Newbie questions about Pliant

Creating an account on the Helio Pliant server.

I'm unable to create an account; got the following message:
"Your public key is too short."
but actually the public key I enter is very long...
Any help would be appreciated ;)
Message posted by maybe Johan Boulé on 2001/01/11 05:01:35
Ooops !
I put my message on the abstract of the subject.
Sorry
(but we'll certainly still make many other mistakes in this new forum system until we are accustomed to using it)
Message posted by hubert.tonneau on 2001/01/11 07:53:01

About your problem with the forum: we need to add a few help sentences in the forum.

Now about your problem with the Pliant server rejecting your key when you try to open an account:

  • Is it a Pliant crypto system public key? If yes, please post it on this forum.
  • Is the 'max_legal_key_bits' value you have in your /pliant/util/crypto/legal.pli the same as the one of the server you are trying to connect to?
Message posted by johan.boule on 2001/01/11 14:04:39

I finally managed to create an account on the helio.pliant.cx site / fat.heliosam.fr computer. I don't have any knowledge of the RSA cryptologic method, so I thought I had to enter the public key myself, but as I understand, this key must be generated (from what?). So, I haven't entered any public key on the invitation page and it generated it later.

> Is it a Pliant crypto system public key? If yes, please post it on this forum.

> Is the 'max_legal_key_bits' value you have in your /pliant/util/crypto/legal.pli the same as the one of the server you are trying to connect to?

constant max_legal_key_bits 128 # France

Must my 'localhost' Pliant HTTP server be running in order to use the Helio server?

As you see I'm really a newbie both to the Pliant HTTP server, and to security issues in general. I would be pleased if someone could give me the address of a good site that simply explains things about the security of HTTP servers with RSA.

Cheers,
Johan

Message posted by hubert.tonneau on 2001/01/12 15:02:16
If you want to generate an RSA key, you have to do the following:
  • Make sure that you have a big 'max_legal_key_bits' value.
    Doing so, you are making your own version of the software, and you should be aware of legal constraints in your country.
    The built-in value satisfies French law, but is useless because it is too small, so too weak; it's not used on pliant.cx sites because it would expose Pliant users to viruses.
  • Run the HTTP server locally, and connect to it with administrator account (the simplest is to start the HTTP server with the 'configure' option set).
  • Get to 'Configuring the server', then 'Users' page.
  • Define yourself as a new user, and in your account form, select the 'Generate' button on the 'Public key' line.
Now you have a working public/private key pair and you can provide the public key to the Pliant site when opening your account.
Message posted by hubert.tonneau on 2001/01/12 15:08:08
When you want to use your key to securely connect to Pliant web site, you
have to run the following command:
  pliant module /pliant/util/crypto/proxy.pli command proxy
Then the following dialog will appear (replace 'hubert.tonneau' with
your account ID):

Please enter site name you want to connect to: helio.pliant.cx
Please enter user ID: hubert.tonneau
Please enter 'hubert.tonneau' password: ...........
Connecting to http://localhost:1080/ in your browser
will securely connect to http://helio.pliant.cx/
....

You get a '.' each time the secured proxy successfully opens a secured
connection with the remote server. You get a '!' if it fails.
Opening the first secured connection may well take quite a long time
(let's say 1 min on a 300 MHz processor, using a 1024-bit key), then the
next ones should open fast.
Message posted by pom on 2001/01/12 16:33:12
From RSA laboratories FAQ, this short description of RSA cryptosystem:

  What is the RSA cryptosystem?

The RSA cryptosystem is a public-key cryptosystem that offers both encryption and digital signatures (authentication). Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA system in 1977; RSA stands for the first letter in each of its inventors' last names.

The RSA algorithm works as follows: take two large primes, p and q, and compute their product n = pq; n is called the modulus. Choose a number, e, less than n and relatively prime to (p-1)(q-1), which means e and (p-1)(q-1) have no common factors except 1. Find another number d such that (ed - 1) is divisible by (p-1)(q-1). The values e and d are called the public and private exponents, respectively. The public key is the pair (n, e); the private key is (n, d). The factors p and q may be destroyed or kept with the private key.

It is currently difficult to obtain the private key d from the public key (n, e). However if one could factor n into p and q, then one could obtain the private key d. Thus the security of the RSA system is based on the assumption that factoring is difficult. The discovery of an easy method of factoring would "break" RSA.

Here is how the RSA system can be used for encryption and digital signatures:

Encryption   Suppose Alice wants to send a message m to Bob. Alice creates the ciphertext c by exponentiating: c = m^e mod n, where e and n are Bob's public key. She sends c to Bob. To decrypt, Bob also exponentiates: m = c^d mod n; the relationship between e and d ensures that Bob correctly recovers m. Since only Bob knows d, only Bob can decrypt this message.

Digital Signature   Suppose Alice wants to send a message m to Bob in such a way that Bob is assured the message is both authentic, has not been tampered with, and from Alice. Alice creates a digital signature s by exponentiating: s = m^d mod n, where d and n are Alice's private key. She sends m and s to Bob. To verify the signature, Bob exponentiates and checks that the message m is recovered: m = s^e mod n, where e and n are Alice's public key.

Thus encryption and authentication take place without any sharing of private keys: each person uses only another's public key or their own private key. Anyone can send an encrypted message or verify a signed message, but only someone in possession of the correct private key can decrypt or sign a message.
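The FAQ recipe above, carried through as an added example (not code from the thread, from the RSA FAQ, or from Pliant): textbook RSA with the FAQ's symbols p, q, n, e, d, m, c, s, using toy primes and no padding so that every step stays visible. It also reports the key size as the bit length of n, which is the quantity the 'max_legal_key_bits' discussion earlier in the thread is about.

```python
# Added example: textbook RSA following the FAQ's key generation,
# encryption and signature steps. Toy primes, no padding: arithmetic only.
from math import gcd


def exponent_ok(e, p, q):
    # e must be less than n and relatively prime to (p-1)(q-1)
    n = p * q
    return 1 < e < n and gcd(e, (p - 1) * (q - 1)) == 1


def keygen(p, q, e=17):
    # Returns ((n, e), (n, d)): public key (n, e), private key (n, d)
    if not exponent_ok(e, p, q):
        raise ValueError("e must be < n and coprime to (p-1)(q-1)")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # chosen so (ed - 1) is divisible by phi
    assert (e * d - 1) % phi == 0
    return (n, e), (n, d)


def key_bits(pub):
    # Key length as usually quoted: number of bits in the modulus n
    return pub[0].bit_length()


def encrypt(m, pub):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)          # c = m^e mod n, Bob's public key


def decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)          # m = c^d mod n, Bob's private key


def sign(m, priv):
    n, d = priv
    return pow(m, d, n)          # s = m^d mod n, Alice's private key


def verify(m, s, pub):
    n, e = pub
    return pow(s, e, n) == m % n  # Bob checks m = s^e mod n


def demo():
    bob_pub, bob_priv = keygen(61, 53)        # n = 3233 (constructed toy key)
    alice_pub, alice_priv = keygen(89, 97)    # n = 8633 (constructed toy key)
    m = 65
    c, s = encrypt(m, bob_pub), sign(m, alice_priv)
    return decrypt(c, bob_priv) == m and verify(m, s, alice_pub) and not verify(m + 1, s, alice_pub)
```

With these toy primes the modulus is only 12 bits wide, so a server enforcing a real minimum key size would reject it for the same reason the thread discusses.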