Endpoint Encryption

  • 1.  1080 No Private Key

    Posted Feb 23, 2015 10:31 PM
    Hi,
     
    I refer to a comment made by a Symantec staff member in an earlier post:
      file.pgp:verify (3093:data is encrypted to subkey ID 0x73357D11)
      file.pgp:verify (3044:subkey ID 0x73357D11 belongs to 0xCF73E89C Jon Test <jt@eng.pgp.com>)
      file.pgp:verify (1080:no private key could be found for decryption)
     
      This tells you that you at least have the corresponding public key in your keyring.
     
    Unfortunately, there was no mention of what "1080: no private key could be found for decryption" refers to apart from the obvious fact that it is looking for a private key but can't find it.
     
    If a private keyring has been specified in the "pgp --decrypt" command, what does it mean when the "1080" message is thrown?
     
    Thanks in advance.
     
    ~des


  • 2.  RE: 1080 No Private Key

    Broadcom Employee
    Posted Feb 26, 2015 10:12 AM

    Hi,

    To be able to decrypt the file we obviously need a private part.

    I would verify via the pgp -l command whether you have got a full keyring (key pair available) like below (mind the word 'pair' and the key ID, as opposed to just a public portion of the key with the word 'pub')

    [root@keys1 bin]# ./pgp -l
     Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [-----] 0xD373AF0B user3 <user3@ag.dom>
    1 key found

    and then I would use again command like below (just an example of the decryption process)

    [root@keys1 bin]# ./pgp --decrypt "testfiletoencrypt.txt.txt.pgp" --recipient 0xD373AF0B --passphrase "user3pass" -v
    pgp:decrypt (3157:current local time 2014-11-25T10:24:42+01:00)
    /root/.pgp/pubring.pkr:open keyrings (1006:public keyring)
    /root/.pgp/secring.skr:open keyrings (1007:private keyring)
    Decoding file testfiletoencrypt.txt.txt.pgp... 100% (372B)
    testfiletoencrypt.txt.txt.pgp:decrypt (0:output file testfiletoencrypt.txt.txt)
    [root@keys1 bin]#

    which means that the private key specified exists and it has been used to decrypt the file.

    HTH
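
The check described in the two posts above, as an added example that is not part of any post and not Symantec code: it reads the owning key ID from the 3044 status line and looks that key up in `pgp -l` output to see whether it is listed as `pair` or only `pub`. The function names are hypothetical, and the `pub` row in the sample listing is constructed, assuming it uses the same columns as the `pair` rows shown in the thread.

```python
import re

# Status line shape seen in the thread: "<subject>:<operation> (<code>:<message>)"
STATUS = re.compile(r"^\s*(.+?):([a-z ]+) \((\d+):(.*)\)\s*$")
# Listing row shape seen in the thread: "*RSA4 pair 2048/2048 [-----] 0xD373AF0B user3 <...>"
ROW = re.compile(r"^\s*\*?\w+\s+(pair|pub)\s+\S+\s+\[[^\]]*\]\s+(0x[0-9A-Fa-f]{8})\s+\S")
KEYID = re.compile(r"0x[0-9A-Fa-f]{8}")

# The three status lines quoted in the first post.
SAMPLE_STATUS = """\
file.pgp:verify (3093:data is encrypted to subkey ID 0x73357D11)
file.pgp:verify (3044:subkey ID 0x73357D11 belongs to 0xCF73E89C Jon Test <jt@eng.pgp.com>)
file.pgp:verify (1080:no private key could be found for decryption)
"""
# Constructed listing: the 'pair' row is from the thread, the 'pub' row is made up.
SAMPLE_LISTING = """\
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 2048/2048 [-----] 0xD373AF0B user3 <user3@ag.dom>
 RSA4 pub  2048/2048 [-----] 0xCF73E89C Jon Test <jt@eng.pgp.com>
2 keys found
"""

def norm(key_id):
    """Normalise a key ID so 0xcf73e89c and 0xCF73E89C compare equal."""
    return "0x" + key_id[2:].upper()

def parse_status(text):
    """Return {code: message} for every status line in verbose pgp output."""
    hits = (STATUS.match(line) for line in text.splitlines())
    return {int(m.group(3)): m.group(4) for m in hits if m}

def parse_listing(text):
    """Return {key ID: 'pair' or 'pub'} from `pgp -l` output."""
    hits = (ROW.match(line) for line in text.splitlines())
    return {norm(m.group(2)): m.group(1) for m in hits if m}

def triage_1080(status_text, listing_text):
    """Classify a 1080 failure by how the owning key appears in the listing."""
    status, keys = parse_status(status_text), parse_listing(listing_text)
    if 1080 not in status:
        return "no-1080"
    ids = KEYID.findall(status.get(3044, ""))  # [subkey ID, owning key ID]
    if len(ids) < 2:
        return "owner-unknown"       # no 3044 line, so no owner to look up
    kind = keys.get(norm(ids[1]))
    return {"pair": "pair-present", "pub": "public-only"}.get(kind, "not-in-keyring")
```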



  • 3.  RE: 1080 No Private Key

    Posted Feb 26, 2015 05:28 PM

    Hi HTH,

    Thanks for your reply on this.

    As it turns out, I suspect that the incorrect key was used to encrypt the files. I've raised the issue with the sender and they've re-sent a 2nd set of encrypted files which I was then able to decrypt (with no change from my side).

    If "--private-keyring" and "--public-keyring" have been specified in the "pgp --decrypt" command, is that the equivalent of the "key pair" that you were mentioning? I'm assuming it is, as I'm able to decrypt the files without registering the key pair. And if it is, how do I create this "key pair"?

    My current method, while it is able to decrypt the file, would chuck out a "3037:cannot verify signature" message and result in a "3090:operation failed, unknown error" message.

     

    ~des

     



  • 4.  RE: 1080 No Private Key

    Broadcom Employee
    Posted Mar 10, 2015 04:41 AM

    Hi,

     

    Have a look into this KB:

     

    HOW TO: Use PGP Command Line to Create and Manage PGP Keys

    http://www.symantec.com/docs/HOWTO41935

     

    Key-pair can be created this way for example:

     

    C:\Program Files\PGP Corporation\PGP Command Line>pgp --gen-key testkey@ag.dom --key-type rsa --encryption-bits 2048 --passphrase testpass


    C:\Users\Administrator.WIN-QRTSQM73FFM\Documents\PGP\pubring.pkr:generate key (0:file created successfully)
    C:\Users\Administrator.WIN-QRTSQM73FFM\Documents\PGP\secring.skr:generate key (0:file created successfully)
    testkey@ag.dom:generate key (2078:non-standard user ID)
    Acquiring entropy from system state....done
    Generating key testkey@ag.dom
    progress..........................******* ......................................
    ................................******** done
    0x5362ECF4:generate key (0:key successfully generated)
    Acquiring entropy from system state....done
    Generating subkey
    progress.....******** .............******* done
    0xA5860B75:generate key (0:subkey successfully generated)

     

    C:\Program Files\PGP Corporation\PGP Command Line>pgp -l
     Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [VI---] 0x5362ECF4 testkey@ag.dom
    1 key found

    C:\Program Files\PGP Corporation\PGP Command Line>

     

    So when you create a keypair, the keys are automatically signed. Similarly, when you import a key and once you are sure a key belongs to the correct person, you can sign that person’s public key, indicating that you have verified the key.
     

    Look into this KB please for the signing part:

    Unable to trust public key with PGP Command Line
    http://www.symantec.com/docs/TECH149450

    pgp --sign-key <user> --signer <signer> --sig-type <type> --passphrase <pass> [options]

    Example:

    pgp --sign-key "Bob Smith" --signer "alice@example.com" --sig-type exportable --passphrase "A1ice*cam3r0n"
    0x6245273E:sign key (0:certified user ID Bob Smith <bob@example.com>)

    Signs Bob’s key with an exportable signature.

     

    So verification of the signature takes place during the decryption process. In your case verification is failing, showing "3037:cannot verify signature", and then proceeding further (if there are no other errors) it finally shows error code "3090:operation failed, unknown error", which relates to "3037 verification signature", although you are still able to decrypt the file. Just sign the public key of the recipient with your key and you should not have this error anymore.

     

    HTH