Re: symmetric email encryption
On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote: On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote: A factor of two is immense to you...? Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference. Old Hell's Angels saying, 3 people can keep a secret if two of them are dead. Not a very sophisticated bunch but.. Often attributed to Benjamin Franklin. -- Mark H. Wood, Lead System Programmer mw...@iupui.edu Machines should not be friendly. Machines should be obedient. signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Mon, Jul 21, 2014 at 09:12:36AM -0400, Mark H. Wood wrote: On Sat, Jul 19, 2014 at 05:46:02PM -0700, Bob Holtzman wrote: On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote: A factor of two is immense to you...? Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference. Old Hell's Angels saying, 3 people can keep a secret if two of them are dead. Not a very sophisticated bunch but.. Often attributed to Benjamin Franklin. Wow! Didn't know he was a h.a. or that he could ride. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Bob Holtzman A man is a man who will fight with a sword or tackle Mt Everest in snow, but the bravest of all owns a '34 Ford and tries for 6000 in low. signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 18 July 2014 at 8:23:08 PM, in mid:20140718192308.47a05a0...@smtp.hushmail.com, ved...@nym.hush.com wrote: The only annoyance with this type of approach, is that it needs a separate passphrase for each correspondent, How? Running gpg --symmetric test.txt only gives me the opportunity to enter one passphrase for the encryption. Hushmail has a one-way variant of this approach. [snipped] The receiver gets a message that an encrypted e-mail has been sent, and is directed to the Hushmail server where the sender's question is asked, and the receiver has 3 chances to provide the correct answer. A correct answer decrypts the symmetrically encrypted e-mail and the plaintext is displayed on the Hushmail server. The e-mail is removed from the server after 72 hours. It is a good idea to tell the recipient in advance. Otherwise they just see yet another unsolicited email suggesting to follow a link or visit an unfamiliar website. - -- Best regards MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net Don't cry because it is over - smile because it happened -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlPKgS5XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pXkgD/j3s56ApdFNwcjFY3SREkocyGxXGDtONA8Z4 nYeO60nOP3w95+p9t49aBfKxNTjoaix3MwlAzSbvtr8JU+0ZoiAZ6Kmlg88eLYYm Zbt2eQqIpqwPhZjBCe9p2ZyTKW5gBnVSbYIZpB7Wj5fle+RoRpJHMMogjmhakdlc YGmDRaVH =8lgV -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Saturday 19 July 2014 at 4:41:10 AM, in mid:53c9e8d6.4010...@riseup.net, Mirimir wrote: I just emailed that to myself using Thunderbird + Enigmail in Ubuntu. I was prompted for a password, and foo decrypted the symmetrically encrypted block. I did a similar thing and my email program prompted me to Input OpenPGP key passphrase for unknown recipient. Mine decrypted OK, as well. If I encrypt it to my key as well as to a passphrase, it does not list unknown recipient among the passphrase entry options, but does encrypt with the test passphrase as well as with my key. As an aside, the gui frontend I use for key management has a current window or clipboard encrypt function, which allows to add symmetrical by ticking a box (and prompting to enter the passphrase twice). - -- Best regards MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net She looked like butter wouldn't melt in her mouth - or anywhere else. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlPKht5XFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pR+oD/jOiZ9BXJ8AuOrFkVU90FU+OaXAcr3Oq5lwv ThRMsX7YqXGntJ4etopopt90yPc93iDLpIJJpFjtS4uYbdEN4IozyJQiBUeeERHL 70ziw6aOpo78XykP6TuplNxpZ+1DlAP1LsAN8iXs1ei5Zne/I3dmcKNbqLzhbvtL hfypitfs =C7J1 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Friday 18 July 2014 at 11:34:19 PM, in mid:1460534.5jfkcsu...@thufir.ingo-kloecker.de, Ingo Klöcker wrote: Sure. But the NSA already knows the correspondents of all of our mail anyway. Keyserver lookups do not add any additional data (except of the information that you are trying to look up a key resp. that you are talking to a keyserver). Time of use is a big piece of information that a keyserver lookup could add. And, maybe, IP address, operating system, software... Good point. Automatic decryption should be possible for those that want it. My scheme is mostly meant as in-transit encryption which again is way better than our current status quo. And the choice whether to store their emails encrypted or decrypted. Storing decrypted could be an issue, especially if the emails are stored on a server rather than the user's machine. Peter Lebbing wrote: An e-mail system with a default big usability issue will get swapped out for a more pleasant to use one. It might, but Outlook is in widespread use despite major usability issues. Peter Lebbing wrote: Finally, I think people might take issue with their e-mail address automatically being posted to a public keyserver. A certain minority would take exception to this, including myself. It is less of a problem for me with the automatic upload of just a single email address per key and no name/identity information. How exactly does one harvest email addresses from the keyservers? Can I ask keyservers to give me all keys it has in storage? Or do I need to search for keys matching a certain substring? I honestly don't know. Anyway, if