Re: GnuPG in the media
On Thu, 07 Feb 2013 22:16:23 -0500
Robert J. Hansen r...@sixdemonbag.org wrote:

> GnuPG was mentioned (somewhat inaccurately, but still mentioned) in the _Daily Mail_. It's not exactly 'respectable journalism', but it's still very high-visibility.
>
> http://www.dailymail.co.uk/sciencetech/article-2274388/MI5-install-black-box-spy-devices-monitor-UK-internet-traffic.html

Heheh... HushMail - JavaApplet + 1024 RSA key, lovely stuff :)

--
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: More secure than smartcard or cryptostick against remote attacks?
On 08/02/13 03:12, Josef Schneider wrote:
> With GnuPG on the other hand someone who has access to my PC can sign whatever he likes and sign as much as he likes, as long as my card reader is attached

Just so you know, the OpenPGP card has a forcesig, force signature PIN, flag which you can set so you have to enter the PIN for every individual signature.

Unfortunately (IMHO), there's no such flag for decryption and authentication, which can be done multiple times with one PIN entry.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Feature request for future OpenPGP card: force PIN
Hello Werner and list,

I'd like to do a feature request for a new version of the OpenPGP card, whenever such a new version would be designed.

The current OpenPGP cards have a force signature PIN flag which can be set so only one signature is issued with one PIN entry. I'd like to request similar flags for the other two keys on the card, the encryption key and the authentication key.

To me, it seems that the rationale for such a flag on the authentication key is the same as for the signature key; both are a form of signatures. However, I'm not familiar with the rationale for adding the force signature PIN flag.

I think there's an obvious use case for not setting the force PIN flag on decryption: if you're searching your mail archive for a certain string, and you have lots of encrypted mails, not forcing the PIN will mean you only need to enter the PIN once for the search. But offering the option to force the PIN for each decryption just means people with this use case will not set the flag; it does not get in their way.

I don't have a mail archive with encrypted mails. To me, decryption is just as much a once only action as signatures. So I would personally set the force decryption PIN flag for the same reasons I set the force signature PIN flag.

It seems to me this is a simple and harmless addition, so I hope it can be accepted on the grounds that it is useful to some, not harmful to others and not that much work. I hope I see that right.

I regret not doing this feature request between the card v1.1 and v2.0 :).

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: More secure than smartcard or cryptostick against remote attacks?
On 2013-02-08 10:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can sign whatever he likes and sign as much as he likes, as long as my card reader is attached
>
> Just so you know, the OpenPGP card has a forcesig, force signature PIN, flag which you can set so you have to enter the PIN for every individual signature.
>
> Unfortunately (IMHO), there's no such flag for decryption and authentication, which can be done multiple times with one PIN entry.

I'm no expert, but isn't that only useful if you have a card-reader with pin-entry? If you use your compromised PC to enter your PIN, the malware can just replay that PIN to the card.

Niels
Re: Smartcard reader with pin-pad: working combo?
On 2013-02-08 11:23, Hendrik Jäger wrote:
> Hello Niels
>
> On Fri, 08 Feb 2013 10:10:56 +0100
> Niels Laukens ni...@dest-unreach.be wrote:
>
>> How likely is it that this is going to work? The card seems to be supported by GnuPG, even for 4096RSA keys (which I plan to use).
>
> On the card’s page it says:
> Key length now up to 3072 bits
> What makes you think it works with 4096-bit keys?

These:
http://www.corsac.net/?rub=blogpost=1548
https://chris.boyle.name/2011/02/gnupg-4096-bit-keys-openpgp
http://wiki.debian.org/Smartcards/OpenPGP#Features
http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042750.html
http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042761.html

>> together with this reader: SCM SPR-332
>
> I bought this reader as well after I could not get the pinpad of Gemalto PC Pinpad USB Reader (http://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=122) to work with GnuPG. It works just fine and (almost) out of the box, at least on Debian Linux.

That's good to hear. Thank you!

Niels
Re: More secure than smartcard or cryptostick against remote attacks?
On 08/02/13 10:55, Niels Laukens wrote:
> I'm no expert, but isn't that only useful if you have a card-reader with pin-entry? If you use your compromised PC to enter your PIN, the malware can just replay that PIN to the card.

Yes, I agree. Not that I am an expert.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: Smartcard reader with pin-pad: working combo?
Hello Niels

On Fri, 08 Feb 2013 10:10:56 +0100
Niels Laukens ni...@dest-unreach.be wrote:

> Which brings me to my main question: I'm thinking of buying this smartcard: OpenPGP SmartCard V2
> https://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=42
> together with this reader: SCM SPR-332
> https://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=61
>
> And would like to get this to work on my MacBook Pro with 10.6.8 (snow leopard). I'm not afraid to compile applications from source, but would prefer not to mess with kernel modules.
>
> How likely is it that this is going to work? The card seems to be supported by GnuPG, even for 4096RSA keys (which I plan to use).

On the card’s page it says:
Key length now up to 3072 bits
What makes you think it works with 4096-bit keys?

> But I'm not sure about the card reader.
>
> So to guard this topic: I'm also interested in the security-considerations of my intentions, but my main question is: what are the experiences with the mentioned card & cardreader?

I bought this reader as well after I could not get the pinpad of Gemalto PC Pinpad USB Reader (http://shop.kernelconcepts.de/product_info.php?cPath=1_26products_id=122) to work with GnuPG. It works just fine and (almost) out of the box, at least on Debian Linux.

Best regards
Hendrik
Re: Feature request for future OpenPGP card: force PIN
On Fri, 8 Feb 2013 11:09, pe...@digitalbrains.com said:

> the same as for the signature key; both are a form of signatures. However, I'm not familiar with the rationale for adding the force signature PIN flag.

That is simply a requirement due to the German law about qualified signatures. If someone wants to use the OpenPGP card specification to set up a qualified signature system, this feature is needed. This is not that I think this will ever be done, but back when we worked out the specs it seemed to be a good idea to have such a feature.

In any case it is not a security measure because the host may simply cache the PIN and silently do a verify command before each sign operation. To avoid that simple workaround, a pinpad reader which filters the VERIFY command would be needed.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
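
A toy model of the point made in the message above, as an added example that is not part of the original thread and is not GnuPG or card firmware code: it compares a card with the force signature PIN flag behind a plain reader and behind a reader that filters host-supplied VERIFY. All class and function names are hypothetical, and the card logic is reduced to the signature PIN state.

```python
class Card:
    """Constructed model: only the signature PIN access state of a card."""
    def __init__(self, pin, forcesig):
        self._pin = pin
        self.forcesig = forcesig     # True: one PIN verification covers one signature
        self._unlocked = False       # signature access state, set by VERIFY

    def verify(self, pin):
        self._unlocked = (pin == self._pin)
        return self._unlocked

    def sign(self, digest):
        if not self._unlocked:
            raise PermissionError("security status not satisfied")
        if self.forcesig:
            self._unlocked = False   # access state is dropped after each signature
        return b"sig:" + digest

class PlainReader:
    """No keypad: the PIN is typed on the host and forwarded to the card."""
    def __init__(self, card):
        self.card = card

    def verify_from_host(self, pin):
        return self.card.verify(pin)

    def sign(self, digest):
        return self.card.sign(digest)

class PinpadReader(PlainReader):
    """Filters VERIFY: only a PIN typed on the reader's keypad reaches the card."""
    def verify_from_host(self, pin):
        return False                 # host-supplied VERIFY never reaches the card

    def verify_from_keypad(self, pin):
        return self.card.verify(pin)

def signatures_with_cached_pin(reader, cached_pin, digests):
    """Host software that re-sends a remembered PIN before every sign request."""
    made = 0
    for digest in digests:
        reader.verify_from_host(cached_pin)
        try:
            reader.sign(digest)
            made += 1
        except PermissionError:
            pass                     # card refused: PIN state was not renewed
    return made
```

With the flag set, the plain reader still yields one signature per request from a host that remembers the PIN, while the filtering reader yields exactly one signature per keypad entry.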
LiveCD with GPG 2.0.18+
Is there any LiveCD that has GPG 2.0.18 (or higher) on it?

I plan to generate some secret keys to store on a smartcard, and to backup on a USB device. To minimize the risk of Key compromise, I'd like to do the key generation on an offline machine. I could do a regular install for this, and wipe the harddrive after I'm done, but it would save a lot of work if I could boot off a LiveCD.

But since I'd like to move a 4096bit key to a smartcard, I need 2.0.18 (or higher). Are there LiveCDs that have this version on them?

Thx,
Niels
Re: LiveCD with GPG 2.0.18+
> Is there any LiveCD that has GPG 2.0.18 (or higher) on it?

A quick check shows that Knoppix claims to have gnupg2 2.0.19-1 on Knoppix DVD versions 7.0.4 and 7.0.5. The version number is probably a Debian version number. There are files called dpkg-l-dvd-704.txt and ..705.txt in the DVD mirrors of Knoppix that give a listing of all installed packages along with version numbers.

Note that the CD version does not have GnuPG 2! Only 1.4.x.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter
Re: More secure than smartcard or cryptostick against remote attacks?
On 08-02-2013 6:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can sign whatever he likes and sign as much as he likes, as long as my card reader is attached
>
> Just so you know, the OpenPGP card has a forcesig, force signature PIN, flag which you can set so you have to enter the PIN for every individual signature.
>
> Unfortunately (IMHO), there's no such flag for decryption and authentication, which can be done multiple times with one PIN entry.

Maybe it would be interesting to add a big sign button to the pad. Probably you would not like to enter a PIN for each signature, but maybe 1 button to press for each signature (after the PIN has been entered for the first one) would be interesting.

Of course, probably that would require to modify readers and cards, and maybe very few people would want it.

Best Regards