Re: Questions about generating keys

2007-08-23 Thread David Shaw
On Thu, Aug 23, 2007 at 05:11:35AM +0300, Oskar L. wrote:

 Ok, so RSA isn't always significantly faster, as I thought it was. I had
 read somewhere that it was, (probably on this list) and my own testing
 with my 4GB backup files showed RSA to be notably faster.

Make sure you're comparing apples to apples here.  If you're comparing
RSA to DSA, you need to measure signature speed.  If you want to
compare RSA encryption speed, you need to compare it against an
encryption algorithm like Elgamal.  DSA doesn't encrypt.

 So would it be fair to sum up the differences like this:
 - for signing DSA is faster, for verification RSA is faster,
   but there's not much of a difference.

There is a substantial difference, but no real difference in practice
for most uses of OpenPGP.  (I could make up a case where it might make
a difference, but it would be an odd, clearly invented, case).

 - OpenPGP implementations must support DSA, but supporting RSA
   is optional, but both gpg and PGP support RSA, so there's
   not much of a difference.

Yes.

 - original DSA limited to 1024 bit keys and 160 bit hashes.

Yes.

 - DSA signatures are smaller.

Yes.  DSA signatures are relative to the size of the hash used.  RSA
signatures are relative to the size of the key.

 - updated DSA, aka DSA2, equal to RSA when it comes to the
   lengths of keys and hashes.

Not exactly equal, but roughly equal.  The largest DSA2 key that GPG
will generate is a 3072 bit key that uses a 256-bit hash.  The largest
RSA key that GPG will generate is 4092 bits long.  3072/256 is roughly
balanced in strength (that is, the key and the hash are about the same
strength).  4096, the RSA limit, isn't felt to be significantly
stronger than 3072 (the next step after 3072 is actually 7680 in the
NIST key management publication 800-57).

 - RSA has a hash firewall

Yes.

 If there are no other significant differences that I have missed, since I
 want a key larger than 1024 bits, it must be a DSA2 or RSA key. RSA gets a
 minus for not being required by OpenPGP, but only a small one since it is
 supported anyway. DSA2 gets minus points both for lack of support in older
 versions of PGP, and for lack of a hash firewall. RSA still seems better
 to me, but not by as much as I previously thought.

It's important to note that we're talking about tiny fiddling details
here.  Either path is so vastly stronger than is usually needed that
this is rather like discussing whether a 1001-foot fence is better
than a 1000-foot fence: sure, 1001 sounds better, but if you have an
attacker that could get over a 1000 foot fence, it's safe to assume
they can make a pretty good crack at the remaining foot.

If you're really worried about people with older software not being
able to use your key, that's a strong reason to not choose DSA2.  In
that case, I'd make a RSA primary key, an encryption subkey of
whatever algorithm you like, and then a DSA subkey that you actually
use to sign with.  Do avoid signing documents with a big RSA key.
It's really annoying to the recipient.

 So they accepted RSA into the standard, while it was still restricted by
 patents, as long as it wasn't made the default? I took for granted that an
 open standard like OpenPGP would not have accepted any patented stuff into
 the standard, and that RSA was added later, after the patents ran out. I'm
 a bit sad to find out I was wrong, I was under the impression that OpenPGP
 only allowed completely free and open algorithms.

It's way more complex than that (both for OpenPGP and other IETF
specs).  Check out the significant number of patent-related documents
on the IETF website.  There are (at least) two full RFCs on this topic
alone.

Remember also that before OpenPGP was OpenPGP, it was just PGP: a good
bit of the OpenPGP standard was standardized before the IETF was
brought in.  Again, historical and occasional legal issues that aren't
really relevant any longer.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Questions about generating keys

2007-08-23 Thread Oskar L.
Robert J. Hansen wrote:
 In the battle between armor and warhead, _always_ bet on the warhead.

 Playing defensively and trying to make an email address invisible is
 going to be an exercise in frustration.  They always get seen.  They
 always get spammed.  Play defensively and you lose.

Well, if you need to have an e-mail address available to the general public
then this is certainly true. Spammers have even been known to hire cheap
labor to surf the web looking for e-mail addresses and filling in spam in
forms, so even hiding your address in a blurred upside-down JPEG won't
help.

If you have security unaware friends who type in your address on "send
your friend an ecard" type of sites, or have you in their address book on
their Windows box full of spyware, then the spammers will get your
address, no matter what you do.

But if you don't need a public address, and only have security conscious
friends, then I would think you have a good chance of staying off the
spammers' lists.

Yahoo! has a nice free service called AddressGuard. You just create a base
name (foo) and append an ID (bar) to it, and now you have a disposable
address: [EMAIL PROTECTED], which delivers mail to your normal Yahoo!
address. You can have 500 different IDs, so you can give a different
address to each of your friends, and check who is leaking your address.

 Whitelisting, graylisting, blacklisting, Bayesian filters, even lawsuits
 if you're so inclined--those are all active measures which force the
 spammers to adapt to your actions.  That gives you a measure of
 initiative back.  You're no longer playing pure defensive.

Those are all good things, but just because we have them does not mean
that it's not a good idea to try to stay off the spammers' list in the first
place.  Personally I'd like to see more aggressive anti-spam measures,
like the ones taken by Blue Frog.

 If you like, I'll ask the antispam research group here at UI if they
 think there's anything to be gained by omitting an email address from a
 key.

User IDs do not provide any authentication, so security wise they are
useless. The most secure thing would be not to have one at all, and have
my friends remember that key number  belongs to me. This way, if
my friends get raided, it will be more difficult or impossible for the
police to figure out that it's my key. But since this is very
inconvenient, I decided to sacrifice a little security for convenience, by
putting my first name in the user ID. I don't provide an e-mail address
mainly because it's easier to change my e-mail address if I don't have to
update my key, but this undeniably also makes things a little harder for
spammers, since it's one less place they can find my e-mail address. It
might also help in a deniability claim. I don't however think that it's
too much to ask that people remember which e-mail address goes with which
key.

Oskar





Re: Questions about generating keys

2007-08-23 Thread Robert J. Hansen
Sven Radde wrote:
 I am paranoid, too. Could someone therefore please explain to me what a
 hash firewall actually is (possibly off-list)?

In an RSA signature, data about what algorithm was used in a signature
is, itself, part of the signed data.  You can't lie about a signature
algorithm without tampering with the message and making the signature
fail to verify.

In DSA, the data is not part of the signed data.  This allows you to
lie.  This has potential problems if one of the supported hashes becomes
so catastrophically weak that second-preimage attacks become feasible.

SHA-1 may be basically dead as far as crypto goes, but it is a _long_
way from a second-preimage attack.




The paranoid interpretation of this:

Let's speculate that tomorrow, Shengdong University continues their
trend of eye-popping crypto research and announces a second-preimage
attack against SHA-1.  You migrate to RIPEMD160 or truncated SHA256 or
what-have-you as a result.

An attacker wants to forge one of your new RIPEMD160-based signatures.
An attacker gets a good RIPEMD160-based signature from you.  This is
basically one very long binary sequence, which says "hey, if the message
you're reading hashes out to this binary sequence, then yes, it's for real."

I construct a new message, saying "I, Sven Radde, agree to pay Rob
Hansen one frosty cold pint of bitters."  I wave the dead chicken over
it, or whatever Shengdong U. says I have to do, in order to make it hash
out to the exact same binary sequence as the one your signature says is
authentic.

I lift your RIPEMD160 signature and place it on my new forged message.
I proceed to then lie and say "This message used SHA-1 as a digest."

I give it to your local barkeep.  He looks at the message, SHA-1s it,
gets the binary sequence I constructed.  He compares it against your
signature block, which says "hey, if the message you're reading hashes
out to this binary sequence, then yes, it's for real."

Your barkeep pours me a nice cold frosty pint of bitters--hey, I'm a
barbaric American and I drink my beer _cold_, thank you very much--and
puts the bill for it on your tab.

I have now defrauded you by using a forged message.  And it's all made
possible by the lack of a hash function firewall.





The practical paranoid interpretation of this:

A second-preimage attack on SHA-1 would be a mathematical advance of
such massive proportions that worrying about its consequences for DSA
signatures is kind of dumb.

If you stay up late at night wondering what will ever happen to Deal Or
No Deal in the days after a meteor hits Earth, then you're probably the
type of person who worries about what happens to DSA signatures after a
second-preimage attack on SHA1.  The rest of the world, however, will
have much more important things to worry about.




... Personally, I myself subscribe to the practical paranoid view.

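The hash-firewall scenario in the post above, as an added toy model (not code from the thread, from GnuPG or from PGP). The OpenPGP hash-algorithm IDs and PKCS#1 v1.5 DigestInfo prefixes are the real RFC 4880 values; the "broken SHA-1" is a constructed stand-in whose output is trivially controllable, and the number-theoretic signing step is replaced by the bytes the primitive commits to, since what matters is what the verifier reconstructs and compares.

```python
import hashlib

# Real OpenPGP hash-algorithm IDs (RFC 4880 section 9.4) and the PKCS#1 v1.5
# DigestInfo prefixes (RFC 4880 section 5.2.2) that an RSA signature encodes.
SHA1, SHA256 = 2, 8
DIGESTINFO = {
    SHA1:   bytes.fromhex("3021300906052b0e03021a05000414"),
    SHA256: bytes.fromhex("3031300d060960864801650304020105000420"),
}
Q_BYTES = 20  # original DSA: 160-bit q, so the digest is truncated to 20 bytes


def broken_sha1(msg: bytes) -> bytes:
    """CONSTRUCTED stand-in for a SHA-1 that has fallen to second-preimage
    attacks: its 'digest' is just the last 20 bytes of the message, so any
    message can be made to hash to any chosen value. Real SHA-1 is not this."""
    return msg[-20:]


HASH = {SHA1: broken_sha1, SHA256: lambda m: hashlib.sha256(m).digest()}


def sign(msg: bytes, hash_id: int, algo: str):
    """Model a signature as (hash-algorithm field, bytes the primitive commits to).
    The number theory is left out: only what the verifier reconstructs matters."""
    digest = HASH[hash_id](msg)
    if algo == "rsa":
        return hash_id, DIGESTINFO[hash_id] + digest  # algorithm OID sits inside the signed value
    return hash_id, digest[:Q_BYTES]                  # DSA: only the leftmost q bits of the digest


def verify(msg: bytes, sig, algo: str) -> bool:
    """The verifier trusts the hash-algorithm field of the packet, as OpenPGP does."""
    hash_id, committed = sig
    digest = HASH[hash_id](msg)
    if algo == "rsa":
        return DIGESTINFO[hash_id] + digest == committed
    return digest[:Q_BYTES] == committed


def relabelled_signature_accepted(algo: str) -> bool:
    """Sven signs with SHA-256. The signature is copied onto a crafted message and
    its hash-algorithm field is changed to (broken) SHA-1. True if it verifies."""
    genuine = b"Lunch on Thursday at the usual place."
    hash_id, committed = sign(genuine, SHA256, algo)
    target = committed[-Q_BYTES:]  # digest value the signature vouches for
    forged = b"I, Sven Radde, agree to pay Rob Hansen one pint of bitters. " + target
    return verify(forged, (SHA1, committed), algo)


if __name__ == "__main__":
    for algo in ("dsa", "rsa"):
        print(algo, "accepts relabelled signature:", relabelled_signature_accepted(algo))
```

With the DSA-style check the relabelled signature verifies, because the signed value is just a 160-bit number and says nothing about which function produced it; with the RSA-style check it fails, because the SHA-1 DigestInfo prefix never matches the SHA-256 one that was signed.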


Re: Questions about generating keys

2007-08-23 Thread Robert J. Hansen
Oskar L. wrote:
 But if you don't need a public address, and only have security conscious
 friends, then I would think you have a good chance of staying off the
 spammers' lists.

This is not my experience.  I've received spam addressed to my amateur
radio call sign (KC0SJE) at a domain that's not directly associated with
me.  I don't know how it was discovered, but for right now I'm leaning
towards the hypothesis that spammers have made pacts with the Devil and
learned dark arts.

 Those are all good things, but just because we have them does not mean
 that it's not a good idea to try to stay off the spammers' list in the first
 place.

Sure it is.

All of us are constrained by external forces.  We don't have as much
time, as much energy, as much money, as much anything as we want.  We
have to make tradeoffs.  That's called economics.

If I know that one sort of antispam measure is going to reduce the spam
I receive 100-fold over the reduction produced by another antispam
measure... and the 100-fold measure takes the same amount of resources
as the other one... then why should I ever use the second measure?

I get a 100-fold reduction from X amount of time and labor, or a
101-fold reduction from a 2X amount of time and labor.  This is really
simple to me; I'm going to take the 100-fold reduction and spend the
extra X time goofing off, or visiting my nephews, or grabbing lunch with
my sister, or doing thesis research, or...

Use the most effective measures available to you, and know when to stop.

If I had 2X units of time, I still wouldn't use the two measures to get
a 101-fold reduction in spam.  I'd spend X time using the technologies
currently available, and I'd spend X time researching new technologies
to try and kick the 100-fold technology up to 1000-fold.  That'd be a
very efficient and economical use of time.

 User IDs do not provide any authentication, so security wise they are
 useless.

Whoawhoawhoawhoa.  I don't know where you got this from, but it's very
wrong.

User IDs do not provide any authentication, okay, that much is true.
If you want authentication, you're really looking for a trusted
signature on the user ID, fine.

But "security wise they are useless" is just barking madness.  Really.

 The most secure thing would be not to have one at all, and have
 my friends remember that key number  belongs to me. This way, if
 my friends get raided, it will be more difficult or impossible for the
 police to figure out that it's my key.

You are apparently not up to date on something called traffic analysis.
 I suggest you look into it.  What you're talking about here is probably
a pipe dream.

If you're that concerned about getting raided, there are two things you
need to do right now.

1.  Stop posting to crypto mailing lists that keep public archives.
Creating an electronic paper trail of yourself saying "I'm concerned
about getting raided by the cops, please help me figure out how to
protect my electronic privacy" is not a very smart thing to do.

2.  Hire an information security professional.  GnuPG can be part of a
security solution, it can even be a very effective part, but it is not
magic fairy dust.  You will not find privacy or security just by
sprinkling a little magic fairy dust here and there and thinking that it
will just work.  If your needs are this high-level, you need the
services of an information security professional.




Re: Questions about generating keys

2007-08-23 Thread Snoken

At 04:11 2007-08-23, Oskar L. wrote:
--snip--
 Robert J. Hansen wrote (regarding DSA2 keys):
  The latest versions of PGP support them.
 
 That's good news. Can it also create them? But there are probably still
 many using older versions. I know some who refuse to update from 6.5.8.

Some people stick to PGP 8.1, a version fairly compliant with GPG. See below.

 
 
 David Shaw wrote:
  Now that DSA2 is here, there aren't really that many benefits to RSA
  (and I say this as someone with an RSA key).  In theory, DSA is better
  because it is required by OpenPGP: you won't be able to find any
  OpenPGP implementation that doesn't handle it.  This is not true of
  RSA (it's legal for a program to reject it just because it is RSA).
  In practice, that doesn't happen much because the big two, PGP and
  GPG, both handle RSA.
 
-- snip --
 
 So would it be fair to sum up the differences like this:
 - for signing DSA is faster, for verification RSA is faster,
   but there's not much of a difference.
 - OpenPGP implementations must support DSA, but supporting RSA
   is optional, but both gpg and PGP support RSA, so there's
   not much of a difference.
 - original DSA limited to 1024 bit keys and 160 bit hashes.
 - DSA signatures are smaller.
 - updated DSA, aka DSA2, equal to RSA when it comes to the
   lengths of keys and hashes.
 - Of PGP, only the newest version supports DSA2 keys.
 - RSA has a hash firewall
 
 If there are no other significant differences that I have missed, since I
 want a key larger than 1024 bits, it must be a DSA2 or RSA key. RSA gets a
 minus for not being required by OpenPGP, but only a small one since it is
 supported anyway. DSA2 gets minus points both for lack of support in older
 versions of PGP, and for lack of a hash firewall. RSA still seems better
 to me, but not by as much as I previously thought.
 
 
--snip --
 
 Oskar

PGP 8.1 verifies SHA-256 hashes made by large RSA-keys, but NOT any
signatures made by DSA2-keys ("Signing algorithm not supported").

To create DSA2-keys with GPG you have to use the option enable-dsa2.

Snoken




Using an old .gnupg directory

2007-08-23 Thread phiroc
Hello,

I recently reinstalled cygwin from scratch on my Windows machine, after copying
the .gnupg directory and its contents to a USB key. Now, I would like to
decrypt files encrypted with the private key in that .gnupg directory, in my new
cygwin installation. Obviously, I should copy the .gnupg directory to my new
home directory. But what should I do next?

Many thanks.

phiroc



Re: Using an old .gnupg directory

2007-08-23 Thread David Shaw
On Thu, Aug 23, 2007 at 01:22:14PM +0200, [EMAIL PROTECTED] wrote:
 Hello,
 
 I recently reinstalled cygwin from scratch on my Windows machine, after
 copying the .gnupg directory and its contents to a USB key. Now, I would
 like to decrypt files encrypted with the private key in that .gnupg
 directory, in my new cygwin installation. Obviously, I should copy the
 .gnupg directory to my new home directory. But what should I do next?

You shouldn't have to do anything else.  Once you have a .gnupg
directory in your home directory, GPG will find it and use it.

David



Re: Questions about generating keys

2007-08-23 Thread Janusz A. Urbanowicz
On Thu, Aug 23, 2007 at 12:40:02PM +0300, Oskar L. wrote:
 Robert J. Hansen wrote:
  In the battle between armor and warhead, _always_ bet on the warhead.
 
  Playing defensively and trying to make an email address invisible is
  going to be an exercise in frustration.  They always get seen.  They
  always get spammed.  Play defensively and you lose.
 
 Well if you need to have an e-mail address available to the general public
 then this is certainly true. Spammers have even been known to hire cheap
 labor to surf the web looking for e-mail addresses and filling in spam in
 forms, so even hiding your address in a blurred upside-down JPEG won't
 help.

[...]

I'll tell you something. I have three public email addresses that I
use almost exclusively, and one doubles as my Jabber ID, and I never
used obfuscation or protection: all they do is irritate users and
decrease the chance that someone who should be able to contact me, can't.

Yet, I receive much less spam in my mbox than for example in the comments
on my blog. Why? I use some not very complicated
precautions. Actually, as I said before, one or two spams slip in a
month, sometimes one more, sometimes none at all.

All those things that you describe involve a lot of effort on your and
your correspondent's side, and are weak - if someone who has your
address gets a trojan, your address leaks out. If someone accidentally
puts server log files on the net, your address leaks out, and when someone
writes to your wrong address (like sending a private reply to an email
address) the communication won't work.

What you are trying to do is like wearing a full biosafety hazmat suit
with closed air circulation full time just to avoid getting the common cold.

It won't work this way or another, the air will run out at some point
or the suit will wear and tear where and when you are not looking. And
you are a big inconvenience to your peers.

What I'm saying is that this approach is stupid, and wasteful of time
and resources. It seems secure, gives this warm and fuzzy feeling, but
it isn't. It is like taking off your shoes at the airport, but what if
someone smuggles some C4 in a buttplug and blows it with the electronics
of his iPod?

 If you have security unaware friends who type in your address on send
 your friend an ecard type of sites, or have you in their address book on
 their Windows box full with spyware, then the spammers will get your
 address, no matter what you do.

All people are security unconscious at some point.

 But if you don't need a public address, and only have security conscious
 friends, then I would think you have a good chance of staying off the
 spammers' lists.

And what if I don't have such friends?

  Whitelisting, graylisting, blacklisting, Bayesian filters, even lawsuits
  if you're so inclined--those are all active measures which force the
  spammers to adapt to your actions.  That gives you a measure of
  initiative back.  You're no longer playing pure defensive.
 
 Those are all good things, but just because we have them does not mean
 that it's not a good idea to try to stay off the spammers' list in the first
 place.  Personally I'd like to see more aggressive anti-spam measures,
 like the ones taken by Blue Frog.

It is not a good idea, because you can't, in the same way you can't quit
the address lists of influenza viruses and meteorite strikes.

 User IDs do not provide any authentication, so security wise they are
 useless. The most secure thing would be not to have one at all, and have
 my friends remember that key number  belongs to me. This way, if

heh

you are expecting big things of people

and if someone offers them chocolate[1] to give out your secret number?

[1] research shows that people are willing to give out actual
passwords in exchange for chocolate

 my friends get raided, it will be more difficult or impossible for the
 police to figure out that it's my key. But since this is very
 inconvenient, I decided to sacrifice a little security for convenience, by
 putting my first name in the user ID. I don't provide an e-mail address
 mainly because it's easier to change my e-mail address if I don't have to
 update my key, but this undeniably also makes things a little harder for
 spammers, since it's one less place they can find my e-mail address. It
 might also help in a deniability claim. I don't however think that it's
 too much to ask that people remember which e-mail address goes with which
 key.

if you do things that can get you raided by police, that changes the threat
model

but on the other hand, surveillance usually means communication
intercepts so the interceptors will know that communications encrypted
with this particular key and id go to you

Alex
-- 
JID: [EMAIL PROTECTED]
PGP: 0x46399138
Paying attention to details is the job of doctors, lawyers, programmers and watchmakers
 -- Czerski



Re: Questions about generating keys

2007-08-23 Thread Steven E. Harris
Oskar L. [EMAIL PROTECTED] writes:

 Yahoo! has a nice free service called AddressGuard.

[...]

Spamgourmet¹ has offered this and more since October 2000.


Footnotes: 
¹ http://www.spamgourmet.com/

-- 
Steven E. Harris

