Project Ägypten: Technology

Home | Technology | Who | Schedule | Development | Public Relations | Glossary

This page provides an overview. The CVS repository contains technical details.
Some more general description is available in German.

Strong connection: with two-way communication accomplished by direct linking or KDE plug-in methods
Client/Server communication: Client (A) requests a service from Service provider (B). This is either accomplished by using Unix Domain sockets, shared memory or hardware connection.
KDE-dependent module

GpgSM

This module is responsible for encryption and key-management. It has been designed and implemented according to GnuPG and offers among other features a database for certificates. The format of this database can also be used by GnuPG, so all public keys can be saved in a single file.

Private keys are not handled by GpgSM; it delegates the operations of signing and decryption to the GpgAgent. When decrypting, this delegation only concerns the decryption of the Session-Key; the symmetric decryption however is done here. The module is capable of encrypting data streams of arbitrary length. It offers a command line interface widely corresponding to the interface of GnuPG.

GpgSM is also responsible for the generation of keys and related messages. The key generation itself will be delegated as usual to the GpgAgent, enabling it to save the private key directly in it's PSE.

Apart from the mandatory algorithms, AES will be also implemented. Because it is not yet mentioned in the specification, it's use will be made available by a certain option in the configuration.

GpgAgent

This module takes over multiple tasks:
  • It takes over all cryptographic operations requiering a private key.
  • It manages both the Soft-PSEs and the Token PSE.
  • It saves the fingerprint of the root certificate.
  • It delegates operations to a krypto token, using the standards PKCS11, PKCS12 and PKCS15.
  • Optionally, it is capable of assuring the integrity of the system (i.e. it's modules and certain keys). To assure this, it uses a MAC, whose key is derived from a PIN.
  • It offers functionality for both import and export of the private keys.
  • It generates new key-pairs.
For querying the PIN, the GpgAgent uses the PIN Entry-module. Special measures to protect the sensitive information are implemented here (e.g. to protect information from being swapped to the harddrive).

The design of this modules interface enables the module to be completely implemented on a seperate hardware module.

DirMngr

This module controls all directory accesses and performs search operations. To accomplish this, it also uses OpenLDAP directly. Certificate Revocation Lists (CRLs) are kept in a local cache by this module and their validity is directly checked here. It is linked against the hereby required libraries.

PIN Entry

This is a very simple module, it only opens a modal dialog and asks for the PIN. Using a special protocol, it cooperates directly with the GpgAgent. This functionality is not built into the GpgAgent directly to avoid linking against the complex GUI code. Furthermore, the module can be adopted to existing graphical user interfaces easily.

Within the project the PIN Entry will be implemented as a qt-, gtk- and text-version. Possibly an even simpler version using the basic grapical user interface (X11) will be added in the future This would simplify code-validation.

->Français ->Deutsch

Links

Ägypten2 Project
KMail
Mutt
GnuPG
Sphinx
Intevation
g10 Code
Klarälvdalens Datakonsult
Bundesamt für Sicherheit in der Informationstechnik

Contact

You can reach the project team on several mailing lists:
gpa-dev (technical coordination)
 
kmail (KMail)
gnupg-devel (GnuPG development)
 
Project coordination:
<bernhard@intevation.de>
<jan@intevation.de>

Page last modified: $Date: 2004-04-06 18:26:43 $
(C) Intevation, Verbatim copying and distribution of this entire page is permitted in any medium, provided this notice is preserved.