How secure asymmetric encryption to yourself?
Hi, I am using GnuPG to encrypt a plain text file of my passwords. How secure is it to use my own public key as the encryption method (rather than symmetric), given that the password file is stored on the same drive as my public and private keys? Thanks.

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG Decryption of a PGP encrypted zip file resulting in garbled zip file
Did you ever get a solution to your problem decompressing ZIP.PGP files? I think someone I am working with is having a similar problem.

Robert Mundkowsky
Employers Sr. Applications Developer
500 N. Brand Blvd
Glendale, Ca 91203
rmundkow...@eig.com
Tel: (818) 549-4559
Fax: (818) 552-4844
How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
http://support.apple.com/kb/HT1620 How to use the Apple Product Security PGP Key
http://www.apple.com/support/security/pgp/ Protecting Security Information

F.Y.I.: I've not noticed anything similar from Microsoft and other software companies. Most seem to be happy with MD5 and SHA1 for files and nothing else.

Also, Apple even provides links to PGP Corporation and GnuPG plus its key and key ID.

   This is our PGP key which is valid until May 15, 2010
   Key ID: 0x8A648901
   Key Type: RSA
   Expires: 5/15/10
   Key Size: 2048/2048
   Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901
   UserID: Apple Product Security

This from Apple is like an endorsement of PGP/GPG technology. So few people use PGP/GPG technology openly.

The Internet took off when Microsoft, for better or worse, included and promoted Internet Explorer in Windows 95, thus beginning the so called browser wars. I would be surprised and also happy to see Microsoft promote PGP/GPG technology. I do not actually expect that to happen. If it did, it would be good if Microsoft could stimulate PGP/GPG technology with more user friendliness since at the moment there's much to learn to understand and begin using PGP/GPG technology.

Regards, Gerry (Lowry)
Re: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
On Feb 23, 2009, at 8:49 AM, gerry_lowry (alliston ontario canada) wrote:

> http://support.apple.com/kb/HT1620 How to use the Apple Product Security PGP Key
> http://www.apple.com/support/security/pgp/ Protecting Security Information
>
> F.Y.I.: I've not noticed anything similar from Microsoft and other software companies. Most seem to be happy with MD5 and SHA1 for files and nothing else.
>
> Also, Apple even provides links to PGP Corporation and GnuPG plus its key and key ID.
>
>    This is our PGP key which is valid until May 15, 2010
>    Key ID: 0x8A648901
>    Key Type: RSA
>    Expires: 5/15/10
>    Key Size: 2048/2048
>    Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901
>    UserID: Apple Product Security
>
> This from Apple is like an endorsement of PGP/GPG technology.

One of the bugs I filed with Apple is how their Product Security group uses PGP signatures for the advisories, but their own Mail application only supports S/MIME and certificates. This is fine, but I'd like to see them be a bit consistent.
Re: Please select what kind of key you want
Robert and David, thank you for increasing my understanding and pointing out the errors I made.

g.
Re: How secure asymmetric encryption to yourself?
a paranoid's answer to your question:

your passphrase is also required ... so my best guess is that you are more or less safe; others on this list would know better than myself.

Here's the paranoid part: if your system became compromised with a keylogger, you could be vulnerable to having your passphrase stolen.

More paranoia: when you're viewing your file as plain text which you must do to read its contents (unless you're superhuman), your text is at least temporarily vulnerable.

a paranoid's solution: have a second computer, even a small pocket something or other that supports PGP/GPG technology and also is NEVER connected to the rest of the connected world; keep your secured information on the second computer only; external backups excluded (you can never have too much backup; some backup is better than none).

Regards, Gerry (Lowry)
Please select what kind of key you want ~~ suggestion to developers
The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur.

Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey

Example:

   Please select what kind of key you want:
      (1) DSA and Elgamal (default)
      (2) DSA (sign only)
      (5) RSA (sign only)
      (h) help on the above choices

Sample help:

   Choice/Description
   If you choose a sign only key, you may also need to
   (1) DSA and Elgamal (default)   Phasellus interdum nunc eget libero. In ante dui, ...
   (2) DSA (sign only)             Vivamus ut libero eget tortor lobortis ...
   (5) RSA (sign only)             Aliquam sit amet risus auctor felis ...

Real and useful text should replace the random lorem ipsum* used in the above example. B-)

Additionally, build more help/guidance text into PGP/GPG technology. Users are more likely to implement technologies that they understand once they have achieved a level of comfort with those technologies.

Regards, Gerry (Lowry)

* source: http://www.lipsum.com/.
Re: How secure asymmetric encryption to yourself?
Hi!

Chris Poole schrieb:
> How secure is it to use my own public key as the encryption method (rather than symmetric), given that the password file is stored on the same drive as my public and private keys?

The simple answer is: It doesn't matter, both methods are equally secure (with the security determined primarily by the strength of your passphrase).

The asymmetric approach could have its advantages, because I can imagine some scenarios where an attacker might obtain the encrypted data and the passphrase but would be unable to get access to the secret key file (e.g., because it is not a file but rather in a smartcard or because the private key is on offline media at the time of compromise of the data). Not having the private key leaves an attacker with the requirement to either brute-force the symmetric session key or crack the public key to obtain the secret key. Both things are supposed to be infeasible given GnuPG's algorithms/keylengths and the current state of cryptanalysis.

However, there is the risk that a cryptanalytical advancement would allow easy breaking of asymmetric keys which could enable an attacker to fully bypass your passphrase by cracking the public key (thereby getting the private key and thereby decrypting the data). IMHO, this risk is negligible and if it happens anyway, people would probably have nastier things to do than cracking specifically *your* key (e.g. forging SSL certificates of banks etc)...

On the other hand, asymmetric has one disadvantage: The private key file is something that must be stored as safe as the encrypted data. (I mean backups etc.) No matter whether you know the passphrase, if the private key file is deleted, you won't get your data back!

As a sidenote: Is it possible to find out a public key just from looking at data encrypted to that public key? (Assume the key is not on a keyserver, of course.) If the public key could also be hidden from an attacker (e.g. the attacker has just the encrypted data file and the passphrase), it would leave brute-forcing of the symmetric algorithm as the only attack option... Plausible scenarios for this are more difficult to imagine, though.

cu, Sven

PS: IMHO there are more usable ways of managing one's passwords than storing them in a GnuPG file (although much can be accomplished by wrapping access to that file through a number of shell scripts, I assume).
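Sven's sidenote asks whether the public key can be identified from data encrypted to it. The parser below is an added example for this archive, not part of the thread and not GnuPG code: it reads the first packet of an OpenPGP message as laid out in RFC 4880. A Public-Key Encrypted Session Key packet stores the recipient's 8-octet key ID unencrypted, so someone holding only the ciphertext normally learns which key it was encrypted to (gpg's --throw-keyids / --hidden-recipient options write zeros there instead), while a passphrase-only message (gpg --symmetric) starts with a Symmetric-Key Encrypted Session Key packet and names no key at all. The three sample packets are hand-constructed for this example; the key ID is a placeholder and the session-key MPI is dummy data.

```python
# Added example (not from the thread, not GnuPG code): read the first packet
# of an OpenPGP message and report which key, if any, it names.
# Layout per RFC 4880: section 4.2 (packet headers), 5.1 (PKESK), 5.3 (SKESK).
from typing import Optional, Tuple

PKESK_TAG = 1   # Public-Key Encrypted Session Key: gpg --encrypt --recipient ...
SKESK_TAG = 3   # Symmetric-Key Encrypted Session Key: gpg --symmetric


def parse_packet_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 of the first octet is clear)")
    if ctb & 0x40:                        # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    tag = (ctb >> 2) & 0x0F               # old-format header
    length_type = ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not handled in this example")
    n = 1 << length_type                  # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def recipient_key_id(message: bytes) -> Optional[str]:
    """Key ID (16 hex digits) named by the first PKESK packet; "" if the sender
    withheld it (--throw-keyids writes eight zero octets); None if the first
    packet is not a PKESK at all (e.g. a gpg --symmetric message)."""
    tag, offset, length = parse_packet_header(message)
    if tag != PKESK_TAG:
        return None
    body = message[offset:offset + length]
    if body[0] != 3:
        raise ValueError(f"unexpected PKESK version {body[0]}")
    key_id = body[1:9]                    # 8-octet key ID, stored unencrypted
    return "" if key_id == bytes(8) else key_id.hex().upper()


def describe(message: bytes) -> str:
    """One-line summary of what the first packet tells a holder of the ciphertext."""
    tag, _, _ = parse_packet_header(message)
    if tag == SKESK_TAG:
        return "passphrase-encrypted session key (gpg --symmetric); no key ID present"
    if tag != PKESK_TAG:
        return f"first packet has tag {tag}; not an encrypted session key"
    key_id = recipient_key_id(message)
    if key_id == "":
        return "public-key encrypted; recipient key ID withheld (--throw-keyids)"
    return f"public-key encrypted to key ID {key_id} (short ID 0x{key_id[-8:]})"


# Constructed sample packets (not real GnuPG output); the RSA MPI is a 16-bit dummy.
KEY_ID = bytes.fromhex("0123456789ABCDEF")                       # placeholder key ID
PKESK_BODY = b"\x03" + KEY_ID + b"\x01" + b"\x00\x10\xAB\xCD"     # v3, key ID, RSA, MPI
SAMPLE_PKESK = b"\x85" + len(PKESK_BODY).to_bytes(2, "big") + PKESK_BODY          # old-format, 2-octet length
SAMPLE_PKESK_HIDDEN = b"\xC1" + bytes([len(PKESK_BODY)]) + b"\x03" + bytes(8) + PKESK_BODY[9:]  # new-format
SKESK_BODY = b"\x04\x09\x03\x02" + bytes.fromhex("0011223344556677") + b"\x60"  # v4, AES-256, iterated+salted S2K, SHA-1, salt, count
SAMPLE_SKESK = b"\x8C" + bytes([len(SKESK_BODY)]) + SKESK_BODY                   # old-format, 1-octet length

if __name__ == "__main__":
    for name, pkt in [("to self", SAMPLE_PKESK), ("throw-keyids", SAMPLE_PKESK_HIDDEN), ("symmetric", SAMPLE_SKESK)]:
        print(f"{name:13s} {describe(pkt)}")
```

On a real file, `gpg --list-packets passwords.gpg` prints the same key ID this parser extracts; it is the reason an encrypted file on the same drive as the keys points straight at which key to attack, which is the scenario Sven's sidenote is about.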
Re: How secure asymmetric encryption to yourself?
Date: Mon, 23 Feb 2009 11:36:49 -0500
From: gerry_lowry (alliston ontario canada) gerry.lo...@abilitybusinesscomputerservices.com
Subject: Re: How secure asymmetric encryption to yourself?

> a paranoid's answer to your question:
> More paranoia: when you're viewing your file as plain text which you must do to read its contents (unless you're superhuman),

well, in case anyone is paranoid about superhumans, here is a spoof i wrote about clairvoyancy decryption of pgp messages ;-))

http://www.angelfire.com/pr/pgpf/fdca.pdf

vedaal
Re: How secure asymmetric encryption to yourself?
Sven Radde wrote, in part:
> ... there are more usable ways of managing one's passwords than storing them in a GnuPG file.

I'm curious what more usable ways there are that Sven and others can recommend.

I'm also unsure what Sven apparently means by "more usable"? (While they need to be decrypted, one would only occasionally need to decrypt them because for most of the time, until forgotten, those passwords that one uses frequently reside in one's biological memory.)

I guess one downside of the GnuPG file is that if one loses her/his private key or forgets her/his passphrase, then the passwords in the GnuPG file will be secure forever or at least until she/he acquires her/his quantum computer in the future.

regards, gerry
Re: How secure asymmetric encryption to yourself?
> I'm curious what more usable ways there are that Sven and others can recommend.

I'm fond of writing down my passwords on the back of a business card and keeping it in my wallet. For the overwhelming majority of these passwords, the site's most confidential information of mine they possess is my credit card number. But if my wallet gets stolen or goes missing, I'm going to cancel my credit cards anyway.

Likewise, you can say, but you might leave your wallet on your desk, and a co-worker could steal those passwords. Sure. They could also steal my credit card number, driver's license information, voter registration ID, or all manner of other things more important than my passwords.

This takes care of 90% of all my logins, meaning I can much more easily memorize those few high-value, high-secrecy passwords. Memorizing three unique passwords is doable; memorizing thirty unique ones isn't.

> I'm also unsure what Sven apparently means by "more usable"?

Unlike your solution, my solution works when I'm on the road and logging on from a coffeeshop's web kiosk. I don't need to install anything. Open up my wallet, fish out the list, and there it is.

The moral of this story is simple -- don't make things more complicated than you have to.
Re: Please select what kind of key you want ~~ suggestion to developers
> The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur.

There's a discipline in computer science called human-computer interaction (HCI). I took two courses in this in grad school: not enough to make me an expert, but definitely enough to open my eyes. One of the things my instructor, Juan-Pablo Hourcade, drilled into us is that we genuinely don't know what will speed adoption of new technologies. All we know is what successful technologies look like.

Imagine there's a new hotness in IT. (IT: Information Technology.) This new hotness has the potential to change the world in ways that can barely even be explained to people who don't already have the technology. Everyone you meet who has this new technology -- let's call it flerbage -- they've got this magical ability to /know things/. Know things they can't possibly know, that they couldn't possibly have learned. Flerbage is where it's /at/.

The only problem is that flerbage is ridiculously user-unfriendly. Most people who use flerbage, this smoking-hot new thing in IT, say it took them between ten and fifteen years to really learn it. The learning curve looks like the freaking Matterhorn. Also, flerbage can't be made easy for beginners to understand. You want flerbage, you're looking at a decade or more of serious, concentrated study. Sure, it's cool, but ... is it worth it?

Would you say flerbage was a successful technology? Do you think flerbage will ever catch on?

Flerbage is real, by the by. You're using it right now, this very instant. Scroll down and I'll tell you what it is.

Literacy.

Literacy is the original information technology. People who are literate have an enormous advantage over those who aren't. Wherever you look today you see signs, posters, advertisements, menus, whiteboards, warnings, labels and every other thing imaginable that's written down. Literacy gets taken for granted by almost everyone -- despite the fact that it takes most of your childhood and teenage years to get good at it.

So no, I don't agree with your proposition. OpenPGP doesn't need to get easy for beginners to use. If it was that simple, we'd be there already. What needs to happen is the populace needs to understand the risks of electronic communication, and needs to become committed to doing something about it. If you can achieve that, then you will have done something great for humanity. But the world doesn't need another easy to use GnuPG interface.

You're essentially saying, what the world needs is a really good book! What I'm saying is, the world first needs to learn to read.
Re: How secure asymmetric encryption to yourself?
Robert J. Hansen wrote the following on 2/23/09 1:42 PM:
[...]
> Open up my wallet, fish out the list, and there it is.
> The moral of this story is simple -- don't make things more complicated than you have to.

Robert, from the bottom of my heart, thank you!

Charly
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, yes, literacy is important, too. Your counter proposition also has validity.

I point out, however, that by the time one is looking at

   Please select what kind of key you want:
      (1) DSA and Elgamal (default)
      (2) DSA (sign only)
      (5) RSA (sign only)
      (h) help on the above choices

she/he has likely already proceeded far enough along to have achieved some degree of literacy. Having reached that point, with regards to understanding PGP/GPG technology, she/he may still be a novice.

Of course, had Michael W. Lucas been a bit clearer in his book, the "(h) help on the above choices" might not have been of benefit to myself. OTOH, it would nevertheless benefit many of those beginners who might not be aware of MWL's book and who might not have access to anything else written for novices.

One problem is that many writers write for an audience that has already achieved domain erudition. Fortunately, for the rest of us, there are authors of "__ for Dummies", et cetera (where __ represents some subject of interest to the reader).

So, Robert, I restate my proposition as

   The easier it is for informed, literate beginners to understand the need for PGP/GPG technology, and the easier it is for them to become aware of the existence of PGP/GPG technology, the faster the adoption of PGP/GPG technology into broad general use by the public will likely occur.

Regards, Gerry

P.S.: I finished high school in 1965 and went straight into working. In 1967, I became a programmer. Long before "user friendliness" was a broadly known and often abused concept, I was writing software that truly qualified as user friendly.
Re: Please select what kind of key you want ~~ suggestion to developers
Robert J. Hansen wrote the following on 2/23/09 2:52 PM:
[...]
> What I'm saying is, the world first needs to learn to read.

As far as I am concerned, this sentence is a most gratifying conclusion to this thread. I am not suggesting to close the thread, on the contrary, keep them coming.

Charly
Re: Please select what kind of key you want ~~ suggestion to developers
> Robert, yes, literacy is important, too. Your counter proposition also has validity.

You missed the point. Refer to my last three sentences.

> The world doesn't need another easy to use GnuPG interface. You're essentially saying, what the world needs is a really good book! What I'm saying is, the world first needs to learn to read.

With respect to claims of experience, I don't put any stock in them, really. Or, as Rodney Whitaker wrote, "do not fall into the error of the artisan who boasts of twenty years experience in his craft while in fact he has only one year of experience -- twenty times."

As near as I can see, the principal problems are:

1. Gross ignorance
2. Fear of social disapproval

With respect to #1... one of the most prestigious crypto conferences out there is called Financial Cryptography. A few years ago some enterprising grad students asked each FC attendee to fill out a very short questionnaire as part of their sign-in process. The results were astonishing: 60% of FC attendees did not know if their email client supported crypto, period -- even fewer knew if it supported OpenPGP or S/MIME. Only 50% were interested in switching to email clients with better crypto support.

If only 40% of FC attendees know if their email client supports crypto, and only 50% care enough about crypto to consider changing their email clients, do you really think the general public will jump on board OpenPGP just if we create a snazzy interface with a lot of chrome? That's delusional.

With respect to #2... Ed Felten has a really good sociological paper out on the intersection of computer security and the workplace. He and some of his grad students interviewed people at a politically-active nongovernmental organization (NGO) with an awful lot of enemies. Many (most) of the employees had been trained with PGP and found it reasonably easy to use. Despite that, they still didn't use it for email. Felten and his grad students wanted to find out why.

It turns out that social disapproval played a very heavy role. There were a couple of people in the NGO who were privacy enthusiasts and active PGP users, and they were considered paranoids by the other workers in the office. Employees said things to the effect of "yeah, I know email is dangerous, but I don't want to turn into, you know, one of _those_ guys."

... the general public does not know what email crypto is, does not want to know what email crypto is, does not want to care about email crypto. They just want to send email. Making GnuPG easier to use is a fine goal and worth pursuing in its own right, but it's not going to substantially improve GnuPG's adoption in the world.

Saying "the world needs a good book, that's why book sales are down!" may be a true statement, and may be worth pursuing in its own right. However, the real problem is first we need to learn to read.

"GnuPG needs a good interface, that'll improve its usage numbers!" may be a true statement, and may be worth pursuing in its own right. (In fact, I think it is.) But the real problem is that people don't know, don't want to know, and to the extent they do know they really don't care.
Re: Please select what kind of key you want ~~ suggestion to developers
Robert, excellent points. I shall return to my thinking board.

Amazing that, in today's world, with events like the infamous 9/11, identity theft, debit and credit card fraud, a plethora of Bernard Madoffs making Carlo Ponzi sit up in his grave and take notice, and jobs going down the toilet daily, it surprises me that there is so little paranoia.

I'm willing to share my paranoia. I've got enough for everybody. Perhaps it can be made into a vaccine. B-)

I appreciate your always interesting, knowledgeable, and thoughtful ideas.

Regards, Gerry
Re: Please select what kind of key you want ~~ suggestion to developers
Required reading:

Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E., and Miller, R. C. 2005. How to make secure email easier to use. In _Proceedings of the SIGCHI Conference on Human Factors in Computing Systems_ (Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. DOI= http://doi.acm.org/10.1145/1054972.1055069

Some results from this paper were presented at FC2005, but it is not the survey I mentioned in my previous message. That said, the results are substantially similar. The following is excerpted from the paper. If possible, though, I highly recommend you read the entire paper; it's an excellent overview of why secure email has failed to take off.

    Our survey consisted of 40 questions on 5 web pages. Respondents were recruited through a set of notices placed by Amazon's employees in the Amazon Seller's Forum. Participation was voluntary and all respondents were anonymous.

    ...

    A total of 1083 respondents [participated], with 417 of those respondents completing all five pages.

    ...

    Average age of our respondents was 41.5. Respondents were highly educated, with more than half claiming an advanced or college degree. Most described themselves as very sophisticated (18.0%) or comfortable (63.7%) using computers and the Internet. Roughly half the correspondents had obtained their first email account in the 1990s. The majority of respondents (94.4%) used computers running Microsoft Windows for email. The two other leading platforms were Apple Macintosh (8.5%) and some kind of mobile computing device such as a cell phone (5.8%).

    ...

    A majority (54%) of respondents understood the difference between digital signatures and sealing with encryption; that prior receipt of digitally signed mail significantly increased understanding of that difference; and that having previously received digitally signed email from Amazon increased respondents' overall trust in email.

    ...

    The majority (59%) didn't know [if their email client supported encryption], while another 9% chose the answer, "what's encryption?"

    ...

    Respondents with S/MIME-capable mail readers were more than twice as likely to know that their programs were capable of encryption, and half as likely to select the answer "What's encryption?" Nevertheless, the majority of [S/MIME-enabled] correspondents (54%) did not know the cryptographic capabilities of the software they were using.

    Almost half of our respondents (44.9%) indicated that they would be willing to upgrade their client in order to get more protection for their email...

    ...

    Although roughly half of our respondents indicated that they didn't use cryptography because they didn't know how, the free-response answers from the more knowledgeable respondents indicated that they either didn't think that encryption was necessary or else that the effort, if made, would be wasted.

    * I don't because I don't care.
    * I doubt any of my usual recipients would understand the significance of the signature.
    * Never had the need to send these kinds of emails.
    * I don't think it's necessary to encrypt my email frankly it's just another step something else I don't have time for!
Re: Please select what kind of key you want ~~ suggestion to developers
On Mon, Feb 23, 2009 at 11:55:51AM -0500, gerry_lowry (alliston ontario canada) wrote:
> The easier it is for beginners to understand PGP/GPG technology, the faster its adoption into general use by the public will occur.
>
> Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey
>
> Example:
>
>    Please select what kind of key you want:
>       (1) DSA and Elgamal (default)
>       (2) DSA (sign only)
>       (5) RSA (sign only)
>       (h) help on the above choices

While I more or less agree with Robert, and would note that the GPG built-in help is more intended as a reminder for those who already have some understanding of the concepts (you're not going to learn to code in C from the man pages), try typing a '?' here.

David
Re: Re: How secure asymmetric encryption to yourself?
Hi!

gerry_lowry (alliston ontario canada) schrieb:
> Sven Radde wrote, in part:
>> ... there are more usable ways of managing one's passwords than storing them in a GnuPG file.
> I'm curious what more usable ways there are that Sven and others can recommend.

/First of all, @Listowner: Let me know if this should be taken off-list because it's too OT.../

I mean tools like Keepass/KeepassX, PasswordSafe, or similar (even the Firefox password manager can encrypt stored passwords with 3DES and a master password). I also mean a Truecrypt volume or loopback container for storing the password file. For Linux, encfs or ecryptfs come to mind, too.

The reasons are as follows:

With GnuPG, you have encrypted one file. To be secure, you must now delete the original copy, which is not easy in itself, although recent research [1] seems to show that a single overwrite is sufficient for secure wiping. Didn't we have a discussion about secure deletion not too long ago?

Now, to access your encrypted passwords, you need to decrypt the file, resulting in an unencrypted version of it on your drive. When you are done, you have to securely delete it again. If you have modified the file, you have to remember to encrypt it between having saved the changes and deleting it. Of course, you can set the thing up in a way that the unencrypted file is written to a RAM-only disk, but keep hibernation and swapfile issues in mind.

You can also have GnuPG output the data to the console only, if you just have to read a password (I have no idea if there are possibilities that console output find its way into logfiles or similar, though). Depending on the size of your password file, you have quite a number of lines written to the console where you have to find the password that you need for the moment. If you'd format the file like:

    purpose1 - password1
    purpose2 - password2

you could do something like

    gpg --decrypt passwords.gpg | grep purpose2

to find the password you need.

As mentioned, some shellscripts could automate the process (create a ramfs mountpoint, decrypt the password file to there, grep it to find a desired password, or launch a text editor, re-encrypt the file after the editor closes, unmount the ramfs).

KeepassX, e.g., supports organizing your password file into groups, adding metadata such as URLs to the passwords, comfortable hotkeys, integrated random password generator, password entropy estimation etc.

The main difference, though, is the transparent way to access your passwords (this is also true for Truecrypt and the other mentioned encrypting filesystems): Enter the master-password, work with the password file(s), lock the storage again. Done. No unencrypted copy on disk, ever (apart from the abovementioned swapfile and hibernation).

Given these tools I also disagree with the notion that frequently used passwords reside in one's memory (although I remember quite some passwords, myself). Password-reuse is one of the greatest problems with passwords (and, btw, becomes quite infeasible once you have to deal with varying complexity-policies, different expiration-intervals etc) and passwords you have to remember tend, in general, to be weaker than those that you don't have to remember. With Keepass, you can have a different 20-character pseudo-random password for every stupid web forum (not to mention the more important things). It just doesn't matter whether your password is "123" or "las2ieu7hxalm5iuemalie" if it's just pressing Ctrl-Shift-A to auto-type username and password into the login form.

I do not mean to endorse specific pieces of software here, nor do I mean to belittle GnuPG. But I think you need the right tool for right task. And GnuPG IMHO has its strengths not in providing protection to frequently accessed (and modified) files. If you need to archive a backup copy of your passwords on a remote server, that's a wholly different issue, though. GnuPG will do an excellent job there and digital signatures are even a bonus.

cu, Sven

[1] http://www.springerlink.com/content/408263ql11460147/ -- unfortunately only the abstract is free for general access
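The "decrypt to RAM, look up or edit, re-encrypt, wipe" workflow Sven outlines, as an added example for this archive: it is not part of the thread and not GnuPG's own code, and it is written in Python rather than the shell scripts he mentions. Everything about the setup is an assumption made for the example: the file is ~/passwords.gpg with one "purpose - password" entry per line, gpg is installed and its agent handles the passphrase prompt, and /dev/shm is a RAM-backed tmpfs (Linux). The lookup matches the purpose field exactly, so asking for purpose2 does not also return purpose20, and for a read-only lookup the plaintext only ever passes through a pipe.

```python
# Added example (not from the thread, not GnuPG code): a wrapper around the
# "decrypt, look up or edit, re-encrypt, wipe" workflow for a GnuPG-encrypted
# password file.  All paths and the file layout are assumptions for this example.
import os
import subprocess
import tempfile
from typing import Optional

PASSWORD_FILE = os.path.expanduser("~/passwords.gpg")  # assumed location
SCRATCH_DIR = "/dev/shm"        # assumed RAM-backed tmpfs; swap/hibernation caveat still applies
SEPARATOR = " - "               # layout from the thread: "purpose - password"


def lookup_password(text: str, purpose: str) -> Optional[str]:
    """Exact match on the purpose field.  Unlike `grep purpose2`, this does not
    also match "purpose20", and the password itself may contain " - "."""
    prefix = purpose + SEPARATOR
    for line in text.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def decrypt_to_memory(path: str = PASSWORD_FILE) -> str:
    """Decrypt through a pipe so the plaintext never lands on disk."""
    proc = subprocess.run(["gpg", "--quiet", "--decrypt", path],
                          check=True, stdout=subprocess.PIPE)
    return proc.stdout.decode("utf-8")


def get_password(purpose: str, path: str = PASSWORD_FILE) -> Optional[str]:
    """Read-only lookup: decrypt into memory, search, discard."""
    return lookup_password(decrypt_to_memory(path), purpose)


def edit_passwords(recipient: str, path: str = PASSWORD_FILE) -> None:
    """Decrypt into a RAM-backed scratch file, open $EDITOR on it, re-encrypt
    to `recipient` (your own key ID), then overwrite and unlink the scratch
    file even if the editor or gpg fails."""
    fd, scratch = tempfile.mkstemp(dir=SCRATCH_DIR, prefix="pw.")   # created mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(decrypt_to_memory(path).encode("utf-8"))
        subprocess.run([os.environ.get("EDITOR", "vi"), scratch], check=True)
        # Encrypt to a sibling file and rename over the original, so a failed
        # gpg run cannot leave the password file truncated or half-written.
        new_path = path + ".new"
        subprocess.run(["gpg", "--quiet", "--yes", "--encrypt", "--recipient", recipient,
                        "--output", new_path, scratch], check=True)
        os.replace(new_path, path)
    finally:
        try:
            with open(scratch, "r+b") as f:              # overwrite before unlinking
                f.write(b"\0" * os.path.getsize(scratch))
        finally:
            os.unlink(scratch)


if __name__ == "__main__":
    import sys
    # usage: script.py lookup <purpose>   |   script.py edit <your-key-id>
    if len(sys.argv) == 3 and sys.argv[1] == "lookup":
        found = get_password(sys.argv[2])
        print(found if found is not None else "no such entry")
    elif len(sys.argv) == 3 and sys.argv[1] == "edit":
        edit_passwords(sys.argv[2])
    else:
        print("usage: lookup <purpose> | edit <key-id>")
```

The scratch file is overwritten before it is unlinked so the wipe still happens if SCRATCH_DIR turns out not to be RAM-backed; the swap and hibernation caveat Sven raises is unchanged, since the editor's process memory can still be paged out.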
Re: How secure asymmetric encryption to yourself?
On Mon, Feb 23, 2009 at 01:42:32PM -0500, Robert J. Hansen wrote:
> Open up my wallet, fish out the list, and there it is.

Although I think this is one of the most secure but usable places, what if a real life phisher gets your wallet? No problem to cancel credit cards. But are you able to reset all those login passwords? Probably by using answers that either anybody knows or that you can't remember? Will you even remember all your logins? Before they are abused?

> The moral of this story is simple -- don't make things more complicated than you have to.

But don't forget the backup.
Re: Please select what kind of key you want ~~ suggestion to developers
Robert J. Hansen wrote:
> Required reading:

And let's add to that:

Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006. Secrecy, flagging, and paranoia: adoption criteria in encrypted email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. DOI= http://doi.acm.org/10.1145/1124772.1124862

Again, read the entire thing. Email crypto is seen as the mark of a fearful or paranoid mind. The excerpt here should give you an idea of the paper, and will hopefully inspire you to read it for yourself.

    Abe worked in development. ... Because he handled financial data, Abe used encryption frequently, particularly when he received records from online donations ("I tend to try and be sure I PGP everything that has a credit card number on it"). He also communicated with an external vendor for recruitment. They used encryption to protect financial data when they synchronized their copies. Abe believed this setup was simple; he also thought some people ... needed to be more vigilant. He described how he tried to convince the head of campaigns in his home country to use encryption: "Why? Because it was just good. If the ... police ever come and bust into the office, you shouldn't have a document saying, 'hey, I'm discussing how I'm going to campaign against [a controversial issue].' It's not the kind of information you want them to have." Despite his reasoned argument, his colleagues were uncooperative: "most people see this as more work and want things simpler."

    ...

    Many of the employees interviewed ... had limits to their willingness to be more secure. In fact, moving beyond that limit was seen as abnormal or paranoid.

    ...

    Abe explained how someone could go overboard when he described how a representative of the PGP Corporation visited [the NGO]. Instead of a typical password authentication, the representative took off his necklace and used a removable flash drive that held his private key. The demonstration discouraged Abe: "It was too over-the-top and definitely too complicated. It was like a movie. ... Yeah, I admire him because he comes in and puts his passphrase every single day, three times a day, so that's very dedicated to his stuff. He must either be very scared or very motivated." He was not sure whether this vigilance was justified. In fact, he associated it with being fearful, perhaps irrationally fearful. Abe reiterated this when asked to speculate on why a colleague sent every e-mail message encrypted. He figured this man "has an automated system for encrypting e-mail or else he's nuts."

    ...

[big snip here, switching to a different employee, 'Jenny', who has used PGP in the past and understands its use in contexts where secrecy is essential:]

    ...

    Jenny also thought it was abnormal to encrypt non-secret information. When the interviewer abstractly explained that people in security suggest all users encrypt all messages, Jenny was baffled: "So you're saying that ... people should just -- even _normal_ people? That ... you're sending email to ... your mom, like, 'hey, things are going [pause]'? That you should encrypt your e-mail. That people should do all that." Jenny emphasizes normal people. _Normal_ people wouldn't encrypt normal messages.
Re: How secure asymmetric encryption to yourself?
On Mon, Feb 23, 2009 at 01:15:58PM -0500, gerry_lowry (alliston ontario canada) wrote:

Sven Radde wrote, in part: ... there are more usable ways of managing one's passwords than storing them in a GnuPG file.

I'm curious what more usable ways there are that Sven and others can recommend.

If you're already carrying around a PDA or smartphone, try:

http://linkesoft.com/secret/palm.html
http://agilewebsolutions.com/products/iphone

(etc - there are at least half a dozen others depending on what PDA or smartphone you have)

These are more usable as you always (as per the first statement) have your PDA/smartphone with you, so you don't need access to any other hardware or software to get your passwords. They're searchable, and can be backed up.

It's a reasonable question, of course, how secure these are. Obviously their authors claim they are very secure. Neither publish source, but the 1Password people have a design document which (assuming they followed it) shows them avoiding a lot of the common mistakes people make when implementing this sort of thing (notably, they were smart enough to not write their own crypto).

In practice, for me, it doesn't matter all that much. Certainly they are at least secure against casual snooping, which is all I need them for.

David
Re: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
gerry_lowry (alliston ontario canada) wrote:

The Internet took off when Microsoft, for better or worse, included and promoted Internet Explorer in Windows 95, thus beginning the so-called browser wars.

That's quite arguable. Why do you assume that MS introducing IE *caused* the internet to take off instead of being their (delayed) reaction to the internet taking off without them? :)

I would be surprised and also happy to see Microsoft promote PGP/GPG technology. I do not actually expect that to happen. If it did, it would be good if Microsoft could stimulate PGP/GPG technology with more user friendliness since at the moment there's much to learn to understand and begin using PGP/GPG technology.

Not that I care whether MS uses, promotes, or maligns PGP/GnuPG, but:

https://www.microsoft.com/technet/security/bulletin/pgp.mspx

(Personally, I find MS using PGP to sign their security notices amusing. That must be the most secure thing about their OS. :-)

--
Todd
OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Truth is like a well-known whore. Everybody knows her but it's embarrassing to meet her in the street.
-- Wolfgang Borchert
encrypt and detached signature
opensuse 11.0 and 11.1

gpg2 -r name -be file

Creates a detached signature file, but does not encrypt the file. I could do it in two steps (gpg2 -e file ; gpg2 -b encrypted-file) but can it be done in one?

Felipe
Re: Please select what kind of key you want ~~ suggestion to developers
While in general I agree with what you've said in this thread Robert, I do want to present one small ray of hope.

At my last job we dealt with a great deal of sensitive information (usually time sensitive, i.e., it would be released eventually but needed to be just right first) and being the dreaded technologist in a managerial role I strongly advocated the use of PGP in preference to other methods of secure communication for the obvious reasons (availability, cost, etc.). Once the IT department signed off, I actually started sitting with my colleagues and walking them through the process of generating keys, integrating with Outlook, etc. Then the fun part, I started sending people encrypted stuff. This often required another round of walking people through the process, but eventually it became sort of accepted, and generally (although sometimes grudgingly) acknowledged as a Good Idea. When I got my first unsolicited encrypted item in the mail, I knew that progress was being made. :)

It's probably worth noting that this was a technology-friendly workplace, and before I arrived there was already a culture of acceptance for things like encrypted chat, etc. But my point is, it's not all bad news out there.

hope this helps,
Doug