Re: default keyring file formats
On Wed, 20 Feb 2013 06:05, jw72...@verizon.net said: Hi, David. I appreciated your prompt reply. So with a concatenated keyring in the format foo.pub would I first use a command like the following one if I want to get the keys out of it in order to move No, please don't do that! The API to access the keyrings are the --import and --export commands. It might work now but may change at any time. It is not a good idea to suggest this use. For example the file ~/.gnupg/pubring.gpg and ~/.gnupg/secring.gpg use private extensions to the OpenPGP format. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg-agent forwarding
Hi all, Wondering if someone can help me out with gpg key forwarding in the same style that you can do with ssh. This is the best answer I've found so far: http://superuser.com/questions/161973/how-can-i-forward-a-gpg-key-via-ssh-agent Wondering if anyone could point me towards a cleaner soloution. -John signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Piping tar into gpg
On 02/20/2013 04:29 PM, Stefan Malte Schumacher wrote: I want to create encrypted backups with tar and gpg, which I then want to upload to my online storage. Strangely I can't get it working. find /mnt/raid/Dokumente/ -type f -print0 |tar cfzv | gpg --symmetric --output 1.tar.gz.gpg if you want to pipeline like this, i don't think you want the f flag for tar. I also don't think you're using find and tar together properly -- i think you want xargs in the mix. here's a functional example, along with a verification step (i'm using gpg-agent to prompt for the symmetric passphrases): 0 dkg@alice:/tmp/cdtemp.cD3zXc$ mkdir t 0 dkg@alice:/tmp/cdtemp.cD3zXc$ echo test t/a 0 dkg@alice:/tmp/cdtemp.cD3zXc$ echo whatever t/b 0 dkg@alice:/tmp/cdtemp.cD3zXc$ find t -type f -print0 | xargs -0 tar czv | gpg --symmetric foo.tgz.gpg t/b t/a 0 dkg@alice:/tmp/cdtemp.cD3zXc$ gpg --decrypt foo.tgz.gpg | tar tz gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase gpg: WARNING: message was not integrity protected t/b t/a 0 dkg@alice:/tmp/cdtemp.cD3zXc$ --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Documentation on symmetric key options for GPGME
On 02/20/2013 06:41 PM, Jim Treinen wrote: I am new to GPG, specifically GPGME. I am trying to familiarize myself with programming against the GPGME C library. I was wondering if it is possible to explicitly specify the use of AES 256 and choose a block mode when using the OpenPGP protocol ? It is possible to force the use of AES-256 whenever possible: add --cipher-algo aes256 to the GnuPG command line. However, this is thoroughly not advised. It's possible to create traffic your recipient will not be able to decrypt, for instance (not every OpenPGP implementation supports AES). There are also other edge cases in which using cipher-algo can get you in trouble. OpenPGP specifies its own block mode, which is basically CFB64 with some special sauce added -- it's a hack which dates back many years. Every now and again there's some talk about replacing it with something more modern, like Galois counter mode or somesuch, but so far nothing's come of it. So the answer to this one is no, you really can't specify a block mode. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Patch add support for different algorithms in the agent private key storage
On 02/20/2013 07:11 PM, Laila Vrazda wrote: Very well, theoretically AES-256 is less secure than AES-192. The current best attack on AES-256 maxes out at 11 rounds; the full AES-256 has 14 rounds. Nobody's ever demonstrated that full AES-256 is easier to break than AES-192; and even if they had, it would still be a nonissue. Theoretically, a reduced-round AES-256 is less secure than a reduced-round AES-192 would be more accurate, and as the sentence gets more accurate it seems to become less relevant. Besides, cryptosystems very rarely fail as the result of cryptologic flaws. It's so rare I'm having a hard time thinking of any off the top of my head; WEP fell to an implementation defect in RC4, SSL had problems with side channels, there are a lot of systems that have fallen to timing attacks, and so on. But I'm scratching my head here trying to think of the last time a system fell to cryptanalysis. The DVD Content Scrambling System, maybe? signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Patch add support for different algorithms in the agent private key storage
On 02/20/2013 08:23 PM, Robert J. Hansen wrote: The current best attack on AES-256 maxes out at 11 rounds; the full AES-256 has 14 rounds. Doing a little more research, I found a theoretical attack on the full -256 and -192; I was wrong to say the current best attack only worked on a reduced-round variant. The new hotness is a related-key attack, wherein the attacker chooses two keys and a relationship between them and uses that to attack the full cipher. It's definitely an exotic: that sort of condition is unlikely to occur in the real world, especially in GnuPG where AES is used for randomly-generated session keys -- there's no relationship between them to be exploited. Still, I was incorrect to say the best attack is on a reduced-round variant. Mea culpa. :) signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users