E-Business Server:ERROR: Key cannot be used for encryption

From SDS
Revision as of 09:51, 27 May 2014 by Badm1 (talk | contribs) (Created page with "== ERROR: Key cannot be used for encryption == '''Technical Articles ID: SDSKB5''' '''Environment''' McAfee E-Business Server 7.x and 8.x for cause 1. For cause 2, EBS 7.6 ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

ERROR: Key cannot be used for encryption

Technical Articles ID: SDSKB5

Environment

McAfee E-Business Server 7.x and 8.x for cause 1. For cause 2, EBS 7.6 and earlier, EBS 8.7 and earlier.

Problem The following error may be generated with E-Business Server when you attempt to encrypt a file:

event 1: initial

event 3: error -11493

Error: key cannot be used for encryption

event 2: final

error encrypting file.

Key cannot be used for encryption


exitcode = 22 may also be generated.

Cause 1 You are attempting to use a sign only key or a signing subkey for encryption.. To determine if a key is sign only, run the –key-list command to view the keys. A sign only key will have only a DSS field, where an encryption key will have a DSS field with a DH field below it. Below is an example of a sign on ly key (called signonly) and of a standard public key (gary test).

Alg Type   Size     Flags    Key ID   User ID

--- ---- --------- ------- ---------- -------

DSS pair 1024     [VI---] 0x243DCBDE signonly

DSS pub 2048/2048 [-----] 0x21BA1EA3 gary test (test)

Solution 1 Use an encryption key or remove the signing subkey.

Cause 2 The key is a DSA (Digital Signature Algorithm) key with a Signing Keysize greater than 1024. McAfee E-Business Server does not currently support the 2048 or 3072 key sizes.

If this is the cause, when you view the Key Details, the Cipher may be listed as Unknown:

Cipher: UNKNOWN

Note that other issues such as an unknown / unsupported hash, may result in Cipher: Unknown, so this by itself does not indicate that the key uses DSA 2048. However, “Key cannot be used for encryption” combined with the UNKNOWN Cipher is a strong indication. You can use a program such as pgpdump to learn more. To use pgpdump, export the key using ascii armor, then copy and paste into the pgpdump window. Pgpdump is available free at http://www.pgpdump.net/. Pgpdump is not maintained by SDS, and SDS is not responsible for any errors, nor does SDS guarantee that the site will always be there. That said, I use it all the time.


Solution 2 Recreate the DSA key with a Signing Keysize equal to 1024. EBS 7.7 and 8.8 will support DSA 2048 signing keys. Upgrade to these releases when they become available.