Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

I think I have the solution, could you confirm it please:

gpg2 --edit-key
commande > addkey
RSA (sign only)

Thanks in advance for your answer.

Best Regards

----- Original Message -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users@gnupg.org
Sent: Thursday 24 September 2009 22h44:01 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

Sorry, but I need more information about it.

I tried this:

gpg2 --edit-key
commande > genkey
=> commande invalide

Maybe you wanted to say addkey? But in this case what choice: RSA (sign only) or RSA (encrypt only)?

Thanks in advance for this information and your answer.

Best Regards

----- Original Message -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users@gnupg.org
Sent: Wednesday 23 September 2009 14h45:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

Many thanks for your answer, I will try it.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Wednesday 23 September 2009 13h36:49 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Is it possible to have the same authentication key on several smartcard ?

On Wed, 23 Sep 2009 11:46, tux.tsn...@free.fr said:

> Is it possible to have the same authentication key on several smartcard ?

Yes. You need to generate the key off-card and then put it onto the card. Use gpg --edit-key and the subcommands genkey and keytocard for this.

> Is it possible to do an authentication key backup when it has been
> generated directly on a smartcard ?

No. An on-card generated key can't be extracted from the card (except for the public part of course).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: choosing an encryption target from a User ID
On Thursday 24 September 2009, Daniel Kahn Gillmor wrote:
> On 09/23/2009 06:04 PM, Ingo Klöcker wrote:
> > I'm pretty sure that this will break horribly as soon as the user
> > ID contains non-ASCII characters (as does my user ID). For exactly
> > this reason I made KMail use the key ID instead of the user ID
> > about 7 years ago.
>
> What makes you think that non-ASCII characters would break a match?
> Presumably, all the tools are passing UTF-8 strings to each other,
> and GPG can easily find a match based on such a string.

Does it also work with keys like 0xCB0D4CAF or 0xAB1BC4E6 created with PGP 6 (or earlier) where the user ID is not UTF-8 encoded? KMail applies some heuristics to guess the correct encoding if UTF-8 doesn't seem to work, but even if KMail guesses wrong and is not able to decode the user ID properly it's still possible to use such a key for encryption.

Moreover, user IDs are not unique while key IDs (usually) are. So if you want to be sure that the correct key is used you cannot use the user ID.

> For example, it certainly works fine from the shell:
>
> 0 d...@pip:~$ echo test | \
> > gpg --encrypt --trust-model always -r 'Ingo Klöcker' | \
> > gpg --list-packets
> :pubkey enc packet: version 3, algo 16, keyid 30CFDDC732319538
>         data: [2047 bits]
>         data: [2048 bits]
> :encrypted data packet:
>         length: 64
>         mdc_method: 2
> gpg: encrypted with 2048-bit ELG-E key, ID 32319538, created
> 2000-10-16 "Ingo Klöcker "
> gpg: decryption failed: secret key not available
> 2 d...@pip:~$

Good to see that it works nowadays for UTF-8 encoded user IDs on systems using a UTF-8 locale.

> > Is enigmail really still using the user ID?
>
> I haven't dug into it deeply, but what i observed from my tests was
> that if i switched the order of keys in my gpg keyring, enigmail
> selected a different key for a recipient who had two keys with
> matching User IDs.
>
> So i suspect that Enigmail is indeed passing the e-mail address at
> least (if not the name) to gpg to select a reasonable key for
> encryption.

Yeah, not very clever if you ask me. But, of course, I'm biased. :-)

Regards,
Ingo
Is it possible to have the same authentication key on several smartcard ?
Hi Werner,

Sorry, but I need more information about it.

I tried this:

gpg2 --edit-key
commande > genkey
=> commande invalide

Maybe you wanted to say addkey? But in this case what choice: RSA (sign only) or RSA (encrypt only)?

Thanks in advance for this information and your answer.

Best Regards

----- Original Message -----
From: "tux tsndcb"
To: "Werner Koch"
Cc: gnupg-users@gnupg.org
Sent: Wednesday 23 September 2009 14h45:37 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Is it possible to have the same authentication key on several smartcard ?

Hi Werner,

Many thanks for your answer, I will try it.

Best Regards

----- Original Message -----
From: "Werner Koch"
To: "tux tsndcb"
Cc: gnupg-users@gnupg.org
Sent: Wednesday 23 September 2009 13h36:49 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: Is it possible to have the same authentication key on several smartcard ?

On Wed, 23 Sep 2009 11:46, tux.tsn...@free.fr said:

> Is it possible to have the same authentication key on several smartcard ?

Yes. You need to generate the key off-card and then put it onto the card. Use gpg --edit-key and the subcommands genkey and keytocard for this.

> Is it possible to do an authentication key backup when it has been
> generated directly on a smartcard ?

No. An on-card generated key can't be extracted from the card (except for the public part of course).

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Two tidbits of potential interest
On Thu, Sep 24, 2009 at 2:21 PM, David Shaw wrote:
> On Sep 24, 2009, at 12:30 PM, M.B.Jr. wrote:
>
>> Hi David,
>>
>> about the first "tidbit":
>>
>> On Tue, Sep 22, 2009 at 6:08 PM, David Shaw wrote:
>>>
>>> First of all, someone has factored a 512-bit RSA key (the one used to
>>> protect a TI programmable calculator, it seems). It took 73 days on a
>>> dual-core 1900Mhz Athlon64. It took just under 5 gigs of storage and
>>> around 2.5 gigs of RAM. In other words: not much at all. It's not some
>>> big distributed project - rather it's a single guy who wanted to factor
>>> it and just left it running in the background for 2 and a half months.
>>> (This is actually a month old - forgot to send it before now).
>>>
>>> http://www.unitedti.org/index.php?showtopic=
>>
>> dummy question:
>>
>> by factoring a public key integer, one can get somehow to its
>> corresponding private key?
>
> Yes, that's exactly what happens. If you factor the public key, you can
> derive the private key.

Is this a generic asymmetric premise?
I mean: is it valid both to the (computational) Mathematics behind OpenPGP's and X.509's public keys' integers?

Marcio Barbado, Jr.
Re: Two tidbits of potential interest
On Sep 24, 2009, at 12:30 PM, M.B.Jr. wrote:

> Hi David,
>
> about the first "tidbit":
>
> On Tue, Sep 22, 2009 at 6:08 PM, David Shaw wrote:
>> First of all, someone has factored a 512-bit RSA key (the one used to
>> protect a TI programmable calculator, it seems). It took 73 days on a
>> dual-core 1900Mhz Athlon64. It took just under 5 gigs of storage and
>> around 2.5 gigs of RAM. In other words: not much at all. It's not some
>> big distributed project - rather it's a single guy who wanted to factor
>> it and just left it running in the background for 2 and a half months.
>> (This is actually a month old - forgot to send it before now).
>>
>> http://www.unitedti.org/index.php?showtopic=
>
> dummy question:
>
> by factoring a public key integer, one can get somehow to its
> corresponding private key?

Yes, that's exactly what happens. If you factor the public key, you can derive the private key.

In the case above, it seems TI was using that 512-bit key to ensure that only TI could generate software images for their calculator. With the key factored, anyone can sign a software image.

David
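
The point of the reply above, worked through for RSA as an added example that is not part of the original thread: once the modulus is factored, the private exponent follows from the public key alone, and signatures made with it verify under the unchanged public key. The toy modulus (two small well-known primes), the message and the unpadded hash-then-sign scheme are constructed for illustration and are assumptions, not TI's or GnuPG's actual format.

```python
import hashlib
from math import gcd

def derive_private_exponent(n, e, p, q):
    """Rebuild the RSA private exponent d from the public key (n, e)
    and the two prime factors p, q of the modulus."""
    if p * q != n:
        raise ValueError("p and q are not the factors of n")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    if gcd(e, lam) != 1:
        raise ValueError("e has no inverse modulo lambda(n)")
    return pow(e, -1, lam)                          # needs Python 3.8+

def digest_as_int(message, n):
    # Textbook simplification: real schemes pad the digest (PKCS#1, PSS).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, n, d):
    return pow(digest_as_int(message, n), d, n)

def verify(message, signature, n, e):
    return pow(signature, e, n) == digest_as_int(message, n)

# Constructed toy key: the Mersenne primes 2^31-1 and 2^61-1 (a 92-bit modulus).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537          # (N, E) is all a verifier ever sees

def signature_from_factors(message):
    """Sign using only the public key plus the factors, then check the
    result the way a verifier holding only (N, E) would."""
    d = derive_private_exponent(N, E, P, Q)
    sig = sign(message, N, d)
    return sig, verify(message, sig, N, E)

if __name__ == "__main__":
    sig, ok = signature_from_factors(b"constructed software image")
    print(hex(sig), ok)
```

The verifier cannot tell such a signature from one made by the original key holder, which is why the size of a code-signing modulus has to stay out of reach of factoring for the whole lifetime of the devices that trust it.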
Re: Two tidbits of potential interest
Hi David,

about the first "tidbit":

On Tue, Sep 22, 2009 at 6:08 PM, David Shaw wrote:
> First of all, someone has factored a 512-bit RSA key (the one used to
> protect a TI programmable calculator, it seems). It took 73 days on a
> dual-core 1900Mhz Athlon64. It took just under 5 gigs of storage and around
> 2.5 gigs of RAM. In other words: not much at all. It's not some big
> distributed project - rather it's a single guy who wanted to factor it and
> just left it running in the background for 2 and a half months. (This is
> actually a month old - forgot to send it before now).
>
> http://www.unitedti.org/index.php?showtopic=

dummy question:

by factoring a public key integer, one can get somehow to its corresponding private key?

Regards,

Marcio Barbado, Jr.
Re: choosing an encryption target from a User ID
On Wed, 23 Sep 2009 19:04, d...@fifthhorseman.net said:

> Has this been made this clear to collaborating MUA/plugin developers? I
> think the "auto select a key" step for MUAs or plugins is often
> implemented as "let gpg pick the key based on the user ID".

I added PGP/MIME crypto to several MUA and as far as I can remember I always used the approach to list all keys and then select the best matching one. Mutt used this even before gpg; in recent code bases grep for crypt_getkeybyaddr.

I have not looked at the enigmail code but I recall that the first PGP/MIME implementation for Mozilla (~2000) worked as I described. Unfortunately they refused this code.

> https://bugs.g10code.com/gnupg/issue1143

Thanks.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
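
The "list all keys and then select the best matching one" approach from this thread, sketched as an added example; it is not code from Mutt, KMail, Enigmail or GnuPG. It parses `gpg --with-colons --list-keys` style output and returns a fingerprint to hand to `-r`; the key listing is constructed, and the ranking policy (usable validity first, then newest key) is an assumption.

```python
import re

# Constructed colon listing: three keys carry the same address.
SAMPLE = """\
pub:e:1024:17:1111111111111111:946684800:1104537600::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::946684800::::Alice Example <alice@example.org>:
pub:m:2048:1:2222222222222222:1199145600:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:m::::1199145600::::Alice Example <alice@example.org>:
sub:m:2048:1:2222222222222229:1199145600::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222229:
pub:f:2048:1:3333333333333333:1253750400:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:f::::1253750400::::Alice Example <alice@example.org>:
uid:r::::1253750400::::Alice Old <alice@old.example>:
"""
# Assumed policy: only ultimate/full/marginal validity is acceptable;
# expired (e), revoked (r), disabled, invalid and unknown are rejected.
RANK = {"u": 3, "f": 2, "m": 1}

def unescape(field):
    # Colon mode C-escapes characters such as ':' (\x3a) in user IDs.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_keys(listing):
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"validity": f[1], "created": int(f[5]),
                         "caps": f[11], "fpr": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]      # later fpr records belong to subkeys
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append((f[1], unescape(f[9])))
    return keys

def select_recipient(listing, address):
    """Return (fingerprint of the best key or None, number of usable matches)."""
    wanted = "<" + address.lower() + ">"
    found = [k for k in parse_keys(listing)
             if k["validity"] in RANK and "E" in k["caps"]  # 'E': key can encrypt
             and any(v in RANK and u.lower().endswith(wanted)
                     for v, u in k["uids"])]
    found.sort(key=lambda k: (RANK[k["validity"]], k["created"]), reverse=True)
    return (found[0]["fpr"] if found else None), len(found)
```

A match count above one is the ambiguity discussed in this thread: the caller can prompt the user or apply its own policy, and in either case passes the fingerprint rather than the user ID to gpg.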