This section is maintained by the qooxdoo community. Here is how you can contribute.

Crypto

OpenPGP

This package contains classes to generate OpenPGP public-key encrypted messages. The output is compatible with GnuPG and other OpenPGP implementations.

Use Case Example: Encrypting a single message

This example encrypts text, such as a password, using the GnuPG public key of the server. The resulting OpenPGP message may then be securely sent to the server and decrypted.

  • On the server, use GnuPG gpg --gen-key to generate a public-private key pair
    • Move the resulting .gnupg directory into a location accessible to the httpd daemon but outside the htdocs area
    • Make the .gnupg directory accessible only to the httpd daemon by setting the owner and mode
    • Provide a web service, such as an RPC, for the qooxdoo desktop app to download the public key block
  • In the qooxdoo app, encrypt a plain text message msg as follows:
var pgpMsg = openpgp.Encoder.encrypt(serverPubKeyBlock, msg);
  • Send pgpMsg to the server app for decryption, for example, using an RPC service
    • The plain text message is secured within the cipher text of pgpMsg
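
A server-side check for the two storage steps in the list above (key directory outside the htdocs area, accessible only to the httpd daemon), added here as an example and not part of the qooxdoo package. The paths and account name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the qooxdoo package.
# check_gnupg_home GNUPG_DIR DOCROOT OWNER
# Prints one FAIL line per finding; returns 0 when the directory is clean, 1 otherwise.
check_gnupg_home() {
    dir=$1; docroot=$2; owner=$3; rc=0

    if [ ! -d "$dir" ] || [ ! -d "$docroot" ]; then
        echo "FAIL: $dir or $docroot is not a directory"
        return 1
    fi

    # Compare physical paths so a symlinked key directory is judged by where it really lives.
    real_dir=$(cd "$dir" && pwd -P)
    real_root=$(cd "$docroot" && pwd -P)
    case "$real_dir/" in
        "$real_root"/*) echo "FAIL: $real_dir is inside the document root $real_root"; rc=1 ;;
    esac

    # Every entry must belong to the daemon account (name or numeric uid).
    if ! wrong_owner=$(find "$real_dir" ! -user "$owner"); then
        echo "FAIL: could not check ownership against '$owner'"; rc=1
    elif [ -n "$wrong_owner" ]; then
        echo "FAIL: not owned by $owner: $wrong_owner"; rc=1
    fi

    # No entry may grant any group or other permission bit (directory 700, files 600).
    too_open=$(find "$real_dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$too_open" ]; then
        echo "FAIL: group/other access on: $too_open"; rc=1
    fi

    return "$rc"
}

# Usage with hypothetical paths and account name (adjust to the server's layout):
#   check_gnupg_home /var/lib/myapp/.gnupg /var/www/htdocs www-data
```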

Encrypting Multiple Messages

  • For encrypting multiple messages with the same public key, this technique is more efficient:
var encoder = new openpgp.Encoder(serverPubKeyBlock);
var pgpMsg = encoder.encrypt(msg);
  • This approach re-uses the same encoder object to encrypt each message, avoiding the expense of repeatedly instantiating a number of objects in each call to the static openpgp.Encoder.encrypt method.
  • However, if messages are sent infrequently, the static openpgp.Encoder.encrypt() method is less costly, because an encoder object continuously collects "entropy" from mouse move and keystroke events. This "entropy" is combined with other pseudo-random factors to generate session keys, which must be unpredictable. The static method stops entropy collection before returning the encrypted message.

General References for Crypto Package

Please make sure that any input used is covered by a license compatible with LGPL/EPL!