this really becomes a problem than key lookup probably needs to be made as inconvenient as trying to send email probes to randomly generated email addresses. Isn't key lookup already more inconvenient than randomly generating email addresses? Or have I missed something? For my scheme to work the keyservers would only need to return keys where the email address part of a uid exactly matches the recipient's email address. The email address could be hashed in the key UID that's automatically uploaded... Moreover, for my scheme to work no key certification is necessary, i.e. crawling from one key to the next via certification signatures wouldn't be possible. Some people have specific use cases where key certification is needed. But most email communication doesn't have a way of being sure who controls the address. The scheme has more issues: For example, there's no message integrity protection (via signing) whatsoever. There's no reason not to have it. - -- Best regards MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net Live your life as though every day it was your last. -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlPKlAZXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pFTIEAJ1acb0+CvHLkAuCtqnTed1L6v8xsvbvbNXz TS8oaZ7cCzBo9PK3nllDl1AM/qw4tpopLpwNH5H3ByjrzrPZjyonV8bSZoyFffwd U+hhSeaPEFI5Ox5pAdtnb3Mu0troNatcnKAdbgdykMlwsyEy0ez48qWeudlRy0Nr xiBR99za =wmKi -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
A factor of two is immense to you...? Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Saturday 19 July 2014 03:46:56 Hauke Laging wrote: I guess this discussion does not go well because of a misunderstanding or wrong expectations. You and Ingo are talking about real crypto issues. Actually, concerning your proposal, I'm more talking about usability. To encrypt a message using your proposal the sender needs to * write the message, * tell his mail client that he wants to encrypt the message, * come up with and enter the password that should be used for encrypting the message, (- minor inconvenience) * tell the recipient the password, (- major inconvenience) * and, finally, send the message. That's three more steps than for sending an unencrypted message. And for one of those steps a completely different communication channel needs to be used. This is so inconvenient that I cannot see this helping our cause. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Saturday 19 July 2014 04:37:56 Hauke Laging wrote: Am Sa 19.07.2014, 01:42:19 schrieb Ingo Klöcker: Since you are also using KMail I invite you to test whether KMail is able to decrypt symmetrically encrypted OpenPGP/MIME messages out-of-the-box. It might just work, but I'm too lazy and too tired to test this right now. It does work. It seems not to work with Thunderbird/Enigmail though. But maybe I have done something wrong. The Enigmail console output looks good to me... I have prepared a mail file for those who want to give this a try: http://www.crypto-fuer-alle.de/docs/mail-symmetric/mail.cr-lf.eml Thanks for testing (also to Mirimir and MFPA). And what's your threat model, i.e. what do you want to achieve by your symmetric email encryption scheme? Same answer: This is for users who don't need any threat model consideration. Huh? Why would those users want to encrypt a message if they don't have a threat in mind? I'm not replying to anything else because I think I have nothing more to add. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Sa 19.07.2014, 22:37:24 schrieb Ingo Klöcker: And what's your threat model, i.e. what do you want to achieve by your symmetric email encryption scheme? Same answer: This is for users who don't need any threat model consideration. Huh? Why would those users want to encrypt a message if they don't have a threat in mind? I guess the typical case would be that either the sender or the recipient wants the communication encrypted (probably uses real crypto himself) and would use symmetric encryption as the fastest and easiest way to enable the other one to do that (or the only way the other party accepts at that moment). Furthermore: Usually when people start using a new tool or new technology they don't use it right. Probably at least 90% of the OpenPGP users use OpenPGP in a way I would not consider good. They do it because it's OK for them. They probably haven't put much consideration into that – as you have to know a lot about the area to make these considerations. Noone cares about that with normal crypto. Why should this be a hard criterion in this case? I haven't seen the new Enigmail 1.7 yet but the default settings of 1.6 are a nightmare. GPGTools takes worst practice to a new level by doing the same like Enigmail – but without the (easy to find?) option to change it. And even more showing off on the bad side: Certifying keys *without* showing the fingerprint! GnuPG doesn't tell you at which (maximum) level a certain key has been signed. There is no transparency in authenticity, no transparency in key security (part of that: no transparency about PC security, see (German) http://www.crypto-fuer-alle.de/wishlist/securitylevel/), no trancparency in key usage, the current WoT is crap because it offers nearly none of the information you need... That is the current crypto reality. And people are talking about security problems and thread models for symmetric encryption, fighting for good crypto usage? Really? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
