Recently, I was investigating a simple process for allowing a consortium of parties to communicate data inline with European Council security recommendations. One of the recommended tools is Zed! from Prim'X which provides an easy way to work with encrypted file containers.
Great! However... I didn't really fancy sharing passwords over the phone or email with tens of people, as the password will be either too weak or everyone will want to write it down and leave it on a train.
The other simple option that can be controlled within an organisation, without having everybody purchase smart cards, was public key infrastructre (PKI). An area I believe seriously lacks accessibility outside of the software industry - and for good reason in some cases.
That said, it's a bit much to expect non-technical users to install all the necessary libraries and start using terminal/command-line tools themselves.
The Ideal Situation
Well, we needed a click-and-run tool that:
- can be shared throughout an organisation
- has one simple interface with one button (let's say "generate"?)
and on the other side, out pops:
- a passphrase-protected private key file that the user needs to keep secret
- a public certificate file that the user can safely share with anyone and their aunts
Challenges
But, there are some challenges that blind-sided me.
Firstly, I'm a Java developer and thus wanted to take advantage of the fact that many users would have Java installed anyway. That's until I found out that Java restricts encryption out-of-the-box under the US export laws, and I didn't fancy breaking those terms and conditions.
So, having done a lot of work with both Python and OpenSSL recently, I knew it would be straight-forward bundle everything together into a reasonably small executable. Much of my inspiration came from Richard Knop's blog post. As for the GUI, I went with WxPython, and finally to bundle the code, I could freeze it using PyInstaller.
The result was a simple click-and-run application (less than 15MB in size) that asked the user for their certificate details: name, organisation, passphrase etc; which spits out the relevant self-signed certifcate and key file (stored in a PKCS#12 container) on the other side.
Tying it up with Zed
Now, everyone within the organisation will be able to share their public certficates (just like sharing their email address), which can then be imported into Zed along with their own private key. The container is then encrypted with an access list of public keys (i.e. Alice and Bob) and only those people would be able to decrypt and manipulate the container.
There you have it, PKI made easier.