Lost Newbie

Richard Lynch lynch at lscorp.com
Thu Sep 24 20:00:31 CEST 1998

I'm pretty much lost, and am not even sure if gnupg is the tool that I
thought it was...

Here's what I want to do:

In a PHP script on my web server, use gnupg to encrypt a credit card
number, (I guess using some password that only I and/or the client know).
Err, make that a public password to encode.  See below.

E-mail that encrypted data to somebody on a Mac or PC.

They pull out their secret decoder ring, plug in the password (make that a
private decoding password) and the encrypted text, and out pops the
customer's credit card number.

I'm not so worried that their e-mail client has some fancy plug-in to
automagically decrypt the message, but that would be a nice plus.

This is for starving musicians to sell a CD or two a month, and maybe even
be able to pay back the pressing costs of the CD.  Studio time, rehearsal
time, advertising, etc are pretty much just written off as cost of doing
business loss, which is why they're called starving musicians.  So,
commercial options are right out...

Anyway, I've read the README, and the web page and its man page, and I'm
totally lost with the keys and keyrings and trusted users.  I somewhat
understand the point of keyrings in terms of ensuring that the data came
from the right person, but I'm not sure how/if I need to apply it in terms
of what I want to do.

I haven't even begun to figure out how I'm gonna get the "secret decoder
ring" running on their Macs or PCs.  I guess I could telnet in to the
server, decode the cc# for them, and they'd feel happy, but it seems to me
that anybody smart enough to be snagging cc#s in the first place could
happen upon my telnet session and snarf them out of there, too.  Of course,
it's not like the decoding will happen often enough to be high profile to
anybody, but I might as well do this right, if I'm going to do it.

If it's the only option, I'm willing and more-or-less able to write a
minimal c++ client for PC (and Mac, if I can find a compiler).  By minimal
I mean slapping a two-box interface on top of gpg that takes in the
password and encrypted text, calls the gpg decoder with them, and prints
out the result text.  By able I mean that I can compile a gpg library, I
reckon, if somewhat slowly and with many halts while I try to figure out
what the hell is wrong with Windoze that Unix expects to be there, and I'm
an interface hacker by trade, so I got that part down.  :-)

I tried just messing around a little with what would seem to me to be
reasonable flags to gpg.  I even found a combination or two that didn't
yell at me. :-)

./gpg -r -e /pathtosillyfile/test.txt

Alas, I can't seem to find any output file from this, so my excitement at a
lack of an error message was premature.

Then I noticed the -o (--output flag) and tried:

./gpg -r -e /pathtosillyfile/test.txt -o /pathtosillyfile/secret.txt

which apparently is an invalid combination...

So, where is my intuitive kick-the-tires approach going wrong, and what
concept[s] do I need to wrap my brain around?

I understand the basics behind psuedo-random prime number driven
encryption, more or less, from courses long, long ago, and even ported an
example RSA encryptor through a Lisp compiler upgrade a few years back.
Some word size changed or something, so I had to pick some new prime
numbers.  Figuring out that was what was wrong pretty much took me through
the whole thing, though.  I understood it well then, but it's a little hazy

I'm not super concerned about password security itself.  I can transmit
them by sneaker-net or phone lines, except for the script itself on the
server, which I'll be telneting back and forth...  Hmmm.   Guess I want a
public encoding password, but a private decoding password, if that is a
possibility in this bewildering array of keys, options, and buzzwords.

Well, I hope all this doesn't sound too stupid, and somebody can point me
in the right direction for understanding all the documentation I've read,
but only understand on a surface level.


-- "TANSTAAFL" Rich lynch at lscorp.com

More information about the Gnupg-devel mailing list