Re: Updating of Keys

2020-05-11 Thread Michał Górny via Gnupg-users
On Mon, 11.05.2020 at 17:22 -0700, Mark wrote:
> Kind of a stupid question here about updating your keys. I'm curious as
> to what changes would require you to re-upload it to a keyserver.
> 
> I assume updating the passphrase would not because that is tied to the
> private key but does it change anything in the public key where that
> might require it to be updated?

No, this does not change anything about the public key.

> How about changing the expiration date of the primary and secondary
> keys? I assume that would need to be updated on the keyserver.

Yes, that adds new signatures to the key that need to be uploaded for
new expiration dates to be seen by other people.

> Which then brings me to another question, what happens when you
> re-upload your key to a keyserver. Does it overwrite the older one or ??

This depends on the keyserver implementation.  Generally, the new key
gets merged into the old one.  Sometimes the stale data is cleaned up,
sometimes it remains.  The same happens when you fetch an updated key
from the keyserver.

-- 
Best regards,
Michał Górny



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Fwd: The GnuPR FAQ

2020-05-11 Thread raf via Gnupg-users
vedaal via Gnupg-users wrote:

> On 5/11/2020 at 6:15 PM, "Robert J. Hansen"  wrote:
> >
> >This arrived in my inbox: I'm presenting it here without comment.  My
> >response will be following in a moment.
> >
> >
> > Forwarded Message 
> >Subject: The GnuPR FAQ
> >Date: Mon, 11 May 2020 14:19:07 -0600
> >From: James Long 
> >To: r...@sixdemonbag.org
> -
> >You've advised people to use a HORRIBLE practice of using 
> >dictionary words solely for their password. I tested this theory myself back 
> >in the day, so I can 100% guaranty you of this fact: A brute force 
> >dictionary based attack can crack a password like that in LESS THAN 5 
> >minutes!! 
> 
> =
> How many words were in your passphrase??
> 
> Here is some data on the Diceware list:
> https://theworld.com/~reinhold/diceware.html
> 
> The Diceware list has only 7776 words.   A complete dictionary has almost 2 
> orders of magnitude more.
> 
> "Webster's Third New International Dictionary, Unabridged, together with its 
> 1993 Addenda Section, includes some 470,000 entries. The Oxford English 
> Dictionary, Second Edition, reports that it includes a similar number."
> https://www.merriam-webster.com/help/faq-how-many-english-words
> 
> 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg 
> session key for older defaults of CAST-5)
> (  7776^10 = 8.08×10^38,  2^128 = 3.40×10^38  )
> 
> 20 Diceware words  provides a greater Brute Force space, than 2^256
> (  7776^20 = 6.53×10^77,  2^256 = 1.157×10^77  )
> 
> Even using only English words greater than 5 letters and unrelated to each 
> other, an extremely low-bound estimate, would be 77760 words. (in reality, 
> far greater, but let's use an example people would agree on).
> 
> So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 
> 1.336×10³⁹, still greater than a 2^128 Brute Force Space.
> 
> So, not only is it NOT *horrible* advice, it should be enough for anyone's 
> threat model.

I can only assume that James must have thought that a
*single* dictionary word was what was meant, not a large
number of randomly-chosen dictionary words. I love
diceware passwords. Sometimes you even get lucky and
generate a funny one.

> vedaal
> 

Re: Comparison of RSA vs elliptical keys

2020-05-11 Thread Pete Stephenson via Gnupg-users
On Mon, May 11, 2020, at 5:15 PM, Mark wrote:
> I'm trying to understand the differences in strength between an RSA key
> and an elliptical one such as ed25519 with cv25519. I know with RSA it is
> pretty easy to "gauge" the strength 1024 vs 2048 vs 4096. 
> 
> I could not really find anything to say how strong these elliptical keys
> are and how they compare to RSA ones. 

Good question! Broadly, and with several assumptions, elliptic curves have the 
same security level as symmetric (e.g., AES) keys that are half the elliptic 
key's length. See https://en.m.wikipedia.org/wiki/Key_size and the references 
therein as a starting point. 

For example, a 256 bit elliptic curve key has a similar strength to a symmetric 
key of 128 bits.

Due to various reasons, not all ECC keys are powers of 2 in length. For 
example, NIST P-521 is 521 bits long rather than 512 bits, and has equivalent 
security to a 256 bit symmetric key. 

Cheers! 
-Pete

-- 
Pete Stephenson


Updating of Keys

2020-05-11 Thread Mark
Kind of a stupid question here about updating your keys. I'm curious as
to what changes would require you to re-upload it to a keyserver.

I assume updating the passphrase would not because that is tied to the
private key but does it change anything in the public key where that
might require it to be updated?

How about changing the expiration date of the primary and secondary
keys? I assume that would need to be updated on the keyserver.


Which then brings me to another question, what happens when you
re-upload your key to a keyserver. Does it overwrite the older one or ??


Thanks



Comparison of RSA vs elliptical keys

2020-05-11 Thread Mark
I'm trying to understand the differences in strength between an RSA key
and an elliptical one such as ed25519 with cv25519. I know with RSA it is
pretty easy to "gauge" the strength 1024 vs 2048 vs 4096. 

I could not really find anything to say how strong these elliptical keys
are and how they compare to RSA ones. 


Thanks



Re: Fwd: The GnuPR FAQ

2020-05-11 Thread vedaal via Gnupg-users
On 5/11/2020 at 6:15 PM, "Robert J. Hansen"  wrote:
>
>This arrived in my inbox: I'm presenting it here without comment.  My
>response will be following in a moment.
>
>
> Forwarded Message 
>Subject: The GnuPR FAQ
>Date: Mon, 11 May 2020 14:19:07 -0600
>From: James Long 
>To: r...@sixdemonbag.org
-
>You've advised people to use a HORRIBLE practice of using 
>dictionary words solely for their password. I tested this theory myself back 
>in the day, so I can 100% guaranty you of this fact: A brute force 
>dictionary based attack can crack a password like that in LESS THAN 5 
>minutes!! 

=
How many words were in your passphrase??

Here is some data on the Diceware list:
https://theworld.com/~reinhold/diceware.html

The Diceware list has only 7776 words.   A complete dictionary has almost 2 
orders of magnitude more.

"Webster's Third New International Dictionary, Unabridged, together with its 
1993 Addenda Section, includes some 470,000 entries. The Oxford English 
Dictionary, Second Edition, reports that it includes a similar number."
https://www.merriam-webster.com/help/faq-how-many-english-words

10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg 
session key for older defaults of CAST-5)
(  7776^10 = 8.08×10^38,  2^128 = 3.40×10^38  )

20 Diceware words  provides a greater Brute Force space, than 2^256
(  7776^20 = 6.53×10^77,  2^256 = 1.157×10^77  )

Even using only English words greater than 5 letters and unrelated to each 
other, an extremely low-bound estimate, would be 77760 words. (in reality, far 
greater, but let's use an example people would agree on).

So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³⁹, 
still greater than a 2^128 Brute Force Space.

So, not only is it NOT *horrible* advice, it should be enough for anyone's 
threat model.


vedaal




Re: The GnuPR FAQ

2020-05-11 Thread Robert J. Hansen
> This was back in the Pentium II days!! Processors these days could
> likely crack a dictionary based password in a matter of seconds. 

Tell you what: try it.  :)

If you choose only from the thousand most-common English words (a
keyspace of about 2^10), a six-word passphrase gives a work factor of
2^60.  The key derivation function means you're spending at least 2^-10
seconds for each attempt, which means you've got 50/50 odds of breaking
the passphrase after 2^49 seconds -- or about 18 million years.

A four-word passphrase could be broken after 2^29 seconds, or about 17
years.

It's parallelizable, of course, if you want to rent out 18 million AWS
instances.  But at present, the sense of the community is that the FAQ
advice, which gives people between 17 years and 18 million years of
resistance to a brute-force attack, is sufficient.

> I'm sorry, but that particular bit of advice is terrible and needs to be
> changed.

I have forwarded your criticism on to the community and invited them to
give their own feedback.  The FAQ is the collective opinion of the
community, not just myself -- all I do is write the thing.  If the
community concurs with your sentiments, I'll change the text.

> If you guys accept public assistance, I could go through the
> instruction / FAQ pages for you, update them, then submit them to you
> for approval.

We welcome any useful contributions.  :)
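
Added example, not part of any message in this thread: the keyspace and work-factor arithmetic from vedaal's and Robert J. Hansen's replies, worked in Python with exact integers. It assumes every word is drawn uniformly at random, uses 1024 for the "about 2^10" word list and the quoted 2^-10 seconds per guess; the function names are illustrative.

```python
import math
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600
KDF_SECONDS = Fraction(1, 2**10)   # per-guess cost quoted in the thread (2^-10 s)

def passphrase_bits(wordlist_size, n_words):
    """Entropy in bits, assuming each word is drawn uniformly at random."""
    return n_words * math.log2(wordlist_size)

def words_needed(wordlist_size, key_bits):
    """Smallest word count whose search space exceeds 2**key_bits (exact integers)."""
    n = 1
    while wordlist_size ** n <= 2 ** key_bits:
        n += 1
    return n

def median_crack_seconds(wordlist_size, n_words, per_guess=KDF_SECONDS, workers=1):
    """Seconds to cover half the space, i.e. 50/50 odds of a hit."""
    guesses = Fraction(wordlist_size ** n_words, 2)
    return float(guesses * per_guess / workers)

def years(seconds):
    return seconds / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Figures taken from the messages above; 1024 stands in for "about 2^10" words.
    for size, bits in ((7776, 128), (7776, 256), (77760, 128)):
        n = words_needed(size, bits)
        print(f"{size}-word list: {n} words ({passphrase_bits(size, n):.1f} bits) > 2^{bits}")
    for n in (4, 6):
        print(f"{n} words from 1024: {years(median_crack_seconds(1024, n)):,.0f} years")
    print(f"6 words, 18 million workers: "
          f"{years(median_crack_seconds(1024, 6, workers=18_000_000)):.2f} years")
    # A single word from a 470,000-entry dictionary falls in minutes.
    print(f"1 word from 470,000: {median_crack_seconds(470_000, 1):.0f} seconds")
```

These figures hold only for words picked by a uniform random process such as dice; a phrase a person makes up has far less entropy than its word count suggests.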



Fwd: The GnuPR FAQ

2020-05-11 Thread Robert J. Hansen
This arrived in my inbox: I'm presenting it here without comment.  My
response will be following in a moment.


 Forwarded Message 
Subject:The GnuPR FAQ
Date:   Mon, 11 May 2020 14:19:07 -0600
From:   James Long 
To: r...@sixdemonbag.org



Greetings!

I'm just getting started on a write-up with instructions explaining how
to use all of the new options in GnuPG to set it up in the various email
clients and browsers.

I noticed on this page:
https://www.gnupg.org/faq/gnupg-faq.html 
You've advised people to use a HORRIBLE practice of using dictionary
words solely for their password. I tested this theory myself back in the
day, so I can 100% guaranty you of this fact: A brute force dictionary
based attack can crack a password like that in LESS THAN 5 minutes!! I
once stretched that out to 20 minutes by cleverly picking words that I
already knew were at the opposite ends of the dictionary.

This was back in the Pentium II days!! Processors these days could
likely crack a dictionary based password in a matter of seconds. 

I'm sorry, but that particular bit of advice is terrible and needs to be
changed. If you guys accept public assistance, I could go through the
instruction / FAQ pages for you, update them, then submit them to you
for approval.

Since I'm already writing updated instructions anyway. ;) 
 - James T. Long


There are 10 kinds of people in the world - those who understand binary,
and those who don't.