I guess the typical case would be that either the sender or the recipient wants the communication encrypted (probably uses real crypto himself) and would use symmetric encryption as the fastest and easiest way to enable the other one to do that (or the only way the other party accepts at that moment). When technically savvy people make guesses about the typical use case, we are usually wrong on levels we don't even imagine. This is why real usability studies with real users are essential. At any rate, no one is telling you that you can't do this. All you've heard is that you've not convinced other people to implement it for you. The GnuPG and Enigmail sources are both freely available: start hacking. If you're right and people start using this in droves, I'll cheerfully be the first one to admit I was wrong. With this, I'm out of this thread. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Sat, Jul 19, 2014 at 01:55:45PM -0400, Robert J. Hansen wrote: A factor of two is immense to you...? Yes. A secret that only I know I can keep; a secret known to two people can only be kept for a while. Yes, that's an immense difference. Old Hell's Angels saying, 3 people can keep a secret if two of them are dead. Not a very sophisticated bunch but.. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Bob Holtzman A man is a man who will fight with a sword or tackle Mt Everest in snow, but the bravest of all owns a '34 Ford and tries for 6000 in low. signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Evaluate http://bitmail.sf.net Am 18.07.2014 02:04 schrieb Hauke Laging mailinglis...@hauke-laging.de: Hello, is there any OpenPGP mail client which supports symmetric encryption? I think that would be a nice feature for recipients who don't have an asymmetric key (those 99%). Many new communication systems have a fallback option for symmetric encryption in case the preferred way is unavailable. And, quite important: It would not require serious development effort as this possibility is built-in with GnuPGP. Anyone using Linux (and a mail client with OpenPGP support) could use that directly. The others would just have to install e.g. Gpg4win and Enigmail but would not have to configure it. Is there any reason *not* to support symmetric-only encryption in a mail client? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Friday 18 July 2014 02:03:24 Hauke Laging wrote: Hello, is there any OpenPGP mail client which supports symmetric encryption? KMail does not. At least, KMail does not support creating such messages. It's possible that KMail would be able to read such messages since the decryption is delegated to gpgme. And for the odd message (containing an inline PGP MESSAGE block) sent to this list gpg-agent asks for a symmetric encryption password when I open the message in KMail. I think that would be a nice feature for recipients who don't have an asymmetric key (those 99%). Many new communication systems have a fallback option for symmetric encryption in case the preferred way is unavailable. And, quite important: It would not require serious development effort as this possibility is built-in with GnuPGP. I think you underestimate the development effort. Besides, AFAIK, there is no standard for this. Anyone using Linux (and a mail client with OpenPGP support) could use that directly. The others would just have to install e.g. Gpg4win and Enigmail but would not have to configure it. Is there any reason *not* to support symmetric-only encryption in a mail client? There are plenty of reasons. I already mentioned the lack of a standard. Then there's the problem of key exchange which you completely ignore. Related to this, you did not answer Robert's question if you already have a secure channel over which you can send a key, why not just use that channel for your communications?. Instead of support for symmetric encryption I'd rather love to see automatic asymmetric encryption to be added to mail clients: OpenPGP keys are created and uploaded to some key server automatically, and they are looked up and used automatically (e.g. with trust-on-first-sight similar to SSH keys) when sending a message. I'd prefer this to be done in an opt-out fashion, i.e. unless the user explicitly tells the mail client not to do it, the mail client would simply do it. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Fr 18.07.2014, 15:40:34 schrieb Ingo Klöcker: And, quite important: It would not require serious development effort as this possibility is built-in with GnuPGP. I think you underestimate the development effort. That is easily possible. But what would have to be done (at least)? a) You need a new button. b) Pressing this button would replace --recipient 0x12345678 --encrypt by --symmetric in gpg terms – I am not familiar with gpgme but for obvious reasons it has to be quite similar. Besides, AFAIK, there is no standard for this. Of course, there is. Otherwise you would not be asked for a symmetric password for certain messages, would you? gpg --symmetric is not a GnuPG extension. The OpenPGP RfC covers the case of symmetric encryption (which still is hybrid). http://tools.ietf.org/html/rfc4880#section-5.3 Is there any reason *not* to support symmetric-only encryption in a mail client? There are plenty of reasons. I would be satisfied with a single one. I already mentioned the lack of a standard. Yeah Then there's the problem of key exchange which you completely ignore. Which I can easily ignore as it is out of the scope of message handling. How have users ever successfully exchanged encrypted ZIP archives without ZIP providing an infrastructure for key exchange...? Why does OpenPGP cover symmetric encryption without providing an infrastructure for symmetric