by "checked the key version."
Apologies, on ALL machines this key does not have an encryption subkey
Everyone has imported the same key from a central location onto their personal keyrings
> When you say "see the RSA key," do you mean that it presents the key as being available for decryption?
The RSA is not visible in the Key Selection Dialog screen
> So, the machines that can encrypt to this key, do not have PGP command line installed?
correct
> If the problem is only on machines with both PGP Desktop and PGP Command Line installed, are both PGP versions using the same keyrings?
> Are both PGP command line, and PGP Desktop using version 8.1?
Both PGP versions are using the same Keyring
Command line version 9.8
Desktop version 8.1
> What operating system are you using?
Windows XP Professional SP3
I'm thinking that the problem is related to the different versions using the same keyrings, and the more recent command line version not being able to encrypt to sign only RSA keys, while the older 8.1 version being able to. I suspect that PGP Desktop 8.1 would be able to use the key if it uses its own keyrings. You can test this by changing the keyrings setting to a different folder, letting PGP then create new keyrings at that location, and importing the key from the location it was originally imported from (not from the current keyring).
Hi Tom
I would have to agree that the versions are causing the problem but I think it might be the recognition of the key.
I created a new Keyring from within PGP desktop (v8.1) and imported the offending key into this new keyring. I also imported a RSA key which has a Subkey and works on all machines as a control
I then changed PGP Desktop to use this keyring as its default.
Still when I attempted to encrypt the control key was displayed and the offending key was not
Could the mere installation of PGP command line have upgraded DLL's that PGP desktop uses which means that PGP 8.1 will no longer recognise RSA keys without Subkeys regardless of which keyring is being used by the different applications ??
FYI The offending key shows "Version: SecureBlackbox 7 (PGPBlackbox)" when I open the key in notepad
This is a possibility. If this is the problem, it might possibly be resolvable by reinstalling PGP Desktop. This might replace the command line dll with the desktop dll, but this won't always occur because sometimes a newer file version will not be replaced by an older one. I would suggest that the likely resolution to all this would be to replace the aging 8.1 version (such as downloading the current Trial and upgrading to it); but this wouldn't let you encrypt to a sign only key, because recent versions are designed to not do this. I guess you could look at PGP DLLs from a single install of both versions on different machines, look for matching PGP DLL names, and if finding any that are the same, make the desired substitution on a current machine.
So the person exporting this key for you is doing so from an Open PGP compliant software install. I doubt this is the problem, but it does introduce a possibility since sometimes "official" PGP and Open PGP compliant software are a little out of step regarding the addition or implementation of features.
I have been able to identify which DLLs have the newer version on the various machines ( there are 6 DLLs/exe in the Windows|system 32)
but I think the decision is going to be made to stick with the situation as it stands and not risk corrupting any installations.
I believe the customer in question (who exported this key) is moving to a different setup sometime next year so the problem will probably resolve itself !!
I deeply appreciate all your help on this matter
thanks
Chris
I would suggest asking the individual to add an encryption subkey, and guess the individual would not have a problem with this.
Another thought - if you place the PGP 8.1 DLLs in the same folder as the PGP 8.1 executables, seems like they will be used by PGP 8.1 instead of the Command Line DLLs it will use in Windows|system 32
Please let me know if you tried this - I believe it will work for you.