[ILUG] Question on an encryption system (using OSS)

[Paul Jakma]

On Tue, 13 Sep 2005, Braun Brelin wrote:

> 1. I encrypt a file
> 2. I make this file available via a P2P system like bit torrent.
> 3. When someone downloads the file, in order to unencrypt it, they have to
> get a key from me.
> 4. Since I make it available on P2P, multiple people might download it. Each
> person that wants to read it
> has to get a different key so that each key is unique to that person.
>
> I'm guessing a public key encryption scheme works best here. I'm 
> thinking of using GPG to actually perform the encryption and 
> generate the keys.

If the file is to be the same for each user, there's no point. Just 
use a symmetric cipher (assymetric ciphers are just a way to securely 
transfer the real symmetric cipher's key ;) ).

(You could still use asymmetric ciphers to transfer this key though - 
but there's no point encrypting the file with PGP).

> Is what I want to do basically sound? I.e. am I missing something 
> obvious here security-weakness wise?

Yes, in order to tailor the encryption of your files per user, you'll 
have a different file per user, which makes P2P useless.

A better way possibly might be identify which portions of your file 
you don't mind being public, and which you do. Make the public 
portions available on P2P. Distribute the withheld portion on a 
per-user basis. Ie the 'withheld' portion is the key..

This only works though if your file meets the properties of having a 
'key portion' and that portion being of proportionally small size to 
the remainder of the file..

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
Air pollution is really making us pay through the nose.