NAME
     skiencrypt - encrypt file

SYNOPSIS
     skiencrypt [-b] [-s | -v] [-a encr_alg] [-i input_file]
          [-o output_file] [-p | [-r recipient_certificate_file]
          [ recipient... ]]

     skiencrypt [-b] [-s | -v] [-x [-c cipher_file]] [-a encr_alg]
          [-i input_file] [-o output_file]
          [-p | [-r recipient_certificate_file] [ recipient... ]]

AVAILABILITY
     SUNWski

DESCRIPTION
     The skiencrypt utility encrypts the data provided in input_file.
     If no input_file is provided, the input data is read from stdin.
     Any data encrypted using the skiencrypt utility may be
     subsequently decrypted using the skidecrypt(1) utility.

     skiencrypt encrypts data using a content-encryption (session)
     key for the encryption mechanism specified by encr_alg. If no
     encryption mechanism is given, the default (RC4 with a 128-bit
     session key) is used. The session key is generated randomly and
     encrypted under the public key of the intended recipient. If
     more than one recipient is given, the (same) session key is
     encrypted under each recipient's public key. Each recipient must
     be specified either as an X.500 distinguished name in string
     representation (for example, "cn=John Smith, o=SUN, c=US") or as
     a username. The public keys of the intended recipients may also
     be provided in a file, recipient_certificate_file, which contains
     the certificate of each intended recipient. If neither a
     recipient nor a recipient_certificate_file is given, the session
     key is encrypted under the user's own public key.

     If the -p option is used, the selected encryption algorithm is
     used in password-based mode. In this mode the encryption key is
     derived from a password rather than being generated randomly, so
     no key infrastructure is required. skiencrypt prompts the user
     for the password from which the encryption key is derived.
     Currently, only DES can be used in password-based encryption
     mode.

     The encrypted data (ciphertext) and the encryption information
     are formatted as a PKCS #7 message and stored in output_file (or
     written to stdout). The content type of the PKCS #7 message is
     "enveloped-data"; if the -p option is used, however, the content
     type is "encrypted-data".

     By default, the ciphertext and the encryption information are
     stored together. If the -x option is given, the ciphertext is
     stored separately from the encryption information. In this case
     it is the user's responsibility to keep the file containing the
     ciphertext associated with the file containing the encryption
     information. If any file with an automatically generated
     filename already exists, skiencrypt exits with an error message
     rather than overwriting it.

     skiencrypt requires that the user has registered his or her
     private key with the SKI keyserver (see skilogin(1)).

OPTIONS
     The following options are supported:

     -b   Add BEGIN and END boundaries to the generated encryption
          information and ciphertext messages (by default, no
          boundaries are added).

     -p   Use the selected encryption algorithm in password-based
          encryption mode.

     -s   Run silently (no status or error information is displayed).

     -v   Give verbose output. If both -v and -s are specified, -v is
          ignored.

     -x   Store the ciphertext separately from the encryption
          information (default: ciphertext and encryption information
          are stored together). The encryption information is
          formatted according to PKCS #7 and stored in the file
          specified by output_file (or written to stdout) in the
          printable encoding format specified in Internet RFC 1421.
          The ciphertext is stored in cipher_file in the same
          printable encoding format. If no cipher_file is given, the
          ciphertext is stored in a file named after the output file
          with the suffix ".cipherdata". If the encryption information
          is written to stdout (no output_file is given), the
          ciphertext is stored in a file named "cipherdata" in the
          current working directory. If the -b option has been
          specified, the ciphertext is bounded at the beginning by
          "-----BEGIN ENCRYPTED DATA-----" and at the end by
          "-----END ENCRYPTED DATA-----".

     -a encr_alg
          Encryption mechanism. In the U.S. domestic version, the
          supported encryption mechanisms are "des" (DES in CBC mode
          with an effective key size of 56 bits), "des3" (triple-
          length DES in CBC mode), "rc2" (RC2 in CBC mode with a
          128-bit key size and an effective key size of 128 bits), and
          "rc4" (RC4 with a 128-bit key size). To let domestic sites
          exchange encrypted messages with global sites, the domestic
          version also supports "des_exp" (DES in CBC mode with an
          effective key size of 40 bits), "rc2_exp" (RC2 in CBC mode
          with a 40-bit key size and an effective key size of 40
          bits), and "rc4_exp" (RC4 with a 40-bit key size). The
          default encryption algorithm in the domestic version is
          "rc4", unless password-based encryption is used (option
          -p), in which case the default is "des".

          In the global version, the supported encryption mechanisms
          are "des_exp" (DES in CBC mode with an effective key size of
          40 bits), "rc2_exp" (RC2 in CBC mode with a 40-bit key size
          and an effective key size of 40 bits), and "rc4_exp" (RC4
          with a 40-bit key size). The default encryption algorithm in
          the global version is "rc4_exp", unless password-based
          encryption is used (option -p), in which case the default is
          "des_exp".

     -c cipher_file
          File where the ciphertext is stored (only evaluated if the
          -x option has been supplied). If the -b option has been
          specified, the ciphertext is bounded at the beginning by
          "-----BEGIN ENCRYPTED DATA-----" and at the end by
          "-----END ENCRYPTED DATA-----".

     -i input_file
          File containing the data to be encrypted.

     -o output_file
          File where the encryption information (that is, the
          content-encryption mechanism and, for each recipient, the
          encrypted content-encryption key) and optionally the
          ciphertext are stored. The output format is compliant with
          PKCS #7. The encryption information contains the encrypted
          content-encryption key for each recipient and the
          content-encryption mechanism that was used, and the content
          type of the PKCS #7 message is "enveloped-data"; if the -p
          option was used (password-based encryption), the encryption
          information contains only the content-encryption mechanism
          that was used, and the content type of the PKCS #7 message
          is "encrypted-data".

          If the encryption information and ciphertext are stored
          together (the default) and the -b option has been
          specified, the resulting PKCS #7 message is bounded at the
          beginning by
          "-----BEGIN ENCRYPTION INFO AND ENCRYPTED DATA-----" and at
          the end by
          "-----END ENCRYPTION INFO AND ENCRYPTED DATA-----". If the
          encryption information and ciphertext are stored separately
          (see option -x) and the -b option has been specified, the
          resulting PKCS #7 message is bounded at the beginning by
          "-----BEGIN ENCRYPTION INFO-----" and at the end by
          "-----END ENCRYPTION INFO-----".

     -r recipient_certificate_file
          File where the certificates of the intended recipients of
          the ciphertext are stored. Each certificate in this file is
          assumed to have already been verified by some out-of-band
          mechanism (for example, by comparing the digest of each
          certificate with the digest published by the source that
          provided the certificate); skiencrypt does not verify them.
          Because the session key is encrypted under every
          certificate in this file, an unverified or substituted
          certificate gives the holder of its private key access to
          the plaintext. This option is useful if the public key of
          an intended recipient is not available from the naming
          service. Each certificate in recipient_certificate_file
          must be bounded at the beginning by
          "-----BEGIN CERTIFICATE-----" and at the end by
          "-----END CERTIFICATE-----". Each boundary must be followed
          by a NEWLINE. See the example below.

EXAMPLES
     This example encrypts the file "appl" under the public key of
     "o=SUN, c=US" and stores the ciphertext along with the
     encryption information in the file "appl.enc":

          example% skiencrypt -i appl -o appl.enc "o=SUN, c=US"

     The following example encrypts the file "appl" under the public
     key of the user with username "alice". The encryption
     information is stored in the file "encrinfo", and the ciphertext
     is stored separately in the file "encrinfo.cipherdata":

          example% skiencrypt -x -i appl -o encrinfo alice

     The following example encrypts the file "appl" under the public
     key of the user with username "alice". The encryption
     information is written to stdout (and redirected into the file
     "encrinfo"), and the ciphertext is stored separately in the
     default file "cipherdata":

          example% skiencrypt -x -i appl alice > encrinfo

     The following example encrypts the input file "appl" under the
     public key of the user with username "alice". In addition, the
     session key is encrypted under the public key of each
     certificate stored in the file rcpt_certs, so each of those
     recipients can decrypt the result as well. The resulting
     ciphertext and encryption information are stored in the file
     "encrypted":

          example% skiencrypt -i appl -r rcpt_certs alice > encrypted

     rcpt_certs should have the following format:

     -----BEGIN CERTIFICATE-----
     MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
     A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
     A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
     FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
     SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
     1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
     2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----
     MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
     A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
     A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
     AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
     GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
     luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
     ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
     -----END CERTIFICATE-----

EXIT STATUS
     The skiencrypt command exits with 0 if successful and 1
     otherwise.

SEE ALSO
     skidecrypt(1), skisign(1), skiverify(1), skilogin(1)

NOTES
     For software shipped outside North America, the key size of the
     (symmetric) encryption/decryption mechanism is limited to 40
     bits. Also, triple DES is not permitted. In the case of the RC2
     encryption algorithm, an effective key size of 40 bits is used.

     A 40-bit key space can be searched exhaustively on commodity
     hardware, and 56-bit single DES has been brute-forced publicly
     since 1998, so the "*_exp" mechanisms and "des" should not be
     relied on for confidentiality against a determined attacker.
     Password-based mode (-p) is no stronger than the password from
     which the key is derived.
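The -r option leaves verification of recipient_certificate_file entirely to the user, and the rcpt_certs example above shows the framing skiencrypt expects. The following script is an added example, not part of SKI: it enforces the boundary rules stated for -r (each BEGIN/END line must be followed by a NEWLINE), base64-decodes each certificate, checks that the outer DER SEQUENCE length agrees with the decoded size (catching truncated or mis-pasted certificates), and prints a SHA-256 fingerprint for the out-of-band digest comparison the man page recommends. The function names are the author's own; the two embedded certificates are the ones from the rcpt_certs example, used here only as sample input.

```python
"""Validate and fingerprint a skiencrypt recipient_certificate_file (-r).

Added example, not SKI code. Enforces the -r framing rule, sanity-checks
the DER length of each certificate and prints SHA-256 fingerprints for
out-of-band comparison with the values the recipients supplied.
"""
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def split_bundle(text):
    """Return the base64 body of each certificate; raise ValueError on bad framing."""
    bodies, current = [], None          # current: base64 lines of the open cert
    for lineno, raw in enumerate(text.splitlines(keepends=True), 1):
        line = raw.rstrip("\r\n")
        # The man page requires every boundary to be followed by a NEWLINE.
        if line in (BEGIN, END) and not raw.endswith("\n"):
            raise ValueError(f"line {lineno}: boundary not followed by NEWLINE")
        if line == BEGIN:
            if current is not None:
                raise ValueError(f"line {lineno}: BEGIN inside a certificate")
            current = []
        elif line == END:
            if current is None:
                raise ValueError(f"line {lineno}: END without BEGIN")
            bodies.append("".join(current))
            current = None
        elif current is not None:
            if not B64_LINE.fullmatch(line):
                raise ValueError(f"line {lineno}: not a base64 line")
            current.append(line)
        elif line.strip():
            # The man page does not say skiencrypt tolerates extra text; reject it.
            raise ValueError(f"line {lineno}: text outside certificate boundaries")
    if current is not None:
        raise ValueError("bundle ends inside a certificate (missing END)")
    return bodies


def der_length(der):
    """Total length (tag + length header + content) of the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_bundle(text):
    """Return [(der_size, sha256_hex), ...] for every certificate in the bundle."""
    results = []
    for body in split_bundle(text):
        der = base64.b64decode(body, validate=True)
        if der_length(der) != len(der):   # truncated or over-long paste
            raise ValueError("DER length does not match decoded size")
        results.append((len(der), hashlib.sha256(der).hexdigest()))
    return results


def is_valid_bundle(text):
    """True if check_bundle accepts the text, False if it rejects it."""
    try:
        check_bundle(text)
        return True
    except ValueError:
        return False


# Sample input: the two certificates from the rcpt_certs example on this page.
RCPT_CERTS = """-----BEGIN CERTIFICATE-----
MIIBRDCB7wIEMe0zZzANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkzNVoXDTk5MDcxNzE4MzkzNVowPTELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEPMA0GA1UEDRQGZHVtbXkxMQ8wDQYDVQQD
FAZkdW1teTEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAt9LgN5oT1WtlCJFXLmhc
SY4kN7OcNkBYq9iT4R8K0uZIrgp9/hSe0DFgQaAZkIUjqB0YkeIFPmy6/K3bp0l9
1QIDAQABMA0GCSqGSIb3DQEBBAUAA0EAdolKCynL2WjOxHmmsRbEg51dwB2u/ExM
2ZMaZvLMXHX5VIsjxfLSCXu3iI/RdMIi5dGfZhrp2XBkg0gkii+Mkw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBSjCB9QIEMe0zYTANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJVUzEMMAoG
A1UEChQDU1VOMB4XDTk2MDcxNzE4MzkyOVoXDTk5MDcxNzE4MzkyOVowQzELMAkG
A1UEBhMCVVMxDDAKBgNVBAoUA1NVTjEQMA4GA1UEDRQHY2hhcmxpZTEUMBIGA1UE
AxQLY2hhcmxpZSBsYWkwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAxQzeNvx72Dkp
GI9r6hALR3nVBG13PA/2wKrsT25xQGoSp104klnVgRfp4mbeiHEIfKG7Q9Z0bOei
luT4fG5EQQIDAQABMA0GCSqGSIb3DQEBBAUAA0EAUahDuBR5ONKIGvV4wvk2ZfVi
ms2TwKEDhtAkdQe0B3xeZk7e1/h6iK8QrXz2VtSCXde4onRr84Afj8je5gAkoQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for i, (size, fp) in enumerate(check_bundle(RCPT_CERTS), 1):
        print(f"certificate {i}: {size} bytes DER, sha256 {fp}")
```

Run it against the real rcpt_certs and compare each printed fingerprint with the digest the recipient handed you over a trusted channel before passing the file to skiencrypt -r; a mismatch means the session key would be encrypted to a key you have not verified.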