Re: Web of Trust itself is the problem
On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote: I think the WoT and in general the cryptography is not widely used because few people really care about their privacity. IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs. -- With best regards, Dmitri Minaev Russian history blog: http://minaev.blogspot.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
Dmitri Minaev min...@gmail.com writes: On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote: I think the WoT and in general the cryptography is not widely used because few people really care about their privacity. IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs. Sites such as http://biglumber.com/x/web can help with this. My perception of it is that it does not exclude non-geeky people. /Simon ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On Fri, Jan 8, 2010 at 8:21 PM, Mario Castelán Castro mariocastelancas...@gmail.com wrote: IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs. Well, you really don't *need* to be within WoT to use crypto, the confidence level will be less but for most people it is enougth. Actually, you don't really *need* to use crypto in email, the confidence level will be less, but to most people it is enough :) -- With best regards, Dmitri Minaev Russian history blog: http://minaev.blogspot.com ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
very short plaintexts symmetrically encrypted
have been playing around with symmetrical encryption, and noticed something potentially concerning. Here are 6 symmetrically encrypted short plaintexts: -BEGIN PGP MESSAGE- Version: GnuPG v1.4.9 (MingW32) Comment: passphrase sss jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1 NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms= =XWY4 -END PGP MESSAGE- -BEGIN PGP MESSAGE- Version: GnuPG v1.4.9 (MingW32) Comment: passphrase sss jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0 W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s= =gedo -END PGP MESSAGE- -BEGIN PGP MESSAGE- Version: GnuPG v1.4.9 (MingW32) Comment: passphrase sss jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM= =pCzG -END PGP MESSAGE- -BEGIN PGP MESSAGE- Version: GnuPG v1.4.9 (MingW32) Comment: passphrase sss jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7 VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr =mJ2N -END PGP MESSAGE- -BEGIN PGP MESSAGE- Version: GnuPG v1.4.9 (MingW32) Comment: passphrase sss jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0 =3xs4 -END PGP MESSAGE- Version: GnuPG v1.4.10 (MingW32) Comment: passphrase sss jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx =+8HY -END PGP MESSAGE- The first 3 encryptions are of the word 'no', while the second 3 are of the word 'yes'. All 6 are with the same passphrase 'sss' and the same algorithm, twofish. For the first 3, where only 2 letters of plaintext are encrypted, the pgp encryption (before the checksum), ends in the '=' padding character. For the second 3, where 3 letters are encrypted, the message ends in a different character (no padding). Should it be 'this easy' to distinguish the relative lengths of plaintexts just by looking at the ascii armor?? Obviously, encryptions of much longer plaintexts can't be expected to be the same size as that of a 2 character plaintext, and I haven't taken a long careful look at this, but I suspect that by increasing the plaintext one character at a time, and looking at the encrypted outputs, it should be possible to detect 'ranges' of plaintext length that correspond to a particular ciphertext length for symmetrically encrypted unsigned messages. At any rate, it seems disturbingly easy to distinguish between symmetrically encrypted messages having only the word 'yes' or 'no' just by 'looking' at the ciphertext. --vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On Fri, Jan 08, 2010 at 10:21:51AM -0600, Mario Castel�n Castro wrote: Did you count the citys in the list, they are just 11 of thoustands and thoustands around the world; it helps of course, but very little. You obviously didn't try to use the search box to find more cities. -- Bob Holtzman Key ID: 8D549279 If you think you're getting free lunch, check the price of the beer signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On 07.01.2010, Mario Castelán Castro wrote: I think the WoT and in general the cryptography is not widely used because few people really care about their privacity. I think the overall stats for people using cryptography is that low because it is or seems too complicated for them. A lot of people in the world do not even know how to install Windows, and a whole lot of people even can't install programs on their computers properly. This is not meant in a discriminating way at all, this is the real life. Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 768-bit RSA factored
So let's hope the ECC draft makes it soon to be finished :) ... and implemented in gpg ;) Cheers, Chris. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: very short plaintexts symmetrically encrypted
2010/1/8 ved...@hush.com: At any rate, it seems disturbingly easy to distinguish between symmetrically encrypted messages having only the word 'yes' or 'no' just by 'looking' at the ciphertext. i. Don't send such short messages ii. Don't use symmetric encryption. Ben ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win for OpenPGP Card 2 ?
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Hi Stefan, gpg: Prüfung der erstellten Unterschrift ist fehlgeschlagen: Bad signature gpg: Beglaubigung fehlgeschlagen: Bad signature gpg: make_keysig_packet failed: Bad signature Schlüsselerzeugung fehlgeschlagen: Bad signature No, I don't know what's causing it. But before examining further, I recommend to follow these steps to avoid any user settings to influence the test: Backup and/or move your GnuPG settings aside (homedir: keyrings, gpg.conf etc.) Uninstall all GnuPG and GPG4Win versions and wipe what's left in the program directory. Make *sure* you only have one gpg.exe on your system. Check by searching your system drive / PATH. Install GPG4Win Reset your card* to factory presets Retry using CLI to create a card key using defaults and an empty keyring If that doesn't succeed, try to provide a more detailled error description (-v). === * How to reset a OpenPGP Card v2: 1. Create a FILE with this content: ___ /hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd apdu 00 44 00 00 /echo card has been reset to factory defaults ___ 2. Issue the command gpg-connect-agent FILE === Olav - -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.12 (MingW32) Comment: Diese Email ist digital signiert/verschlüsselt Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQGcBAEBAwAGBQJLR7EYAAoJEKGX32tq4e9WqCML/22Gw30qNPTYjJ4fxRDEmNYt +HZ0mdpYnECwZ6VxNuYU8arDgUUIAsE/iVRotBZZUvVWvpebmf+4+h1V3S17FV17 OIkqnDg+2GQEZZUOYtzhMGhh222o5W70l8E7K1KmnpScejRrV1yNJ7Fmp2/XufXG WPiiPJkrxlwhNxtrXtcJwieH0XSw2IAnY3optPnEEcvtHRIAk5ONoPtw81nritzY s301TWuj9uE7jedLmifKe74w1tGC3MAqIWmNfjefZeI1q3a3yZqoE1lbAMcqj4lq C21UVMdqw0KZRDpPeiAf4HlvaFkYJnqUlzhYFAQFsIfJB8jA2R1fDiTE3/HiisH/ XZWtWeRAaGLBRn4kCB0vg/MFWjt9L98YxDFmGEIxkLBaZXcfmKNFxAxZlYacKY79 wfLiHrPv0owpKKtEniuJK7oCPJ+sbcokVi5PGjF4CRXaXdHoMJJqzzPinZwtWcr4 y8kZzduzjz8D/u1vAyk5aDfLIY3Ssp53Tb+dC7/vkw== =h5Ld -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Import of old keys
Hallo, For a long time I have used debian sid and gnupg with three keys for different purposes. After moving to Ubuntu (OT: for multimedia reasons) I fail to use these keys with the newly created account. I have access to all the old files and directories and would like to get some help for the incorporation of the old keys into the new system. Thanks a lot! Bernhard ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users