OpenSSL vs GPG for encrypting files? Security best practices?
Security Experts,

I'm considering encrypting a tar archive and optionally a block file system (via FUSE) using either utility. Does anyone have comments on the best practices and tools for either?

I read that the OpenSSL AES-CBC CLI mode is prone to a malleable attack vector and its CLI interface should not be used directly for production. I have also read that GPG is the suggested alternative to the OpenSSL CLI due to this.

I have followed through with the OpenSSL CLI AES tests and am curious where the malleable attack is (in the pipe?). I am also curious as to why GPG, which is an asymmetric key manager, is used for file based encryption when only a single key is required. How does GPG solve this malleable attack vector?

A security expert's guidance here is much appreciated.

Thank you,
Nicholas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?
> From: openssl-users on behalf of Nicholas Papadonis
> Sent: Friday, November 2, 2018 14:29
>
> I read

Where? It's hard for us to determine the quality of your source, or your interpretation of it, if we don't know what it is.

> that the OpenSSL AES-CBC CLI mode is prone to a malleable attack vector

I don't know what "malleable attack vector" is supposed to mean in this context. CBC, regardless of the cipher, has certain well-known vulnerabilities. Those probably aren't a concern for most personal file-encryption use cases. If you have regulatory/legal requirements, then rolling your own data-protection solution, even using presumed-good crypto implementations, is a Bad Idea.

> and [its] CLI interface should not be used directly for production.

I would certainly be leery of doing so. It's not what the openssl utility is primarily intended or designed for. There are at least two main drawbacks of using the openssl utility in production:

- It primarily exposes primitives, not complete cryptosystems. That means either you're composing those primitives into a complete cryptosystem yourself, which is a process fraught with danger; or you're using an incomplete cryptosystem. In this case, if you use openssl, where is your integrity protection coming from, for example? How are you handling key management, hygiene, and disaster recovery?

- Usability is minimal (for good reason - it's meant as an ad hoc toolkit). There's no error logging or auditing, and minimal diagnostics. Failure modes are pretty much "write an error message and give up".

> I have also read that GPG is the suggested alternative to OpenSSL CLI due to
> this.

...

> I am also curious as to why GPG, which is an asymmetric key manager,

GPG is an implementation of the OpenPGP standard, plus additional functionality. It's much more than a "key manager".

> is used for file based encryption when only a single key is required.

GPG supports symmetric encryption. A web search should turn up thousands of pages describing that feature. (Some will be out of date regarding the default cipher and other details; consult the documentation for the current GPG version. I think the default now might be AES-128 CBC, with SHA1 as the MDC, but I haven't checked.)

> How does GPG solve this malleable attack vector?

Hard to say without knowing what the "malleable attack vector" is. GPG *is* intended to provide a complete, if rather minimal, cryptosystem for this use case (symmetric encryption of individual files, under a personal-use threat model). For one thing, it (by default) includes an MDC for integrity validation; for another, it provides slightly more sophisticated features for key hygiene.

We don't really know the parameters of your use case, so it's not really possible to make a reasonable recommendation. Do you have regulatory or statutory requirements, or requirements imposed by some other authority (e.g. an employer)? How sensitive is the data? How are you managing your key? What provisions do you need to make for disaster recovery? How are you addressing file integrity? What does your threat model look like?

This is why the simplest approach is to find a complete system that addresses all your requirements. It may not be free, but then neither is your time and energy - you can pay money, or you can pay in opportunity costs and cognitive load. Of course, many people simply ignore the issues and roll their own systems. Often they'll get away with it. Sometimes it will come back to bite them.

--
Michael Wojcik
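Added example for this archive page (not code from the thread, from OpenSSL or from GnuPG): it illustrates the "primitives versus a complete cryptosystem" point above. The same passphrase-derived key is used once with encryption alone and once with encrypt-then-MAC (an HMAC-SHA256 tag standing in for the role GPG's MDC plays). A single damaged ciphertext byte decrypts silently to wrong plaintext in the first case and is rejected before decryption in the second. The "cipher" is a deliberately minimal stand-in (a SHA-256 counter keystream) so that the script runs on the Python standard library alone; it is not a recommendation for real data, where a vetted AEAD or GPG's MDC-protected packets belong. All function names are this example's own.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor chosen for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256(key || nonce || counter) blocks.
    Placeholder for a real cipher so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """One PBKDF2 call, split into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def encrypt_unauthenticated(passphrase: str, plaintext: bytes) -> bytes:
    """Primitive only: salt || nonce || ciphertext. Nothing detects later changes."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, _ = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return salt + nonce + ct


def decrypt_unauthenticated(passphrase: str, blob: bytes) -> bytes:
    """Decrypts whatever it is given; corruption is invisible at this layer."""
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    enc_key, _ = _derive_keys(passphrase, salt)
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_authenticated(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers salt, nonce and ciphertext together."""
    body = encrypt_unauthenticated(passphrase, plaintext)
    _, mac_key = _derive_keys(passphrase, body[:16])
    return body + hmac.new(mac_key, body, "sha256").digest()


def decrypt_authenticated(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first; refuse to decrypt anything that fails the check."""
    body, tag = blob[:-32], blob[-32:]
    _, mac_key = _derive_keys(passphrase, body[:16])
    expected = hmac.new(mac_key, body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext modified or wrong passphrase")
    return decrypt_unauthenticated(passphrase, body)


def corrupt_one_byte(blob: bytes, index: int) -> bytes:
    """Simulate one altered ciphertext byte (bit rot, a bad copy, or tampering)."""
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)


def demonstrate(passphrase: str = "correct horse battery staple") -> dict:
    """Run both schemes over a constructed sample and report what each one notices."""
    plaintext = b"constructed sample: backup-2018-11-02.tar"  # constructed input
    plain_blob = encrypt_unauthenticated(passphrase, plaintext)
    auth_blob = encrypt_authenticated(passphrase, plaintext)
    # Byte 40 lies inside the ciphertext portion of both blobs (after the 32-byte header).
    damaged_plain = corrupt_one_byte(plain_blob, 40)
    damaged_auth = corrupt_one_byte(auth_blob, 40)
    result = {
        "unauthenticated_roundtrip": decrypt_unauthenticated(passphrase, plain_blob) == plaintext,
        "unauthenticated_silently_corrupted": decrypt_unauthenticated(passphrase, damaged_plain) != plaintext,
        "authenticated_roundtrip": decrypt_authenticated(passphrase, auth_blob) == plaintext,
    }
    try:
        decrypt_authenticated(passphrase, damaged_auth)
        result["authenticated_detected_damage"] = False
    except ValueError:
        result["authenticated_detected_damage"] = True
    return result


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The design point is the order of operations in decrypt_authenticated: the tag is checked over the whole blob before any decryption happens, and the MAC key is separate from the encryption key. That is the piece "openssl enc" on its own does not give you, and the piece GPG's MDC supplies by default.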
Re: Slightly OT - i need the proper wording for a signed document
Hello Dirk,

On 02.11.18 at 15:20, Dirk Gottschalk via Gnupg-users wrote:
> You mean, you "tampered" with the file and the signature is still
> valid? Are you sure? Then Adobe does something really bad, IMHO.
>
> Such a signature should ensure that the file is unmodified completely.
> Otherwise somebody can modify it in a way that could be used as a
> backdoor to the signature, at least in theory.

That is correct: a signature is still valid if a timestamp is added AFTER signing the document. Very simplified, it uses the same method for timestamping as for signing, and it is a kind of 2nd signature on the same document. The document is NOT altered or manipulated.

Regards
Juergen

--
Juergen M. Bruckner
juer...@bruckner.tk
Re: Slightly OT - i need the proper wording for a signed document
On 02.11.2018 15:35, Dirk Gottschalk wrote:
> I prefer GPG. And no, GPG does not lack timestamping, a timestamp is
> included in every signature.

Signature creation date is not the same as timestamping.

As for why, you may consider the problem of validating signatures made by revoked keys. Without timestamping this kind of signature is inherently insecure (as the compromised key could be used by the attacker to create a backdated signature).

For example Authenticode uses timestamping [0] so that old signatures can still be considered valid even when the key expires or is revoked later.

Adding something comparable to OpenPGP was discussed [1] on the OpenPGP ML recently and previously [2].

Kind regards,
Wiktor

[0]: https://docs.microsoft.com/en-US/windows/desktop/SecCrypto/time-stamping-authenticode-signatures
[1]: https://www.ietf.org/mail-archive/web/openpgp/current/msg09092.html
[2]: https://www.ietf.org/mail-archive/web/openpgp/current/msg07136.html

--
https://metacode.biz/@wiktor
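Added example for this archive page (not code from the thread or from any OpenPGP or RFC 3161 implementation): the verification logic behind the distinction Wiktor draws. A signer-supplied creation time can carry any value, while a time asserted by an independent timestamp authority over the signature cannot be moved backwards. The two verify_* policies below are this example's own names; the dataclasses stand in for a signature and for what the verifier knows about the key, and the scenario() data is constructed, with the timestamp assumed to be cryptographically verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class KeyStatus:
    """What the verifier knows about the signing key at verification time."""
    revoked_at: Optional[datetime] = None
    expires_at: Optional[datetime] = None


@dataclass(frozen=True)
class Signature:
    """A signature as seen by the verifier (constructed model, not a real packet).

    claimed_created: the creation time the signer wrote into the signature
        (OpenPGP's creation-time subpacket). Whoever holds the key controls it.
    tsa_time: the time an independent RFC 3161 timestamp authority asserted
        over this signature, if one was obtained. Assumed already verified.
    """
    claimed_created: datetime
    tsa_time: Optional[datetime] = None


def _usable_at(when: datetime, key: KeyStatus) -> bool:
    """Was the key neither revoked nor expired at the given instant?"""
    if key.revoked_at is not None and when >= key.revoked_at:
        return False
    if key.expires_at is not None and when >= key.expires_at:
        return False
    return True


def verify_trusting_creation_time(sig: Signature, key: KeyStatus) -> bool:
    """Policy A: believe the signer's own creation time."""
    return _usable_at(sig.claimed_created, key)


def verify_requiring_timestamp(sig: Signature, key: KeyStatus) -> tuple[bool, str]:
    """Policy B: only a third-party timestamp can place the signature in time."""
    if sig.tsa_time is None:
        return False, "no trusted timestamp; cannot place the signature before revocation/expiry"
    if sig.tsa_time < sig.claimed_created:
        return False, "timestamp predates the claimed creation time; metadata is inconsistent"
    if not _usable_at(sig.tsa_time, key):
        return False, "signature was timestamped only after the key was revoked or expired"
    return True, "signature provably existed while the key was still valid"


def scenario() -> dict:
    """Constructed case: the key is compromised and revoked on 2018-10-01."""
    key = KeyStatus(revoked_at=_utc(2018, 10, 1))
    # Made by the legitimate owner in June and timestamped the same day.
    honest = Signature(claimed_created=_utc(2018, 6, 1), tsa_time=_utc(2018, 6, 1))
    # Made with the stolen key after revocation, creation time written as June.
    backdated_no_tsa = Signature(claimed_created=_utc(2018, 6, 1))
    # Same, but also sent to a TSA; the TSA can only assert the real date.
    backdated_with_tsa = Signature(claimed_created=_utc(2018, 6, 1), tsa_time=_utc(2018, 11, 2))
    report = {}
    for name, sig in (("honest", honest),
                      ("backdated_no_tsa", backdated_no_tsa),
                      ("backdated_with_tsa", backdated_with_tsa)):
        ok, reason = verify_requiring_timestamp(sig, key)
        report[name] = {
            "trust_creation_time": verify_trusting_creation_time(sig, key),
            "require_timestamp": ok,
            "reason": reason,
        }
    return report


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(name, verdicts)
```

Policy A accepts all three signatures because it has nothing but the signer's word for the date; policy B accepts only the honest one. The unhappy path is what matters operationally: a verifier that wants to keep old signatures valid after a revocation must either require a timestamp or treat every unstamped signature from that key as unverifiable, whatever creation time it carries.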
Re: Slightly OT - i need the proper wording for a signed document
On 02.11.18 at 15:20, Dirk Gottschalk wrote:
> Hello Stefan.
>
> On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
> > Hi Wiktor,
> >
> > thanks a lot! Now this is awesome... I just timestamped my already
> > signed .pdf with Adobe Reader DC and this does not invalidate my
> > qualified signature, when saving the document again! :-) I must admit
> > I did not know this.
>
> You mean, you "tampered" with the file and the signature is still
> valid? Are you sure? Then Adobe does something really bad, IMHO.
>
> Such a signature should ensure that the file is unmodified completely.
> Otherwise somebody can modify it in a way that could be used as a
> backdoor to the signature, at least in theory.

Hi Dirk,

I did not tamper with the file, I simply used the function in Adobe Reader DC to let it *add* a time stamp to my document and then saved it again.

I strongly assume that it is also possible that someone else can sign my .pdf too with a qualified signature and this will also not invalidate my qualified signature, unless of course someone would *edit* my document.

This would then mean in reality that, for example, a "boss", team leader or whoever prepares a contract signs it and then lets other parties sign this document too, and all involved parties then have a multiply signed and valid document.

You can check the two added timestamps (one from freetsa and another commercial one which is in the EU list) that I added to my greetings.pdf on keybase.

Regards
Stefan
Re: Slightly OT - i need the proper wording for a signed document
Hello Wiktor.

On Thursday, 01.11.2018, 20:14 +0100, Wiktor Kwapisiewicz wrote:
> On 01.11.2018 11:19, stefan.cl...@posteo.de wrote:
> Do you mean X.509 is technically good or just more widely supported
> in software than OpenPGP? For me there are only few cases where X.509
> infrastructure has something that OpenPGP lacks (e.g. timestamping).

I prefer GPG. And no, GPG does not lack timestamping, a timestamp is included in every signature.

X.509 is more widely spread. I think this is the only reason that it is preferred by some users. I would like to see GPG be more widely used. For me, X.509 is not more trustworthy than GPG; I trust this system and the signed certificate less in many cases.

The signature regulations in the EU are not the best. In the US, I read, even PGP is approved in some states. They use it even for notary approvals. We had a thread describing this a few months ago.

The only thing is that GPG can not do inline signing of PDFs. This would be a nice feature, but, AFAIK, the standard for PDF doesn't leave us this option.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: Slightly OT - i need the proper wording for a signed document
Hello Stefan.

On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
>
> Hi Wiktor,
>
> thanks a lot! Now this is awesome... I just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature, when saving the document again! :-) I must admit
> I did not know this.

You mean, you "tampered" with the file and the signature is still valid? Are you sure? Then Adobe does something really bad, IMHO.

Such a signature should ensure that the file is unmodified completely. Otherwise somebody can modify it in a way that could be used as a backdoor to the signature, at least in theory.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: Slightly OT - i need the proper wording for a signed document
Hi guys.

On Friday, 02.11.2018, 12:53 +0100, Stefan Claas wrote:
> On Fri, 2 Nov 2018 12:20:43 +0100, Wiktor Kwapisiewicz wrote:
> > On 02.11.2018 10:53, Stefan Claas wrote:
> > > Simply one can use a time stamping service, based on blockchain
> > > technology. I can then time stamp the .pdf. and put also a
> > > statement in the .pdf that the file is timestamped and don't have to
> > > worry in the future if one MITM would try (and why?) to alter my
> > > documents.
> >
> > PDFs can be also timestamped when signing with a standard RFC 3161
> > [0] timestamping service.
> >
> > Here's one example:
> >
> > https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat
> >
> > But there are numerous free RFC 3161 timestamping services.
> >
> > Of course that's not the same as blockchain, but it's already
> > supported by numerous tools (like Adobe Acrobat).
> > [0]: https://tools.ietf.org/html/rfc3161
>
> Hi Wiktor,
>
> thanks a lot! Now this is awesome... I just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature, when saving the document again! :-) I must admit
> I did not know this.

freetsa offers a free timestamping service based on blockchain technology, AFAIK. I use it myself to stamp PDFs. The free service offers 10 timestamps per day, which should be enough for normal usage.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: Slightly OT - i need the proper wording for a signed document
On Fri, 2 Nov 2018 12:20:43 +0100, Wiktor Kwapisiewicz wrote:
> On 02.11.2018 10:53, Stefan Claas wrote:
> > Simply one can use a time stamping service, based on blockchain
> > technology. I can then time stamp the .pdf. and put also a
> > statement in the .pdf that the file is timestamped and don't have to
> > worry in the future if one MITM would try (and why?) to alter my
> > documents.
>
> PDFs can be also timestamped when signing with a standard RFC 3161 [0]
> timestamping service.
>
> Here's one example:
>
> https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat
>
> But there are numerous free RFC 3161 timestamping services.
>
> Of course that's not the same as blockchain, but it's already
> supported by numerous tools (like Adobe Acrobat).
> [0]: https://tools.ietf.org/html/rfc3161

Hi Wiktor,

thanks a lot! Now this is awesome... I just timestamped my already signed .pdf with Adobe Reader DC and this does not invalidate my qualified signature, when saving the document again! :-) I must admit I did not know this.

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
Re: Slightly OT - i need the proper wording for a signed document
On 02.11.2018 10:53, Stefan Claas wrote:
> Simply one can use a time stamping service, based on blockchain
> technology. I can then time stamp the .pdf. and put also a
> statement in the .pdf that the file is timestamped and don't have to
> worry in the future if one MITM would try (and why?) to alter my
> documents.

PDFs can be also timestamped when signing with a standard RFC 3161 [0] timestamping service.

Here's one example:

https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat

But there are numerous free RFC 3161 timestamping services.

Of course that's not the same as blockchain, but it's already supported by numerous tools (like Adobe Acrobat).

Kind regards,
Wiktor

[0]: https://tools.ietf.org/html/rfc3161

--
https://metacode.biz/@wiktor
Re: Slightly OT - i need the proper wording for a signed document
On Thu, 1 Nov 2018 23:50:48 +0100, Stefan Claas wrote:
> Hi veedal,
>
> > A simple, but slightly tedious workaround, would be to GnuPG Armor
> > Sign the .pdf
> >
> > The eIDAS signature will still work, but the Armored Signed message
> > is much harder to alter, and such alteration is detectable as
> > malicious rather than a 'mistake'.
>
> Thank you very much for this valuable information, much appreciated!
>
> It is now a bit late, but I will try this out tomorrow.

O.k. I played a bit with it, but as you said, "slightly tedious workaround"...

I will use another method, which does not allow an attack imho. I did this in the past with detached signatures, when I posted files, and it should be used more widely, imho!

Simply one can use a time stamping service, based on blockchain technology. I can then time stamp the .pdf. and put also a statement in the .pdf that the file is timestamped and don't have to worry in the future if one MITM would try (and why?) to alter my documents.

https://opentimestamps.org

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas