- 05-20-2009 #1 Just Joined!
- Join Date: May 2009
- Posts: 1
:: Cryptography on Linux ::
I need to develop a system which interacts with a web service by sending encrypted information to it on Linux. Kindly help me with my queries:
a) Linux does not provide a CSP (Cryptographic Service Provider) as in Windows, so who is responsible for handling keys?
b) If everything in Linux is a file, the private keys used in PKI will also be saved as a file. Is it the only approach we have or is there any other secure way?
c) We want our system to be used by any user (admin/non-admin/root), so how to go about achieving it if we go and restrict our access to private keys?
d) We need to use OpenPGP or OpenSSL libraries for encryption/decryption, correct?
e) What is the best way to go about solving this issue of key management on Linux?
Thanks in Advance.
Last edited by manas4u; 05-20-2009 at 05:50 PM. Reason: More questions added
- 05-22-2009 #2 Linux User
- Join Date: May 2009
- Location: Big River, Sask, Canada
- Posts: 342
Pretty Good Privacy - Wikipedia, the free encyclopedia
downloads - pgp.com
Free PGP Encryption Platform Evaluation - Download PGP Universal Server, Whole Disk Encryption, NetShare and More
PGP Download Center - Free Encryption Products and Documentation - PGP Desktop Trial, Source Code and More
PGP uses public-private keys. The intended recipient is the only one who can decode a message.
Registered Linux User #420832
- 05-22-2009 #3
You are. CSP, itself (or CAPI to be more specific) is not responsible for key management. It's simply a programming interface into some of the more popular cryptography algorithms.
> b) If everything in linux is a file, so the private keys used in PKI will also be saved as a file.. Is it the only approach we have or any other secure way?
Put it this way: any key management approach you can think of for Windows can be implemented in Linux. Key management is a platform-independent problem so if you're not comfortable with keeping the private key in a secure directory with limited permissions, maybe you can try something more elaborate like saving the key to a USB token and giving the owner of that token the possession of it.
> c) We want our system to be used by any user (admin/non-admin/root) so how to go about achieving it, if we go and restrict our access to private keys?
Why should the keypair(s) be shared between users? Why not give each user their own? If you give multiple users access to the same private key, you sacrifice one of the key features of public key cryptography: non-repudiation. Any user can send off a message signed with that private key and blame it on one of the other users who also has access to it. This may or may not be a concern of yours but the correct way of doing things would be to give each user who should have access to this system their own keypair.
> d) We need to use OpenPGP or OpenSSL libraries for encryption/decryption correct?
You don't have to but those are two libraries that have been thoroughly reviewed by the cryptography community and are considered viable.
> e) What is the best way to go about solving this issue of key management on linux.
There really is no "best" way. There's only the way that best suits your system. From your post, I don't know if we have enough information to determine the best approach.
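Added example, not part of any post in this thread: one way to apply the advice in reply #3 (a private key kept in a directory with limited permissions, one keypair per user) is to store each user's key as a 0600 file in a 0700 directory and audit that before the key is used. The function names, directory layout and key bytes are hypothetical, and the key content is a constructed placeholder.

```python
import os
import stat
import tempfile

def store_private_key(directory, name, key_bytes):
    """Write key_bytes to a new 0600 file inside a 0700 per-user directory."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # tighten a directory that already existed
    path = os.path.join(directory, name)
    # O_EXCL: never reuse an existing file; the mode applies from creation on
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key_bytes)
    return path

def audit_private_key(path):
    """Return the problems found with how a private key file is stored."""
    st = os.lstat(path)  # lstat: inspect the path itself, not a symlink target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != os.getuid():
        problems.append("file owned by uid %d, not the caller" % st.st_uid)
    if mode & 0o077:
        problems.append("file mode %04o grants group/other access" % mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid not in (os.getuid(), 0):
        problems.append("directory owned by another non-root user")
    if stat.S_IMODE(parent.st_mode) & 0o022:
        problems.append("directory is writable by group/other")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # stands in for a user's home
        key = store_private_key(os.path.join(home, "keys"), "user.key",
                                b"constructed sample bytes, not a real key\n")
        print(audit_private_key(key))   # freshly stored key
        os.chmod(key, 0o644)            # simulate a key left world-readable
        print(audit_private_key(key))
```

An application would call `audit_private_key` before loading the key and refuse to continue when the list is not empty.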
- 06-04-2009 #4 Linux Newbie
- Join Date: May 2007
- Posts: 106
Have you ruled out GNU Privacy Guard for some reason? It is very useful for this type of task.



