
Vendor cannot decrypt my file

Created: 16 May 2013 | 4 comments

Hi,

I encrypted a file but the bank said they got this error when trying to decrypt it - "The user has cancelled the current operation or the operation has been cancelled because of the BATCHMODE option."  Did I do something wrong, or is the problem on the bank's side?  I am on PGP Command Line version 9.

Here is how I encrypted the file:

> pgp -vvv -esat test-pgp.txt -r ecgddd -u 0x39XXXFBA --passphrase "xxxxxxxxxx"
pgp:encrypt (3157:current local time 2013-05-14T14:02:10-07:00)
/home/jkw0/.pgp/pubring.pkr:open keyrings (1006:public keyring)
/home/jkw0/.pgp/secring.skr:open keyrings (1007:private keyring)
0x0YYY9D67:encrypt (1030:key added to recipient list)
0x39XXXFBA:encrypt (1050:key added as signer)
test-pgp.txt:encrypt (3048:data encrypted with cipher IDEA)
Encoding test-pgp.txt... 100% (0.0KB)
test-pgp.txt:encrypt (0:output file test-pgp.txt.asc)

> pgp  -vvv --verify test-pgp.txt.asc --passphrase "xxxxxxxxxx"
pgp:verify (3157:current local time 2013-05-16T09:47:13-07:00)
/home/jkw0/.pgp/pubring.pkr:open keyrings (1006:public keyring)
/home/jkw0/.pgp/secring.skr:open keyrings (1007:private keyring)
test-pgp.txt.asc:verify (3142:data is encrypted to key ID 0x0YYY9D67)
test-pgp.txt.asc:verify (3143:key belongs to 0x0YYY9D67 ecgddd <pgpadmin@yourbank.com>)
test-pgp.txt.asc:verify (1080:no private key could be found for decryption)
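A small checker for a -vvv transcript like the one above, as an added example (not code from the original post or from PGP Command Line): it parses the status lines into (subject, operation, code, message) and confirms the recipient and signer key IDs before the file is sent. The sample log is constructed from the lines quoted above, and the reading of code 1080 on the sender's own --verify (expected, because the sender holds no private key for the bank's key) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the -vvv status lines quoted in the post, same placeholder key IDs.
SAMPLE_LOG = """\
pgp:encrypt (3157:current local time 2013-05-14T14:02:10-07:00)
/home/jkw0/.pgp/pubring.pkr:open keyrings (1006:public keyring)
0x0YYY9D67:encrypt (1030:key added to recipient list)
0x39XXXFBA:encrypt (1050:key added as signer)
test-pgp.txt:encrypt (3048:data encrypted with cipher IDEA)
Encoding test-pgp.txt... 100% (0.0KB)
test-pgp.txt:encrypt (0:output file test-pgp.txt.asc)
test-pgp.txt.asc:verify (3142:data is encrypted to key ID 0x0YYY9D67)
test-pgp.txt.asc:verify (3143:key belongs to 0x0YYY9D67 ecgddd <pgpadmin@yourbank.com>)
test-pgp.txt.asc:verify (1080:no private key could be found for decryption)
"""

# Status lines have the shape  subject:operation (code:message); progress lines do not.
STATUS_RE = re.compile(r"^(?P<subject>[^:]+):(?P<op>[\w ]+) \((?P<code>\d+):(?P<msg>.*)\)$")

@dataclass
class Status:
    subject: str
    op: str
    code: int
    msg: str

def parse_status_lines(text: str) -> List[Status]:
    """Parse every status line; lines that do not fit the shape (progress bars) are ignored."""
    parsed = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            parsed.append(Status(m["subject"], m["op"], int(m["code"]), m["msg"]))
    return parsed

def check_envelope(statuses: List[Status], expected_recipient: str, expected_signer: str) -> Dict:
    """Summarise who the output is encrypted to and signed by, plus any mismatch findings."""
    recipients = {s.subject for s in statuses if s.code == 1030}  # key added to recipient list
    signers = {s.subject for s in statuses if s.code == 1050}     # key added as signer
    cipher = next((s.msg.rsplit(" ", 1)[-1] for s in statuses if s.code == 3048), None)
    findings = []
    if expected_recipient not in recipients:
        findings.append(f"not encrypted to {expected_recipient}; recipients={sorted(recipients)}")
    if expected_signer not in signers:
        findings.append(f"not signed by {expected_signer}; signers={sorted(signers)}")
    # Assumption: code 1080 on the sender's own --verify only means the sender cannot decrypt
    # locally; a self-test decrypt works only if the sender's own key is also a recipient.
    self_decryptable = expected_signer in recipients
    return {"recipients": recipients, "signers": signers, "cipher": cipher,
            "self_decryptable": self_decryptable, "findings": findings}
```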

dfinkelstein:

What you are doing looks fine:

You are encrypting the file "test-pgp.txt" to the user "ecgddd". You are signing the file as the user 0x39XXXFBA.  You are specifying text mode, and requesting the output be ASCII armored.

The error message the bank is seeing is not one that comes from PGP Command Line (or at least, any recent version from PGP Corporation/Symantec).  It sounds like they are running their program in BATCHMODE but perhaps the program needs some sort of user interaction which isn't being provided in BATCHMODE.  (Say, perhaps the key's passphrase is needed.)

Regards,

--------

David Finkelstein

Symantec R&D

jkw0:

Thanks for the reply David.

This bank requires our keypair to be valid for no more than 2 years.  We encrypted and sent them files every day for the past 2 years without any problem.  The old key expired last week and this is what we did to generate the new key 0x39XXXFBA.

1) pgp --gen-key "Big Bank <my-id@my-comp.com>" --key-type dh --bits 2048 --passphrase "xxxxxxxxxx" --expiration-days 720 

2) pgp --remove-key-pair 0xEA12345 --force  (remove the old keypair)

3) pgp --export 0x39XXXFBA.  Send the output file to the bank with fingerprint.

4) pgp --sign-key 0x0YYY9D67 --signer 0x39XXXFBA --passphrase "xxxxxxxxxx" (their public key never expires, so we're signing their old key)

They were trying to decrypt my test file manually when they got the BATCHMODE error message.  That's not what they normally do.  I think we can assume they made a mistake somewhere.  The thing is they keep saying "I think it has to do with how you are signing the file (the command), and not so much the key itself, but I’m not sure."

See anything wrong on our side?  At this point, both sides are not sure what to do.

Thanks for your help and anyone who can provide input.

Johnny


Nag:

Hi, I am new to PGP.

I followed the starting 3 steps:

1) pgp --gen-key "Big Bank <my-id@my-comp.com>" --key-type dh --bits 2048 --passphrase "xxxxxxxxxx" --expiration-days 720 

2) pgp --remove-key-pair 0xEA12345 --force  (remove the old keypair)

3) pgp --export 0x39XXXFBA.  Send the output file to the bank with fingerprint.

But I would like to cross-check the newly encrypted file by decrypting it. So after Step 3, do I need to follow some other steps?

And

why do we require the step below? If it is not done, what will happen?

4) pgp --sign-key 0x0YYY9D67 --signer 0x39XXXFBA --passphrase "xxxxxxxxxx" (their public key never expires, so we're signing their old key)

dfinkelstein:

I don't see that you are doing anything wrong.  Hm.  Have they signed your new key, so that it is considered trusted?  Perhaps that is where their workflow is breaking down.

--------

David Finkelstein

Symantec R&D