Inhaltsverzeichnis

Key Management

From Version 4 onwards, the SKDS script files are protected by a RSA encryption algorithm against unauthorized usage. That gives a probability of 1:21024, that nobody else can ever use that script.

The used algorithm is a so called „public key encryption“. This means there are two so called key files, the so called public key and the so called secret key.

The public key is named yourchoosenusername.pubkey and is stored in the pubkeys- subdirectory, the secret key is named yourchoosenusername.seckey and is stored in the seckeys- subdirectory.

The secret key is protected by your chosen password and is needed to decrypt all script files, which where encrypted „for you“, means by using your public key. The public key instead can be given to anybody else, as the others would need this file to encrypt a script for you, which only you can read.

Inital Key setup - The Key Manager

This so called key pair is generated by the SKDS Key Manager.

The usage is simple:

Type in your chosen username and password (at least 6 characters long), press „Generate a new key“ and take a cup of coffee… Because of the mass of mathematics behind this key calculation takes a long time. If it takes longer than five minutes, than you either need a faster PC or something went wrong..;-)

Key Generation & Handling Guideline

As the key system is the key point of the whole script handling, it's strongly recommended to follow a few rules:

Key file storage location & search algorithm

The way how the storage location of the key files is determined works as follow:

Unlock your keys at program startup

To use your keys during the normal SKDS usage, they need to be loaded and „unlocked“ at startup. For this a key dialog appears at each program start

where you type in your username & password to load your keys.

How to compile and encrypt scripts with SKDSC

As we've learned above, script files are protected by encryption. But how to generate these files to work with them?

For this the already known command line compiler skdsc has been slightly modified.

First of all the -r option (who is able to read the scripts) has been removed, because it's not distinguished anymore between reading and executing a script 1)

The -x option (who is allowed to execute a script) is modified in two ways:

  1. because of the underlaying principle, you can (and have to) choose only ONE user, who is allowed to use (and able to read) the script. So it's not longer possible to define a group of people or organizations.
  2. the -x option is now mandatory, as the encryption algorithm always needs a public key to encrypt to.

In practice that means that you start skdsc as follow

skdsc -x yourusername test.pas

to compile (and encrypt) a script for yourself and

skdsc -x theotherusername test.pas

to compile (and encrypt) a script for somebody else.

Please remind that you always need to have the public key file of „username“ in your public key directory, as this file is needed for the encryption process.

The Key Exchange process

This process is quite simple: Everybody, who wants to generate a script for you, needs to have your public key file (stored as yourusername.SKDSpubkey in your pubkey directory) and has to store it in his pubkey directory - so the easiest way is to just exchange these file and collect as much as possible keys of other users in your own public key folder.

1)
reading is not implemented anymore at all. Later, when SKDS becomes OpenSource, somebody could create its own reader, but it's not foreseen that the official releases will support this feature