Re: DANE
On Mon, 28 Jul 2014 17:24, enigm...@josuttis.de said:

> Are you or is someone working on DANE support for GnuPG? Any schedule?

We have kind of this for years. There is the original PKA thing which is older than DKIM and there is the flexible kDNS method to locate keys in the DNS. I am not aware of the latest OpenPGP version of DANE but we discussed this here some time ago.

What I do not understand is why SHA-224 is used to map the mail address. This sounds pretty overkill, in particular with OpenPGP which uses SHA-1 a lot. SHA-1 is good enough for such kind of mappings and the resulting name is shorter.

BTW, with DANE we introduce a hierarchical trust model into the decentralized OpenPGP system. It is probably good for a first time contact and to seed a trust on first use database (TOFU [1]) but I doubt that the DNSSEC part is that important. Yes, I am in favor of DNSSEC but it is not the silver bullet to solve the problem of man in the middle attacks.

Shalom-Salam,

   Werner

[1] Trust On First Use or related to your quoting style Text Oben Full-Quote Unten ;-)

--
Thoughts are free. Exceptions are governed by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where to save passphrases?
As much as I'm sure there will be objections to this, I'd like to re-suggest that you utilize the one password for all keyrings method. So long as those keyrings are physically on premises, and you practice good password habits, such as never using your master password for remote services, changing them often, and using a strong password; you should be fine

On Jul 28, 2014 12:57 PM, Heinz Diehl h...@fritha.org wrote:

> On 28.07.2014, Bob (Robert) Cavanaugh wrote:
>
>> It is a pain to re-enter the passphrase, but is required by our threat model.
>
> Maybe a smartcard could be the solution. After you have installed your key on the card, only a numeric PIN is required, which is MUCH easier to enter frequently.
Re: Where to save passphrases?
Hi

On Tuesday 29 July 2014 at 7:31:54 AM, in mid:cacpwn9s9a8y15h6spir1avyjx9cjyu9gy8rsxn17+p2ds-6...@mail.gmail.com, Schlacta, Christ wrote:

> As much as I'm sure there will be objections to this, I'd like to re-suggest that you utilize the one password for all keyrings method. So long as those keyrings are physically on premises, and you practice good password habits, such as never using your master password for remote services, changing them often, and using a strong password; you should be fine.

Do you mean the same password for all private keys? As far as I know, keyrings aren't usually password-protected.

--
Best regards

MFPA    mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Pain is inevitable, but misery is optional.
Re: CRC error
Gnupg-users gnupg-users-boun...@gnupg.org wrote on 07/28/2014 05:33:56 PM:

> - Message from pedro.mar...@ml1.net on Mon, 28 Jul 2014 23:35:19 +0200 -
>
> To: gnupg-users@gnupg.org
> Subject: Re: CRC error
>
> . . . . . . . . .
>
> With this method, the day that you try to decrypt your data you won't need to remember a password.

Except you'll have to repair your private key every time you want to decrypt anything (unless I'm grossly mistaken). When something is decrypted with your public key, you can only decrypt it with the private key.

If you're only encrypting things for long term storage and infrequent access, perhaps this won't be so challenging. But if so, then why not simply store them on some media secured away in something like a safe?

If you will need frequent or even occasional access to the encrypted data, I would think it far easier to learn and remember a password. Or better yet a smartcard with a simple PIN--as has been suggested.
Re: CRC error
On 28/07/14 23:35, pedro.mar...@ml1.net wrote:

> 4) Damage my private key. (Ex: inverse X and X line, Replace X and X characters, etc.)

This is a really, really bad idea. Please don't invent your own crypto. For instance, I only need one seventh of your secret RSA key to fully reconstruct it using the public key I also have!

Looky here at an RSA private key{1}:

    :secret key packet:
        version 4, algo 1, created 1300458324, expires 0
        skey[0]: [2048 bits]
        skey[1]: [17 bits]
        skey[2]: [2046 bits]
        skey[3]: [1024 bits]
        skey[4]: [1024 bits]
        skey[5]: [1024 bits]

I myself can reconstruct your private key if I either have skey[3] or skey[4]. I can decrypt your messages if I just have skey[2]. And I think someone who actually knows his stuff can do it with skey[5]; I might be able too if I read up on the Chinese Remainder Theorem{2}. And I can see whether it worked or not, so I can just take the one you didn't damage.

Again: give me your public key and the 1024 bits of skey[3] and I can compute your private key. Using only a seventh of the whole secret key packet. And this secret key packet isn't even the full secret key that you are wilfully damaging; there are even more packets in there, including completely harmless ones that won't bother an attacker the slightest bit. You might make the attacker laugh, though.

Don't be creative! You need either a good passphrase or good physical protection or both, not some mangling of data.

> Pedro Markov, or not?~

Oh, the suspense! Are you Pedro, or not? Tadadada. ;)

Oh, I see it. The ~ is a logical not, so it's a double inverse, so either you're Pedro or you converted Pedro to a boolean, depending on whether you ask a logician or a C programmer...

HTH,

Peter.

{1} To reproduce: make a test key that you don't password protect. Suppose the key ID of your test key is AB1256CD34, enter the following:

    $ gpg2 --export-secret-key AB1256CD34 | gpg2 --list-packets

But first understand what that command does, because you shouldn't type in commands that strangers tell you to type in.

{2} For context for people who know what I'm talking about but don't know the order of components by heart, the 5 MPI's are, in order: n, e, d, p, q and u (u = p^-1 mod q).

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
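An added example, not part of the message above: the arithmetic behind its point that mangling parts of a secret key protects nothing, because the public key plus one intact prime determines every other secret field and an intact value can be recognised with the public key alone. The key is a constructed toy key built from two small Mersenne primes, and the function names are hypothetical.

```python
# Added illustration with a constructed toy key; far too small for real use.
# Field order follows the listing above: skey[0..5] = n, e, d, p, q, u.
E = 65537

def make_toy_key():
    """Return (n, e, d, p, q, u) for a constructed sample key."""
    p, q = 2**31 - 1, 2**61 - 1            # two known primes, p < q
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent
    u = pow(p, -1, q)                      # u = p^-1 mod q
    return (n, E, d, p, q, u)

def rebuild_from_prime(n, e, prime):
    """Recompute all six fields from the public key and one claimed prime.

    Returns None when the claimed prime does not divide n, which is how an
    altered value is told apart from an intact one.
    """
    if prime <= 1 or prime >= n or n % prime:
        return None
    p, q = sorted((prime, n // prime))     # keep the p < q convention
    d = pow(e, -1, (p - 1) * (q - 1))
    u = pow(p, -1, q)
    return (n, e, d, p, q, u)

def recover(n, e, candidates):
    """Try each candidate prime read from a mangled file; one hit suffices."""
    for cand in candidates:
        key = rebuild_from_prime(n, e, cand)
        if key is not None:
            return key
    return None

def d_is_intact(n, e, d_cand, probe=0x1234567):
    """Check a claimed private exponent using only the public key."""
    return pow(pow(probe, e, n), d_cand, n) == probe

if __name__ == "__main__":
    key = make_toy_key()
    n, e, d, p, q, u = key
    # Constructed "damage": p and d altered, q left untouched.
    mangled_p, mangled_d = p ^ 0xFF, d + 2
    print("full key rebuilt from q alone:", recover(n, e, [mangled_p, q]) == key)
    print("mangled d accepted:", d_is_intact(n, e, mangled_d))
    print("original d accepted:", d_is_intact(n, e, d))
```

The same arithmetic applies at 2048 bits; only the size of the numbers changes, which is why the advice in the message is a passphrase or physical protection rather than edits to the key file.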
crypto code of conduct (Crypto-Knigge)
Hello,

I would like to abuse this list for something IMHO important though slightly off-topic...

I think we (and we is the Internet users not just those who write on gnupg-users...) are missing a culture of secured communication (which can mean encrypted, signed or anonymous or a combination of that) and that an accepted (by those who write on gnupg-users ;-) ) code of conduct (my German term: Crypto-Knigge) would be quite useful to get there (or at least nearer).

I am not talking about technical recommendations but about organizational (behaviour / attitude) recommendations. It's not the reason for the selection but I assume that it's easier to get a consensus in that area... :-)

I have written a draft for that. And now it's getting even more off-topic: It's in German; thus this mainly addresses the German speaking (i.e. understanding) people on this list who might be interested in contributing:

http://www.crypto-fuer-alle.de/crypto-knigge/

https://translate.google.de/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.crypto-fuer-alle.de%2Fcrypto-knigge%2F&edit-text=

The idea is not OpenPGP- / GnuPG-specific but for obvious reasons my view is... But if there is enough interest from people who don't understand German then I would try to make a good translation.

I wrote it in German because (a) most of my crypto-related articles are in German and (b) something big (compared to former crypto stuff affecting the general public) is going to happen in Germany later this year which could help a lot to make this more common.

Hauke

--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: CRC error
On 07/29/2014 08:24 PM, pedro.mar...@ml1.net wrote:

On 07/29/2014 12:44 AM, flapflap wrote:

pedro.mar...@ml1.net:

You lost me with the emails stuff. ( i don't know what do they have to do in this topic) What I'm saying it is pretty easy, I'm bad with passwords, so i rather damage the key than remember a password. After the answers that people gave me, i improved so much my method, so this is a step by step.

1) Create keypair, and give some hint in the comment, so you don't forget it for example what was your first girlfriends name? or some silly question. (This is just for extra protection. You could even write the real password on the comment but be aware that this will be public on your public key)
2) Export the public and secure key.
3) Remove the keys from keyring, and re-import the public key.
4) Damage my private key. (Ex: inverse X and X line, Replace X and X characters, etc.)
5) Encrypt everything that you have to encrypt with the public key, you can even make it Public.

With this method, the day that you try to decrypt your data you won't need to remember a password. Also, if some Mallory gets in to your computer/server/whatever even if he gets a copy of your private key he won't be able to load it and try to use Brute force on it. He will need to repair the key before ( and good luck for that )

I'm pretty sure (though more knowledgeable people should comment on this to clarify) that the changes/damaging you do (basically symmetric operations via you keyboard) are much weaker than real cryptographic operations.

GnuPG - if you specify a passphrase - stores the secret key encrypted. If an attacker gets his/her hands on the secret key, s/he can do nothing with it. So GnuPG already does what you need/want. I understand that you don't like to remember the passphrase, but it's less secure and convenient to manually fuddle with the keyfile (which is also some kind of passphrase, but much weaker than using GnuPG).

Are you aware of https://xkcd.com/936/ ? It should be pretty easy to get to an easy-to-remember passphrase, just think of some strange situation/image/... that's worth to remember. E.g. eleven camels climb on mt. everest for skiing (don't use that one of course as it's public now)

Note. I think that for extra security i will generate the keys in a usb stick that i'll overwrite with zeros after corrupting the private key. This will prevent some smart mallory from using software as testdisk to recover deleted data.

Caution! https://tails.boum.org/doc/encryption_and_privacy/secure_deletion/index.en.html#index2h1

Logically overwriting contents on a flash drive does not necessarily overwrite the data on the physical medium. Flash drives use wear-leveling algorithms that map the logical to physical addresses, to limit the damages/wear-out due to writing the same physical locations too often. So if you overwrite a logical address, your written data actually goes to another physical cell and the old data is still there. An attacker that just unsolders the flash ICs could read the entire physical data, including what's not visible from the logical/software layer.

~flapflap

This was very interesting, thanks for the information, i didn't know it!
Re: CRC error
¯¯\\---/¯¯ ßå-ßå-ßå-ßî$ÞÎN!

On 07/29/2014 08:47 PM, pedro.mar...@ml1.net wrote:

On 07/29/2014 07:02 PM, Peter Lebbing wrote:

On 28/07/14 23:35, pedro.mar...@ml1.net wrote:

4) Damage my private key. (Ex: inverse X and X line, Replace X and X characters, etc.)

This is a really, really bad idea. Please don't invent your own crypto. For instance, I only need one seventh of your secret RSA key to fully reconstruct it using the public key I also have!

Looky here at an RSA private key{1}:

    :secret key packet:
        version 4, algo 1, created 1300458324, expires 0
        skey[0]: [2048 bits]
        skey[1]: [17 bits]
        skey[2]: [2046 bits]
        skey[3]: [1024 bits]
        skey[4]: [1024 bits]
        skey[5]: [1024 bits]

I myself can reconstruct your private key if I either have skey[3] or skey[4]. I can decrypt your messages if I just have skey[2]. And I think someone who actually knows his stuff can do it with skey[5]; I might be able too if I read up on the Chinese Remainder Theorem{2}. And I can see whether it worked or not, so I can just take the one you didn't damage.

Again: give me your public key and the 1024 bits of skey[3] and I can compute your private key. Using only a seventh of the whole secret key packet. And this secret key packet isn't even the full secret key that you are wilfully damaging; there are even more packets in there, including completely harmless ones that won't bother an attacker the slightest bit. You might make the attacker laugh, though.

Don't be creative! You need either a good passphrase or good physical protection or both, not some mangling of data.

I wasn't aware of this, thanks for the info! (i made good to ask here before doing creative stuff.. haha )

Pedro Markov, or not?~

Oh, the suspense! Are you Pedro, or not? Tadadada. ;)

Oh, I see it. The ~ is a logical not, so it's a double inverse, so either you're Pedro or you converted Pedro to a boolean, depending on whether you ask a logician or a C programmer...

This one was funny!, should i respond or let the suspense? xD

I 13iu1ccy 81i5 c, 9 ausi 4o uyi8on uro7r1mm9n7 1n4 21s8 so i85 3omm5ni w1s 6unny :) T89s 19n'i my r51c n1m5, 9 ausi 4on'i c9b5 my n1m5 1n4 5m19c io 25 uu2c9s8 ov5r i85 uu2c93 9ni5rn5i 2531us5 i85 m19c9n7 c9sis :)

HTH,

Peter.

{1} To reproduce: make a test key that you don't password protect. Suppose the key ID of your test key is AB1256CD34, enter the following:

    $ gpg2 --export-secret-key AB1256CD34 | gpg2 --list-packets

But first understand what that command does, because you shouldn't type in commands that strangers tell you to type in.

{2} For context for people who know what I'm talking about but don't know the order of components by heart, the 5 MPI's are, in order: n, e, d, p, q and u (u = p^-1 mod q).

I'll really check this its seems pretty interesting
Re: crypto code of conduct (Crypto-Knigge)
On 07/29/2014 01:35 PM, Hauke Laging wrote:

> Hello,
>
> I would like to abuse this list for something IMHO important though slightly off-topic...
>
> I think we (and we is the Internet users not just those who write on gnupg-users...) are missing a culture of secured communication (which can mean encrypted, signed or anonymous or a combination of that) and that an accepted (by those who write on gnupg-users ;-) ) code of conduct (my German term: Crypto-Knigge) would be quite useful to get there (or at least nearer).
>
> I am not talking about technical recommendations but about organizational (behaviour / attitude) recommendations. It's not the reason for the selection but I assume that it's easier to get a consensus in that area... :-)
>
> I have written a draft for that. And now it's getting even more off-topic: It's in German; thus this mainly addresses the German speaking (i.e. understanding) people on this list who might be interested in contributing:
>
> http://www.crypto-fuer-alle.de/crypto-knigge/
>
> https://translate.google.de/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.crypto-fuer-alle.de%2Fcrypto-knigge%2F&edit-text=
>
> The idea is not OpenPGP- / GnuPG-specific but for obvious reasons my view is... But if there is enough interest from people who don't understand German then I would try to make a good translation.

Please :) The Google translation is quite coherent, but then I don't know German.

> I wrote it in German because (a) most of my crypto-related articles are in German and (b) something big (compared to former crypto stuff affecting the general public) is going to happen in Germany later this year which could help a lot to make this more common.

Are you looking for comments?

> Hauke
Re: crypto code of conduct (Crypto-Knigge)
On Tue 29.07.2014, 14:04:13, Mirimir wrote:

> Are you looking for comments?

Sure but not on this list; I don't want it to be flooded by an OT discussion. Those who want to contribute should send me an email. Depending on the number of people I would move that to a dedicated mailing list or something more suitable.

Hauke

--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
Re: crypto code of conduct (Crypto-Knigge)
On Tue 29.07.2014, 21:25:07, Smith, Cathy wrote:

> Hi
>
> If you've posted here, are you trying to determine the level of interest out-side of the German-speaking community?

Both communities because they would require different reactions by me.

Hauke

--
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
RE: crypto code of conduct (Crypto-Knigge)
Hi

If you've posted here, are you trying to determine the level of interest out-side of the German-speaking community? I certainly would be interested in reading an English translation.

Regards,
Cathy

---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.sm...@pnnl.gov

-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Hauke Laging
Sent: Tuesday, July 29, 2014 12:36 PM
To: gnupg-users@gnupg.org
Subject: crypto code of conduct (Crypto-Knigge)

> Hello,
>
> I would like to abuse this list for something IMHO important though slightly off-topic...
>
> I think we (and we is the Internet users not just those who write on gnupg-users...) are missing a culture of secured communication (which can mean encrypted, signed or anonymous or a combination of that) and that an accepted (by those who write on gnupg-users ;-) ) code of conduct (my German term: Crypto-Knigge) would be quite useful to get there (or at least nearer).
>
> I am not talking about technical recommendations but about organizational (behaviour / attitude) recommendations. It's not the reason for the selection but I assume that it's easier to get a consensus in that area... :-)
>
> I have written a draft for that. And now it's getting even more off-topic: It's in German; thus this mainly addresses the German speaking (i.e. understanding) people on this list who might be interested in contributing:
>
> http://www.crypto-fuer-alle.de/crypto-knigge/
>
> https://translate.google.de/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.crypto-fuer-alle.de%2Fcrypto-knigge%2F&edit-text=
>
> The idea is not OpenPGP- / GnuPG-specific but for obvious reasons my view is... But if there is enough interest from people who don't understand German then I would try to make a good translation.
>
> I wrote it in German because (a) most of my crypto-related articles are in German and (b) something big (compared to former crypto stuff affecting the general public) is going to happen in Germany later this year which could help a lot to make this more common.
>
> Hauke
>
> --
> Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
> http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
> OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5