On Aug 5, 2016, at 10:56 AM, Ron Frederick <ronf@xxxxxxxxxxxxx> wrote: > On Aug 5, 2016, at 10:40 AM, Ben Lindstrom <mouring@xxxxxxxxxxxxxx> wrote: >> Alex Bligh wrote: >>>> On 5 Aug 2016, at 18:09, James Murphy<james.murphy.debian@xxxxxxxxx> wrote: >>>> >>>> The more mainstream thing to do is just use gpg, which has this >>>> functionality already built in. Is this not suitable for your use case? >>> >>> The advantage of Colin's approach is that gpg requires out of band exchange >>> of gpg keys separately from ssh keys. If you already have ssh keys >>> distributed (which might be in an automated environment for instance), >>> it would be very useful. >>> >>> Of course if you already have gpg keys set up and exchanged, gpg >>> would be just fine. >>> >> The downside to this approach is your using keys created for signing for encryption now. Which >> means you've leaked additional information about the key material. Thus slightly weakening the >> security of your key. >> >> Which isn't really a smart thing to do. > > Since public key crypto is being used here, you also can’t encrypt something larger than the key size directly. You’d have to create a symmetric key, encrypt the data with that, and then encrypt the symmetric key with the public key. You’d then need to also define a container format for that. It looks like the “sfile” code does all that, but at that point why not use “openssl cms”? It will work with the same public keys used by SSH and already provides a standard format for this encoding. Following up on my own reply about using OpenSSL’s “cms” mechanism for this, I looked a little more closely and it appears that the CMS implementation in OpenSSL will only allow you to specify certificates for the recipients of an encrypted CMS message and does not support passing in raw public keys, even though that’s all you’d really need to perform the encryption. It would be straightforward to ask for recipients to send a certificate, though, and it could even be a self-signed certificate if you have some way of verifying the certificate out of band. This certificate could be based on the same key pair used by SSH if you wanted it to, though I agree with the point above that it would be better to use different keys for these two purposes. -- Ron Frederick ronf@xxxxxxxxxxxxx _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev