On Mon, 14 Jun 2010 21:40:30 +0000 "Thor (Hammer of God)" <[email protected]> wrote:
> Hey Nid - > > > -----Original Message----- > > From: Nid [mailto:[email protected]] > > Sent: Monday, June 14, 2010 11:18 AM > > To: Thor (Hammer of God) > > Cc: [email protected] > > Subject: Re: [Full-disclosure] Introducing TGP... > > > > Hi Timothy > > > > > > TGP - "Thor's Godly Privacy" > > > > > > 06/13/10 v1.1.06 > > > > > First of all you should keep in mind, that base64 raises the size of your > > data > > by 33%. > > Yep. I'm fine with that. One can always zip the data. > > > posting big files especially on mailing lists might offend the other users > > of the > > list. specially if you see the headline of lsi's answer. > > there your message is marked as spam. Also assuming to have a lot of people > > behaving like this would result in moderated lists. > > BTW why not storing your data on rented space? > > Of course - all that goes without saying (well, I guess not ;) - I was just > using that as an example. Mailing list, facebook, blog, whatever. Of course > there will be some places where that won't be appropriate, but that much > should be obvious. We could use Google cache for that matter... The point > was the portability options one has in a public environment; let's not get > bogged down into things like "spam" - that takes the focus off the real point. > > > > > > The next issue is that you can not trust private keys which are published on > > the internet with respect to signatures. These keys could have been cracked. > > Using such a key only for yourself to have data on the internet seems also > > not to make sense. It could be better placed on a private machine where you > > have controled access to for example with VPN or ssh. > > Well, that's the whole point. In TGP, I use AES256 bit encryption based on > what should be a strong passphrase in combination with a salt to protect the > private key. To crack that private key, you would have to brute force the > entire keyspace, which is currently not technically feasible, or have a > custom-made rainbow table with also is not technically feasible for my 20 > character passphrase and salt. If you are going to "trust" encryption, then > the key's integrity should be acceptable. But, if you don't want to publish > it, then don't. Problem solved. Please don't misunderstand my statements - > I'm not saying one has to do that. I'm saying that one *could* do that if > you wanted to. I could post 20 different private keys around the world in > different places if I wanted to, but only use the one *I* know is used. > There are a million ways of doing it. However, I think you are missing the > logic that if your private key could really be cracked, and thus I could get > the ke y > required to asymmetrically decrypt the key used to symmetrically decrypt the > CryptoBlob, then I would not bother with the key at all and just crack the > crypto blob. Further, if one could just "crack" the key, then one would > just "crack" the VPN encryption or SSL encryption and get your private key > that you had controlled access to. If I have to pick a locked cased to get > to a key that opens another case, I'd just pick the lock on the other case. > Why looking at encrypted data as something that has to be further protected > -- just make sure the encryption is sound in the first place. > > > > > The next point is if you would like to use the key in an internet cafe at a > > restaurant, you will not be able to trust the machine. most likely there is > > a > > trojan on it or a key grabber. > > I wouldn't say "most likely" but that's a great point. However, it doesn't > matter if the machine is owned - I'm just copying the data off of it. Hell, I > could print out my key if I wanted to and type it back into my own system. > Even better, if I'm using other people's public keys to encrypt data, it > won't matter if the machine has a key logger. I don't type passwords for > people's public keys. But like I already said - if you don't want to post > it, don't. Easy. I actually speak to that in the part of my post direct > below that you quoted... > > > > > > Normally, you want to keep your private keys as safe as possible. This > > > is still the case with TGP. However, it is trivial to build as many > > > private keys as you wish to use for anything you want to use them for. > > > TGP Private Key files are password protected and individually salted, > > > so with a strong passphrase you have very reasonable assurance that no > > > one is going to get to your key any time soon. So, you can create a > > > private key with a strong password, post that, and then, say, encrypt > > > a scan of your passport and post that. Then if you are ever in a pinch > > > while travelling or something like that, you can simply use Google or > > > Bing to access your data wherever you are. > > Thanks for the comments! > > t Boah..... HEIL HITLER...... CAN YOU NOW SHUT THE FUCK UP ALL PLEASE... IT'S LIKE a record from talks of FX or so.. just useless shit.... And you should know when to STFU... seriously.... I wonder how FX can read this list foir years... rmb -- rembrandt <[email protected]> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
