Re: New smart card / token alternative

2017-11-06 Thread Seby
Hello,


"Tim Steiner"  wrote:

We have been working on a project to build a direct interface for PGP/GPG
usage using U2F for web apps and browser extensions. This is similar to
existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP
message, or send this message, or open this file, or sign this file, but I
don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it
works even on a computer where you can't install software -
https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

Tim Steiner
CISSP-ISSAP, C|EH, OSCP, PMP
Email: t...@crp.to
CryptoTrust | crp.to


Your product provides a false sense of security. Educating users that it is
somehow safe is a terrible mistake. Telling users it is safe to plug in any
computer and encrypt/decrypt stuff is a terrible idea.

How was your budget distributed? What hardware and firmware do you use, and what
security audit have you done?

Even if the things in the second paragraph are fixed, the first paragraph still
stands.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-06 Thread Ryan Beethe
Hi Sander,

I also was frustrated with how GPG pinentry worked by default.  In
particular, I *almost* always want to use the ncurses pinentry, unless
through a key shortcut my window manager tries to call gpg (for my
password manager).  But if I want to encrypt a file with mutt, I don't
want a popup!  I hate popups!

What I did was write a custom pinentry wrapper, which I call rpinentry.
It just dispatches either the curses-based pinentry or a gui pinentry
based on the environment variable PINENTRY_USER_DATA which is read by
gpg and passed to the pinentry program, for jobs like this:

#!/bin/sh

# Note: /bin/sh is often dash, whose test builtin only knows "=" (not "==").
if [ "$PINENTRY_USER_DATA" = "terminal" ] ; then
    # always use the terminal if one is handy
    /usr/bin/pinentry-curses
else
    # otherwise DISPLAY info is passed on command line, just forward it
    /usr/bin/pinentry-qt "$@"
fi

Then in ~/.gnupg/gpg-agent.conf I set it to be my default pinentry
program:

pinentry-program /path/to/rpinentry

In my ~/.bashrc I have the following two lines:

export PINENTRY_USER_DATA="terminal"
export GPG_TTY=$(tty)

Then in the config file for my window manager, I have the equivalent of:

export PINENTRY_USER_DATA=qt

So this covers all of my bases.  If I do something that calls GPG from a
terminal, I get a curses-based pinentry prompt, because each individual
terminal has PINENTRY_USER_DATA set to "terminal" and GPG_TTY set
properly as soon as it is opened, thanks to my ~/.bashrc.

If my window manager does something which calls GPG (just my password
manager, really), then when the window manager spawns gpg it passes
PINENTRY_USER_DATA set to "qt" and I get a gui popup.

I think my setup might be almost a drop-in fix for your gpg-over-ssh
issue, although you will have to figure out where to set the environment
variable for your particular window manager.

Ryan

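A slightly more general dispatcher along the same lines, as an added example and not Ryan's own rpinentry: it keeps his rule that an explicit PINENTRY_USER_DATA wins, but when the variable is unset it also falls back to the curses pinentry whenever there is no DISPLAY (the plain-SSH case), and it falls back to the terminal pinentry if the GUI binary is missing. The binary paths and the RPINENTRY_* names are assumptions for the example.

```shell
#!/bin/sh
# Added example of a pinentry dispatcher in the spirit of rpinentry.
# Install it under the name "rpinentry", point gpg-agent.conf at it
# (pinentry-program /path/to/rpinentry) and set PINENTRY_USER_DATA as
# described above; when the file is merely sourced, only the functions
# are defined and nothing is executed.

# Assumed install paths; override via the environment if yours differ.
PINENTRY_TTY=${PINENTRY_TTY:-/usr/bin/pinentry-curses}
PINENTRY_GUI=${PINENTRY_GUI:-/usr/bin/pinentry-qt}

# select_pinentry <PINENTRY_USER_DATA value> <DISPLAY value>
# Prints "tty" or "gui".  Rules, in order:
#   1. an explicit "terminal" or "qt" in PINENTRY_USER_DATA wins;
#   2. without a DISPLAY a GUI pinentry has nothing to draw on, so use tty
#      (this is the gpg-over-ssh case where a popup on someone else's
#      X session is exactly what you do not want);
#   3. otherwise use the GUI.
select_pinentry() {
    user_data=$1
    display=$2
    case "$user_data" in
        terminal) echo tty ;;
        qt)       echo gui ;;
        *)
            if [ -z "$display" ]; then
                echo tty
            else
                echo gui
            fi
            ;;
    esac
}

# resolve_pinentry <PINENTRY_USER_DATA value> <DISPLAY value>
# Turns the tty/gui decision into a binary path, falling back to the
# curses pinentry when the GUI one is not installed or not executable.
resolve_pinentry() {
    case "$(select_pinentry "$1" "$2")" in
        gui)
            if [ -x "$PINENTRY_GUI" ]; then
                echo "$PINENTRY_GUI"
            else
                echo "$PINENTRY_TTY"
            fi
            ;;
        *)
            echo "$PINENTRY_TTY"
            ;;
    esac
}

# Dispatch only when invoked under the installed name, forwarding the
# arguments gpg-agent passed (e.g. --display) to the chosen pinentry.
case "${0##*/}" in
    rpinentry)
        exec "$(resolve_pinentry "${PINENTRY_USER_DATA:-}" "${DISPLAY:-}")" "$@"
        ;;
esac
```

The fallback on a missing DISPLAY does not replace `gpg-connect-agent updatestartuptty /bye`: gpg-agent still has to know which tty to hand the pinentry, so the wrapper only decides which program runs, not where the agent thinks you are sitting.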


GnuPGv2 & 'pinentry' on Linux w/ remote access

2017-11-06 Thread Sander Smeenk via Gnupg-users
Hi!

Some time ago in March I was asking about the way the pinentry works and
I have not yet been able to get this working properly.

I have this vim macro that automatically decrypts and encrypts files
named .gpg. I use this in a terminal through SSH on my server and it
basically pipes a buffer through 'gpg -qd' and 'gpg -ae'.

Recently upgraded that server, and now this does not work anymore.
GPG just exits stating 'No secret key' while running that exact
command on the shell pops up the pinentry thingy and works fine.

Another situation (still) is my PC at work. It has my X session running
mostly always. I access it through SSH too with the same user account
and like to work there, but I can't do anything with GPG on a remotely
connected shell to this machine: The pinentry will consistently pop up
on the X display on that machine instead of the controlling tty (my ssh)
requesting the decryption.

I've had varying success with exporting GPG_TTY and updatestartuptty,
usually having to restart gpg-agent. To try and keep this workable I
ended up wrapping gpg in a script that sets GPG_TTY, kills all
gpg-agent, starts it, runs gpg...

Then when a tool is not using the wrapper this results in pinentry
plopping up on terminals where I did not expect them, but it is the
terminal I last used the wrapper in.

It's rather cumbersome and very dodgy at least. How do others deal with
this? Or is everyone using GPG solely in GUI environments nowadays? ;)

Any insights welcome!
Sorry for the ranty mail.
I'm a nice guy. Really.

Rgds,
Sndr.
-- 
| Rookworst zonder 'r' is ook worst!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: New smart card / token alternative

2017-11-06 Thread vedaal


On 11/6/2017 at 4:55 PM, "Tim Steiner"  wrote:

We have been working on a project to build a direct interface for PGP/GPG 
usage using U2F for web apps and browser extensions. This is similar to 
existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP 
message, or send this message, or open this file, or sign this file, but I 
don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works 
even on a computer where you can't install software - 
https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=

Using this on anything except your own computer, or laptop, is problematic, 
as the 'host' computer can have a key-logger or screen capturer, and copy the 
decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor which uses GnuPG ?

(The 'insecure' browser on Tails not involving Tor, is a Firefox variant.
If it can work on that, then booting from the Tails USB avoids a
screencapturer, and using an on-screen keyboard avoids a hardware keyboard
logger.)

But even so, there are problems with using it on an 'unknown' computer :

https://tails.boum.org/doc/about/warning/index.en.html#index2h1


vedaal




New smart card / token alternative

2017-11-06 Thread Tim Steiner
We have been working on a project to build a direct interface for PGP/GPG usage 
using U2F for web apps and browser extensions. This is similar to existing 
smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP 
message, or send this message, or open this file, or sign this file, but I 
don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works 
even on a computer where you can't install software - 
https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

Tim Steiner
CISSP-ISSAP, C|EH, OSCP, PMP
Email: t...@crp.to
CryptoTrust | crp.to
