Mailing List Archive

PGP replacement for shopping cart software?
I've been put onto GPG by someone on the SSLEAY mailing list.

It does seem as if you guys are carrying on where Phil Zimmermann left off
(all credit to him).

I know a LOT of people running minivend (online shopping software) who are
starving for some kind of PGP with which credit card info can be encrypted
before being emailed.

PGP only sell commercial licenses in blocks of 10 or more :-(, so...

GPG. I have 0.3.4 compiled and working on UNIX, but I need to be able to
decrypt the emails on a windows PC.

I can't generate the keys on the PC for obvious reasons, but neither can I
get it to import the keyrings exported under UNIX. (gpg --import fails
badly for the public keyring, and is silent-but-no-effect for the secret
keyring, exported using the --export and --export-secret-keys)

Will PGP5 for windows be able to decrypt GPG messages? And how do I get my
secret key off the unix machine where it was generated into either PGP5 for
windows ($30 version) or into the lowly GPG for windows?

The answer will help a LOT of people.

Thanks

Sam
Re: PGP replacement for shopping cart software?
On Fri, 4 Sep 1998, Samuel Liddicott wrote:

> I know a LOT of people running minivend (online shopping software) who are
> starving for some kind of PGP with which credit card info can be encrypted
> before being emailed.

I have a similar situation. As a temporary bridge solution to a client's
shopping mechanism we needed a way to transport credit card data from the
live servers at the colocation center to the company's main office for
fulfillment. The interim shopping system was an email based one and so I
devised a simple set of perl scripts that use gpg to create an encrypted
message tunnel. It is called CMT for Crypto Mail Transport.

CMT-Send: Script that receives plaintext emails, encrypts them and forwards
them to CMT-Receive.

CMT-Receive: Script that receives encrypted emails, decrypts them and
forwards them on to the true recipient.

CMA: A tool for storing messages in encrypted format with an offline
(floppy) keyring and a console application for printing messages.

CMT-Send is a local qmail email alias that email is delivered to. It
encrypts the message with CMT-Receive's key and emails it to CMT-Receive.
CMT-Receive accepts encrypted messages, decrypts them and forwards them on
to CMA. CMA is an archiver that receives messages and encrypts them using
a second key whose private portion is stored offline.

When the user wants to view a message, they log in under a user that runs
the CMA UI. The CMA UI prompts them to insert their key disk which it
then checks for validity. Using that keyring they can then select
messages to be sent to the printer attached to the parallel port.

CMT is a useful encrypted message tunnel, albeit somewhat crude. All told
the solution took about 10 hours to put together.

This solution, however, requires a unix server to be the inbound port of
the encrypted mail tunnel and a unix email server to be the outbound port
of the encrypted mail tunnel. We recycled a 486 that was collecting dust
for the destination machine. It is isolated from the network logically,
protected by a firewall and only accepts SMTP connections.

C=)

--------------------------------------------------------------------------
There is hardly a thing in the world that some man can not
make a little worse and sell a little cheaper.
--------------------------------------------------------------------------
Caskey <caskey*technocage.com> /// pager.818.698.2306
TechnoCage Inc. ///| gpg: 1024D/7BBB1485
--------------------------------------------------------------------------
I didn't fight my way to the top of the food chain to be a vegetarian.
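
The CMT-Send step described in the message above, as an added Python sketch; it is not Caskey's Perl code, which the post does not show. It assumes a current gpg on the PATH with the tunnel's public key already imported, and the addresses, key id and function names are constructed for illustration.

```python
import subprocess
import sys
from email.message import EmailMessage

# Assumptions (not from the post): a current gpg on PATH with the tunnel's
# public key already imported, and constructed addresses / key id.
GPG, SENDMAIL = "gpg", "/usr/sbin/sendmail"
TUNNEL_ADDR = "cmt-receive@office.example.test"
TUNNEL_KEY = "CONSTRUCTED-KEY-ID"


class EncryptionFailed(Exception):
    """Signals that the message must be deferred, never sent in the clear."""


def gpg_encrypt(plaintext: bytes, key_id: str) -> bytes:
    # --batch: never prompt from a mail delivery; --armor: 7-bit safe output.
    proc = subprocess.run(
        [GPG, "--batch", "--armor", "--encrypt", "--recipient", key_id],
        input=plaintext, capture_output=True)
    if proc.returncode != 0 or b"BEGIN PGP MESSAGE" not in proc.stdout:
        raise EncryptionFailed(proc.stderr.decode(errors="replace"))
    return proc.stdout


def cmt_send(raw: bytes, tunnel_addr: str, key_id: str,
             encrypt=gpg_encrypt) -> EmailMessage:
    """Encrypt the whole inbound message, headers included, into a new mail."""
    armored = encrypt(raw, key_id)          # raises before anything is built
    outer = EmailMessage()
    outer["From"] = "cmt-send@localhost"
    outer["To"] = tunnel_addr
    outer["Subject"] = "CMT"                # constant; real subject is encrypted
    outer.set_content(armored.decode("ascii"))
    return outer


if __name__ == "__main__":
    try:
        mail = cmt_send(sys.stdin.buffer.read(), TUNNEL_ADDR, TUNNEL_KEY)
        subprocess.run([SENDMAIL, "-i", TUNNEL_ADDR],
                       input=mail.as_bytes(), check=True)
    except (EncryptionFailed, OSError, subprocess.CalledProcessError):
        sys.exit(111)   # qmail treats 111 as a temporary failure and retries
```

Encrypting the complete inbound message keeps the order subject and sender out of the outer headers, and exiting 111 on any failure leaves the plaintext in the local queue instead of forwarding it unencrypted.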
Re: PGP replacement for shopping cart software?
Samuel Liddicott <sam@worldwidehealth.com> writes:

> GPG. I have 0.3.4 compiled and working on UNIX, but I need to be able to
> decrypt the emails on a windows PC.

Please contact me if you need an up-to-date windows version - It is
possible but I won't do this on a voluntary basis.

> Will PGP5 for windows be able to decrypt GPG messages? And how do I get my

I think so.

> secret key off the unix machine where it was generated into either PGP5 for
> windows ($30 version) or into the lowly GPG for windows?

I don't know whether I understand it correctly. The problem is the
passphrase - I have not yet figured out what is wrong with my salted and
iterated S2K implementation which is what pgp5 uses to protect secret
keys. The workaround is easy: remove the passphrase, export, import,
and set the passphrase again (on BOTH copies). But be sure that you
have full control over both machines and no one can steal your
unprotected secret key during this process.


Werner