1

My question is how does camel pgp actually work and if my deduction is correct at all, I'm not a java programmer so please note that some of the following text might make no sense.

Does it encrypt the payload with a symmetric key, then encrypts the symmetric key with a public key and sends both to the destination (e.g. ftp server) which then decrypts the symmetric key (session key) and then decrypts the payload with it ? Or does it encrypt the payload with pub key and thats it ? Besides, is any of the keys generated every message ? In other words, lets say we have 20 files in a directory, camel processes them one by one, does this mean that the symmetric key will be generated 20 times or it's only generated once and then reused?

I am trying to find out the best solution to encrypt the messages, it seems it's sufficient to use a symmetric key only (AES) as I can transfer it through a safe channel once and that's it, however the implementation appears to be painful in comparison to PGP (I have to implement a Java tool to generate, save to file and load AES keys, play with initialization vector, HMAC etc.), but on the other hand if the latter creates a different key each time it would be inefficient in my case.

Jens Erat
  • 37,523
  • 16
  • 80
  • 96
Sebbie
  • 29
  • 6

1 Answers1

1

In OpenPGP, you've got two choices, Apache Camel allows both of them:

  • Hybrid Cryptography

    A session key (a new one generated each time) is encrypted using public/private (asymmetric) cryptography. This session key is then used for encrypting the actual information using symmetric cryptography.

    This approach combines the advantages of public/private and symmetric cryptography: it enables the advanced key management features of OpenPGP, but does not suffer from the enormous costs of encrypting large amounts of data using public/private key cryptography.

    Generating new, random session keys each time is very cheap, as those are mostly a random block of data, and do not involve complex calculations as for public/private key pairs.

    Using GnuPG (and probably all other implementations), this approach is used by default when using gpg --encrypt. If you specify the recipient's public key, and no passphrase, you will be using this approach.

  • Symmetric Encryption

    OpenPGP also allows directly generating the session key from a passphrase, which is directly used for symmetric encryption. This disables OpenPGP's key management features. Direct symmetric encryption is rarely used with OpenPGP, but might be handy sometimes.

    Using GnuPG, this is achieved by calling gpg --symmetric. If you encrypt (and do not sign), but are asked for a passphrase, you will probably be using symmetric cryptography.

In OpenPGP, public/private key cryptography is never used to encrypt input directly.

Jens Erat
  • 37,523
  • 16
  • 80
  • 96