key exchange...? Users are capable of exchanging sheets of paper or having phone calls. The typical ways for safe fingerprint exchange are safe enough for password exchange, too. This is not about offering a great new concept to the public but about making an already existing (on the file level) and easily understandable feature available for email with very little effort. Related to this, you did not answer Robert's question if you already have a secure channel over which you can send a key, why not just use that channel for your communications?. I not only read it but I think that I gave a quite precise reply to that. Instead of support for symmetric encryption I'd rather love to see There are many features which would be nice to have. What do you think how many orders of magintude this one is more effort to implement than my proposal? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Hauke, I think you skated past a previous question about your idea, and I'm also interested in the answer so I'll ask it again. :) If you have a secure channel of communication by which you can exchange the symmetric password (which you would need to make your scheme work), why don't you use that channel for communication, rather than e-mail? Doug ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Fr 18.07.2014, 09:46:14 schrieb Doug Barton: Hauke, I think you skated past a previous question about your idea, and I'm also interested in the answer so I'll ask it again. :) If you have a secure channel of communication by which you can exchange the symmetric password (which you would need to make your scheme work), why don't you use that channel for communication, rather than e-mail? If I have understood everything right then this is not the same question. But I am really surprised that you ask why you should communicate via email with someone though you e.g. meet him once per month. Or with someone whom you could call instead. Is that really your question? Symmetric keys and fingerprints have to be exchanged through a secure channel only once. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Symmetric keys and fingerprints have to be exchanged through a secure channel only once. Whoa, let's back that up a moment. Fingerprints and symmetric keys need to be exchanged *as often as they change*. Which, in the case of symmetric keys, is quite frequently. If/when a key is compromised, all traffic that has been generated or will be generated with that key gets compromised, and there's no guarantee about whether you'll know the key is compromised -- so it's only sane to have an agreed-upon rekeying policy. Keys will be used for three days tops, for instance, limits your exposure to a three-day window, but it requires you to rekey every few days. Key management is a killer problem. If you don't take it dead seriously it'll hug you and love you and name you George[*]. [*] http://www.youtube.com/watch?v=ArNz8U7tgU4 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On 18/07/14 15:40, Ingo Klöcker wrote: OpenPGP keys are created and uploaded to some key server automatically, and they are looked up and used automatically This creates a privacy issue with key lookup. It exposes correspondents to the keyserver, including time-of-use. Also, you need to define some negative-acknowledge time to live (terminology borrowed from DNS). If on first contact an address does not exist at the keyserver, when do you re-check? And since it can, in unfavourable circumstances, take a while for a public key to propagate through the keyserver network, if somebody just created an e-mail address and key and uploaded it, then starts communicating, people will check a keyserver and not see the key. Now their client will wait the defined period before re-checking, adding even more to the propagation delay. Thirdly, if this is the default mode of operation, I think you need automatic decryption before storing the mail, because searching mail is an important feature, and searching encrypted mails a big usability issue. An e-mail system with a default big usability issue will get swapped out for a more pleasant to use one. Finally, I think people might take issue with their e-mail address automatically being posted to a public keyserver. And if it catches wind, and many, many people use it, I think spammers might look again at harvesting addresses versus generating them. Now it's a small pool to fish from, but if most people have their address on the keyserver network, the odds might change. Given all the issues, I agree with Hauke when he wrote: There are many features which would be nice to have. What do you think how many orders of magintude this one is more effort to implement than my proposal? That said, I'm not commenting on the symmetric encryption proposal, purely on your encryption-by-default proposal. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On 7/18/2014 at 1:52 PM, Robert J. Hansen r...