Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Peter Lebbing 
On 25/12/15 06:19, Ineiev wrote:
> I assume the amount of entropy is what really matters. for instance,
> if on every next step you are free to choose any of 4 random words
> taken from 6-word dictionary, you may put it in a grammatically
> correct form[*], then you must get a certain entropy per step.

Yes, however, this characterization seems mathematically incorrect.
Let's assume one in four words in the dictionary fits the grammar. I
hope this concurs broadly with what you assumed. Rather than pick four
random words of the full list, and then pick one of those, you pick one
out of a quarter of the wordlist size.

So that's 2 bits per word you're losing, a lot more than if you were
free to pick one of four random words. And there is a lot more structure
to the sentence given by Matthias than just its grammatical soundness.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread malte 
It's about the randomness/unpredictability/entropy of the passphrase.

There are less grammatically correct sentences with 4 words than there
are combinations of 4 words in total.

So, yes, you can take a sentence that makes sense, but then the whole
passphrase has to be longer. There is an estimate of 1.5 bit of entropy
per character in natural language. So if you want a passphrase with 60
bits of entropy, it would need to be 40 characters long. You could reach
the same strength with 10 random characters (alphanumeric with upper and
lower case).

In the end it depends what you can remember better and what you can type
faster.


Sincerely,

Malte

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Johan Wevers 
On 24-12-2015 17:02, Matthias Apitz wrote:

> I do not fully understand why some 4 random words like 
> 
>   Correct, horse! Battery staple!
> 
> is a better passphrase like, for example 
> 
>   Und allein dieser Mangel und nichts anderes führte zum Tod.

I do know that using accented characters might get you into trouble on
some keyboards. I remember working somewhere where German keyboards were
used but the driver for them was loaded after login. We had to tell the
people not to use a z or y in the password to limit the amount of "I
can't login" calls to the IT department.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: self signing the pub key

2015-12-25 Thread Ingo Klöcker 
On Friday 25 December 2015 18:41:30 Matthias Apitz wrote:
> Hello,
> 
> I read that I should self-sign my pub key, but when I do this after
> creation, it says:
> 
> $ LANG=C gpg2 --sign-key Matthias
> 
> pub  rsa2048/AA1EF4741F9046D4
>  created: 2015-12-25  expires: never   usage: SC
>  trust: ultimate  validity: ultimate
> sub  rsa2048/D6AD2EFF41863FE4
>  created: 2015-12-25  expires: never   usage: E
> [ultimate] (1). Matthias Apitz (GnuPG v2) 
> 
> "Matthias Apitz (GnuPG v2) " was already signed by key
> AA1EF4741F9046D4 Nothing to sign with key AA1EF4741F9046D4
> 
> Key not changed so no update needed.
> 
> What I do wrong?

You didn't do anything wrong. When you create a new key it is automatically 
self-signed. A long time ago this was not necessarily the case. Today the 
above advice is still correct, but probably no longer necessary.


Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Lachlan Gunn 
I'm a big fan of that list, and for some time I've been meaning to generate
a tweaked version that uses binary numbering, having recently needed to
generate a passphrase without a dice to hand. Using a coin and rejection
sampling isn't too hard, but it's rather annoying to have to throw away 20%
of digits.

Thanks,
Lachlan
Le 25 déc. 2015 17:16,  a écrit :

> If you want a simple random list, look at diceware:
>
> http://world.std.com/~reinhold/diceware.html
>
> Both the page and the diceware lists are available in many languages,
> including German
>
>
> vedaal
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: MIT Tech Review on user error

2015-12-25 Thread Johan Wevers 
On 17-12-2015 21:29, Robert J. Hansen wrote:

> http://www.technologyreview.com/news/544516/user-error-compromises-many-encrypted-communication-apps/

Signal assumes TOFU, and warns if the key is changed. That can have a
ligitimate reason (new installation), or indicate an attempted mitm
attack. Which one it is can not be determined in the application itself.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

self signing the pub key

2015-12-25 Thread Matthias Apitz 

Hello,

I read that I should self-sign my pub key, but when I do this after
creation, it says:

$ LANG=C gpg2 --sign-key Matthias

pub  rsa2048/AA1EF4741F9046D4
 created: 2015-12-25  expires: never   usage: SC  
 trust: ultimate  validity: ultimate
sub  rsa2048/D6AD2EFF41863FE4
 created: 2015-12-25  expires: never   usage: E   
[ultimate] (1). Matthias Apitz (GnuPG v2) 

"Matthias Apitz (GnuPG v2) " was already signed by key 
AA1EF4741F9046D4
Nothing to sign with key AA1EF4741F9046D4

Key not changed so no update needed.

What I do wrong?

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎ 
+49-176-38902045

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Ingo Klöcker 
On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote:
> Hello,
> 
> I do not fully understand why some 4 random words like
> 
>   Correct, horse! Battery staple!
> 
> is a better passphrase like, for example
> 
>   Und allein dieser Mangel und nichts anderes führte zum Tod.
> 
> i.e. some phrasing which could be memorized better?

