© Herbert Hanewinkel
For securing web forms with public key encryption.
How to integrate it with existing PKI?
- Many sites use small key sizes for demonstrating the public key encryption only.
- a special mail reader with decryption software in Java, e.g. Ernest Hammingweight's MeringueMail
How to secure form data without any "special" processing software for decryption using standard keys sizes (>= 1024 bits)?
My provider offers a CGI program formmail.pl to forward form data as mail, a solution that is offered by most providers.
Encryption could be done automatically and hidden before transmission.
- The CGI program formmail.pl forwards the encrypted contents as mail.
- The mail is automatically decrypted by the receiver using a GnuPG/PGP mail plugin.
Decryption is done automatically by a GnuPG mail plugin for your favorite mail client.
The OpenPGP message format is described in RFC 2440 / RFC 4880 and implemented in the GnuPG software. PGP message encryption is based on symmetric encryption of a message using a random session key and public key encryption of the session key.
My contact form offers encryption for sending me confidental messages. It is coded to use my PGP 1024 bit RSA public key.
- rsa.js -- RSA encryption/decryption
- aes-enc.js -- AES encryption.
- mouse.js -- entropy collection from mouse motion and key press timing.
- PGencode.js -- OpenPGP message encoding.
- base64.js -- OpenPGP radix-64 encoding.
- PGpubkey.js -- RSA/Elgamal public key extraction from a PGP public key block.
- sha1.js -- SHA-1 implementation from Paul Johnston for OpenPGP Version 4 key ID calculation.
The packet decoder could be used as a starting point and extended for decrypting PGP encrypted messages:
Secret keys are stored by GPG by default CAST-128 encrypted.
- PGdecode.js -- Extracts values from PGP key and data blocks.
- PGP packet decoding -- Simple frontend for PGdecode.js.
- cast5.js -- CAST-128 encryption/decryption.
How the algorithms work:
Is it secure?
- The software encrypts form data at the client before transmission using strong public key encryption. An encrypted message is secured at the level provided by an RSA or Elgamal 1024 bit key, e.g. decryption of a single message will need a few month.
References & Links:
- RFC 4880: OpenPGP message format
- Gnu Privacy Guard
- John Walker's Browser-Based Cryptography Tools
- RFC 2144: The CAST-128 Encryption Algorithm
If you have questions regarding the software, send me a mail.
Please note that I can not answer requests about encryption in general.