@sixdemonbag.org wrote: Symmetric keys and fingerprints have to be exchanged through a secure = I think what Hauke meant was an exchange of the *passphrase* for the symmetric encryption, not the session key. The symmetric keys would always change with each new email message, using gnupg symmetric encryption. The only annoyance with this type of approach, is that it needs a separate passphrase for each correspondent, (which we don't bother with ordinarily, since encrypting the symmetric session key to a correspondent's public key makes it unnecessary). Hushmail has a one-way variant of this approach. A Hushmail user can send an encrypted message to someone who does not have encryption or Hushmail, by having the Hushmail user give the recipient an answer to a question. The email message is encrypted symmetrically using that answer as a passphrase. (Hushmail makes it intentionally easier, (albeit less secure), by making the 'answer' case insensitive, and ignoring spaces and punctuation characters). The receiver gets a message that an encrypted e-mail has been sent, and is directed to the Hushmail server where the sender's question is asked, and the receiver has 3 chances to provide the correct answer. A correct answer decrypts the symmetrically encrypted e-mail and the plaintext is displayed on the Hushmail server. The e-mail is removed from the server after 72 hours. A few people who have received this type of message from me, thought it was interesting and convenient, and signed up for their own hushmail accounts, and are now well on their way to learning gnupg, so it might be an approach to get people who have never used encryption, to try it. (My apologies, Hauke, in advance if I mis-understood you and this discussion). vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
I think what Hauke meant was an exchange of the *passphrase* for the symmetric encryption, not the session key. Same issue, although now you're sharing the seed to a random number generator for which you want the seed to expire very quickly. You can mitigate this somewhat using gating and some other RNG tricks, but fundamentally it's the same problem: once the passphrase goes, the security of the entire system goes, so therefore change the passphrase frequently. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On 2014-07-18 at 19:39, Ingo Klöcker wrote: Sure. But the fingerprint is only used once (for verifying the key). And it's not even secret information, so exchange via an insecure channel is not an issue (at least, not a severe issue). OTOH, symmetric keys really should be exchanged via a secure channel. The fact is that you can use symmetric-keys when the other doesn’t have yet a public key. So you can send her this understandable message and *then* say her “here the key that’ll allow you to read the message”. That could be used if the message *must* be transmitted by mail, because it’s a file, because it’s large, because it have to be *before* or other reason, so in some rare cases it can be useful, and since the message has already been sent, it’s easier to convince the other to begin using cryptography. Then she could decrypt the mail, and you can start trying to convince her to use asymmetric cryptography, at this point it’ll be easier. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Friday 18 July 2014 21:01:54 Peter Lebbing wrote: On 18/07/14 15:40, Ingo Klöcker wrote: OpenPGP keys are created and uploaded to some key server automatically, and they are looked up and used automatically This creates a privacy issue with key lookup. It exposes correspondents to the keyserver, including time-of-use. Sure. But the NSA already knows the correspondents of all of our mail anyway. Keyserver lookups do not add any additional data (except of the information that you are trying to look up a key resp. that you are talking to a keyserver). Okay, the keyserver owner may collect data. But the keyserver (owner) has to be trustworthy anyway. Also, you need to define some negative-acknowledge time to live (terminology borrowed from DNS). If on first contact an address does not exist at the keyserver, when do you re-check? And since it can, in unfavourable circumstances, take a while for a public key to propagate through the keyserver network, if somebody just created an e-mail address and key and uploaded it, then starts communicating, people will check a keyserver and not see the key. Now their client will wait the defined period before re-checking, adding even more to the propagation delay. So what? My scheme is not supposed to work instantaneously. It is supposed to work eventually, i.e. it will work after the propagation delay has passed. This is way better than our current status quo: No encryption at all for almost all email. Thirdly, if this is the default mode of operation, I think you need automatic decryption before storing the mail, because searching mail is an important feature, and searching encrypted mails a big usability issue. Good point. Automatic decryption should be possible for those that want it. My scheme is mostly meant as in-transit encryption which again is way better than our current status quo. An e-mail system with a default big usability issue will get swapped out for a more pleasant to use one. Exactly. Finally, I think people might take issue with their e-mail address automatically being posted to a public keyserver. And if it catches wind, and many, many people use it, I think spammers might look again at harvesting addresses versus generating them. Now it's a small pool to fish from, but if most people have their address on the keyserver network, the odds might change. How exactly does one harvest email addresses from the keyservers? Can I ask keyservers to give me all keys it has in storage? Or do I need to search for keys matching a certain substring? I honestly don't know. Anyway, if this really becomes a problem than key lookup probably needs to be made as inconvenient as trying to send email probes to randomly generated email addresses. For my scheme to work the keyservers would only need to return keys where the email address part of a uid exactly matches the recipient's email address. Moreover, for my scheme to work no key certification is necessary, i.e. crawling from one key to the next via certification signatures wouldn't be possible. The scheme has more issues: For example, there's no message integrity protection (via signing) whatsoever. But that's the current status quo anyway. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
