Re: Questions about generating keys
Robert J. Hansen wrote:
> The latest versions of PGP support them.

I've got the most up-to-date version of PGP. In fact, it doesn't support them _yet_. The signs are there that they're _almost_ supported - in other words, if you try to add a DSA2 signing subkey the combo boxes have 1536, 2048, and 3072 bit-length options, but when you hit the 'OK' button, you get the message 'Signing key size must be between 1024 and 1024 bits'. A representative from PGP Corporation confirmed (and I quote) that PGP is "still prepared to jump to the new DSS standard once it is finalized".

Nigel

| Give a man a fish and he will eat for a day. Teach him how |
| to fish, and he will sit in a boat and drink beer all day. |

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Questions about generating keys
On Fri, Aug 24, 2007 at 09:33:59AM +0100, [EMAIL PROTECTED] wrote:
> Robert J. Hansen wrote:
> > The latest versions of PGP support them.
>
> I've got the most up-to-date version of PGP. In fact, it doesn't support them _yet_. The signs are there that they're _almost_ supported - in other words, if you try to add a DSA2 signing subkey the combo boxes have 1536, 2048, and 3072 bit-length options, but when you hit the 'OK' button, you get the message 'Signing key size must be between 1024 and 1024 bits'. A representative from PGP Corporation confirmed (and I quote) that PGP is "still prepared to jump to the new DSS standard once it is finalized".

Thanks for checking this. Can you tell me what happens if you import a (GPG created) DSA2 key into PGP? Is PGP then able to verify a DSA2 signature created with GPG?

It's reasonably common with this sort of thing to enable reading a new feature before enabling writing it. It's the whole be-liberal-in-what-you-accept thing.

David
Re: Questions about generating keys (hash firewalls)
On Fri, 24 Aug 2007 20:06, [EMAIL PROTECTED] said:
> Do hash firewalls have any drawbacks (performance decrease, difficult to implement, patent issues etc.)? What's the reason DSA doesn't have one?

DSA is the signature algorithm used with DSS, the Digital Signature Standard. DSS requires the use of DSA along with SHA-1 as the hash algorithm. Similar provisions have been set up for DSA1, i.e. the combination of certain key sizes with certain hash algorithms. Thus there is no need for the hash firewall. OpenPGP, OTOH, allows the use of any suitable hash algorithm with DSA.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Questions about generating keys (hash firewalls)
On Fri, Aug 24, 2007 at 09:06:24PM +0300, Oskar L. wrote:
> Do hash firewalls have any drawbacks (performance decrease, difficult to implement, patent issues etc.)? What's the reason DSA doesn't have one?

I suspect a major reason is the main use of DSA is really DSS - and DSS was never intended to be used with any hash other than SHA-1. It gets a little stickier with DSA2/DSS2 where there are several possible hashes. For example, a 1024/160 DSA key can use SHA1, but also SHA224, SHA256, SHA384, or SHA512, by truncating them to 160 bits.

David
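What the truncation David describes does in practice, as an added example (not code from the thread, GnuPG or PGP): for each DSA2 key size from the thread, the integer DSA signs is the leftmost q-size bits of the digest, so a 1024/160 key fed SHA-256 signs a 160-bit value. The check that rejects a digest shorter than q follows RFC 4880's rule for DSA and is an assumption of this example, not something the message states.

```python
import hashlib

# DSA2 key sizes named in the thread (L/N), mapped to N = bit length of q.
DSA_Q_BITS = {"1024/160": 160, "2048/224": 224, "2048/256": 256, "3072/256": 256}
CANDIDATE_HASHES = ("sha1", "sha224", "sha256", "sha384", "sha512")


def dsa_hash_value(hash_name: str, q_bits: int, message: bytes) -> int:
    """Return the integer DSA signs: the leftmost q_bits bits of the digest.

    A digest longer than q is truncated (the behaviour described above). A digest
    shorter than q is rejected, following RFC 4880's rule that the hash must not be
    smaller than q (an assumption of this example, not stated in the thread).
    """
    digest = hashlib.new(hash_name, message).digest()
    out_bits = len(digest) * 8
    if out_bits < q_bits:
        raise ValueError(f"{hash_name} gives {out_bits} bits, smaller than q ({q_bits} bits)")
    # Read the whole digest as a big-endian integer, then drop the rightmost surplus bits,
    # which leaves exactly the leftmost q_bits bits.
    return int.from_bytes(digest, "big") >> (out_bits - q_bits)


def usable_hashes(q_bits: int) -> list:
    """Hashes whose output is at least as long as q for a key of the given q size."""
    return [h for h in CANDIDATE_HASHES if hashlib.new(h).digest_size * 8 >= q_bits]


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not from the thread
    for key_size, q_bits in DSA_Q_BITS.items():
        print(key_size, "accepts", usable_hashes(q_bits))
    # With a 1024/160 key, SHA-256 is truncated to its first 160 bits (20 bytes).
    z = dsa_hash_value("sha256", 160, msg)
    print("sha256 truncated for q=160 has", z.bit_length(), "significant bits")
```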
Re: Questions about generating keys (hash firewalls)
Oskar L. wrote:
> So if we start with Bob, we need to have 253 more people, to be able to make 253 different pairs of which Bob is part.

We need 22 more people. In a room of 23 people, there are C(23, 2) different pairs, or 253. You should probably refresh your knowledge of combinatorics before talking about the birthday paradox.
Re: Questions about generating keys (hash firewalls)
Robert J. Hansen wrote:
> In a room of 23 people, there are C(23, 2) different pairs, or 253.

D'oh. This will teach me to read things quickly. Oskar was specifically saying pairs of which Bob was a part, not total pairs in the room.

(gets out the brown paper bag)
Re: Questions about generating keys
Date: Fri, 24 Aug 2007 08:58:29 -0400
David Shaw wrote:
> Thanks for checking this. Can you tell me what happens if you import a (GPG created) DSA2 key into PGP? Is PGP then able to verify a DSA2 signature created with GPG?

No problem. PGP Desktop accepts the GPG-created DSA2 key quite happily, and verifies the DSA2 signature made in GPG on a separate key. If I import the secret part of the GPG-created DSA2 key, PGP will also let me sign keys with it in PGP.

Hmm... so PGP _does_ support DSA2 really... (but still won't create DSA2 keys).

> It's reasonably common with this sort of thing to enable reading a new feature before enabling writing it. It's the whole be-liberal-in-what-you-accept thing.

Right you are. And I should have known better than to doubt Mr Hansen.
Re: Questions about generating keys (hash firewalls)
Oskar L. wrote:
> calculators designed to show very large numbers can show the result. Now I compare all the hashes from one picture to all the hashes from the other.

Doing a birthday attack is highly nontrivial. E.g., to do a birthday attack on SHA256 requires a minimum, a _minimum_, of over 10**17 joules to be liberated as heat. That's about as much as you'd get from an entire full-out strategic nuclear exchange between the US and Russia. You're talking global climate change at that point, along with potential mass extinction of humanity. It's not pretty.

> Do hash firewalls have any drawbacks (performance decrease, difficult to implement, patent issues etc.)? What's the reason DSA doesn't have one?

Historical reasons. Nobody ever thought DSA would be used with anything other than SHA-1, so if there's only one approved hash function, there's no need for a hash firewall. DSS explicitly requires SHA-1 as a hash.
Re: Questions about generating keys
Nigel Brown wrote:
> Right you are. And I should have known better than to doubt Mr Hansen.

In fact, I was wrong--I said PGP supported creating DSA2 keys, which apparently it doesn't. I foolishly thought that just because I'd seen PGP support using DSA2 keys, that it meant PGP supported creating DSA2 keys.
Re: Questions about generating keys
Robert J. Hansen wrote:
> This is not my experience. I've received spam addressed to my amateur radio call sign (KC0SJE) at a domain that's not directly associated with me. I don't know how it was discovered, but for right now I'm leaning towards the hypothesis that spammers have made pacts with the Devil and learned dark arts.

My first guess would be that you are in one of your friends' address books, and your friend has spyware that got it.

> If I know that one sort of antispam measure is going to reduce the spam I receive 100-fold over the reduction produced by another antispam measure... and the 100-fold measure takes the same amount of resources as the other one... then why should I ever use the second measure?

If the amount of resources is so small that even combined they are insignificant, then why not use both?

Everyone who gets sent spam isn't on one single list which all the spammers use. Spammers get their addresses in different ways, so different spammers will have different lists. Lists are valuable; you can make money by selling a list of working addresses, so they are not likely freely shared between spammers. The fewer lists you are on, the less spam you will be sent. It's not an all-or-nothing deal. Just because you won't be able to be totally free from spam, is that a good reason to carelessly leave your address all over the Internet?

> I get a 100-fold reduction from X amount of time and labor, or a 101-fold reduction from a 2X amount of time and labor. This is really simple to me; I'm going to take the 100-fold reduction and spend the extra X time goofing off, or visiting my nephews, or grabbing lunch with my sister, or doing thesis research, or...

Yes, it's logical to use the measure(s) that give the best results for your amount of time and effort. It's also logical to use all of the measures that give you or your contacts no inconvenience at all.

> User IDs do not provide any authentication, okay, that much is true. If you want authentication, you're really looking for a trusted signature on the user ID, fine.

You are confusing authenticity and trust. If you visit Bob and he gives you his fingerprint, and when you get home you see that it matches the one on his key, then the key is authenticated. If you now get Mary's key, with a signature from Bob, this does not make Mary's key authenticated! Bob might not know much about security, and have been tricked into signing a false key. He might secretly hate you and have created Mary's key himself. Someone might hold his cat hostage and force him to sign false keys. The point is that even if Bob is your best friend and a security guru who has no cat, his signature is still not a 100% guarantee that the key really belongs to Mary. All the signature provides is various degrees of trust.

> You are apparently not up to date on something called traffic analysis. I suggest you look into it. What you're talking about here is probably a pipe dream.

I have an account on a server run by a trusted party, which has an encrypted connection for accessing e-mail accounts. Most of my friends have accounts on the same server, so our messages to each other never leave the server. Traffic analysis will reveal what time you are active, and how much data you are transferring. The only way to protect against it is to download and upload all the time at a constant rate. Not worth it in my situation.

> 1. Stop posting to crypto mailing lists that keep public archives. Creating an electronic paper trail of yourself saying "I'm concerned about getting raided by the cops, please help me figure out how to protect my electronic privacy" is not a very smart thing to do.

I don't think there's anything wrong with saying that I want to protect my privacy. I think if asked if they care about privacy, most people would answer yes. I have been sent letters by the police on several occasions telling me that my phone has been listened to (by law they have to inform you of this some time after). I had my car confiscated and searched. So if I know they are interested in me, surely the strange thing would be if I did not try to protect my privacy? I never said I was concerned about getting raided, I said if someone else got raided it's not good if they find info about me there.

> 2. Hire an information security professional. GnuPG can be part of a security solution, it can even be a very effective part, but it is not magic fairy dust. You will not find privacy or security just by sprinkling a little magic fairy dust here and there and thinking that it will just work.

Heh, I certainly don't think that only encrypting e-mail and signing backups with GnuPG will somehow make all aspects of my life secure. I don't know how you got this impression. I also use TrueCrypt for whole disk encryption, BCWipe for secure deletion, TOR for anonymity, a good firewall, and all my machines run Linux and my supersecure machine is never connected to the Internet.
Re: Questions about generating keys
Oskar L. wrote:
> My first guess would be that you are in one of your friends' address books, and your friend has spyware that got it.

This is not the case. No one had it except me.

> If the amount of resources is so small that even combined they are insignificant, then why not use both?

Because there is no such thing as an 'insignificant' amount of resources. Everything has a price associated with it. The trick is to get the most bang for your buck.

> > User IDs do not provide any authentication, okay, that much is true. If you want authentication, you're really looking for a trusted signature on the user ID, fine.
>
> You are confusing authenticity and trust.

Please read the manual. I am not confusing the two. Authentication of a user ID is provided by a trusted signature. Period, end of sentence.

> If you visit Bob and he gives you his fingerprint, and when you get home you see that it matches the one on his key, then the key is authenticated.

No. You also have to trust that Bob isn't playing a game with you.

> If you now get Mary's key, with a signature from Bob, this does not make Mary's key authenticated!

Yes. Like I said: you're really looking for a _trusted_ signature. Clearly, in this case you do not trust Bob to make signatures that are in accordance with your security policy.

> point is that even if Bob is your best friend and a security guru who has no cat, his signature is still not a 100% guarantee that the key really belongs to Mary. All the signature provides is various degrees

What world do you live in which offers total assurances of anything other than the inevitability of death and taxes? This is not a game of certainties. Security is a game of probabilities. Anyone who insists on absolutes needs to stop using computers.

> Traffic analysis will reveal what time you are active, and how much data you are transferring.

More importantly in the case you're describing, to whom.
Re: Questions about generating keys
Nigel Brown wrote:
> I should have known better than to doubt Mr Hansen.

Nonsense! Mr. Hansen thrives on being doubted as this is what keeps Him on His toes. :-D *LOL*

Seriously; any time You Question a statement for reasons other than "That's not what I wanted to hear" You should challenge the speaker. :)

JOHN ;)

Timestamp: Friday 24 Aug 2007, 18:56 --400 (Eastern Daylight Time)
Re: Questions about generating keys
Oskar L. wrote:
> Traffic analysis will reveal what time you are active, and how much data you are transferring. The only way to protect against it is to download and upload all the time at a constant rate. Not worth it in my situation.

It will also reveal just who communicates with whom and how often, as well as the amount of data sent. This data, with analysis, is the basis behind targeting where missiles (search warrants) are delivered. Think of it as a blind man locating the hub of a bicycle wheel by feeling the spokes. :-D

JOHN ;)

Timestamp: Friday 24 Aug 2007, 19:03 --400 (Eastern Daylight Time)
Re: Questions about generating keys (hash firewalls)
Oskar L. wrote:
> I only meant to point out that a birthday attack would have a much better chance of finding a collision than a second preimage attack. I'm sorry if I made it sound trivial, I know it's not. I just tried to give an example of how it works that would be easy to understand.

Well, except that your attack isn't a birthday attack. A birthday attack involves making a ton of different messages and checking _all_ messages created to find _any_ collision. Your attack involves taking one particular message and creating permutations of it, one after another, looking for a collision with your particular message.
Re: Questions about generating keys
Robert J. Hansen wrote:
> Because there is no such thing as an 'insignificant' amount of resources. Everything has a price associated with it. The trick is to get the most bang for your buck.

Well, I guess what's insignificant to one person might not be to another. I know some spammers get addresses by scanning common names, so I would get [EMAIL PROTECTED] instead of [EMAIL PROTECTED]. I consider having to type 3 digits more a day to be an insignificant hassle, and well worth the extra security.

Robert J. Hansen wrote:
> > If you visit Bob and he gives you his fingerprint, and when you get home you see that it matches the one on his key, then the key is authenticated.
>
> No. You also have to trust that Bob isn't playing a game with you.

That the key is authentic means that it is the key Bob wanted you to have, and has not been changed in a man-in-the-middle attack or by any other means. That's all. You can be sure of this if the fingerprint matches. You do not need to trust Bob for the key to be authentic. Bob can be the biggest liar in the world; you still have his authentic key. To be secure you also need to trust him. Authentication can exist without trust, and trust can exist without authentication, but only both combined create security.

Think of it this way. Let's say you don't trust Google for some reason. Then you go to https://mail.google.com, and verify that the SSL certificate is correct, so you can be sure you're not on a phishing site. Would you now claim that the site isn't authentic, just because you don't trust Google? Or if you see someone you don't trust, can your eyes then not authenticate to you that the person is who you think they are? Of course they can, because authentication does not require trust; it's security that does.

If you do not trust Bob, you can do gpg --edit-key Bob, then type trust. You will be given these options:

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately

> > If you now get Mary's key, with a signature from Bob, this does not make Mary's key authenticated!
>
> Yes. Like I said: you're really looking for a _trusted_ signature. Clearly, in this case you do not trust Bob to make signatures that are in accordance with your security policy.

Even if we trust Bob completely, his signature would still just add trust to Mary's key, not authentication. We _trust_ that Bob has checked Mary's fingerprint carefully before signing her key; we have not _verified_ that he has.

> What world do you live in which offers total assurances of anything other than the inevitability of death and taxes?

A world in which medical advances will get rid of death and crypto-anarchism will get rid of taxes? But seriously, when it comes to people, trust is the best you can have. You know your friend is able to hit you in the face, but you have good reasons for strongly believing he/she won't. But that's as good as it gets. There's no proof. You can't be 100% sure. Total assurance can be found in mathematics. You don't trust that 5+5=10, you know it.

Oskar
Re: Questions about generating keys (hash firewalls)
> Well, except that your attack isn't a birthday attack. A birthday attack involves making a ton of different messages and checking _all_ messages created to find _any_ collision. Your attack involves taking one particular message and creating permutations of it, one after another, looking for a collision with your particular message.

No, in my example I used two messages (pictures), not one, and created permutations of both, and then compared both groups of hashes against each other.

Oskar
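The counting and probabilities argued over in this thread (the 23-person room, the one-set birthday search versus the two-picture comparison, and why a collision is so much cheaper than a second preimage), as an added example that is not code from any of the posters: it computes C(n, 2), the exact one-set and approximate two-set collision probabilities, the work factors for a b-bit hash, and runs the two-set search against a 16-bit truncation of SHA-256 so the effect is visible in well under a second. The variant generator and the two "pictures" are constructed inputs for the demonstration.

```python
import hashlib
import math


def pairs(n: int) -> int:
    """Distinct pairs among n people (or n candidate messages): C(n, 2)."""
    return math.comb(n, 2)


def p_collision_one_set(n: int, space: int) -> float:
    """Exact probability that n random values from `space` possibilities contain a repeat.
    n = 23, space = 365 is the textbook birthday paradox (about 0.507)."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def p_collision_two_sets(n1: int, n2: int, space: int) -> float:
    """Approximate probability that some value of set 1 equals some value of set 2,
    i.e. the 'permute both pictures, compare the two groups of hashes' search."""
    return 1.0 - math.exp(-n1 * n2 / space)


def expected_work(bits: int) -> dict:
    """Order-of-magnitude trials against a `bits`-bit hash: a collision costs about
    2^(bits/2), a second preimage of a fixed target about 2^bits."""
    return {"collision": 2 ** (bits // 2), "second_preimage": 2 ** bits}


def toy_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its leftmost `bits` bits: a deliberately tiny space so the
    search below finishes instantly (16 bits instead of 256)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def variants(base: bytes, count: int):
    """Constructed 'harmless' variants of one message: trailing whitespace plus a counter."""
    for i in range(count):
        yield base + b" " * (i % 4) + b"#" + str(i).encode()


def find_cross_collision(base_a: bytes, base_b: bytes, bits: int, limit: int):
    """Two-set search: record the toy hashes of `limit` variants of A, then look for a
    variant of B whose hash is already recorded. Returns (variant_a, variant_b) or None."""
    seen = {}
    for va in variants(base_a, limit):
        seen.setdefault(toy_hash(va, bits), va)
    for vb in variants(base_b, limit):
        h = toy_hash(vb, bits)
        if h in seen:
            return seen[h], vb
    return None


if __name__ == "__main__":
    print("pairs in a room of 23:", pairs(23))
    print("P(shared birthday, 23 people):", round(p_collision_one_set(23, 365), 3))
    print("P(cross-collision, 2000 x 2000 variants, 16-bit hash):",
          round(p_collision_two_sets(2000, 2000, 2 ** 16), 6))
    print("work factors for a 256-bit hash:", expected_work(256))
    # Constructed inputs: two different base messages standing in for the two pictures.
    print("16-bit toy collision:", find_cross_collision(b"picture A", b"picture B", 16, 2000))
```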