|
9 | 9 | coded in Python3. |
10 | 10 |
|
11 | 11 | All cryptlib tools can replace complex OpenSSL code by using Cryptlib and are designed |
12 | | - to interoperate with programs that are widely used and established like gpg2 and openssl. |
| 12 | + to interoperate with programs that are widely used and established like gpg2, openssl |
| 13 | + and Email clients like Thunderbird or Outlook. |
| 14 | + |
| 15 | + ## claes - File Encryption Using Pure AES |
| 16 | + |
| 17 | +If you use only one of these programs, either openssl or gpg2 for file encryption, |
| 18 | +the resulting encrypted cipher texts are stored in a format that cannot be interchanged with the other. |
| 19 | +GnuPG aims to implement the OpenPGP standard with |
| 20 | +various degrees of success in a format that consists of packets described in |
| 21 | +<a href="https://datatracker.ietf.org/doc/html/rfc4880">RFC-4880</a>, |
| 22 | +while OpenSSL (accessed via the command line tools) can produce cipher text in CMS-format or in |
| 23 | +<a href="https://www.openssl.org/docs/man1.1.1/man1/enc.html">its own proprietary format</a>. |
| 24 | +As it is seen so often, both worlds (although using AES) cannot talk to each other easily. |
| 25 | + |
| 26 | +But the tool <a href="https://senderek.ie/cryptlib/tools/claes"><b>clAES</b></a> is made to talk to both, |
| 27 | +as it can produce OpenPGP messages (as the default) and additionally |
| 28 | +switch to CMS or OpenSSL message formats if need be. |
| 29 | +In any case, the input data is encrypted with a passphrase that the user provides to the program |
| 30 | +and AES will always be used as the only encryption method. |
| 31 | + |
| 32 | +``` |
| 33 | +claes [-debug] [-decrypt] [-cms | -openssl [-128]] [FILE | -] |
| 34 | +``` |
| 35 | +## clkeys - Public and Private Key Management |
| 36 | + |
| 37 | +One of the main features of <a href="https://senderek.ie/cryptlib/tools/clkeys"><b>clkeys</b></a> is to |
| 38 | +generate RSA and DSA asymmetric keys and to store these keys safely in a file in the PKCS#15 token format. |
| 39 | + |
| 40 | +If you ever have imported RSA keys for use in an email client like thunderbird, you'll probably |
| 41 | +know that this software expects both the private and the public key together in a single file |
| 42 | +in PKCS#12 format. This bad habit has become common-sense, despite the fact that the PKCS#12 |
| 43 | +format is a <a href="https://www.usenix.org/legacy/event/sec02/full_papers/gutmann/gutmann.pdf"> |
| 44 | +weak format and a bad idea to store a private key</a>. |
| 45 | + |
| 46 | +Cryptlib, on the other hand, will always store private keys in the PKCS#15 format, a format that is |
| 47 | +used with cryptographic tokens like Smart Cards, where the keys never leave the device. |
| 48 | +Because one of the principal design features of Cryptlib is that it never exposes private keys to outside |
| 49 | +access, Cryptlib chooses to use the PKCS#15 format with no exception. |
| 50 | +So do not wait (or even wish) for a conversion tool that makes Cryptlib-generated keys available in |
| 51 | +a PKCS#12 format file. It makes no sense to deliberately reduce the security of your private keys |
| 52 | +just because some email client wants them in a weak format only. |
| 53 | + |
| 54 | +In addition to generating RSA and DSA public key pairs, clkeys can generate certificate signing requests |
| 55 | +for a public key and also import self-signed certificates or certificates signed by an external CA. |
| 56 | +All files that clkeys will create (cert requests and certificates) can be used by other software, |
| 57 | +just the private key remains secure in a PKCS#15 format file, that will be used with Cryptlib exclusively. |
| 58 | + |
| 59 | +``` |
| 60 | +clkeys generate [-DSA] KeysetName [-SIZE RSABits] [-CN YourName] |
| 61 | +clkeys request KeysetName [-CN YourName] |
| 62 | +clkeys import KeysetName CertFile |
| 63 | +clkeys casign CA-KeysetName RequestFile |
| 64 | +``` |
| 65 | + |
| 66 | +## clsmime - S/MIME public key encryption tool |
| 67 | + |
| 68 | +<a href="https://senderek.ie/cryptlib/tools/clsmime"><b>clsmime</b></a> is a tool that uses public and |
| 69 | +private RSA keys made with clkeys to generate encrypted SMIME messages and signed SMIME messages. |
| 70 | + |
| 71 | +It can also exchange SMIME encrypted and signed messages with established EMAIL clients like Thunderbird, Evolution or Outlook. |
| 72 | +<a href="https://senderek.ie/cryptlib/tools/clsmime"><b>clsmime</b></a> handles SMIME messages |
| 73 | +that are produced by OpenSSL as well. While <b>clsmime</b> will use private keys generated with clkeys in PKCS#15 |
| 74 | +format for decryption and signing, it can use certificates generated by OpenSSL for encryption and |
| 75 | +verification as well. |
| 76 | + |
| 77 | +``` |
| 78 | +clsmime [OPTIONS] encrypt messagefile certificate |
| 79 | +clsmime [OPTIONS] decrypt encrypted_message KeysetName |
| 80 | +clsmime [OPTIONS] sign messagefile KeysetName |
| 81 | +clsmime [OPTIONS] verify signed_message [CArootCertificate] |
| 82 | +``` |
| 83 | +## More to come! |
| 84 | + |
| 85 | +These are only three examples of how you can use Cryptlib to build reliable tools for users. |
| 86 | +And there are many more tools to come in the near future. |
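Review bot: the clkeys section (new lines 37-38 and 46-52) says the private keys are stored "safely" in a PKCS#15 file but never states how that file is protected; please document whether the keyset is passphrase-encrypted and which option or prompt sets that passphrase, because the README's whole argument against PKCS#12 rests on the PKCS#15 file being the stronger container. The claes section has the same gap (new lines 29-30): "encrypted with a passphrase" and "AES will always be used as the only encryption method" leave the AES mode, key size and passphrase-to-key derivation undocumented, and the usage line (33) shows `-128` only after `-openssl` without saying what it selects or what the default key size is in each of the three output formats. In the clsmime usage (81), `clsmime [OPTIONS] verify signed_message [CArootCertificate]` should say what verification does when the root certificate is omitted, i.e. whether the signature is then checked only against the certificate embedded in the message. Minor style points: the heading on new line 15 has a leading space unlike the other `##` headings; the closing fences on 34 and 82 run straight into the next `##` heading with no blank line, while the other sections have one; "SMIME"/"S/MIME", "EMAIL"/"Email" and "thunderbird"/"Thunderbird" are used inconsistently; and "common-sense" on line 42 should read "common practice".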