This thread reminded me of the attached...
Ben
attachment: security.png___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Benjamin Donnachie escribió:
This thread reminded me of the attached...
LOL, right... but it could be even worst... a few drops of Scopolamine
(prepared as Burundanga) in your beer, and the attacker would be able to
make you tell him your
On Feb 11, 2009, at 3:00 AM, Benjamin Donnachie wrote:
This thread reminded me of the attached...
http://www.xkcd.com/538/
Even more amusing (and accurate) is the ALT text you can see when you
mouse over the picture.
David
___
Gnupg-users
David Shaw dshaw at jabberwocky.com
wrote on Sun Feb 8 22:41:10 CET 2009 :
In OpenPGP, a secret key is just a public key with some
extra stuff (the secret numbers) tacked on to the end. That's how
paperkey makes the keys so small - it can safely leave off all the
public key information.
On Feb 10, 2009, at 10:49 AM, ved...@hush.com wrote:
is there a way to get paperkey to reconstruct both the public and
secret keys, given the secret key ?
You don't need paperkey to do this. Just use GPG. If you import a
secret key and you don't have the matching public key, GPG will
On Tue, 10 Feb 2009 11:30:07 -0500 David Shaw
ds...@jabberwocky.com wrote:
You don't need paperkey to do this. Just use GPG. If you import
a
secret key and you don't have the matching public key, GPG will
automatically create a public key from the secret key.
but i need paperkey to
On Tue, Feb 10, 2009 at 12:41:12PM -0500, ved...@hush.com wrote:
On Tue, 10 Feb 2009 11:30:07 -0500 David Shaw
ds...@jabberwocky.com wrote:
You don't need paperkey to do this. Just use GPG. If you import
a
secret key and you don't have the matching public key, GPG will
ved...@hush.com wrote:
uses a public key generated for only this purpose,
not put up on any keyserver,
This seems to be a misapplication of asymmetric crypto. Asymmetric
crypto is generally inappropriate for session keys.
is there a way to get paperkey to reconstruct both the public and
Hi!
David Shaw schrieb:
If you can't remove the redundant parts, then you're basically storing
a secret key, unchanged.
Apart from the encoding and line-wise checksums which paperkey adds,
that is...
Maybe this posting from a thread when I asked to extend paperkey for use
with revocation
Robert J. Hansen rjh at sixdemonbag.org
wrote on Tue Feb 10 19:18:22 CET 2009 :
uses a public key generated for only this purpose,
not put up on any keyserver,
This seems to be a misapplication of asymmetric crypto. Asymmetric
crypto is generally inappropriate for session keys.
the situation
The hexidecimal approach works well for a whole secret key. I tried this with
the OCRA font and appears to work very well and means that you do not need to
get the public key from keyservers.
Using this method my secret key printed comes to two sides of A4. Hex is
easier to re-enter and this
Message: 8
Date: Tue, 10 Feb 2009 16:44:01 -0500
From: Robert J. Hansen r...@sixdemonbag.org
Subject: Re: paperkey // ? feature request
[1] 'very-important-secret' encrypted in ascii armored form to
unpublished public key using throw-keyid option
So only someone with the private key can
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Robert J. Hansen escribió:
...
So only someone with the private key can decrypt it. Okay. How do you
communicate the private key with your intended recipients? And how is
communicating the private key with your intended recipients different
ved...@hush.com wrote:
but unless you choose a sufficiently long and random passphrase,
symmetric crypto with a passphrase string-2-key is much less
protected than when the session key is encrypted to an unknown
asymmetric key
The moral of the story is to (a) use the right tool for the job,
Faramir wrote:
IMHO, the difference is the recipients can send it's public to me by
some way, and check the fingerprint by telephone...
It's not a disposable session key if the recipients need to contact the
sender afterwards. If you're assuming a high threat environment, you
kind of need to
On Tue, Feb 10, 2009 at 04:44:01PM -0500, Robert J. Hansen wrote:
[2] above mentioned message posted anonymously to newsgroup like
comp.security.pgp.test
from internet cafe,
(pre-paid in cash, using new usb drive with nothing else on it)
USB tokens have GUIDs, Globally Unique
the latter cannot be attacked without the keypair and the
passphrase,
Keep in mind that we are talking about a hybrid crypto system. Your
hidden assumption seems to be that the session key which is generated
during encryption to a public key is not worth attacking. Then, nothing
prevents you
David Shaw wrote:
Not exactly: http://www.wpi.edu/News/Journal/Summer98/secured_opus.html
Thank you for the link -- I was going by my recollection of journalistic
coverage after the attack, but apparently either it or my memory was in
error.
___
David Shaw wrote:
I don't know if I'd go so far as to call it a GUID as it is only
unique relative to the vendor and device type
Must be my luck, then -- the ones I've looked at have all had per-device
serial #s.
There is also no guarantee that the host computer will log the device
serial
On Feb 10, 2009, at 9:51 PM, Robert J. Hansen wrote:
David Shaw wrote:
I don't know if I'd go so far as to call it a GUID as it is only
unique relative to the vendor and device type
Must be my luck, then -- the ones I've looked at have all had per-
device
serial #s.
I suspect the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Robert J. Hansen escribió:
David Shaw wrote:
I don't know if I'd go so far as to call it a GUID as it is only
unique relative to the vendor and device type
Must be my luck, then -- the ones I've looked at have all had per-device
serial #s.
On Feb 10, 2009, at 11:21 PM, Faramir wrote:
Robert J. Hansen escribió:
David Shaw wrote:
I don't know if I'd go so far as to call it a GUID as it is only
unique relative to the vendor and device type
Must be my luck, then -- the ones I've looked at have all had per-
device
serial #s.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
David Shaw escribió:
...
and capable. The Timothy McVeigh example from earlier is particularly
good here: the US government really, really wanted to find him, and
fast. That is certainly sufficiently motivated and capable.
Right, but if I
Faramir wrote:
Right, but if I understood it well, he had done more than 700 calls
from a rechargeable prepaid card... that is not a disposable card.
That wasn't his problem. That was, honestly, mostly irrelevant.
This was his problem: when you're trying to cover your tracks, there are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Robert J. Hansen escribió:
Faramir wrote:
Right, but if I understood it well, he had done more than 700 calls
from a rechargeable prepaid card... that is not a disposable card.
That wasn't his problem. That was, honestly, mostly irrelevant.
25 matches
Mail list logo