| By Wayne Graham |
Article Rating: |
|
| September 15, 2004 12:00 AM EDT |
Reads: |
42,219 |
To allow your users to provide their own public key to your public keyring, the importKey() method is particularly useful. By passing the importKey() method the public key you are able to store it for use on your public key ring. If the key is invalid, an error data stream is returned:
badKey = gpg.importKey("not a key");
<cfoutput><pre>#badKey#</pre></cfoutput>
which generates the following message:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
If you would like to maintain your user's keys on the server, you can generate key pairs by invoking the newKey() method. This method takes several arguments: a real name, comment (helps differentiate people of the same name), e-mail address, expiration date (see comments for usage), and a passphrase. Again, since this method passes sensitive data, as do most methods in the GnuPG object, it is important to secure the transmission of that data via SSL. The newKey() method does take a few seconds to complete, as GnuPG implements complex mathematical algorithms to generate your public and secret keys.
Signing data is another important aspect of this wrapper. Signing allows others to verify that a data stream was not tampered with, be it a Web page, source file, image, or any other type of data stream. As with encrypt and decrypt, you utilize the sign/verify methods in the CFC.
signed = gpg.sign("Text to sign.", "passphrase");
verify = gpg.verify(signed);
The output from the verify variable will notify you if the signature matches the key ring. One potential use of this is to sign download files that you might host on your site. The examples included with this article show you how to create a file upload system that automatically signs files that you might have on your Web site for download. Also included, is a simple e-mail encryption example that allows you to quickly integrate encrypted e-mail into your existing ColdFusion e-mail application. Examples using this CFC and Java wrapper can be downloaded from www.sys-con.com/coldfusion/sourcec.cfm.
Conclusion
The CFC and Java wrappers for Gnu Privacy Guard make it nearly painless to integrate strong encryption into your programming projects. However, if you do not take the proper steps in encrypting transmission, or remain vigilant in your security implementation using strong key encryption methods as provided here, your work will be for naught. GnuPG does a very good job at securing data, as long as the passphrase is kept secret. Developing an encryption system that does not require user intervention will require the storage of passphrases in a database or other persistence mechanism. It is essential that this security issue be addressed during the design phase of your project, and that steps be taken to properly obfuscate the passphrases.
References
van Oorschot, P., and Wiener, M. 1994. "Parallel Collision Search with Applications to Hash Functions and Discrete Logarithms." 2nd ACM Conference on Computer and Communications Security. ACM Press.
The Diceware Passphrase FAQ: http://world.std.com/~reinhold/dicewarefaq.html#howlong
Subscribe to ColdFusion Developer's Journal Email News Alerts
Subscribe via RSS
