Decryption through CGI/Perl script

Mark Malkasian mark@web-crafter.net
Tue, 2 May 2000 22:04:08 -0400


I'm hoping to apply this to a small online ordering system for 
history books (i.e., a low-volume site). When a customer places 
his/her order, the info (including credit card details) would be 
saved as an encrypted file. (At the same time, an unencrypted e-mail, 
without cc details, would be sent to the site administrator informing 
him of the order.) Each day, the site administrator would retrieve 
the orders through the web form outlined below. The program would be 
password-protected and operate under SSL. The decrypted output 
wouldn't actually be printed to a file. (That's for testing 
purposes.) Rather, it would be displayed on the site administrator's 
screen. He would then print a copy on his office printer and delete 
the encrypted file. Then, he'd be able to process the credit card 
info at his convenience. No, it's not a solution I'd recommend for 
Amazon.com, but we're talking about a site that would be very happy 
to get 100 orders a month.
Best,
Mark Malkasian


>
>How does this provide the user any security at all? I'm failing to see
>this.
>
>On Tue, 2 May 2000, Mark Malkasian wrote:
>
> > Hi All,
> >
> > I'm working on a CGI script in Perl that would allow users to decrypt
> > GnuPG-encrypted files on the web. (I'm trying to avoid the hassle of
> > guiding them through the process of setting up and using PGP on their
> > Windows machines and also to accommodate Mac users.) Users are
> > presented with a web form asking them to submit their passphrase.
> > (Transmission would take place under SSL.) The script then inserts
> > the passphrase into a GnuPG command and executes the command by
> > opening a pipe (or using backticks, or a system call, etc.) to the
> > gpg executable.
> >
> > I should note that my web site is being hosted remotely and our
> > sysadm isn't particularly flexible. To get GnuPG working at all, I
> > picked up a copy of the compiled gpg executable from another
> > subscriber to this list, Greg McKean, and uploaded pubring.gpg,
> > secring.gpg, and trustdb.gpg to the server after creating them on my
> > local Windows machine.
> >
> > From browsing the mailing list archive, I cobbled together a
> > bare-bones test script (see below). I have no problem creating an
> > encrypted file. Moreover, I'm able to download the file to my local
> > machine and decrypt it there. However, as you may have guessed,
> > providing the passphrase to gpg has tripped me up. When I run the
> > script below for decryption, I get the following error message:
> >
> > gpg: encrypted with 1024-bit ELG-E key, ID E91E3613, created 2000-05-02
> > "test1 (Test) <mark@web-crafter.net>"
> > gpg: public key decryption failed: bad passphrase
> > gpg: decryption failed: secret key not available
> >
> > Is there a way around this, or does it make more sense to retreat and
> > declare victory? (BTW, if I were managing my own server I'd take a
> > look at the GnuPG-Interface module Frank Tobin has put together. See
> > http://GnuPG-Interface.sourceforge.net/ . Very impressive.)
> >
> > Best,
> > Mark Malkasian
> >
> >
> > #!/usr/local/bin/perl
> >
> > $| = 1;
> >
> > print "Content-type: text/html\n\n";
> >
> > $gpg_path = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
> > $gpg_config_files = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";
> > $ENV{"GNUPGHOME"} = $gpg_config_files;
> >
> > # To encrypt a test file, uncomment the line below.
> > # $gpg_command = "$gpg_path -r test1 --output /u/web/myuserid/test.gpg --encrypt /u/web/myuserid/test.txt";
> >
> > $gpg_command = "$gpg_path --batch --passphrase-fd 0 --output /u/web/myuserid/decrypt.txt --decrypt /u/web/myuserid/test.gpg < test";
> >
> > # Execute command. Capture STDOUT and STDERR and print it to screen.
> > open(READ, "$gpg_command 2>&1 |") or die "Failure on open $!\n";
> > while (<READ>)
> > {
> > $output .= $_;
> > }
> > close (READ) or die "Failure on close $!\n";
> > print $output;
> > -------------------------
> > Mark Malkasian
> > mark@web-crafter.net
> > http://www.web-crafter.net
> >
>
>__
>
>L. Sassaman
>
>System Administrator |
>Technology Consultant | "To hold a pen is to be at war."
>icq.. 10735603 |
>pgp.. finger://ns.quickie.net/rabbi | --Voltaire
-------------------------
Mark Malkasian
mark@web-crafter.net
http://www.web-crafter.net
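As an added example (not Mark's script and not part of this thread), here is how the posted CGI could hand the form passphrase to gpg on fd 0 through a pipe using an argument list rather than a shell command string, so the passphrase never sits in a command line or process listing and shell metacharacters in it are never interpreted. The paths, the `order` and `passphrase` form fields and the orders directory are assumptions.

```perl
#!/usr/local/bin/perl
# Added example, not the posted script: hand the form passphrase to gpg on
# fd 0 through a pipe, using an argument list so no shell parses anything.
use strict;
use warnings;
use CGI;
use IPC::Open3;
use Symbol 'gensym';

$| = 1;

# Same layout as the posted script; these paths are assumptions.
my $gpg_path  = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg/gpg";
my $order_dir = "$ENV{DOCUMENT_ROOT}/cgi-local/orders";   # assumed location
$ENV{GNUPGHOME} = "$ENV{DOCUMENT_ROOT}/cgi-local/gnupg";

# Run gpg without a shell. Returns (exit status, plaintext, diagnostics).
sub gpg_decrypt {
    my ($gpg, $passphrase, $in_file) = @_;
    my $err_fh = gensym;                 # open3 wants a real glob for stderr
    my $pid = open3(my $in_fh, my $out_fh, $err_fh,
        $gpg, '--batch', '--no-tty', '--passphrase-fd', '0',
        '--decrypt', $in_file);
    print {$in_fh} "$passphrase\n";      # newline-terminated, on fd 0 only
    close $in_fh;
    local $/;                            # slurp; gpg's stderr is a few lines,
    my $plain = <$out_fh>;               # so draining stdout first cannot block
    my $diag  = <$err_fh>;
    waitpid $pid, 0;
    return ($? >> 8, $plain || '', $diag || '');
}

my $q = CGI->new;
print "Content-type: text/plain\n\n";    # plain text: the order is shown, not rendered
# The client supplies only a numeric order id; the file name is built here.
my $order = $q->param('order');
$order = '' unless defined $order;
my ($id) = $order =~ /^(\d{1,8})$/;
unless (defined $id) {
    print "Bad or missing order id.\n";
    exit 0;
}
my $passphrase = $q->param('passphrase');
$passphrase = '' unless defined $passphrase;

my ($status, $plain, $diag) = gpg_decrypt($gpg_path, $passphrase, "$order_dir/$id.gpg");
undef $passphrase;                       # drop the secret as soon as gpg has it
if ($status == 0) { print $plain }
else              { print "gpg exited with status $status:\n$diag" }
```

This fixes only the command-line handling; the design point raised in the reply stands, since the secret keyring and every passphrase still pass through the web server process.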