Re: How secure asymmetric encryption to yourself?

2009-02-24 Thread Chris Poole

Thanks for the reply.

I now feel a little safer doing what I'm doing :)


> PS: IMHO there are more usable ways of managing one's passwords than
> storing them in a GnuPG file (although much can be accomplished by
> wrapping access to that file through a number of shell scripts, I
> assume).


Yes, I wrote some quick scripts to move the encrypted file to a tmpfs
area (i.e., stored in RAM), then decrypt it. So the actual passwords
should be in RAM only, not on disk. I then remove it with secure rm, just
in case.


I have looked for free software password managers (that are ideally  
cross platform as I use Mac OS X as well as Linux), but can't find one  
that is used enough for me to think it safe. Some of them just get in  
my way too; I store my passwords as a CSV file, so it's easy to import  
to a new password manager too if I want to try something new.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: How secure asymmetric encryption to yourself?

2009-02-24 Thread Chris Poole

> Consider keepassx


Yes I have used this before; I may give it another go.

Thanks.



RE: How secure asymmetric encryption to yourself?

2009-02-24 Thread i...@ushills.co.uk
Consider keepassx from www.keepassx.org; it is cross-platform (Mac, Windows and
Linux) and open source. Fully compatible with www.keepass.info.

I have used it for a few years and it is also available on WM5 and as a 
portable app for use when out and about.



How secure asymmetric encryption to yourself?

2009-02-23 Thread Chris Poole

Hi,
I am using GnuPG to encrypt a plain text file of my passwords.

How secure is it to use my own public key as the encryption method  
(rather than symmetric), given that the password file is stored on the  
same drive as my public and private keys?


Thanks.



Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread gerry_lowry (alliston ontario canada)
a paranoid's answer to your question:

your passphrase is also required ... so my best guess is that you are more or 
less safe;
others on this list would know better than myself.

Here's the paranoid part:  if your system became compromised with a keylogger,
you could be vulnerable to having your passphrase stolen.

More paranoia:  when you're viewing your file as plain text which you must do
to read its contents (unless you're superhuman), your text is at least
temporarily vulnerable.

a paranoid's solution:  have a second computer, even a small pocket something
or other that supports PGP/GPG technology and also is NEVER connected to the
rest of the connected world; keep your secured information on the second
computer only; external backups excluded (you can never have too much backup;
some backup is better than none).

Regards,
Gerry (Lowry)



Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread Sven Radde
Hi!

Chris Poole wrote:
> How secure is it to use my own public key as the encryption method
> (rather than symmetric), given that the password file is stored on the
> same drive as my public and private keys?
The simple answer is: It doesn't matter, both methods are equally secure
(with the security determined primarily by the strength of your passphrase).

The asymmetric approach could have its advantages, because I can imagine
some scenarios where an attacker might obtain the encrypted data and the
passphrase but would be unable to get access to the secret key file
(e.g., because it is not a file but rather in a smartcard or because the
private key is on offline media at the time of compromise of the data).

Not having the private key leaves an attacker with the requirement to
either brute-force the symmetric session key or crack the public key to
obtain the secret key. Both things are supposed to be infeasible given
GnuPG's algorithms/keylengths and the current state of cryptanalysis.

However, there is the risk that a cryptanalytical advancement would
allow easy breaking of asymmetric keys which could enable an attacker to
fully bypass your passphrase by cracking the public key (thereby getting
the private key and thereby decrypting the data). IMHO, this risk is
negligible and if it happens anyway, people would probably have nastier
things to do than cracking specifically *your* key (e.g. forging SSL
certificates of banks etc)...

On the other hand, asymmetric has one disadvantage: The private key file
is something that must be stored as safe as the encrypted data. (I mean
backups etc.) No matter whether you know the passphrase, if the private
key file is deleted, you won't get your data back!

As a side note: Is it possible to find out a public key just from looking
at data encrypted to that public key? (Assume the key is not on a
keyserver, of course.)
If the public key could also be hidden from an attacker (e.g. the
attacker has just the encrypted data file and the passphrase), it would
leave brute-forcing of the symmetric algorithm as the only attack
option... Plausible scenarios for this are more difficult to imagine,
though.

cu, Sven

PS: IMHO there are more usable ways of managing one's passwords than
storing them in a GnuPG file (although much can be accomplished by
wrapping access to that file through a number of shell scripts, I assume).



Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread vedaal
> Date: Mon, 23 Feb 2009 11:36:49 -0500
> From: gerry_lowry (alliston ontario canada)
>    gerry.lo...@abilitybusinesscomputerservices.com
> Subject: Re: How secure asymmetric encryption to yourself?
>
> a paranoid's answer to your question:
>
> More paranoia:  when you're viewing your file as plain text which
> you must do to read its contents
> (unless you're superhuman),

well,
in case anyone is paranoid about superhumans,
here is a spoof i wrote about 
clairvoyancy decryption of pgp messages ;-))

http://www.angelfire.com/pr/pgpf/fdca.pdf


vedaal

any ads or links below this message are added by hushmail without 
my endorsement or awareness of the nature of the link





Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread gerry_lowry (alliston ontario canada)
Sven Radde wrote, in part:

> ... there are more usable ways of managing one's passwords
> than storing them in a GnuPG file.

I'm curious what more usable ways there are that Sven and others
can recommend.

I'm also unsure what Sven apparently means by more usable?
(While they need to be decrypted, one would only occasionally need to
decrypt them because for most of the time, until forgotten, those
passwords that one uses frequently reside in one's biological memory.)

I guess one downside of the GnuPG file is that if one
loses her/his private key or forgets her/his passphrase,
then the passwords in the GnuPG file will be secure forever
or at least until she/he acquires her/his quantum computer in the future.

regards, gerry



Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread Robert J. Hansen

> I'm curious what more usable ways there are that Sven and others
> can recommend.


I'm fond of writing down my passwords on the back of a business card  
and keeping it in my wallet.  For the overwhelming majority of these  
passwords, the site's most confidential information of mine they  
possess is my credit card number.  But if my wallet gets stolen or  
goes missing, I'm going to cancel my credit cards anyway.


Likewise, you can say, but you might leave your wallet on your desk,  
and a co-worker could steal those passwords.  Sure.  They could also  
steal my credit card number, driver's license information, voter  
registration ID, or all manner of other things more important than my  
passwords.


This takes care of 90% of all my logins, meaning I can much more  
easily memorize those few high-value, high-secrecy passwords.   
Memorizing three unique passwords is doable; memorizing thirty unique  
ones isn't.



> I'm also unsure what Sven apparently means by more usable?


Unlike your solution, my solution works when I'm on the road and  
logging on from a coffeeshop's web kiosk.  I don't need to install  
anything.  Open up my wallet, fish out the list, and there it is.


The moral of this story is simple -- don't make things more  
complicated than you have to.







Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread Charly Avital
Robert J. Hansen wrote the following on 2/23/09 1:42 PM:

> [...]
> Open up my wallet, fish out the list, and there it is.
>
> The moral of this story is simple -- don't make things more
> complicated than you have to.

Robert, from the bottom of my heart, thank you!

Charly



Re: Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread Sven Radde
Hi!

gerry_lowry (alliston ontario canada) wrote:
> Sven Radde wrote, in part:
>
>> ... there are more usable ways of managing one's passwords
>> than storing them in a GnuPG file.
>
> I'm curious what more usable ways there are that Sven and others
> can recommend.

/First of all, @Listowner: Let me know if this should be taken off-list
because it's too OT.../

I mean tools like Keepass/KeepassX, PasswordSafe, or similar (even the
Firefox password manager can encrypt stored passwords with 3DES and a
master password). I also mean a Truecrypt volume or loopback container
for storing the password file. For Linux, encfs or ecryptfs come to
mind, too.

The reasons are as follows: With GnuPG, you have encrypted one file. To
be secure, you must now delete the original copy, which is not easy in
itself, although recent research [1] seems to show that a single
overwrite is sufficient for secure wiping. Didn't we have a discussion
about secure deletion not too long ago?

Now, to access your encrypted passwords, you need to decrypt the file,
resulting in an unencrypted version of it on your drive. When you are
done, you have to securely delete it again. If you have modified the
file, you have to remember to encrypt it between having saved the
changes and deleting it.

Of course, you can set the thing up in a way that the unencrypted file
is written to a RAM-only disk, but keep hibernation and swapfile issues
in mind.

You can also have GnuPG output the data to the console only, if you just
have to read a password (I have no idea if there are possibilities that
console output find its way into logfiles or similar, though). Depending
on the size of your password file, you have quite a number of lines
written to the console where you have to find the password that you need
for the moment. If you'd format the file like:
    purpose1 - password1
    purpose2 - password2
you could do something like gpg --decrypt passwords.gpg | grep purpose2 to
find the password you need.

As mentioned, some shellscripts could automate the process (create a
ramfs mountpoint, decrypt the password file to there, grep it to find a
desired password, or launch a text editor, re-encrypt the file after the
editor closes, unmount the ramfs).

KeepassX, e.g., supports organizing your password file into groups,
adding metadata such as URLs to the passwords, comfortable hotkeys,
integrated random password generator, password entropy estimation etc.
The main difference, though, is the transparent way to access your
passwords (this is also true for Truecrypt and the other mentioned
encrypting filesystems): Enter the master-password, work with the
password file(s), lock the storage again. Done. No unencrypted copy on
disk, ever (apart from the abovementioned swapfile and hibernation).

Given these tools I also disagree with the notion that frequently used
passwords reside in one's memory (although I remember quite some
passwords, myself). Password-reuse is one of the greatest problems with
passwords (and, btw, becomes quite infeasible once you have to deal with
varying complexity-policies, different expiration-intervals etc) and
passwords you have to remember tend, in general, to be weaker than those
that you don't have to remember.
With Keepass, you can have a different 20-character pseudo-random
password for every stupid web forum (not to mention the more important
things). It just doesn't matter whether your password is 123 or
las2ieu7hxalm5iuemalie if it's just pressing Ctrl-Shift-A to
auto-type username and password into the login form.

I do not mean to endorse specific pieces of software here, nor do I mean
to belittle GnuPG. But I think you need the right tool for the right task.
And GnuPG IMHO has its strengths not in providing protection to
frequently accessed (and modified) files.
If you need to archive a backup copy of your passwords on a remote
server, that's a wholly different issue, though. GnuPG will do an
excellent job there and digital signatures are even a bonus.

cu, Sven

[1] http://www.springerlink.com/content/408263ql11460147/ --
unfortunately only the abstract is free for general access
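The ramfs-and-grep workflow Sven sketches above, and the tmpfs scripts Chris Poole describes in his reply, as an added shell example that is not code from the thread. It assumes Linux with a usable GnuPG private key, sudo rights for the tmpfs mount, and the one-entry-per-line "purpose - password" layout from the post; PW_FILE and MNT are placeholder names. Lookups decrypt to stdout only (gpg --decrypt; a bare "gpg passwords.gpg" would write a plaintext file beside the ciphertext), and a tmpfs is used only for edits.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a "purpose - password" line
# layout, a usable GnuPG private key, and sudo rights to mount a tmpfs.
# PW_FILE and MNT are placeholders; override them in the environment.
PW_FILE="${PW_FILE:-$HOME/passwords.gpg}"
MNT="${MNT:-$HOME/pwram}"

# match_entry PURPOSE: read "purpose - password" lines on stdin and print the
# password whose purpose equals PURPOSE exactly. Splitting on the first " - "
# keeps passwords that themselves contain " - ", and the exact comparison
# avoids the substring surprise of plain grep ("mail" also hitting "gmail").
# Exits 1 when nothing matched.
match_entry() {
    awk -v want="$1" '
        { i = index($0, " - ")
          if (i && substr($0, 1, i - 1) == want) { print substr($0, i + 3); found = 1 } }
        END { exit found ? 0 : 1 }'
}

# lookup PURPOSE: decrypt to stdout only and pipe into match_entry, so the
# plaintext never becomes a file on disk.
lookup() {
    gpg --quiet --batch --decrypt "$PW_FILE" | match_entry "$1"
}

# edit: decrypt into a freshly mounted tmpfs, open an editor, re-encrypt to
# our own key and unmount on exit, so no plaintext copy is left on disk.
# Swap and hibernation images are outside what this script can control.
edit() {
    mkdir -p "$MNT" || return 1
    sudo mount -t tmpfs -o size=1m,mode=0700,uid="$(id -u)" tmpfs "$MNT" || return 1
    trap 'sudo umount "$MNT"' EXIT
    umask 077
    gpg --quiet --batch --decrypt "$PW_FILE" > "$MNT/passwords.txt" || return 1
    "${EDITOR:-vi}" "$MNT/passwords.txt" || return 1
    gpg --quiet --batch --yes --default-recipient-self --encrypt \
        --output "$PW_FILE" "$MNT/passwords.txt"
}

# usage: ./pw.sh lookup purpose2   or   ./pw.sh edit
case "${1:-}" in
    lookup) lookup "$2" ;;
    edit)   edit ;;
esac
```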



Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread Michel Messerschmidt
On Mon, Feb 23, 2009 at 01:42:32PM -0500, Robert J. Hansen wrote:
> Open up my wallet, fish out the list, and there it is.

Although I think this is one of the most secure but usable places, what if
a real life phisher gets your wallet?
No problem to cancel credit cards. But are you able to reset all those
login passwords? Probably by using answers that either anybody knows or 
that you can't remember? Will you even remember all your logins? Before 
they are abused?


> The moral of this story is simple -- don't make things more complicated
> than you have to.

But don't forget the backup.





Re: How secure asymmetric encryption to yourself?

2009-02-23 Thread David Shaw
On Mon, Feb 23, 2009 at 01:15:58PM -0500, gerry_lowry (alliston ontario canada) 
wrote:
> Sven Radde wrote, in part:
>
>> ... there are more usable ways of managing one's passwords
>> than storing them in a GnuPG file.
>
> I'm curious what more usable ways there are that Sven and others
> can recommend.

If you're already carrying around a PDA or smartphone, try:

http://linkesoft.com/secret/palm.html
http://agilewebsolutions.com/products/iphone

(etc - there are at least half a dozen others depending on what PDA or
smartphone you have)

These are more usable as you always (as per the first statement) have
your PDA/smartphone with you, so you don't need access to any other
hardware or software to get your passwords.  They're searchable, and
can be backed up.

It's a reasonable question, of course, how secure these are.
Obviously their authors claim they are very secure.  Neither publish
source, but the 1Password people have a design document which
(assuming they followed it) shows them avoiding a lot of the common
mistakes people make when implementing this sort of thing (notably,
they were smart enough to not write their own crypto).

In practice, for me, it doesn't matter all that much.  Certainly they
are at least secure against casual snooping, which is all I need them
for.

David



Re: How secure asymmetric encryption to yourself?

2009-02-20 Thread Chris Poole

Yes, this is correct, and what I thought would be the answer.

I was just concerned that an attacker (say, a thief that steals my  
laptop), would have both my secret key and something encrypted with  
that secret key.


I wasn't sure if this would somehow reduce the effectiveness of the  
encryption (even though I use a good passphrase).




How secure asymmetric encryption to yourself?

2009-02-17 Thread Chris Poole

Hi,
I am using GnuPG to encrypt a plain text file of my passwords.

How secure is it to use my own public key as the encryption method  
(rather than symmetric), given that the password file is stored on the  
same drive as my public and private keys?


Thanks.



Re: How secure asymmetric encryption to yourself?

2009-02-17 Thread David Shaw

On Feb 17, 2009, at 10:15 AM, Chris Poole wrote:


> Hi,
> I am using GnuPG to encrypt a plain text file of my passwords.
>
> How secure is it to use my own public key as the encryption method
> (rather than symmetric), given that the password file is stored on
> the same drive as my public and private keys?


Let me make sure I understand the question - you are storing the
(encrypted) password file on the same drive as your public and secret
keys and you want to know if it makes a difference whether you use
public key or symmetric encryption for encrypting that password file?


No, it doesn't matter either way.

If you use symmetric encryption, you are relying on a passphrase to  
keep your encrypted password file safe.  If you use public key  
(asymmetric) encryption, you are relying on your secret key to keep  
your encrypted password file safe but you are relying on a  
passphrase to keep your secret key safe.  Either way, you have a  
passphrase to protect.


David
