
I need to encrypt data asymmetrically (binary as well as text) with a public / private key system. Currently I'm using openssl_seal, because I need to encrypt the data with more than one public key. As a result I get an encrypted message (which is fine) and two or more envelopes (which is not so fine). The latter one is not so fine, because I have to store these envelopes into the database as well. And for each little message, I need to store at least two envelopes, which might be larger than the message itself.

Then I remembered GnuPG: I can write a mail to more than one recipient and can encrypt the message that way, that everyone can decrypt the message with his/her own private key. No envelopes needed. So I looked for a GnuPG library in PHP but I only found a Linux solution. Unsatisfying because we have Windows systems as well.

Is there any public / private key library out there, which can encrypt messages/data with more than one public key without bothering with envelopes?

What I need is a library which can create a public/private key set, 2048 or 4096 bit strong.

The library must have a function to encrypt any kind of data with one, two or more public keys and has a simple data block as result only.

The library must have a function so that the encrypted data can be decrypted with any of the corresponding private keys.

Any hints or ideas? Maybe there is a special function in OpenSSL? IIRC, I can write e-mails to several recipients with S/MIME encryption as well. And it's only 1 e-mail with many recipients. No separated envelopes.

Thanks in advance

Hennes



Both OpenSSL and OpenPGP (which GnuPG implements) use symmetric encryption to encrypt the data (using some random key) and then encrypt the key using asymmetric encryption, encrypting it once for each recipient.

In OpenSSL, this is called "envelope", in OpenPGP "Session Key Packet". Both contain more or less the same data and thus should be of similar size. I don't know if you can make OpenSSL return all those as a single blob, GnuPG does so per default – but the file size will not be notably different.

Further remarks:

  • You can view the contents of an OpenPGP file using gpg --list-packets or pgpdump (which is not included with GnuPG, but gives a better readable output with numeric IDs resolved, i.e. algorithms used).
  • The GnuPG interface should also work under Windows, but as far as I know requires manual compilation.
  • I often saw people just calling the gpg.exe binary manually. But be careful if doing so, there are some ways to create security problems this way.
Jens Erat
  • If I get your statement concerning GPG/PGP correctly, you say that a) the encrypted message contains all envelopes of all recipients, b) all recipients get all envelopes and c) the encrypted message gets larger the more recipients it has. Is this correct? – Hennes May 14 '14 at 06:39
  • a) Yes, b) yes, unless you encrypt to each recipient individually (or change the OpenPGP packets on your own) and c) slightly by a constant amount per recipient, not dependent on the original data size. – Jens Erat May 14 '14 at 08:46
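The answer and the comments above describe exactly what openssl_seal already does: one symmetric key, wrapped once per recipient, with a constant per-recipient overhead. The single stored blob the question asks for is therefore just a packaging question. The PHP below is an added example, not code from the question, the answer or the PHP project: it wraps openssl_seal so that the IV, every envelope and the ciphertext are packed into one string, and unpacks that string again so any one of the recipients' private keys can open it. The function names, the blob layout (1-byte recipient count, 16-byte IV, length-prefixed envelopes, ciphertext) and the throwaway key generation are my own choices for the demo.

```php
<?php
// Added example: pack openssl_seal's output into one blob and open it with any
// matching private key. Layout and helper names are assumptions for this demo.

// Demo-only key pair; in practice the public keys would come from the recipients.
function generateKeyPair(int $bits = 2048): array {
    $res = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($res, $privPem);              // PEM private key
    $pubPem = openssl_pkey_get_details($res)['key'];  // PEM public key
    return [$privPem, $pubPem];
}

// Encrypt $plaintext once with a random AES-256 key; the key is RSA-wrapped for
// every public key in $pubPems (that wrapped key is the "envelope"). Returns one blob.
function sealToMany(string $plaintext, array $pubPems): string {
    if (count($pubPems) < 1 || count($pubPems) > 255) {
        throw new InvalidArgumentException('1 to 255 recipients supported by this layout');
    }
    $pubKeys = array_map('openssl_pkey_get_public', $pubPems);
    $iv = '';  // filled in by openssl_seal (it generates the IV for CBC ciphers)
    // Pass the cipher explicitly: older PHP versions default to RC4 otherwise.
    $ok = openssl_seal($plaintext, $sealed, $envelopes, $pubKeys, 'aes-256-cbc', $iv);
    if ($ok === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    // count (1 byte) | IV (16 bytes) | per recipient: len (2 bytes, big-endian) + envelope | ciphertext
    $blob = chr(count($envelopes)) . $iv;
    foreach ($envelopes as $env) {
        $blob .= pack('n', strlen($env)) . $env;   // a 4096-bit RSA envelope is 512 bytes
    }
    return $blob . $sealed;
}

// Parse the blob and try each envelope against the given private key. A wrong
// key fails the RSA unwrap (or the CBC padding check) and openssl_open returns false.
function openWithAny(string $blob, string $privPem): string {
    $priv = openssl_pkey_get_private($privPem);
    if ($priv === false || strlen($blob) < 17) {
        throw new RuntimeException('bad private key or truncated blob');
    }
    $n   = ord($blob[0]);
    $iv  = substr($blob, 1, 16);
    $pos = 17;
    $envelopes = [];
    for ($i = 0; $i < $n; $i++) {
        $len = unpack('n', substr($blob, $pos, 2))[1];
        $pos += 2;
        $envelopes[] = substr($blob, $pos, $len);
        $pos += $len;
    }
    $sealed = substr($blob, $pos);
    foreach ($envelopes as $env) {
        if (openssl_open($sealed, $opened, $env, $priv, 'aes-256-cbc', $iv)) {
            return $opened;
        }
    }
    throw new RuntimeException('no envelope in this blob matches the given private key');
}

// Constructed demo: two recipients, one stored blob, either private key opens it.
[$privA, $pubA] = generateKeyPair();
[$privB, $pubB] = generateKeyPair();
$payload = "secret payload \x00\x01\x02";   // binary data is fine
$blob = sealToMany($payload, [$pubA, $pubB]);
printf("blob: %d bytes for %d bytes of plaintext\n", strlen($blob), strlen($payload));
var_dump(openWithAny($blob, $privA) === $payload);   // bool(true)
var_dump(openWithAny($blob, $privB) === $payload);   // bool(true)
```

Two things worth knowing before storing such blobs: the size overhead is one RSA-modulus-sized envelope per recipient (256 bytes for 2048-bit keys), which matches the "constant amount per recipient" in the comment above, and openssl_seal provides confidentiality only. AES-CBC with a PKCS#1 v1.5-wrapped key carries no integrity protection, so if a modified blob in the database is a concern, sign the blob (openssl_sign) or store a MAC over it under a separately managed key. GnuPG avoids the trial-decryption loop by tagging each session key packet with the recipient's key ID; the same can be done here by storing a short fingerprint of each public key next to its envelope.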