On Friday 18 July 2014 17:20:27 Hauke Laging wrote: Am Fr 18.07.2014, 15:40:34 schrieb Ingo Klöcker: And, quite important: It would not require serious development effort as this possibility is built-in with GnuPGP. I think you underestimate the development effort. That is easily possible. But what would have to be done (at least)? a) You need a new button. Yeah. Let's add yet another button to the UI. Let's add an Encypt symmetrically button and let's rename the Encrypt button to Encrypt assymmetrically. If we add enough buttons then users will eventually start pressing them. (Sorry, for being sarcastic, but I really don't see how adding another button can possibly improve the users' willingness to use email encryption.) b) Pressing this button would replace --recipient 0x12345678 --encrypt by --symmetric in gpg terms – I am not familiar with gpgme but for obvious reasons it has to be quite similar. There is a difference between symmetric and assymmetric encryption that could make it a bit more difficult than simply calling a different gpgme function. The latter doesn't require any user input, hence it can be done synchronously. OTOH, the former requires user input, the password to use for symmetric encryption, so it's advisable to do it asynchronously. BTW, additionally to the above mentioned new button the user has to press he also has to enter a password for each message he wants to send encrypted. How this additional inconvenience is going to win us more OpenPGP users is beyond me. Besides, AFAIK, there is no standard for this. Of course, there is. Otherwise you would not be asked for a symmetric password for certain messages, would you? This is for inline OpenPGP and that's not part of any standard about email encryption I know of. Since you are also using KMail I invite you to test whether KMail is able to decrypt symmetrically encrypted OpenPGP/MIME messages out-of-the-box. It might just work, but I'm too lazy and too tired to test this right now. Is there any reason *not* to support symmetric-only encryption in a mail client? There are plenty of reasons. I would be satisfied with a single one. I already mentioned the lack of a standard. Yeah Then there's the problem of key exchange which you completely ignore. Which I can easily ignore as it is out of the scope of message handling. How have users ever successfully exchanged encrypted ZIP archives without ZIP providing an infrastructure for key exchange...? Probably by using the same trivial password for all encrypted ZIPs they exchange with anybody. Which brings me to another issue I have with your proposal: How do you want to prevent the users from using the same trivial symmetric encryption password for all encrypted messages? And what's your threat model, i.e. what do you want to achieve by your symmetric email encryption scheme? Why does OpenPGP cover symmetric encryption without providing an infrastructure for symmetric key exchange...? Let's check the PGP 2.6.3i User's Guide (ftp://ftp.pgpi.org/pub/pgp/2.x/doc/pgpdoc1.txt). = Using Just Conventional Encryption -- Sometimes you just need to encrypt a file the old-fashioned way, with conventional single-key cryptography. This approach is useful for protecting archive files that will be stored but will not be sent to anyone else. Since the same person that encrypted the file will also decrypt the file, public key cryptography is not really necessary. To encrypt a plaintext file with just conventional cryptography, type: pgp -c textfile This example encrypts the plaintext file called textfile, producing a ciphertext file called textfile.pgp, without using public key cryptography, key rings, user IDs, or any of that stuff. It prompts you for a pass phrase to use as a conventional key to encipher the file. This pass phrase need not be (and, indeed, SHOULD not be) the same pass phrase that you use to protect your own secret key. [...] = Apparently, Phil Zimmermann had a specific use-case in mind for conventional encryption. And this specific use-case does not require any symmetric key or passphrase exchange with a second user. I doubt that Phil Zimmermann meant conventional encryption to be used for exchanging encrypted messages. Users are capable of exchanging sheets of paper or having phone calls. The typical ways for safe fingerprint exchange are safe enough for password exchange, too. I very much disagree, but I think we have very different threat models in mind. This is not about offering a great new concept to the public but about making an already existing (on the file level) and easily understandable feature available for email with very little effort. Little effort for whom? For the developers of email clients? Maybe. Maybe not. For the users of those email clients? I don't see coming up
Re: symmetric email encryption
