Re: makecert EnvelopedData 'bad key'

From: magister (MBaskey2003_at_yahoo.com)
Date: 11/18/03 

Date: 17 Nov 2003 17:20:25 -0800

> > I think maybe I don't even need the server to decrypt anything, but
> > rather 3 clients. Client A submits some encrypted files with
> > signiture (with options to allow either just client B or both client B
> > and C to decrypt) , client B validate signature, and cosign data, and
> > can always decrypt everything (admin) (may also decrypt and reencrypt
> > for client C), client C can verify cosignature from client B and
> > signature from client A and decrypt and thus process files in the
> > workflow.
> >
> > I am not sure I would have a symetric key encryption, because I am
> > basically in a safe intranet environment, but still must ensure that
> > documents can be pass confidentially and only for certains eyes only.
> > I would think asymetric where client A's file are encrypted with the
> > public key of client B and sign with their own (client A's) private
> > key is what I am looking for. However if the file was intended for
>
> You can only encrypt (or sign) a small amount of data with RSA asymmetric
> cipher .. typically ~ (key size -11), so for standard 1024 bit (128 bytes),
> you can only encrypt 117 bytes of data! That is why you need symmetric
> cipher.
> If you want confidentiality, you need encryption (over the wire with SSL,
> persistent on desktop or server via file encryption of some sort).

Yes I think perhaps I could use asymetric encryption to generate a
session key to use for symetric encryption or perhaps use the one way
hash value available in the
Request.ServerVariables("HTTP_Authentication") in a NT
challenge/response setup. Of course if I could setup SSL with just
makecert that would sure make my day.....is there a way to setup SSL
with makecert?

> > client B and C then is there a way to encrypt the same file with 2
> > public keys, or perhaps I could have client B as the master key
> > holder, and essentially owns the private key of client C as well as
> > its own.
> >
> > I know my question is getting more complex, and perhaps a bit
> > convuluted, hopefully however some logic does come through in my
> > explaination. Perhaps also you can see some flaw in it. Anyway if
> > there is a more comprehensive resource on using makecert that you know
> > of it would help me, even just knowing that what I explain above is
> > possible, it would be a great help. The scant info on msdn and the
> > varied responses on usenet postings gives me very little to go on.
>
> The best (and only detailed) overview of makecert and related is:
> http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/signing.asp

A bit more verbose, thanks, still lacking though, not exactly
comprehensive but I have come to expect that from ms, will have to
spend some more time doing trial and error to figure this out. As long
as the solution is there then it will be worth it.

> > Although from a non-Java background, I also am finding CAPICOM to have
> > the potential I need to make a really nice secure workflow oriented
> > web app, if I could only work out these certs. Unfortunately
> > Certificate Services is not a possibility, but my impression is that
> > makecert will do.
>
> CAPICOM's strength is ability to very easily handle CryptoAPI certificate
> stores, and generate and verify standard CMS/SignedData, EnvelopedData
> and Authenticode SignedCode. It does not have functionality to generate certs
> or keypairs explicitly.

Yes so no way to install trusted certs in code, probably for the
better, yet it would keep my intranet users from having to do too many
fancy things on their pcs. Perhaps I can just lump them into a trusted
domain and run shell scripts through IE.

> > Also concerning the makecert command that you did provide me, how can
> > I make that certificate appear as trusted.....? Surely if this is for
> > my local intranet I do not have to pay Verisign?
> >
> If you generate a "self-signed" certificate, (using -r switch), then you can easily
> make it trusted by importing the certificate to the Root certificate store (after
> exporting it, say, from your CU MY cert store). Since the Subject is the same
> as the Issuer, this will provide trust ladder validation, even though the certs
> are in fact the same :-)

Of course....makes perfect sense now, so easy to let these things
confuse you.

Many Thanks,
Matt

Relevant Pages

  • RE: Cannot decrypt files encrypted using Crypto API on a different
    ... previous message which uses the recipien't public key.) ... KEK (key encryption key) to protect the session key. ... embedded into your client app and server code). ... but what is the point to encrypt the data if ANYBODY can decrypt it (since ...
    (microsoft.public.platformsdk.security)
  • Re: username and Password sent as clear text strings
    ... encryption of the traffic. ... SSL is used. ... client, it would seem like too much hassle for a low possibility hack. ... This is how all web applications on the planet work today by design. ...
    (Pen-Test)
  • Re: username and Password sent as clear text strings
    ... encryption of the traffic. ... SSL is used. ... client, it would seem like too much hassle for a low possibility hack. ... This is how all web applications on the planet work today by design. ...
    (Pen-Test)
  • Re: XP wireless questions ...setting encryption
    ... I never use the Linksys software for drivers. ... 802.1x authentication is only used with WPA encryption. ... wireless network. ... The manufacturers client program ...
    (alt.internet.wireless)
  • Re: recovering encrypted files with encryption key via network cli
    ... I can disable simple file sharing on the client, which is XP pro and get ... In XP Pro ... that I can do a clean reinstall of windows on the faulty system. ... EFS encryption option) on the hard disk of the faulty system. ...
    (microsoft.public.windowsxp.help_and_support)
Quantcast