PGP-based server-to-server communication

Using PGP when two servers communicate with each other has several advantages. By cryptographically signing and encrypting the data one server sends to another, you get integrity and authenticity of the payload, and confidentiality against anyone who can read the transport, which among other things reduces the risk of a “Man In The Middle” attack. Notice that this only holds if each party has verified that the public key it uses really belongs to its peer; PGP does not remove the key distribution problem, it moves it to the point where you decide which keys to trust.

In the upcoming 8.4 release of Phosphorus Five I have made this much simpler. First of all, when you install your server, you can tick a simple checkbox to have your server’s public PGP key uploaded to your configured key server. The default key server in Phosphorus Five is “keyserver.ubuntu.com”, but this can easily be changed in your web.config file.

Secondly, when a MIME envelope is parsed and it turns out to be cryptographically signed, Phosphorus Five will automatically retrieve the signer’s public PGP key from your configured key server and install it into its PGP context. Keep in mind that a public key server does not verify who uploaded a key, so a signature that checks out against an automatically fetched key only proves that the message was signed by whoever holds that key. Whether that key belongs to the server you think you are talking to is something you still have to establish yourself, for instance by comparing its fingerprint with one you obtained out of band.

Thirdly, I have created a handful of meta PGP key retrieval URLs for a default Phosphorus Five installation, allowing servers to send public PGP keys back and forth automatically. For instance, if you need to communicate securely with a server using PGP, you can simply take the server’s base URL and append “/micro/pgp” to it, at which point the server’s public PGP key is returned as ASCII armoured text. Notice that you’ll have to use “Peeples” to explicitly allow access to this URL if you want non-root accounts to be able to retrieve keys. Requesting my personal development server’s main PGP key, for instance, returns the following.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.8.1.0

mQINBFsmpEUBEACPPTzy3Tg95PoQcpY6CetYbC6+1kKgn1ue9M5yMwyx/MA5JIS5
FfiQBXCzyIDTPN1xquvkAM59w0FkBfgI3ZjYojKLkx3DcEjB3acigzjxHRCvdZML
7Q6A0lWgnlV2Uw9KZmP40LHcWRSvq97eGse+wX9G278J2bLWggxVoBFXZqXnduxf
FVLMcXdA1phhk/ClMjsrPnX5tbUCXsE+wj4ZzKA81hkdg1Bq8pLeUWklzGazzUe4
lE2EJ0uekdoiMYT+7ov4H+3hf3T30naWfkR9rSb7e3owBjceJIlao3JvSfQ7jbkc
ZaOSZq1USe87PPLqvhrzNDCZqvs3EUjvXwYtGNfpDr+W/lezqTpDVenmm0g1179u
lZHpXlYkY0wqn8hY0fvjrb065Ah/FHmchzY6e4a8Lh1Iiu92pEBp6TAmdJ+AyaDF
8jsoSi+MZXKjorCmeGfiHNVCUfWL7ZMLEJOgxqpJIWxdyZ6GJOUZLs0skgCM4k5C
vXl9+ojHo+0a9pnj0xKwIsTRtipSvF+UxMgEBOHCeRC+Z9RNm9S06wzDkx2FNdi8
YC5nawSr+H1F21Ijj7nyV+B7Neb088FSnlfLn1dEcREgWhPTfu4wPy0TMzForLrQ
ULakl93CU4A57VH+8gjYuPRBk39Bz5QQhkTXVdub0Hpk4ugfXmx6LmuW6QARAQAB
tDFEdW1teSBUZXN0aW5nIEtleSBOb3QgaW4gQWN0dWFsIFVzZSA8Zm9vQGJhci5j
b20+iQIxBBABAgAbBQJbJqSCAhsDBAsJCAcGFQgCCQoLBQkFpOvFAAoJEIY6IiZv
nvOaYHIQAIvMpAdg5YsZH1cMzFFBQxMeM0hoBJottuszsuujiTyachnV8a2cZX7G
xdek2WtA/ipcuUIJJKppztjB3aNvqqUtYBhXkng0KsxWC8nctDiHNKfxsNnZ/s+4
T1Nq3cjlAH8ihWWPFCjJalwQ5nKyT+zzsVM8nfuIyjoPlZdcjbv+pJSwrsX3388L
C7J1NIxv1HYbGMT23gyPPF/S6k3mqbEbMAmphnKfMWfMDVRep8W8q4dDvPYtG3Tg
v4dwjJxhN3lzlKaSVLAauHPnVyeC44P1NMZQzXdx0Lnhd1r5ibucemxCmMrGGDvZ
/NiktmOCX9H/dykESurjBv820Xpa6r+/Z1gZ/WsaxOw3uqPyH6YgPDkdcDhisGhO
0e6yz2Sfx52VPIAw2K6EkeKLuh+MmbgEI7PZMz/j66VdsJXtqMetXCMbabWgF4V0
Sq64lcbqW0ixIFULQKEVkOCG7Jc+CaGkh1JoVcpE7YZty7wIaBPNaYYA07BhDmSc
Fs/Kb/i5AGW/cEr284k+Dx4oxKEDTmTLSgDdlNiu2Kk2KuyrwbLJPGD/iNWp7c07
Fb1e4WHyCHKaFnaWEaG6qeiLaXSyy4rHOQof0J+7/ArFc92UDtMcUWtHatIcxU0Y
vSYYzNWkLYqOghrkw1W58bGmFKa6Bzx3CzpcoQ2m350Jzhf9O2qG
=QUYz
-----END PGP PUBLIC KEY BLOCK-----

In addition, you can list all public PGP keys a single Phosphorus Five server has by requesting the URL “/micro/pgp/list”, which for my server yields the following (Hyperlambda). The name of each top-level node is the key’s full fingerprint, and “id” is its short key ID, i.e. the last 8 hex digits of that fingerprint.

83bfcbe0235f90e0a67bb865863a22266f9ef39a
  id:6F9EF39A
  algorithm:RsaGeneral
  strength:int:4096
  creation-time:date:"2018-06-17T18:11:17"
  is-encryption-key:bool:true
  is-master-key:bool:true
  is-revoked:bool:false
  version:int:4
  expires:date:"2021-06-17T18:10:18"
  user-ids
    :Dummy Testing Key Not in Actual Use <foo@bar.com>
  signed-by
    6F9EF39A:date:"2018-06-17T18:12:18"
d9d9a341717d93ce911958aeddbb618d4f2ac9a9
  id:4F2AC9A9
  algorithm:RsaGeneral
  strength:int:4096
  creation-time:date:"2018-06-17T18:07:40"
  is-encryption-key:bool:true
  is-master-key:bool:true
  is-revoked:bool:false
  version:int:4
  expires:date:"2021-06-17T18:07:03"
  user-ids
    :kgkgiygiugiugiyg iugigiug <igigiyg.ouhouh.no>
  signed-by
    4F2AC9A9:date:"2018-06-17T18:08:03"
... etc ...

… or you can query for a specific key, using a URL such as “/micro/pgp/d9d9a341717d93ce911958aeddbb618d4f2ac9a9”, where the last segment is the fingerprint from the list above. This yields the following for my server.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.8.1.0

…
=/BDf
-----END PGP PUBLIC KEY BLOCK-----

You can of course also return multiple keys at the same time, by instead passing in a string that is matched against the “identity” of the key, such as “/micro/pgp/Hansen”, which returns all keys having “Hansen” somewhere within their user ID. Keep in mind that a user ID is whatever the key’s creator typed in when the key was made, so a match on a name is a convenience for finding candidate keys, not proof of who owns them. When you need to trust a key, select it by fingerprint.
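The check a client should do before trusting a key obtained from any of these URLs, as an added example that is not part of Phosphorus Five: strip the ASCII armour, verify its CRC24, compute the primary key’s fingerprint, and compare it in constant time with a fingerprint pinned out of band. The key block is the dummy key shown above and the pin is the fingerprint “/micro/pgp/list” reports for it; keeping a pin per peer in a constant (or in configuration) is an assumption of the example, as is the old-format packet header that BCPG emits for this key.

```python
# Added example (not Phosphorus Five code): verify an ASCII-armoured PGP public
# key, e.g. one fetched from a "/micro/pgp" URL, against a fingerprint pinned out
# of band.  Standard library only.  Assumption: you keep such a pin per peer and
# never derive it from the key you just fetched.
import base64
import hashlib
import hmac

# Constructed sample input: the armoured dummy key printed in the post above.
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG C# v1.8.1.0

mQINBFsmpEUBEACPPTzy3Tg95PoQcpY6CetYbC6+1kKgn1ue9M5yMwyx/MA5JIS5
FfiQBXCzyIDTPN1xquvkAM59w0FkBfgI3ZjYojKLkx3DcEjB3acigzjxHRCvdZML
7Q6A0lWgnlV2Uw9KZmP40LHcWRSvq97eGse+wX9G278J2bLWggxVoBFXZqXnduxf
FVLMcXdA1phhk/ClMjsrPnX5tbUCXsE+wj4ZzKA81hkdg1Bq8pLeUWklzGazzUe4
lE2EJ0uekdoiMYT+7ov4H+3hf3T30naWfkR9rSb7e3owBjceJIlao3JvSfQ7jbkc
ZaOSZq1USe87PPLqvhrzNDCZqvs3EUjvXwYtGNfpDr+W/lezqTpDVenmm0g1179u
lZHpXlYkY0wqn8hY0fvjrb065Ah/FHmchzY6e4a8Lh1Iiu92pEBp6TAmdJ+AyaDF
8jsoSi+MZXKjorCmeGfiHNVCUfWL7ZMLEJOgxqpJIWxdyZ6GJOUZLs0skgCM4k5C
vXl9+ojHo+0a9pnj0xKwIsTRtipSvF+UxMgEBOHCeRC+Z9RNm9S06wzDkx2FNdi8
YC5nawSr+H1F21Ijj7nyV+B7Neb088FSnlfLn1dEcREgWhPTfu4wPy0TMzForLrQ
ULakl93CU4A57VH+8gjYuPRBk39Bz5QQhkTXVdub0Hpk4ugfXmx6LmuW6QARAQAB
tDFEdW1teSBUZXN0aW5nIEtleSBOb3QgaW4gQWN0dWFsIFVzZSA8Zm9vQGJhci5j
b20+iQIxBBABAgAbBQJbJqSCAhsDBAsJCAcGFQgCCQoLBQkFpOvFAAoJEIY6IiZv
nvOaYHIQAIvMpAdg5YsZH1cMzFFBQxMeM0hoBJottuszsuujiTyachnV8a2cZX7G
xdek2WtA/ipcuUIJJKppztjB3aNvqqUtYBhXkng0KsxWC8nctDiHNKfxsNnZ/s+4
T1Nq3cjlAH8ihWWPFCjJalwQ5nKyT+zzsVM8nfuIyjoPlZdcjbv+pJSwrsX3388L
C7J1NIxv1HYbGMT23gyPPF/S6k3mqbEbMAmphnKfMWfMDVRep8W8q4dDvPYtG3Tg
v4dwjJxhN3lzlKaSVLAauHPnVyeC44P1NMZQzXdx0Lnhd1r5ibucemxCmMrGGDvZ
/NiktmOCX9H/dykESurjBv820Xpa6r+/Z1gZ/WsaxOw3uqPyH6YgPDkdcDhisGhO
0e6yz2Sfx52VPIAw2K6EkeKLuh+MmbgEI7PZMz/j66VdsJXtqMetXCMbabWgF4V0
Sq64lcbqW0ixIFULQKEVkOCG7Jc+CaGkh1JoVcpE7YZty7wIaBPNaYYA07BhDmSc
Fs/Kb/i5AGW/cEr284k+Dx4oxKEDTmTLSgDdlNiu2Kk2KuyrwbLJPGD/iNWp7c07
Fb1e4WHyCHKaFnaWEaG6qeiLaXSyy4rHOQof0J+7/ArFc92UDtMcUWtHatIcxU0Y
vSYYzNWkLYqOghrkw1W58bGmFKa6Bzx3CzpcoQ2m350Jzhf9O2qG
=QUYz
-----END PGP PUBLIC KEY BLOCK-----
"""
# Hypothetical pin: the fingerprint "/micro/pgp/list" shows for the key above.
PINNED_FINGERPRINT = "83bfcbe0235f90e0a67bb865863a22266f9ef39a"
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armour and verify its CRC24; raise ValueError on any defect."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    if "" not in lines:
        raise ValueError("armour headers not terminated by a blank line")
    body = lines[lines.index("") + 1:-1]          # base64 lines followed by "=CRC"
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC24 mismatch: key block corrupted or tampered")
    return data


def parse_primary_key(data: bytes) -> dict:
    """Parse the leading v4 public-key packet (tag 6, old-format header) and compute
    its fingerprint, SHA-1(0x99 || 2-octet length || body), RFC 4880 section 12.2."""
    if len(data) < 3 or (data[0] & 0xC0) != 0x80:
        raise ValueError("expected an old-format packet header")
    tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if tag != 6 or length_type == 3:
        raise ValueError("first packet is not a definite-length public-key packet")
    n = 1 << length_type                           # 1, 2 or 4 length octets
    length = int.from_bytes(data[1:1 + n], "big")
    body = data[1 + n:1 + n + length]
    if len(body) != length or length > 0xFFFF or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    fpr = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest()
    return {
        "fingerprint": fpr,
        "key_id": fpr[-16:].upper(),                   # long key ID; last 8 digits = short ID
        "created": int.from_bytes(body[1:5], "big"),   # unix time
        "algorithm": body[5],                          # 1 = RSA
        "bits": int.from_bytes(body[6:8], "big"),      # bit length of first MPI (n for RSA)
    }


def check_server_key(armored: str, pinned_fingerprint: str) -> tuple:
    """Return (ok, reason); import the key into your keyring only when ok is True."""
    try:
        info = parse_primary_key(dearmor(armored))
    except ValueError as exc:
        return False, str(exc)
    if not hmac.compare_digest(info["fingerprint"], pinned_fingerprint.lower()):
        return False, "fingerprint %s does not match pin" % info["fingerprint"]
    return True, "key %s matches pinned fingerprint" % info["key_id"]
```

Fetching the text is a plain HTTP GET of the peer’s base URL plus “/micro/pgp” and is left out so the block runs offline; `check_server_key(ARMORED_KEY, PINNED_FINGERPRINT)` is the call to make on the response before importing anything. With a pin in place, the key server and the “/micro/pgp/<name>” substring match only tell you where to look for a key, never whether to trust it.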

All in all, this creates some pretty cool opportunities for secure communication: meta retrieval of keys, automated processes fetching server keys, and thereby establishing an encrypted and authenticated channel between two servers right away.

I will also implement more of these types of “convenience” methods and functionality before the upcoming 8.4 release, allowing you to do lots of other interesting things too. However, that was that for today 🙂