Am Fr 18.07.2014, 13:49:54 schrieb Robert J. Hansen: If/when a key is compromised, all traffic that has been generated or will be generated with that key gets compromised, and there's no guarantee about whether you'll know the key is compromised -- so it's only sane to have an agreed-upon rekeying policy. Keys will be used for three days tops, for instance, limits your exposure to a three-day window, but it requires you to rekey every few days. Key management is a killer problem. If you don't take it dead seriously it'll hug you and love you and name you George[*]. Are symmetric keys more probable to be compromised than asymmetric ones? Who even on this list makes a keyring update at least every three days? I guess this discussion does not go well because of a misunderstanding or wrong expectations. You and Ingo are talking about real crypto issues. BTW: I had thought that meanwile my image here should be that I take key management (and other stuff) too seriously instead of not seriously enough. Usually I suggest something and the reaction is something like Let's not make it more complicated; who is supposed to use it yet? What I am suggesting is neither an alternative to regular OpenPGP encryption nor meant as real crypto at all. I think we all can agree that those 99% have decided not to use e2e crypto at all. Let alone real e2e crypto. Snowden has caused only a small change to that. I could tell you stories (a few days old) from German universities and IT security associations which would probably make you cry. So nobody knows if, when and why this may change. Maybe Ingo's suggestion does the job. Haven't herad about STEED for quite a while though. And I appreciate every effort in this area. But I don't think that it can be implemented only if mine is not... I am talking about a feature for those who don't care to use crypto *at all*. I would like to offer something easy to these people. Not easy in a You have 30 contacts and have to send 5 emails to each scenario or even in a well calculated sense but easy as in a) You just have to install a software (people are used to installing software and not afraid of it) and You need not configure it b) You just need a password. Everyone knows what a password is and isn't afraid of using one. Nobody knows what key pairs are and why you should authenticate them. This is not a replacement feature for people who often encrypt mails. This is supposed to be for people who want to encrypt a single mail or a few of them. And these I have no clue people most probably do not expect the same security level from such an ad hoc solution like from real crypto technology - which they would have to understand and learn first. Thus IMHO it does not make sense to discuss possible security glitches about this because they are not an issue for the group of people who would otherwise not use crypto at all. Like vedaal I assume that people who use this feature often would probably change to asymmetric crypto. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Are symmetric keys more probable to be compromised than asymmetric ones? Immensely. An asymmetric key is a secret held by one person; a symmetric key is a secret shared by two or more. What I am suggesting is neither an alternative to regular OpenPGP encryption nor meant as real crypto at all. If you're not interested in providing real solutions, then I'm not interested in having this conversation. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Fr 18.07.2014, 22:51:13 schrieb Robert J. Hansen: Are symmetric keys more probable to be compromised than asymmetric ones? Immensely. An asymmetric key is a secret held by one person; a symmetric key is a secret shared by two or more. A factor of two is immense to you...? Furthermore it seems to me that you ignore the fact that in a typical scenario you need only one of the asymmetric keys in order to be able to read the whole communication between two (or even more as long as all are part of it) people as the default behaviour is to encrypt for the recipient's key and also for the sender's key. Thus every mail can be read by each of the private keys. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Sa 19.07.2014, 01:42:19 schrieb Ingo Klöcker: If we add enough buttons then users will eventually start pressing them. (Sorry, for being sarcastic, but I really don't see how adding another button can possibly improve the users' willingness to use email encryption.) Yeah and this works the other way round, doesn't it? Doing nothing about the GUI will finally magically improve the situation... https://bugs.kde.org/show_bug.cgi?id=318005 (Please not that this was written before the Cryptoparty community became well known.) BTW, additionally to the above mentioned new button the user has to press he also has to enter a password for each message he wants to send encrypted. Yes, until someone decides to combine this with kwallet... How this additional inconvenience is going to win us more OpenPGP users is beyond me. That is quite easy to understand though: As the handling of asymmetric keys is easier (and the encrypt symmetrically feature would point the user at this fact every time) there is a certain pressure upon the user to switch to asymmetric keys. Is there any easier solution with symmetric encryption? Sometimes poeple are told to use encrypted ZIP archives. I have no idea how often this is done. But this is a how big is your desire to encrypt this email? problem. If the user wants it encrypted then he will enter the password. If people who are not prepared to use asymmetric crypto (those 99%) want password encryption in a certain situation then I don't want them to have to use something different from OpenPGP. I don't want them to have an This big thing can't even handle password encryption experience. I want them to have a This can handle password encryption but it can do better and more convenient if you spend some time learning how experience. Since you are also using KMail I invite you to test whether KMail is able to decrypt symmetrically encrypted OpenPGP/MIME messages