Creating PGP-Encrypted E-Mails Using ASP - Article (Page 2 of 2 )
The Concept of PGP
For PGP-based communication both the sender and receiver should have public and private key pairs. The sender's public key should be distributed to the receiver. Similarly, the receiver's public key should be distributed to the sender. When sending a message or a file, the sender can sign using his private key. Also, the sender's private key is never distributed.
Signing
Signing an e-mail message means the sender attaches a digital ID to it so that the recipient knows the sender. Signing authenticates a message, but it does not provide protection.
Encrypting
Encrypting a message means converting the information into a "scramble" format; only the true recipient can "unscramble" it. Encrypting a message requires that you have the recipient's digital ID.
Installation and Configuration of PGP Command Line
The Massachusetts Institute of Technology (MIT) distributes PGP Freeware without cost for personal, noncommercial use at http://web.mit.edu/network/pgp.html. A commercial version of PGP is offered as a PGP E-Business server product. For the commercial version, contact PGP Security, a subsidiary of Network Associates Technology, Inc., at http://www.pgp.com/products/whatsnew/pgp-ebusiness-server-71.asp. If you have already installed and configured PGP Command Line, skip this section.
Installation of PGP Command Line Run the setup and install in your preferred location.
Configuration of PGP Command Line Before sending an encrypted mail, PGP needs to be configured. The steps for configuration are given below:
Generation of key pair
Extracting public key
Adding recipient's public key
Generation of Key Pair
Key-pair generation can be invoked by command 'pgp -kv'. You will be prompted for the following steps during the key-pair generation process.
Key type
Key algorithm
Key size
Public ID for user key
Validity period of signing key
Pass phrase
Digital Signature Standard -- Diffie-Hellman (DSS/DH) is a recommended key algorithm. RSA (Rivest-Shamir-Adleman), a cryptology method by RSA Data Security, Inc., that uses a two-part key, can also be used, and this is the only algorithm supported by the older versions (2.x or earlier) of PGP. During the process, select the key size and type that suits you.
Follow the screenshots that show the key-generation process.
Extracting the Public Key
A public key should be exchanged between the sender and recipient before starting communication. A public key can be extracted in a text file and distributed to the recipient. Keys can be extracted using the command 'pgp -kx userid keyfile'. A screenshot of extracting the key appears below:
Adding Recipient's Public Key
As a part of the key-exchange process, the recipient's public key should be added to the sender's key ring. The public key can be using the command 'pgp -ka keyfilename'. A screenshot of adding the key appears below:
After confirming the authenticity of the public key, you can sign them. While encrypting a file using a recipient's ID, you will be prompted with a warning about the trustworthiness of the public key. Signing will eliminate the prompting of warning during the encryption process of a message. A key can be signed using the command 'pgp -ks userid'.
Generation of PGP-Encrypted E-mails from ASP
Earlier sections of this article have detailed the installation and configuration of PGP Command Line. How this process helps in sending encrypted mails from ASP will be discussed in this section. Generally the information that needs to be encrypted is first written as a text file. Then the file is signed, encrypted, and mailed. The following is the command used to encrypt a text file (refer to the PGP Command Line users guide, available at http://www.pgpi.org/doc/guide/6.5/en/cmdline/ for other option. The guide in pdf format is also packaged with the product.)
The description of command-line options used: s - sign e - encrypt a - creates an ASCII-armored output file with extension .asc when you sign or encrypt t - input is a text file
An ActiveX control is created with the functionality to encrypt and sign a text file. This ActiveX can be invoked in an ASP page. After encrypting, the file can be sent as an e-mail using any mail component. The ASP and the control code are shown below.
ASP Code
<% Set xObj = Server.CreateObject("XCrypt.Crypt") xObj.boolLogStatus="True" xObj.strLogFilename="c:\pgpcmd\log.log" x=xObj.encrypt("c:\PGPCmd\PGP.exe","c:\PGPCmd\message.txt", "selva.kumar@xpedior.com", "unknown@xyz.com", "sel123") Set xObj=nothing %>
Control Code
Public Function encrypt(strPGPLocation As String, strFileLocation As String, strSender As String, strRecipient As String, strPassphrase As String) As String '****************************************************** 'Author: Selva Kumar 'Purpose: PGP Encryption '****************************************************** 'Variables: 'strPGPLocation - Location of command line PGP. Ex:C:\PGP\pgp.exe 'strFileLocation - Location of file to be encrypted 'strSender - Sender's e-mail address 'strRecipient - Recipient's e-mail address 'strPassPhrase - Passphrase of signing key 'strCryptFileName - Encrypted file name 'strOptions - By default, -seat. Refer PGPCommandLine manual for further options 'Variable declarations Dim strCryptFilename As String Dim strCommand As String Dim boolExeStatus As Boolean Dim strOptions As String Dim ws 'Variables assignment strOptions = "-seat" strCryptFilename = strFileLocation & ".asc" boolExeStatus = True If boolLogStatus Then writeLog ("***** Entering encrypt function - initialization succeeded *****") End If 'Check for the existence of pgp executable If Dir$(strPGPLocation) = "" Then encrypt = "PGP executable not found" boolExeStatus = False If boolLogStatus Then writeLog ("----- Error: PGP executable not found -----") End If Exit Function Else If boolLogStatus Then writeLog ("+++++ PGP executable found +++++") End If End If 'Check for the existence of input file If Dir$(strFileLocation) = "" Then encrypt = "Input file not found" boolExeStatus = False If boolLogStatus Then writeLog ("----- Error: Input file not found -----") End If Exit Function Else If boolLogStatus Then writeLog ("+++++ Input file found +++++") End If End If 'Check for the existence of encrypted output file. 'If the output file exists ' the file will be deleted and the encryption command is executed 'else ' The encryption command is executed If boolExeStatus Then strCommand = strPGPLocation & " " & strOptions & " " & strFileLocation & " " & strRecipient & " -u " & strSender & " -z " & """" & strPassphrase & """" If Dir$(strCryptFilename) = "" Then Shell (strCommand) encrypt = strCommand Else If boolLogStatus Then writeLog ("+++++ The output file already exists +++++") End If Kill (strCryptFilename) If Dir$(strCryptFilename) = "" Then If boolLogStatus Then writeLog ("+++++ The output file was deleted +++++") End If Else If boolLogStatus Then writeLog ("----- Error: Deleting output file -----") End If End If Shell (strCommand) If boolLogStatus Then writeLog ("***** PGP encryption command executed *****") End If encrypt = strCommand End If End If End Function
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.
ASP 
/ 18 
HTTP Tunneling Revealed: Part 1/3