The second sentence is found by search engines (2 hits in DuckDuckGo). Don't 
use it or any other phrase that's has been published on the internet. A phrase 
of 4 random words has a high probability that it has not been published on the 
internet (or anywhere else). The tricky part is that you must never put your 
4-random-words phrase into a search engine to check this.

Instead of using a 4-random-words phrase you can use a proper sentence with 
equivalent entropy provided that you do not use a sentence that has been 
published anywhere. Come up with your own sentence. Ideally come up with a 
sentence that doesn't make any sense like "The horse was correct. You cannot 
staple batteries." This phrase might be easier to remember and has a similar 
entropy as the above mentioned 4-random-words phrase.


Regards,
Ingo


signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Ineiev 
On Fri, Dec 25, 2015 at 10:57:06AM +0100, Peter Lebbing wrote:
> On 25/12/15 06:19, Ineiev wrote:
> Let's assume one in four words in the dictionary fits the grammar. I
> hope this concurs broadly with what you assumed. Rather than pick four
> random words of the full list, and then pick one of those, you pick one
> out of a quarter of the wordlist size.

Agreed.

> So that's 2 bits per word you're losing, a lot more than if you were
> free to pick one of four random words.

6/4 is more than 13 bits; 2 bits is not a lot compared to 13,
but the result may be much easier to remember.

> And there is a lot more structure
> to the sentence given by Matthias than just its grammatical soundness.

I see; it's a different issue.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread Matthias Apitz 
El día Friday, December 25, 2015 a las 06:50:07PM +0100, Ingo Klöcker escribió:

> > Und allein dieser Mangel und nichts anderes führte zum Tod.
> > 
> > i.e. some phrasing which could be memorized better?
> 
> The second sentence is found by search engines (2 hits in DuckDuckGo). Don't 
> use it or any other phrase that's has been published on the internet. A 
> phrase 
> of 4 random words has a high probability that it has not been published on 
> the 
> internet (or anywhere else). The tricky part is that you must never put your 
> 4-random-words phrase into a search engine to check this.
> 
> Instead of using a 4-random-words phrase you can use a proper sentence with 
> equivalent entropy provided that you do not use a sentence that has been 
> published anywhere. Come up with your own sentence. Ideally come up with a 
> sentence that doesn't make any sense like "The horse was correct. You cannot 
> staple batteries." This phrase might be easier to remember and has a similar 
> entropy as the above mentioned 4-random-words phrase.

Ofc, I would not have used this phrase, which is part of my signature :-)
This was only an example. I'd have used something from a book or
poem which was written before Internet-times and perhaps never published
afterwards.

Thanks for all hints in this thread.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de,  http://www.unixarea.de/  ☎ 
+49-176-38902045
«(über die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes 
führte zum Tod.
Und wer da nicht trauert, hat kein Herz, und wer da nicht neu anpackt, hat auch 
keins verdient.»
«(sobre la RDA)... Y solo esta escasez (de socialismo) y no otra cosa, le llevó 
a la muerte.
Y quien no está de luto, no tiene corazón, y quien no se lanza a luchar de 
nuevo, no se merece
corazón.», junge Welt del 3 de octubre 2015, p. 11

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread vedaal 
If you want a simple random list, look at diceware:

http://world.std.com/~reinhold/diceware.html

Both the page and the diceware lists are available in many languages,
including German
vedaal
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread gnupg 
Matthias Apitz wrote:

> El día Friday, December 25, 2015 a las 06:50:07PM +0100, Ingo Klöcker 
> escribió:
> 
> > >   Und allein dieser Mangel und nichts anderes führte zum Tod.
> > > 
> > > i.e. some phrasing which could be memorized better?
> > 
> > The second sentence is found by search engines (2 hits in DuckDuckGo). 
> > Don't 
> > use it or any other phrase that's has been published on the internet. A 
> > phrase 
> > of 4 random words has a high probability that it has not been published on 
> > the 
> > internet (or anywhere else). The tricky part is that you must never put 
> > your 
> > 4-random-words phrase into a search engine to check this.
> > 
> > Instead of using a 4-random-words phrase you can use a proper sentence with 
> > equivalent entropy provided that you do not use a sentence that has been 
> > published anywhere. Come up with your own sentence. Ideally come up with a 
> > sentence that doesn't make any sense like "The horse was correct. You 
> > cannot 
> > staple batteries." This phrase might be easier to remember and has a 
> > similar 
> > entropy as the above mentioned 4-random-words phrase.
> 
> Ofc, I would not have used this phrase, which is part of my signature :-)
> This was only an example. I'd have used something from a book or
> poem which was written before Internet-times and perhaps never published
> afterwards.

that's no good. if it's been published ever, then google has probably
obtained a copy and digitized it and re-published it at books.google.com.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!'

2015-12-25 Thread malte 
Hi,

do you have an estimate on the number of unique sentences published on
the Internet?


Sincerely,

Malte

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users