out-of-the-box. It might just work, but I'm too lazy and too tired to test this right now. It does work. It seems not to work with Thunderbird/Enigmail though. But maybe I have done something wrong. The Enigmail console output looks good to me... I have prepared a mail file for those who want to give this a try: http://www.crypto-fuer-alle.de/docs/mail-symmetric/mail.cr-lf.eml Probably by using the same trivial password for all encrypted ZIPs they exchange with anybody. Which brings me to another issue I have with your proposal: How do you want to prevent the users from using the same trivial symmetric encryption password for all encrypted messages? The only thing I want to prevent them from doing is using some other technology for symmetric encryption. I am not going to advocate this as the way to go. It seems to me that you (and Rob) are completely missing the intention. And what's your threat model, i.e. what do you want to achieve by your symmetric email encryption scheme? Same answer: This is for users who don't need any threat model consideration. What do you think what the computers of people who didn't care to create a key pair yet look like? Stronger crypto is the last thing they need. Even bad crypto is the most secure part of their digital life. I don't want to achieve anything technical by this. I want to achive something social by this. I want to exploit people's familiarity with passwords for pushing them in the right direction. [PGP 2.6.3i User's Guide] Since the same person that encrypted the file will also decrypt the file, public key cryptography is not really necessary. Doesn't make any sense to me. If I encrypt data for myself then I encrypt it for my own key. The exception to this rule is data which may be needed on systems which don't have my private key installed. And that's precisely the same for my proposal: It's for encryption for people who don't have a private key at all. Little effort for whom? For the developers of email clients? Maybe. Maybe not. For the users of those email clients? I don't see coming up with and exchanging passwords as very little effort for the users. And you are probably right if the number of emails or contacts exceeds a certain value. But this is probably not how users act. They will not try to understand both systems in order to calculate what is easier (in the long run). They will compare a) install software and do something I understand (password) with b) install software, configure software which I don't understand and do something I don't understand (asymmetric key handling). I bet the majority of the 99% prefers to start with (a). This is a smaller step which prepares them for the next one (which has become smaller due to their getting familiar with encryption). Contrast this with my proposal: More effort for the developers, but, in the extreme case where the mail client does everything automatically, no additional effort at all for the user. I am in no way trying
Re: symmetric email encryption
On 07/18/2014 08:37 PM, Hauke Laging wrote: SNIP I have prepared a mail file for those who want to give this a try: http://www.crypto-fuer-alle.de/docs/mail-symmetric/mail.cr-lf.eml I just emailed that to myself using Thunderbird + Enigmail in Ubuntu. I was prompted for a password, and foo decrypted the symmetrically encrypted block. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
symmetric email encryption
Hello, is there any OpenPGP mail client which supports symmetric encryption? I think that would be a nice feature for recipients who don't have an asymmetric key (those 99%). Many new communication systems have a fallback option for symmetric encryption in case the preferred way is unavailable. And, quite important: It would not require serious development effort as this possibility is built-in with GnuPGP. Anyone using Linux (and a mail client with OpenPGP support) could use that directly. The others would just have to install e.g. Gpg4win and Enigmail but would not have to configure it. Is there any reason *not* to support symmetric-only encryption in a mail client? Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
I think that would be a nice feature for recipients who don't have an asymmetric key (those 99%). But given the overwhelming majority of GnuPG users have an asymmetric key, this is ... kind of pointless. Is there any reason *not* to support symmetric-only encryption in a mail client? Besides, if you already have a secure channel over which you can send a key, why not just use that channel for your communications? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: symmetric email encryption
Am Do 17.07.2014, 21:02:06 schrieb Robert J. Hansen: I think that would be a nice feature for recipients who don't have an asymmetric key (those 99%). But given the overwhelming majority of GnuPG users have an asymmetric key, this is ... kind of pointless. You haven't understood whom I want that for. People who have a certificate usually would not use this with each other, of course. But even the majority of people who use GnuPG (without being aware of that) don't have one: The Linux users who have GnuPG installed because the package manager needs it. And the 99% aren't even GnuPG users. My claim is that it is easier to make someone just install GnuPG and e.g. Enigmail than to make him do that plus care about certificates. I would not advise using OpenPGP without certificates but often it may end up as take this or nothing. Hauke -- Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/ http://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
