Re: my statements were twisted (was Security of 3DES)
On 09/03/2013 04:49 PM, Peter Lebbing wrote: To expand on what Johan Wevers said: symmetric ciphers do not change the length of the encrypted text (by more than the block size). They certainly do not compress. Usually, data is compressed before encrypting it (compressing it after is pretty useless). If you set your key preferences to not allow compression, files encrypted to your key will not be smaller than the original files. NO TWO PEOPLE ARE THE SAME! The main thing I am saying is to make choices work for you but at the same time consider the others you interact with. Taking my choices is NOT any better than the ones on the Debian page. You have to find your own. If you have a problem with that I will don my Psychologist cap and do analysis instead. I won't answer the other questions because you have grossly misinterpreted me. My major point was that what was picked in that list had the idea that bigger is better and biggest is best. Zipping was required. I dropped my 4096R keys and went from them to 2048R more not from the point of view of which is safer but more from the point of view of being reasonable for others. Ditto for going from the SHA512 hash down to SHA256. Now I realize that there is a lot more going on in GnuPG than just using sha256sum and sha512sum. Nevertheless, doing tests on creating the hashes on 1000 files made it quite evident that SHA256 wasn't that much of a burden over SHA1. But sha512sum consumed gobs more time than using sha256sum. So I switched not only the key sizes but the DIGEST to SHA256 as my first choice. How bad was SHA512 in other ways? There were some times the detached .sig files were as large as or even larger than the base files! But it was NOT what ever I thought was the best for me security-wise driving the decision. It was the needs and desires of others. You don't live in a vacuum. Having that much extra for the task at hand was gross over-kill. There is nothing wrong with 3DES from my point of view. 
There may be from other people's point of view and that includes people making government specifications that ignore the fact that CAST5 has not had as much cryptanalysis done on it as has been done with 3DES. Have you ever heard the statement there is the right way, the wrong way, and the Navy way? In that case it is NOT your choice driving the decision. If you were not supposed to use 3DES then by golly you better not use it.

Didn't I make the statement that you are far more likely to lose your secret documents via a hacker infecting your machine and stealing them that way than attacking any of these ciphers? Didn't I say you are more likely to have somebody go into your house and attach a key-logger to the end of your keyboard than by them attacking any of these ciphers directly? Why did you ignore these statements?

I only mentioned that 3DES should be considered for low powered machines. That statement stands. If you want 3DES as your first choice on an umpteen core machine go ahead. Other people with lower powered machines will be delighted with your choice. I will get it implicitly only when that is all they can do but choose not to add it to my list of ciphers. Don't feel people have to pick what you picked. I hope they pick what works best for them and the others they interact with.

My whole point is that they lined up things with a bigger is better and biggest is best mentality. There are times when other factors are just as important as the security is. There are also the times as in AES vs. AES-256 where bigger doesn't always mean better - at least according to Bruce Schneier's thinking. If you want to argue that point argue it with Bruce, not me. Me? I took his advice and moved the AES to the head of the AES line-up. I was about to drop the AES-192 for one of the Camellia ciphers (see my PS at the end). It is called free choice but I will make it considering the needs of others, not just slap down the biggest one or the smallest one.
As for the zip algorithms I was thinking more along the lines of what is going on in email and the fact that I much prefer 7-zip over all the zip algorithms you can specify. You will NEVER get 7-zip in GnuPG. Now please don't misunderstand me on that as well! All I am saying is that 7-zip will never be added to GnuPG and I prefer 7-zip. So I will do my compressing outside of GnuPG. But there is more going on. First for what is going on in email using one of the malware I got yesterday pretending to come from the Royal Bank of Scotland:

 8859 Sep 4 01:26 base64.zip
11978 Sep 4 01:25 DOC_Sue_Wagner.bin
16870 Sep 4 01:21 DOC_Sue_Wagner.eml
 8859 Sep 4 01:18 DOC_Sue_Wagner.zip

The DOC_Sue_Wagner.eml was the email saved as is from Thunderbird. In addition to the ASCII-fied zip it has fair sized headers, MIME markings and other things. The file named DOC_Sue_Wagner.bin was the eml file stripped down to just the ASCII zip. The base64.zip was the conversion from
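The size effects discussed in this message (compression before or after encryption, and the growth of a zip once it is base64-encoded for email), as an added example that is not part of the original post. The cipher is a stand-in keystream built from SHA-256, assumed here only because it behaves like any symmetric cipher with respect to length and randomness; the sample text and key are constructed.

```python
import base64
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.

    Not a vetted cipher. It models only what matters for sizes: the output
    has exactly the input's length and is statistically random.
    Applying it twice with the same key restores the input.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def size_report(plaintext: bytes, key: bytes) -> dict:
    """Byte counts for each ordering of compression and encryption."""
    compressed = zlib.compress(plaintext, 9)
    ciphertext = keystream_xor(key, plaintext)
    return {
        "plain": len(plaintext),
        # Encryption alone neither shrinks nor grows the data.
        "encrypt_only": len(ciphertext),
        # Compress first: redundancy is removed while it is still visible.
        "compress_then_encrypt": len(keystream_xor(key, compressed)),
        # Encrypt first: zlib finds no redundancy left and only adds framing.
        "encrypt_then_compress": len(zlib.compress(ciphertext, 9)),
    }


def mime_base64_size(n_bytes: int) -> int:
    """Size of n_bytes after MIME base64 (76-character lines, LF endings)."""
    return len(base64.encodebytes(bytes(n_bytes)))


# Constructed sample: repetitive text, as in a typical document or log.
SAMPLE = b"Dear customer, please review the attached statement.\n" * 400
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, size in size_report(SAMPLE, KEY).items():
        print(f"{name:24} {size:7}")
    print(f"{'8859-byte zip, base64':24} {mime_base64_size(8859):7}")
```

For the 8859-byte zip in the listing, base64 with line breaks alone gives 11968 bytes, within a few bytes of the 11978-byte DOC_Sue_Wagner.bin.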
Re: AES256 AES192. (Was: Can I revitalise an old key-pair?)
On 09/02/2013 06:28 PM, Nicholas Cole wrote:

On Mon, Sep 2, 2013 at 5:04 AM, Henry Hertz Hobbit hhhob...@securemecca.net wrote:

[snip]

Paradoxically, AES256 and AES192 had weaknesses that made them less safe than AES (AES-128) several years back. May I humbly suggest TWOFISH or one of the CAMELLIA ciphers as a first choice UNTIL you determine whether or not the fixes for AES-256 and AES-192 are retroactive? DID THEY GET THEM FIXED? I am just assuming they did but that means I HOPE the older implementation and the newer one can easily be discerned when you do the decipher.

[snip]

I was curious about this. The wikipedia page mentions the Related Key Attack on these cyphers, but is vague about whether they were ever fixed. Does anyone know? And did fixes make it into the version used by Gnupg?

Short answer - it wasn't changed and Bruce Schneier still considers AES-128 to be more secure than AES-256. Now you can tap delete.

It is time for Werner, Robert, and the others to speak up. I usually tailor my statements to novices just getting started. It is just that AES-256 is NOT necessarily twice as secure as AES-128. In fact going up in bits sometimes gets you only marginal improvements that are closer to logarithmic than straight line. But this time it seems AES-256 is STILL not as secure as AES (AES-128):

First of Schneier's blogs:
http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html

Second of Schneier's blogs:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html

[Note that Serpent is referenced as a backup plan. If you look at Bruce's 1:22 PM comment he recommends AES-128 (AES) over AES-256 due to the poor key-schedule for AES-256. I changed my cipher order several weeks later with no evidence to the contrary. For novices you can do that any time you change your mind - but I have always had TWOFISH first despite his deprecating remarks about his own 32-bit world cipher.]

Note the figures at the start of Abstract.
Even those are practically unbreakable. The quick fix was to use more rounds but my research is drawing a blank so I suspect nothing was done. Even so, infecting your machine or hacking into it somehow which may include personal visits and real world physical lock-picking is more likely to get them what they want than attacking any of these ciphers with ANY sort of cipher attack.

There are also different ways for doing the AES family depending on where they are used with some being weaker implementations than others. E.g., in OpenSSL you cannot afford the luxury of a single machine munching away like it is in GnuPG which means GnuPG most likely has the strongest implementation of the AES family. It will be whatever is in the RFC:

https://www.ietf.org/rfc/rfc4880.txt

All I was pointing out was that AES-256 versus AES-128 does NOT imply AES-256 is twice as secure as AES-128. The idea that just because it is twice the size then it must be twice as secure is just a novice point of view. The quick fix was to use more rounds and I just assumed that may have been done. Evidently I assumed wrong.

Most ciphers have known weaknesses. But there are lots of crypto people that work over-time on analyzing them for weaknesses. That includes a lot of people here who should speak up because they know more than me. I am too busy processing the three variants of the mini-downloader trojans and wondering why they delivered the almost same code all at once. They do a lot of experiments so it is probably to measure how much the same time reduces their effectiveness over spreading them out with as little as 8 hours or as much as 48 hours between each release. Only 1-2/47 of the AV at VirusTotal were detecting both the zips and the exes. It takes a week or longer for detection to reach the halfway mark. Even after a month about 10-25% of the AV still won't detect and probably never will - Zeus variant mini-downloader.
HHH ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Can I revitalise an old key-pair?
On 09/01/2013 09:15 PM, Pete Stephenson wrote:

On Sun, Sep 1, 2013 at 2:57 PM, MartinHvidberg mar...@hvidberg.net wrote:

I'm returning to GPG, and Enigmail, and not for the first time. This means that I have earlier generated key-pairs and uploaded them to servers like keys.pgp.net or something like that. I did this first time in 1999 and have done several new attempts later, and now have seven key-pairs on the server. Latest I have generated a key-pair in 2011.

While it can be tempting to use particularly old keys (such as those made in 1999), the maximum length at the time (1024-bit DSA keys) makes them borderline too-short for modern usage. Even if you regain access to your 1999-era secret key, you should probably consider transitioning to a new, stronger keypair. See http://www.debian-administration.org/users/dkg/weblog/48 for some useful information on the subject.

Pete, it is not your advice which I agree with whole-heartedly but Debian's choice of order for their digests and to a certain extent their symmetric ciphers where they made the unwarranted assumption that bigger is better and biggest is best. Remember the person on the other side may NOT have your latest and greatest umpteen-core machine. Taking those people into account this may be a better choice (and is NOT what I use but is close):

setpref SHA256 SHA512 SHA384 SHA224

Actually I have SHA1 as the option before SHA384 and don't have SHA224 due to some statements that lead me to believe it could cause problems. Maybe there wouldn't be problems. But what if SHA1 is all they can do? Okay, you can do it but I don't like it. But SHA1 is better than nothing especially if it is for just a one-off message. The reason why is if you pick SHA512 first, while more secure (unless the argument that they are all vulnerable to the same attack since they are all the same family) your detached signatures will be awfully large. SHA384 and SHA224 may have limited or no support.
Paradoxically, AES256 and AES192 had weaknesses that made them less safe than AES (AES-128) several years back. May I humbly suggest TWOFISH or one of the CAMELLIA ciphers as a first choice UNTIL you determine whether or not the fixes for AES-256 and AES-192 are retroactive? DID THEY GET THEM FIXED? I am just assuming they did but that means I HOPE the older implementation and the newer one can easily be discerned when you do the decipher. If that can not be done then you would have needed to decipher the old style AES-256 before the change happened and will be hosed if time rolls on and that was not done.

CAST5 is a good last choice because some of the time that is all others can handle. Make sure CAST5 is always a last or next to last choice because that may be all that they can do with a limited horsepower box. You may even want 3DES as a last option for those that got stuck there for some reason. IDEA? Your call. I assume everybody can handle CAST5.

http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt

Compression? The symmetric ciphers seem to always have better compression than either zlib (gzip) or zip. They are on par with either bzip2 or 7-zip (7-zip is not available in OpenPGP). I would just use and do use Uncompressed.

Even if the original writer can dig up their old keys (the key-servers have only the public side), do they remember their pass-phrase? I know others will disagree with me on this but that is why I say you should have (unless you work for Amnesty International, a government attache, high levels of a company with confidential data, etcetera):

1. Keys created with a time to expire. I know my 10 year lifetime is ambitious and they will probably have to be revoked before then. But keys with no expire dates are just crazy. If for no other reason a reasonable time-span (10 years is really stretching it) allows people to walk away and their old keys on the key servers will gracefully and mercifully expire.
What happens if you got struck by a Peterbilt and were killed? But even if you didn't get killed you can NOT use them forever. Time marches on and what was good 10+ years ago (3DES) is no match for modern CPU power. Actually all those top-secret places should be creating keys that expire as well. Keys that last forever are an impossible hope.

2. A revoke file created with --gen-revoke redirected to a file and then the file enciphered. See number 4.

3. The pass-phrase written down on a sheet of paper and stored in a safe place. Remember this is advice for normal people. Did I do this with mine? No, but that is because I use them almost every day. Store this in a DIFFERENT LOCATION than where the backup of the keys and the backup of revoke are stored (see next). Ditto for the passwords of the zips. Store them with the pass-phrase, NOT with the zips. But be sure to store both where you can get them later.

4. If possible, the backup of the keys themselves in an enciphered file, along with the enciphered revoke all
Re: Recommended key size for life long key
On 08/31/2013 08:27 PM, Anthony Papillion wrote:

Personally, I trust my 4096 bit key for now until ECC is integrated into GnuPG. Then, I'll recreate my keys. Looking for a key that will never be broken is like looking for the fountain of youth: it's a nice idea but not realistic to plan your life around. Security is always moving. You have to be prepared to move with it.

And I was flamed for suggesting a 4096 bit key just a short six years ago. Currently I am using 2048R/2048R but I don't have top-secret needs. You should tailor your key lengths and other factors to both your AND OTHERS' needs. The last time I checked I wasn't enciphering top-secret level embassy communiques. Make your keys to match their intended uses and part of that is what others can handle. But other than your key size maybe being too large for an iPhone (currently) all the rest of the advice you have given here is good. I noticed my previous 4096R/4096R did take a little bit of time and would not be appropriate for a person with a single core CPU so my current keys are 2048R/2048R so they can handle it.

I especially like your fountain of youth analogy. It lets people know that there is no totally secure. There is only what is currently best for yours and others you communicate with needs. My main concern is that they don't upload those keys instantly to the key-servers after creating them. Play around with them for a while. Many people create keys with the following factors

- no expire date - my current ones were for ten years but I can always revoke them if the key sizes finally become too small. They have lasted 2+ years now and I see no reason for them not to last at least another 3-5 years. But the day will come when they will no longer be adequate. There is no such thing as keys that can be used forever.

- key sizes too large for THEIR needs and most especially for other people's needs. The key size really should be created to match OTHER people's needs more than yours.
- passphrases that are either too short and simple or the opposite of being so long and convoluted that even a top Jeopardy champion couldn't remember them.

- no thought or knowledge of changing the preferences of their ciphers, digests and other factors. It isn't just the key sizes.
  http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt

- uploaded WAY too soon to the key-servers without playing around with them for a while. This last issue is CRITICAL. They just don't understand the need to play and think for a sufficiently long time. They want to use what they have with others immediately. LEARN PATIENCE!

- don't immediately generate a key revoke and encipher the revoke file.

I think most beginners would actually be better off with writing down their pass-phrase and storing it in a safety box but at the same time giving their keys a reasonable expire date. That is better than a key that they don't use enough, forget the pass-phrase, and then their key is lodged on the key-servers forever with no expiration date and no chance for it to gracefully expire and pass on into history. It would also give them the opportunity to revoke the key later on. I know. I said they should generate a revoke key file but they didn't do it. But at least with the pass-phrase in a strong box they have the opportunity to revoke and upload the revoked keys to the key-servers.

The 10K bit key size being spoken should be a play-toy to find out why it should NOT be used. That ten minutes to generate with the hottest CPU out there would probably be a pain for me even with my dual-core and lower level quad-core systems. I suspect it may take as long as ten seconds to verify a signed message. They would have no problems sending me an enciphered message with my shorter 2048R key and even a TWOFISH cipher. But I would suspect me sending them a PK enciphered message even with a CAST5 symmetric cipher as their first choice would take a LONG time.
For an iPhone user it would be utterly impossible. PITA my foot! Just remember there are probably more iPhone users now than there are PC owners.

HHH
Re: GNUPG and Cast6
On 08/29/2013 06:01 PM, Csabi wrote:

Hi all, Why does GNUPG not support the CAST6 (256 bit key) variant of the CAST algorithm? It supports the CAST5 (128 bit key) variant and it is the default cipher. Best regards, Csabi

Because there is no RFC for it in OpenPGP. Unless there is an RFC for it being in OpenPGP they won't put it there. Here is RFC advice on CAST6 (CAST-256):

https://www.rfc-editor.org/rfc/rfc2612.txt

Before you flail away at getting it added read this and follow up by looking at the source links first:

https://en.wikipedia.org/wiki/CAST-256

CAST6 was passed over and wasn't one of the five AES finalists. It is very unlikely that it will ever be included. CAST5 was included when very little else was available. In reality CAST5 is probably more than adequate for my needs despite the fact that I have TWOFISH as the preferred first choice. The main weakness of encryption is PEBKAC and I have more than my fair share of the illness. So I focus my attention for improvement there.

HHH
Re: Serpent?
On 08/23/2013 11:00 PM, Faramir wrote:

On 22-08-2013 9:56, Robert J. Hansen wrote:

... GnuPG extends this with support for Camellia-128, Camellia-192 and Camellia-256. I don't know the reasoning for introducing Camellia, but I'm sure there's a solid basis for it.

IIRC, somebody said, a long long time ago, that Japan had some requirements for using Camellia, so I guess if GnuPG doesn't have it, Japanese people can't use it without some "you are using an unapproved cipher" or something like that. But I can't even remember who said Japan likes Camellia, so maybe that's not the reason.

Nippon Telegraph and Telephone developed the Camellia ciphers:

http://www.ietf.org/rfc/rfc4312.txt

Advice is given that it is available for use in OpenPGP:

http://www.ietf.org/rfc/rfc5581.txt

The reason that it is there is because somebody (most likely the Japanese) wants it and even my semi-old Linux distros have it in older versions of gpg1 and gpg2

$ gpg --version
gpg (GnuPG) 1.4.10
...
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

$ gpg --version
gpg (GnuPG) 2.0.16
libgcrypt 1.4.6
...
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

I updated my handy-dandy cheat-sheet for settings I got from somebody else so you know their designations and can add them into mix of ciphers with preference:

http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt

I will probably add Camellia-128 after TwoFish some place in there among the AES ciphers and may even let it replace one of them but will keep AES (AES-128). So if you want to use one of the Camellia ciphers use them in good health. Let me know when Serpent is available.

HHH
Re: Why trust gpg4win?
On 08/22/2013 06:22 PM, Jasper den Ouden wrote:

The solution of course is as you urged takethe...@gmx.de , to get a free operating system such as Linux or BSD, complete with free build tools compile your own (even non programmers can do that, eg on an OS downloaded from http://www.freebsd.org Compiling your own fixes the issue of the sources not corresponding to binaries. (well possibly there is a hole you compile with a compromised binary)

That is why the binaries that are built for you are done by at least three people and they have to match (diff -b or my hexcmp spit out nothing and return 0). That was supposed to handle the possibility of poison build tools. If you are that concerned, disassemble but only programmers that have worked with assembler code will know what to do with it. That includes me but I think we are getting rarer all the time. But the code is also getting larger all the time making study of the assembler code more difficult.

If you ask me, gpg4win was ready for prime time a long time ago. I haven't finished it but here it is:

http://www.securemecca.com/public/GnuPG/
http://www.securemecca.com/public/GnuPG/TrustOfGPG4Win-2.txt

If you don't think it is a problem, three of my relatives' Windows OS computers got infected with two of them being in the last two weeks. We like Chrome! I like Firefox not for the browser itself but because NoScript can be slapped onto Firefox. There went over 75% of the malware threats from web-sites. The main problem after that is PEBKAC - Let me scan your machine - okay. NOT!

Since Phil Zimmermann refused to allow government back end hooks and almost went to jail for it and all kinds of efforts are made to give a product that can be trusted, then you have to look at the people. Well, reading the comments of the many people like Werner Koch, David Shaw, Robert Hansen and others reassures me. They are always concerned about the security of GPG, and GPG4Win.
I don't even worry about that end because they have never said anything that raises red flags in me. Now if they said that NoScript is useless ...

My trust in GPG4Win is entirely predicated on whether the OS (this is individual) is safe enough. The NSA didn't use back end hooks to take down a hacker selling stolen credit card data. They watched and got his machine infected with their malware. They stole his key-ring, monitored his key-strokes with a logger, and then uploaded all of his files. They deciphered the files and at the right moment snagged him and dragged him off to court. Why didn't they use the back end hooks in GPG4Win? Answer - the probability for back end hooks is very low.

GPG4Win is ready if the Windows system it is used on is ready. I suspect well over 95% of the Windows OS that are being considered for slapping GPG4Win on them aren't ready for GPG4Win being installed on them. Worry about that first. GPG4Win is ready. Windows users, are you?

HHH
Re: need help for GPG 1.2.1 binary for REHL 5.8
On 08/20/2013 09:43 PM, Snehendu Ghosh wrote: Hi Peter, Thanks for your reply. In brief, the background is that we are replacing an existing iHub system which acts as a router for files transfer to and from Oracle EBS. In current system, for inbound interfaces, encrypted files come from third parties to iHub and being decrypted before sending to EBS. Similarly for outbound interfaces, files come from EBS, being encrypted in iHub before sending it to third party system. Now the problem is the existing iHUb system is very old and it has 1.2.1 version for encryption/decryption. We are assuming all the third parties are using same old version for encryption/decryption in their side. And there is no issue with encryption/decryption in existing system. It is much stable. We are not expecting any of the third party will make any changes in their side. That is the reason we want to go with the 1.2.1 version to minimize the risk. Now assume a scenario, where we implement 1.4 version in our to-be system, encrypt a file with 1.4 version and send it to a third party. We are not sure if that third party will able to do decryption using a lower version. We are working from Sydney, Australia. I don't know which time zone you are working in. Can we set up a tele-conference with you today so that we can explain you our requirement ? I wish you more knowledgeable people would answer first. I can not speak for Peter Lebbing but I believe there is a way you can test this if you have two spare Linux machines and something (your iHub?) with an existing 1.2.1 GnuPG on it. You want something with the 1.2.1 that you can control it manually. This is sort of similar to what you do in creating a network on a test rack before you roll it out. 1. Machine 1 - your old system Backup the ~/.gnupg folder on the existing system with the older gpg 1.2.1. I have this desire to be able to put things right back the way they were. You will be adding a key you will not keep. 
Generate the public keys as usual for import on machine 2.

$ cd
$ tar -cvf gnupg.tar ./.gnupg
$ mkdir save.gnupg
$ cp -frp .gnupg/* save.gnupg
$ gpg [-a] --export...

2. Machine 2 - Linux system with the latest 1.X GnuPG on it. Create dummy new keys on this system. Import the public keys exported from machine 1. lsign them or sign them as desired. Export the public side of your secret keys on this system and import them onto machine 1 and lsign them there. Note that you CAN have pre-existing key-ring on this system. If you don't want to use its keys in the test do:

$ cd
$ zip -r9 gnupg.zip ./.gnupg
$ mv .gnupg save.gnupg
$ gpg --gen-key ...

Do some tests of PK enciphering on machine 1 and deciphering on machine 2 and then enciphering on machine 2 and then deciphering on machine 1. If these work your battle is almost over in seeing whether it works or not.

3. Machine 3 - new Linux system with the latest 1.x GnuPG on it. Again like machine 2 if you have a pre-existing ~/.gnupg you won't be using it so set aside for a while:

$ cd
$ zip -r9 gnupg.zip ./.gnupg
$ mv .gnupg save.gnupg

Somehow copy that gnupg.tar file from machine 1 onto this system and untar it into the user you are using's top level folder. Be sure to delete the ~/.gnupg/random_seed file to force it to create a new random_seed file. Import the public keys from machine 2 and lsign just the way you did before. Now do some tests of PK enciphering on machine 2 and deciphering on machine 3 and vice-versa. I don't know whether these scripts will make things faster or not.
Put them in ~/bin and make sure you change the key number to yours:

http://www.securemecca.com/public/GnuPG/
http://www.securemecca.com/public/GnuPG/pcrypt.txt
http://www.securemecca.com/public/GnuPG/decrypt.txt

Once the tests are all done you can put things back the way they were:

Machine 1:

$ cd
$ rm -fr .gnupg ; tar -xvf gnupg.tar
# remember you have a second ~/.gnupg backup: save.gnupg
# I always like multiple ways back from a disaster

Machine 2:

$ cd
$ rm -fr .gnupg
$ if [ -s gnupg.zip ]
  then
    unzip gnupg.zip
  fi

Machine 3: Same as machine 2.

If all the enciphering and deciphering tests work you almost invariably won't have any problems. But these tests will give you a fairly good feel for it before you dive in. Just don't take the machine with GnuPG 1.2.1 down just yet. The tests with machine 3 can give you a pretty good idea of whether or not you can just keep on using your current keys on the new system with a newer version of GnuPG. I do know I have continued using keys generated with an older 1.x version with subsequent newer versions with no problems. That rather than the PK enciphering and deciphering with different versions MAY be more of a problem than enciphering / deciphering
Fwd: Re: Issue with --sign option
I am supplying this so people know what I sent to Ashish personally. Will it help? I don't know but I hope so. If you know everything there is to know about how the optional arguments are handled on 'nix systems you may want to delete this message. I assume secmem and any other things that are going wrong are already in the archives some place. Actually the secmem messages are just bothersome and won't cause any problems.

Original Message
Subject: Re: Issue with --sign option
Date: Sun, 18 Aug 2013 16:18:54 +
From: Henry Hertz Hobbit hhhob...@securemecca.net
Reply-To: hhhob...@securemecca.net
To: Tiwari, Ashish ashish.tiw...@williams.com
CC: hhhob...@securemecca.net

On 08/18/2013 03:04 AM, Tiwari, Ashish wrote:

Still not working. Saying Invalid Option -sign. Regards, Ashish Tiwari

Of course it is invalid. You do NOT use -sign. You use single dashes only for single letter arguments. The way you have it with just a single dash the only valid interpretation is that it considers it a short hand for -s -i -g -n. IOW, here is what -sign could mean but it seems to be nonsense:

-s (same as --sign)
-i (same as --interactive to prevent overwriting files)
-g NO SUCH OPTION - this is what it is complaining about?
-n (same as --dry-run which means don't make any changes)

From your previous output gpg/gpg2 seems to be attempting a correction of what you are doing with a best guess. gpg and gpg2 just use the standard way that all 'nix commands are done. If you want to do a sign, either use the short-hand -s or --sign (NOTE THE DOUBLE DASHES) which are equivalent. If you want a sequence of letters to be an atomic unit to a command on 'nix systems, then you always precede them with a double dash rather than a single dash.
Example: these commands for ls do the same thing:

$ ls -lF
$ ls -l -F

But even ls has double dash atomic multi-character options with these being just some of them:

--ignore-backups (chops off files ending with ~)
--color=never (I do not like color in ls)
--time-style=STYLE (STYLE could be iso for example to chop off the year)

gpg or gpg2 are doing the same thing as ls and all other GOOD 'nix commands do as the man pages show:

http://www.securemecca.com/public/GnuPG/gpg.txt
http://www.securemecca.com/public/GnuPG/gpg2.txt
http://www.securemecca.com/public/GnuPG/

We expected you to know this before you used gpg on a 'nix system since it is the way ALL of the commands work on 'nix systems if they are doing it the standard way (there are some commands that are not standard which makes you think it must be an English thing - the exceptions to the rules). Get somebody else to translate this for you if English and 'nix commands are not your native languages. That is especially true for the 'nix commands since that seems to be what is wrong here.

Also, just use the files where they are at. An example is me signing the file gnats.txt in /tmp. An actual sample usage should be highly instructive:

$ cd /tmp
# the next line has the same meaning as the line after it
# gpg --default-key C83946F0 -s gnats.txt
$ gpg --default-key C83946F0 --sign gnats.txt
# I have to type my key passphrase here
$ gpg --verify gnats.txt.sig
gpg: Signature made Sun 18 Aug 2013 02:53:09 PM UTC using RSA key ID C83946F0
gpg: Good signature from Henry Hertz Hobbit hhhob...@securemecca.net
gpg: aka Henry Hertz Hobbit hhhob...@securemecca.com

The point is that both gnats.txt and gnats.txt.gpg are NOT in my ~/.gnupg key-ring folder but in /tmp. Unless you need the output files some place else you should just put them in the current folder as where the base file is. For --clearsign you may want the output file to be some place else since it modifies the base file.
But I suggest some place like ~/tmp (be sure to create the folder first). Why did I use /tmp? That is where the file gnats.txt is and it will remain there until the machine reboots and /tmp is completely cleared. You understand, don't you?

HHH

PS And here I thought you may have been referring to the secmem warning. You have at least two methods for getting rid of the secmem warnings. One thing at a time.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Issue with --sign option
On 08/18/2013 03:45 PM, ashish tiwari wrote:
SNIP

Is this a Turing test? I wrote a private reply to try to find if that is what is happening. I mean, is --sign as opposed to -sign that hard to understand? Here is what -sign could probably mean:

    -s same as --sign
    -i same as --interactive
    -g NONSENSE
    -n same as --dry-run.

That is because -sign is the equivalent of -s -i -g -n. My private reply was with the aim of convincing a human being the right way to do things and that gpg and gpg2 do the standard of a single dash means all the letters after the single dash are combined options. If you want all of the characters being considered a single atomic identity then you precede them with a double dash. A lot more detail was added with an example to show how easy it is.

HHH
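The single-dash and double-dash convention described in the two replies above, worked through as an added example (not part of either message and not gpg's own parser). The option table is an assumption limited to options that appear in this thread, and `interpret` is a hypothetical helper name.

```python
# Added illustration: a model of the 'nix option convention, not gpg's own parser.
# The option table is an assumption limited to options that appear in this thread.
SHORT = {"s": "sign", "i": "interactive", "n": "dry-run",
         "v": "verbose", "d": "decrypt", "o": "output"}
LONG = set(SHORT.values()) | {"default-key", "verify"}
TAKES_VALUE = {"output", "default-key"}


def interpret(argv):
    """Split argv into (options, operands, errors) the way getopt-style tools do."""
    options, operands, errors = [], [], []
    args = list(argv)
    while args:
        arg = args.pop(0)
        if arg == "--":                        # everything after a bare -- is an operand
            operands.extend(args)
            break
        if arg.startswith("--"):               # double dash: the whole word is ONE option
            name, has_value, value = arg[2:].partition("=")
            if name not in LONG:
                errors.append("invalid option --" + name)
                continue
            if name in TAKES_VALUE and not has_value:
                value = args.pop(0) if args else None
            options.append((name, value if name in TAKES_VALUE else None))
        elif arg.startswith("-") and len(arg) > 1:   # single dash: one option PER LETTER
            letters = arg[1:]
            for pos, letter in enumerate(letters):
                name = SHORT.get(letter)
                if name is None:
                    errors.append("invalid option -%s (from %s)" % (letter, arg))
                elif name in TAKES_VALUE:      # rest of the bundle, or the next word, is the value
                    rest = letters[pos + 1:]
                    options.append((name, rest or (args.pop(0) if args else None)))
                    break
                else:
                    options.append((name, None))
        else:
            operands.append(arg)
    return options, operands, errors


if __name__ == "__main__":
    for argv in (["-sign", "gnats.txt"], ["--sign", "gnats.txt"],
                 ["-o", "temp.txt", "-d", "temp.txt.pgp"]):
        print(argv, "->", interpret(argv))
```
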
Re: No secret key on 1 file
On 08/16/2013 04:20 PM, Steven Bonda wrote:
> I did a lot of research and digging and was finally able to get the file to decrypt:
>
> c:\temp>gpg2 --batch --try-all-secrets --passphrase pass -o temp.txt -d temp.txt.pgp
> gpg: anonymous recipient; trying secret key A328FC0E ...
> gpg: WARNING: cipher algorithm IDEA not found in recipient preferences
> gpg: okay, we are the anonymous recipient.
> gpg: encrypted with RSA key, ID 727A253D
> gpg: old style (PGP 2.x) signature
> gpg: Signature made 08/15/13 03:31:01 Eastern Daylight Time using DSA key ID C0649AF6
> gpg: Can't check signature: No public key
> gpg: WARNING: message was not integrity protected

You are decrypting a public key enciphered file. The only way you can do that is you must have the secret key. That is why Werner told you to list all of the secret keys below. Without that secret key you are not going to be able to decipher the file. By telling it to try all of the secret keys it finally found the right secret key to decipher the file.

gpg2 didn't see IDEA in your choice of ciphers. I should not want to see the IDEA cipher either, since it is not in my preferences. IDEA is an old archaic cipher along with 3DES. But note that I want 3DES only as a last resort. I will be much happier with the use of TWOFISH or AES. Paradoxically, at one time AES (also called AES128) was actually stronger than AES256. I don't know if this is still the case but have no desire to change my preferences.

You probably also have a key setup problem in gpg/gpg2. I never was able to either use my GnuPG keys with PGP or vice versa without an export of the secret key and import and then a lot of twiddling with the trust levels and other things to make them work. Let me show you what happens with my secret key with a --edit-key (no --verbose or -v which are the same thing):

http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt

What you have that is different than what I have is something you want to look at as the possible cause of the problem.
I suspect you have a trust problem but gpg / gpg2 can see that the 727A253D has a secret key available and deciphered the file although gpg2 didn't like the use of the IDEA cipher. Now that I have said all of this I am not so sure that what Werner said and how he said it isn't actually a lot better. What I am hoping is that contrasting what you have (which is not working) with what I have (which does work) might help you. Just do a ? at the Command to get a list of things that can be done. I think you may need to change the trust level for your keys. Start with Werner's commands below minus the verbose, contrast with mine and then do the commands exactly as Werner has given and go from there. If you give Werner the verbose output he can probably tell you exactly what needs to be changed but you also may see the debug information gives you all you need to know.

> c:\temp>
>
> fwiw, I'd welcome any information on what happened just because I'd like to know what happened. Maybe this helps someone in the future. Thanks for all the help.
>
> -- STeve
>
> -----Original Message-----
> From: Werner Koch [mailto:w...@gnupg.org]
> Sent: Friday, August 16, 2013 10:36 AM
> To: Steven Bonda
> Cc: gnupg-users@gnupg.org
> Subject: Re: No secret key on 1 file
>
> On Fri, 16 Aug 2013 14:56, sbo...@advance-medical.com said:
>
>> gpg: encrypted with RSA key, ID 727A253D
>> gpg: decryption failed: No secret key
>
> Please check the output of
>
>     gpg2 -v -K 727A253D
>
> If you can't see the reason, you may want to
>
>     gpg2 -v --edit-key 727A253D
>
> to see some more details.
Re: self signed keys
On 08/14/2013 07:47 AM, Axel Braun wrote:
> Hi,
>
> one (stupid?) question: Where is the requirement to sign your own key documented? I had a look into RFC 4880 but could not spot the requirement there.
>
> Thanks for clarifying
> Axel

There is no such requirement. Your own keys are trusted automatically with ultimate trust when you create them. You can stop reading now.

It is basically a requirement for any key to be signed to be able to use it in any meaningful way. If it isn't signed and given some sort of level of trust it cannot be used to verify either a clear-sign or detached-signature. I never thought about attempting to encipher using PK enciphering using somebody else's public key without signing it but look at RFC 4880 for what it says about that. It is just that signing and verifying is what I do most. No trust for a key means no way to have meaningful verification.

You do not need to sign your own key. The reason why is because when you generate your key, it has an entry for it that is automatically added to the trustdb with ULTIMATE trust. If it wasn't this way then you would have a chicken versus egg problem. You couldn't sign or lsign anybody else's key using your private / secret key because your own key wasn't trusted. But if you try to sign your own key with your own key ... you can't. You need a key with ultimate trust to be used to sign other keys with varying levels of trust in that key. So your own keys automatically have ultimate trust when they are created.

If you cannot trust yourself to be yourself then maybe you have MPD and need an eminent brain specialist's help. Either that or you need to generate your revocation and revoke your keys. But that is more of a statement that you think somebody may have your keys + pass-phrase than something about yourself.
HHH
Re: Can I create domain keys?
On 08/14/2013 08:33 AM, Johan Wevers wrote:
> On 14-08-2013 5:36, Foo Bar wrote:
>> I would like to create a domain key, which can be used for all emails in a particular domain. For example, if the key is for *@example.com, then sending to both f...@example.com and b...@example.com would use this key. Is this possible with GPG?
>
> You can use each key for each mail, your sender address doesn't have to be the address in the key.

I am not saying you are wrong because I don't know. But it does seem dangerous from a real world practical point of view. Should I really be able to send a message pretending to come from herrprofes...@monsters.edu when I am really just a visitor to the University being awarded an Honorary degree? Part of that was being given a hhhob...@monsters.edu email account since all people granted a Ph.D. are also given an email account that they can use until they are dead unless they ask that it be closed down. BTW, it is really monsters.com, not monsters.edu.

HHH
Re: Can I create domain keys?
On 08/14/2013 10:56 PM, Foo Bar wrote:
> Hello!
>
> Thank you for your response. Some comments inline...
>
> ----- Original Message -----
> From: MFPA expires2...@ymail.com
>
>> You can create a key with whatever information you wish to put in the user-id(s), truthful or otherwise.
>
> I have tried to enter a wildcard email when gpg asked me for the email address during key generation. I tried example.com, @example.com and *@example.com, but all of them were rejected with 'Not a valid email address'. Is there a special syntax I should use?

As I pointed out before with my example using monsters.edu, making a wildcard email for a domain is fraught with abuse peril to the maximum. How many users do you need to include at a given domain? If somebody asked me to sign such a key as part of the WOT I wouldn't sign it. OTOH, if you have a half dozen or so email addresses at that domain you can add a UID for each and every one of the email addresses to your key. There will be more on those email addresses in a moment. But I would ask questions why you need so many email addresses at the same domain for a given key. Any more than 2-3 email addresses would be very suspicious.

>> A key identifying itself as connected to the email address *@example.com rather than f...@example.com may be missed when an email program passes f...@example.com to GnuPG as the search string for an encryption key (and when GnuPG passes the string to a keyserver).
>
> I think the point you just made is the relevant one: Even if I would be able to create a key with a wildcard email associated with it, would the email client plugins, such as Enigmail, be able to deal with it? I guess that's a question for the Enigmail developers, once I figure out how to generate a key with a wildcard email via gpg.

I hope you cannot do it. If I was writing the code you would need something that had a valid TLD on the end and valid alpha-numeric and optional one - at a time for the hostname.
In front of the @HOSTNAME you should only be able to have user names that are alphanumeric with what ever other characters (thinking of other character sets for other languages) but SOMETHING has to be there for the user at that domain.

I don't think you have thought this through carefully though. I realize some people stupidly put all of their email accounts into one folder in Thunderbird. NOT ME! Each email account gets its own separate set of folders and I have Local Folders which accept no email so I can move email messages from the account folders into the Local area if I need to save those messages. If you have a half dozen POP/IMAP email accounts, not giving each email account its own set of folders can complicate things terribly with no end of the confusion in sight. Even with just two email accounts things can get complicated in a hurry. What do you do if one of the email accounts is closed down? I just delete that set of folders.

Now we come to Enigmail. If you use the separate email accounts the way I said you should, you can actually have multiple keys for all of the email addresses. The reason why is Enigmail in Thunderbird provides a way to specify it manually for each and every email account:

http://www.securemecca.com/public/GnuPG/
http://www.securemecca.com/public/GnuPG/EnigMailSettings.jpg

You cannot see it but I add a UID for every email account I am going to use with my key and then just let Enigmail find the appropriate key for the email address. I could also do it with a one key fits all with a default-key in the gpg.conf file. But how are you going to say use only this key with ALL of my email accounts in Enigmail if you don't have specific email folders but dump all of them in one common folder? You also could investigate group names to resolve the problems you will have.
But this is getting so scary with so many email addresses I am beginning to believe you will have a goulash mess in just Thunderbird alone without adding Enigmail to the mix.

A wise man once said: Make every system as simple as possible but no simpler. I may contend his saying that gravity is not a force at all but just a warping of the time-space curve may be a little bit too simple. But saying gravity isn't a force (if gravity isn't a force why is almost every galaxy a spiral?) or me saying it may still be a force and the discussions thereof are simple compared to what you are attempting to do. In fact what you are attempting to do is giving me a class A migraine headache. Who was the man that made the statement about how systems should not be too complex? Albert Einstein. If you are smarter than him flail away.

My low IQ is now going to be involved in watching the NOVA program on a member of the Cephalopod family called the Cuttlefish and after it a program on the new ALMA telescope system being created on the Atacama plateau. If I was really brilliant I would be one of the technicians on-site keeping these telescopes working properly.
Re: How to create new keyring from an existing key in an existing keyring?
On 08/12/2013 09:18 AM, Peter Lebbing wrote:
> On 11/08/13 23:11, adrelanos wrote:
>> I could think of a way to export the key, change --homedir, create a new keyring, and import the key. But is there a more elegant way?
>
>     gpg --export 0xDEADBEEF | gpg --no-default-keyring --keyring \
>       /etc/apt/trusted.gpg.d/meat.gpg --import
>
> (one long command line)

Assumes /etc/apt/trusted.gpg.d exists and is a folder (good assumption for Debian based, not so good for RPM based) and that the ordinary user can write a file in the folder (bad assumption even if your flavor is Debian-esque) with no changes made. On Debian-esque you may need to do a:

    # chmod 1777 /etc/apt/trusted.gpg.d

then the above command, then:

    # chmod 755 /etc/apt/trusted.gpg.d

Does that get you what you want? Is the meat some sort of comment that adrelanos will be dead meat? The command is elegant though.
Re: understanding GnuPG --clearsign option
On 08/12/2013 08:40 AM, Martin T wrote:
> Hi,
>
> one can sign the message with --clearsign option which adds ASCII armored(Radix-64 encoding) PGP signature at the end of the text. This PGP signature contains the UID of the signer, timestamp and key ID. However, two questions:

GnuPG does much more than just the Radix-64 encoding with the --clearsign:

    $ gpg --default-key MINE --output list.asc \
      --clearsign list.txt

By that I mean gpg/gpg2 doesn't just do a base64 conversion but also does other magic stuff. You can stop reading now.

> 1) Where is the UID of the signer, timestamp of the signature and signer key-ID stored? If I execute gpg2 --verify file.asc, then I'm able to see the UID of the signer, timestamp and signer key-ID, but if I decode the Radix-64/base64 data back to binary(base64 -d) and use hexdump -C to analyze this data, I do not see the UID, timestamp or signer key-ID.

The UID and other things are stored in the string which is usually more than one line long between the BEGIN PGP SIGNATURE and END PGP SIGNATURE. But I am puzzled how you did this part. If I copy the now clear signed list.txt to a justsig.txt file and edit out all but the hash I get a warning. Actually I get a warning no matter what content is in the justsig.txt file from the base file:

    $ base64 -d justsig.asc > list.bin
    base64: invalid input

The list.bin file has zero length unless you use nothing but the hash which is the normal way base64 works for email attachments. In any event, list.bin created with just the hash has no known file type that magic understands. e.g.:

    $ file list.bin
    list.bin: data
    $ ls -l list.bin
    287 list.bin

Like I said, if you use anything BUT just the hash, list.bin will contain nothing (zero bytes). But I will ALWAYS get the invalid input meaning it is something base64 does NOT understand. Is this what you did to get a non-zero length file via base64 -d from a --clearsign file?

> 2) What exactly is this PGP signature?
> Is it a SHA1 hash of the message which is encrypted with my private key and then ASCII armored?

It uses the hash in the preferred order of what is associated with the key used and what the version of OpenPGP you are using is capable of handling. That for me is SHA-256 since that is my first choice and my version of gpg can handle it. SHA1 is usually the default unless you set your preferences to something else since it is still difficult to do a brute attack on SHA1 (but it can be done):

http://securemecca.com/public/GnuPG/GnuPG_Prefs.txt

The hash is created based on the text as input using the private side of the key and then ASCII armored in such a way that when you verify it finds the appropriate public key based on the hash and does the other hash calculation of the text and see if it matches. In any event, the markers of --clearsign make it clear that only an OpenPGP compliant program can handle it. The MIME markings are used by email to determine what handles it since a --clearsign is what you need to make the signature something you can send in email but it can be used for other purposes. It is just that you can NOT send a non-ASCII signature directly in email without it being converted to ASCII first. There are other uses of --clearsign like when you want the signature and the file contents together.

base64, the older uuencode and uudecode and similar programs do nothing more than convert a binary file like a zip file into ASCII text so the zip file can be sent as an email attachment. Send a message to yourself in email with a test.zip attachment. Save the entire message to a file (for Thunderbird you will have an *.eml file). Assuming the file was named test.eml and the attachment was test.zip:

    $ cp test.eml test.base64

Edit the test.base64 file so it has only the hashed material and note the zip name (assuming test.zip was what you attached and sent).
Also note that it uses base64 as the type in the Content-Transfer-Encoding: if that is what your email used (it usually is).

    $ base64 -i -d test.base64 > test.zip
    $ file test.zip
    test.zip: Zip archive data, at least v1.0 to extract
    $ unzip test.zip
    $ cat test.txt
    Hello World

GnuPG does much more than just the Radix-64 binary to ASCII conversion and only gpg or gpg2 can handle it. Use base64 only if it is specified in the MIME markings (the latest malware from PeskySpammer here):

    Content-Type: application/zip; name=Tax Notices Report.zip
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; name=Tax Notices Report.zip

Usually you won't need to use base64 and Thunderbird, Evolution, or other mail programs will allow the saving of the file unless Microsoft Exchange munges it in a bounce to you. In that case, if base64 is specified as the Transfer Encoding type you can save the entire message to file. Then edit the file and strip off all the other stuff and get the file out of the hashed stuff even if your mail
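The armor layer and the signature packet that this exchange is about, parsed according to RFC 4880, as an added example (not code from the message and not GnuPG's implementation). The sample is constructed inside the code with a made-up key ID and filler signature bytes; it shows why a strict base64 decode of the whole block is rejected, and that the packet carries the creation time and the issuer's 8-byte key ID as binary fields, so `gpg --verify` finds the user ID by looking that key ID up in the keyring unless the optional signer's user ID subpacket is present.

```python
import base64
import binascii
from datetime import datetime, timezone

HASH_NAMES = {2: "SHA1", 8: "SHA256", 10: "SHA512"}   # RFC 4880 section 9.4 (subset)

def crc24(data):
    """CRC-24 of RFC 4880 section 6.1; its base64 form is the '=XXXX' armor line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def decodes_as_plain_base64(text):
    """Strict decode like `base64 -d`: newlines are fine, other stray bytes are not."""
    try:
        base64.b64decode(text.replace("\n", ""), validate=True)
    except binascii.Error:
        return False
    return True

def dearmor(text):
    """Drop armor lines and headers, decode the Radix-64 body, check the CRC-24."""
    lines = [line.strip() for line in text.strip().splitlines()]
    body = lines[lines.index("-----BEGIN PGP SIGNATURE-----") + 1:
                 lines.index("-----END PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]           # armor headers end at the blank line
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    checksum = [l[1:] for l in body if l.startswith("=")]
    if checksum and crc24(raw) != int.from_bytes(base64.b64decode(checksum[0]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return raw

def subpackets(area):
    """Yield (type, data) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = int.from_bytes(area[pos + 1:pos + 5], "big"), pos + 5
        if length == 0:
            raise ValueError("malformed subpacket")
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # bit 7 is the critical flag
        pos += length

def parse_signature(raw):
    """Read the fields of a version 4 signature packet that are stored in the clear."""
    if not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if not raw[0] & 0x40:                       # old-format packet header
        tag, size = (raw[0] >> 2) & 0x0F, 1 << (raw[0] & 0x03)
        if size == 8:
            raise ValueError("indeterminate length not handled")
        length, pos = int.from_bytes(raw[1:1 + size], "big"), 1 + size
    elif raw[1] < 192:                          # new format, one-octet length
        tag, length, pos = raw[0] & 0x3F, raw[1], 2
    elif raw[1] < 224:                          # new format, two-octet length
        tag, length, pos = raw[0] & 0x3F, ((raw[1] - 192) << 8) + raw[2] + 192, 3
    else:
        raise ValueError("unsupported packet length encoding")
    body = raw[pos:pos + length]
    if tag != 2 or body[0] != 4:
        raise ValueError("not a version 4 signature packet")
    split = 6 + int.from_bytes(body[4:6], "big")            # end of hashed subpackets
    unhashed_end = split + 2 + int.from_bytes(body[split:split + 2], "big")
    info = {"sig_type": body[1], "hash": HASH_NAMES.get(body[3], str(body[3])),
            "created": None, "issuer_key_id": None, "signer_uid": None}
    for area in (body[6:split], body[split + 2:unhashed_end]):
        for sub_type, data in subpackets(area):
            if sub_type == 2:                   # signature creation time
                info["created"] = datetime.fromtimestamp(int.from_bytes(data, "big"), timezone.utc)
            elif sub_type == 16:                # issuer: 8-byte key ID, no name
                info["issuer_key_id"] = data.hex().upper()
            elif sub_type == 28:                # signer's user ID (optional)
                info["signer_uid"] = data.decode("utf-8", "replace")
    return info

def build_sample():
    """Constructed clearsigned text; the last MPI bytes are filler, not a real signature."""
    when = int(datetime(2013, 8, 12, 9, 0, tzinfo=timezone.utc).timestamp())
    hashed = bytes([5, 2]) + when.to_bytes(4, "big")
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")   # constructed key ID
    body = (bytes([4, 0x01, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + bytes.fromhex("abcd00109abc"))
    packet = bytes([0x88, len(body)]) + body
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "", "Hello World",
                      "-----BEGIN PGP SIGNATURE-----", "Version: constructed sample", "",
                      base64.b64encode(packet).decode(), "=" + crc,
                      "-----END PGP SIGNATURE-----"])
```

Calling `parse_signature(dearmor(build_sample()))` returns the hash name, signature type, creation time and issuer key ID of the constructed packet; the same two functions accept a real clearsigned file's text.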
Re: Question about notations and domains
On 08/08/2013 09:17 PM, Khelben Blackstaff wrote:
SNIP (please read the original)

Short answer: Your github URL converted into an email address is NOT a good solution. Read on if you want to know why.

It is not necessary to own the domain. For example, I could perhaps have an email account at physics.arizona.edu (they make great telescope optics). There was a joke about a head coach here in the United States being able to come up to a potential recruit and say Coach Jared Grasso, Iona College. To which the potential recruit would reply as he was shaking the coach's hand; YOU DO!? Even though you don't own the educational institution you do own an email address there if one is given to you. It is yours as long as they let you have it. Similarly, if you have an email address at a company you work at, even though the company may say they own the email box contents, the address is yours at least to use until you move on to some place else.

The first reason one of your UIDs needs an email address only you use is to make the keys (assuming a primary signing key and an enciphering sub key but there are many other options) yours. It is also helpful to have a comment for that UID with an email address to help persuade others to sign your keys for the WOT. It also makes it even harder for somebody to typo-squat on your key-set (key-pair for me). If you put your public keys on one of the keyservers about the only way others can get your key(s) is if at least one of your UIDs has an email address. The email address is used to find your key as well as providing partial authentication that you got the right key. This is especially true for web key search tools:

http://pgp.mit.edu/ (real names and even the shortened key ID come up blank for me but email addresses never fail)

In addition to your primary UID which has an email address you can add as many UIDs as you need. Make sure you really need the UIDs.
There should not be a problem in making one of the other UIDs without an email address that has only your name in the name field and your github URL in the comment field. I have many keys on my key-ring that in addition to one or more UIDs with email addresses have some additional UIDs with just their name and the Comment field filled in. So making an extra UID with your name, no email address, and your github URL in the comment field is probably the best way to do what I THINK you are attempting to do. Are you saying that strange email address created from your github ID makes it possible for people to send you a message from POP or web-mail similar to sending an SMS message to a cell phone? If it works you may want to add it but you still should have a UID for your key-set that has a real email address. (I answer why in a separate paragraph).

It is much easier and less expensive to own your own domain and a POP email account than you would expect. The domain and POP email account I am using here is less than $30 per year at 1and1.com. GoDaddy and others can also set you up. Your first and last name run together khelbenblackstaff is available in the BIZ, COM, INFO, NET, and ORG TLDs. If you are in the US, khelbenblackstaff.us is also available. So getting a POP email account is in reach. It is also something you can have that is consistent and stays with you from school to school and job to job as well as many changes in your physical address and even across multiple ISPs.

If you get an email account with a mail provider that is using Microsoft Exchange make sure you write EVERYTHING down. Others send to you with the traditional NAME@DOMAIN but you usually access the POP email in Thunderbird or another MUA by using the internal Microsoft Exchange name your mail service provider will give you. E.g., instead of using hhhobbit[GNAT]securemecca.net I use m-MYHASHID to access the email for this account. I also have to use the m-MYHASHID in the web-mail interface.
I will let others answer your questions about converting your github URL to an email address. I don't think too much of it because another reason for a real email address is so they can email you an enciphered message and ask is this key yours? They enciphered with your public key. If you don't have the secret (private) side of the key then you cannot decipher the message. If you don't answer the sender gets paranoid and decides the key is bogus. Can you handle an enciphered message with that github id converted into an email address? I don't think so. NOW you know why I don't like that strange github derived email address. I have taken up WAY too much space in an attempt to give the greatest clarity.

I will let somebody else answer your pgpmime question. All I know is that Enigmail in Thunderbird makes it explicit with a use PGP/MIME check box. It works. So does Claws Mail on Windows which is bundled with GPG4Win. I cannot advise using any MUA (Mail User Agent - Thunderbird, Office, Claws Mail, etc.) that renders
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/07/2013 12:49 PM, Jean-David Beyer wrote:
SNIP
> Is the address ab...@teamspeakusa.com actually required? I know postmas...@teamspeakusa.com is required and it must go to a real person, but is any other?

SKIP TO TEAMSPEAK OR SPECIFIC.

Actually, even postmaster is no longer required. There are too many domains like the one I am using right now that don't even have anything but one email address (no http, ftp, or anything else) so the postmaster requirement was dropped. The postmaster requirement made sense in the days of bigger domains and a less fierce spam problem. Now most companies are behind firewalls. They may have info, hostmaster, webmaster or something like Domain.Administrator. Actually, due to the same thing you just had in this list, spam, many now have only a web-form input with a captcha for abuse and other purposes.

The spam problem promises to get only worse exponentially. IMHO, SMTP needs to be replaced by SSMTP where a secure cryptographic token is required. I don't know if most mail servers can do the lookup of MX, then the IP addresses for the MX servers, and then dropping the message if the sending IP address does not match one of the mail server IP addresses. IPv6 makes things WORSE, not better. Bernstein's qmail can handle IPv4 but only if the volume is low. I know people using sendmail (have had it hacked at least three times) because qmail even without the extra burden isn't fast enough.

The US Senate and US House of Representatives have used nothing but a web-form for what seems like at least ten years with a captcha. Their captcha probably needs to be upgraded. PeskySpammer (my name for a specific organization that gave me yet another piece of malware this morning that only 1 out of 46 AV at VirusTotal.com detecting at the start) regularly shoves in about 100+ email messages per day into my other account. What sends the messages? Hacked Windows PC machines that have a half (send-only) SMTP server dropped onto them.
They attach directly to the receiving mail servers, bypassing an outbound SMTP server. PeskySpammer can do as bad to me as 1000+ messages per day with dumb mail servers continuing the practice of bouncing rather than dropping bogus email. If their bouncing mail servers strip the URLs and malware attachments I am left with nothing since you don't have the originating IP from a bounce. My domain didn't send the message so why tell me?

TEAMSPEAK:

TeamSpeak didn't cause the problems. I reformatted the mail message they sent to me by changing one portion of the email addresses in an attempt to prevent bot harvesting of the email addresses and reformatting the FromTeamSpeakMsg.txt file to make it more readable:

http://www.securemecca.com/tmp/FromTeamSpeakDirect.txt
http://www.securemecca.com/tmp/FromTeamSpeakDirect.txt.sig
http://www.securemecca.com/tmp/FromTeamSpeakMsg.txt
http://www.securemecca.com/tmp/FromTeamSpeakMsg.txt.sig

TeamSpeak had hundreds of list servers like gnupg-users that were pelting TeamSpeak with useless requests. Maybe it is time for somebody with 7mm Remington Magnum instead of what we are doing. Mine was sighted in to go up through the line of sight at a little over 100 meters and then come back down at about 350 meters. I could shoot five shot groups in the size of a dime at 100 meters and shooting one kilometer was not only possible but done regularly - target barrel on a pre 1964 Winchester Model 70 long bolt action. 8x - 16X scope but better scopes are now available (mostly on the .50 caliber sniper rifles that can almost go through an engine block). The hackers have created the equivalent of the old west (or old east in Russia) with no rules. Maybe it is time to retaliate. Anonymous, I don't expect you to apologize and any tears you have will be just crocodile tears.

gnupg-users was probably abused in the same way that PeskySpammer is abusing things with SMTP servers that forges the header.
Better real SMTP servers like postfix and qmail or hand-crafted SMTP servers preserve the IPv4 address. Microsoft Exchange does a LOUSY job of preserving the IPv4 address. The transition to IPv6 is going to make things worse.

SPECIFIC

Your old postmaster days are gone forever. Actually, I think they mostly disappeared before the 21st century started. But my thousand messages a day made a very good admin at a University raise his eyebrows in surprise. Special SMTP servers with a send only design that can be dropped into place on a Microsoft Windows machine have completely changed the spam equation. List servers need a first step web-form with captcha to curtail this abuse which is just going to get infinitely worse. So don't blame TeamSpeak for the problems. Blame the hackers who are anarchists who want to make things exponentially worse for everybody else and are selfish and care only about themselves.

HHH
Re: Identifying your private key by the public KeyID
On 08/06/2013 10:38 AM, Kenneth Jones wrote:
> Good day, and hello to the autoresponder (%]##{}#%^!!!) (just my opinion, mind you).
>
> I've been toying with PGP GPG GnuPG and whatever on and off since mid 1995, but recently have become interested again as the political situation in the US seems to warrant it. (Warrant? We don't need no stinking warrants...) anyway...
>
> I have a question about procedure...nomenclature, actually. Is it normal to refer to the private key by its own keyID, or by the KeyID of the mating public key? The public fingerprint is the one known by others (natch) and it's the identification I associate with the key pair. Is there any time when it is appropriate to refer to my private key by its own KeyID? I understand that each of the two eight-character sequences is unique, and so the private key is in fact not accurately identified by using the public key's ID, but is it common to do so? Seems to me it would be less confusing (for me, any way) to be prompted with the Main KeyID than with that of the private key.

Are you speaking of the sub key? From the perspective of gpg --list-keys and gpg --list-secret-keys the public and private side have the same key number. Usually the first of a two key pair is defined as sec/pub with the two matching. The first key is for signing. The second key is for enciphering and is specified as ssb/sub but still has the same key number in both --list-keys and --list-secret-keys. Beyond that I will let somebody else elaborate. You put just your main key in the ~/.gnupg/gpg.conf file on Linux and everything just works. Ditto for selecting it on Windows. E.g.:

    pub 2048R/E05A9F9F 2013-08-06 [expires: 2015-08-06]
    uid Henry Hertz Hobbit (test) hhhob...@gmail.com
    sub 2048R/051516A5 2013-08-06 [expires: 2015-08-06]

You just use the E05A9F9F and now this temporary key is going away.

Regarding the efforts of the autoresponder, TeamSpeak didn't do it.
Here are their replies to me with the full message with headers and just the message itself:

http://www.securemecca.com/tmp/FromTeamSpeakDirect.txt
http://www.securemecca.com/tmp/FromTeamSpeakMsg.txt
http://www.securemecca.com/tmp/ (it is best done this way rather than forwarding since you get the prime copy)

If the monitoring was for a certain organization it shouldn't have been done at all. All it did was pose a significantly larger burden for TeamSpeak getting rid of the garbage. How did they get their address added? Some little hackers used the technique PeskySpammer uses. PeskySpammer is NOT a generic term but refers to a group of spammers that fill one of my email queues with about 100 spam messages per day but it has gone as high as a thousand per day:

http://securemecca.blogspot.com/2013/07/fake-health-ads.html (search for MX)
http://securemecca.blogspot.com/2013/01/peskyspammer.html (see Mail Admin section)

During this brief time of the gnupg-users problems I have had three malware shipped to me. They have to infect their SMTP servers which are just Microsoft Windows PCs. Next time, don't monitor. If it is for a certain organization I don't want to hear another one of their hacker workers complaining that I don't deserve the car when I walk past them. If you don't know what that means the day will come when you do understand and I foiled their effort to give me a car. If you can stop the bounces caused by the spammers, next time stop it IMMEDIATELY.

Even madder than you are about the spam situation!

HHH
Re: [#INN-651-31269]: Re: key management APG
On 08/04/2013 09:55 PM, MFPA wrote: Hi On Sunday 4 August 2013 at 9:24:51 PM, in mid:51feb893.20...@gmail.com, Larry Brower wrote: What is with the helpdesk being a list member? I suspect somebody has forwarded their mail to the helpdesk, forgetting to turn off message delivery from the list and thereby causing the list to be spammed with those irritating auto-replies. That doesn't seem likely given the first message was ostensibly to Philipp Klaus Krause. The second was to Simon Ward. The third was to Hauke Laging. Why would all three be using their service and leaving it in a bad setting (still possible)? http://www.securemecca.com/tmp/TeamSpeakUSA-01.txt http://www.securemecca.com/tmp/TeamSpeakUSA-02.txt http://www.securemecca.com/tmp/TeamSpeakUSA-03.txt http://www.securemecca.com/tmp/ I could go into more detail on the other possible causes but won't because they are just that - just POSSIBLE causes. All I have are Microsoft Exchange headers which are not very informative. I will point to one which is that it is the same thing as what took down PhishTank's mailing list for at least a while. I wouldn't know because my efforts to get most of the spam links and didn't have malware link in the URLs was successful. But Phishtank use (used) an exim list mailer as well. I won't go into any more details than that. HHH
Team Speak USA Test
It looks like the initial guess (not my guess) is correct as my test shows (message from TeamSpeak USA to me) http://www.securemecca.com/tmp/TeamSpeakUSA-Direct.txt http://www.securemecca.com/tmp/TeamSpeakUSA-Msg.txt Setting up a system like this which can spam a mailing list is an abuse. Whether it is accidental or intentional remains to be seen. It may be wise to not send until the spam issue can be resolved. HHH -- Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop. Thinking has been suspended indefinitely. Anybody caught thinking will be immediately shot!
Re: [#INN-651-31269]: Re: key management APG
On 08/05/2013 08:18 AM, Brad Rogers wrote: On Mon, 05 Aug 2013 09:36:42 +0200 Werner Koch w...@gnupg.org wrote: Hello Werner, On Sun, 4 Aug 2013 22:24, ivangrun...@gmail.com said: What is with the helpdesk being a list member? They are. I have set the moderation flag. The XOrg list has suffered the same problem. Then it is malevolent by somebody. I am bcc'ing this message to teamspeak's technical contact. I suspect somebody is doing it deliberately now. HHH
Re: [#JYM-378-41570]: Re: Why trust any software?
On 08/06/2013 12:42 AM, Jean-David Beyer wrote: On 08/05/2013 09:23 AM, TeamSpeak Piracy wrote: Jean-David Beyer, Thank you for contacting us. This is an automated response confirming the receipt of your ticket. One of our agents will get back to you as soon as possible. For your records, the details of the ticket are listed below. When replying, please make sure that the ticket ID is kept in the subject line to ensure that your replies are tracked appropriately. *Ticket ID: *JYM-378-41570 *Subject: *Re: Why trust any software? *Department: *Piracy [English] *Type: *Issue *Status: *Open You can check the status of or reply to this ticket online at: https://support.teamspeakusa.com/index.php?/Tickets/Ticket/View/JYM-378-41570 Kind regards, TeamSpeak USA, Inc. TeamSpeak Piracy e-Mail: pir...@teamspeakusa.com mailto:pir...@teamspeakusa.com Visit: http://www.TeamSpeak.com Knowledgebase: http://support.TeamSpeakUSA.com Hours of operation for this department are Monday - Friday, 9AM to 5PM Pacific Time (UTC-8). We are committed to responding to your inquiry within 48 hours, and typically will reply within 24 hours, excluding weekends and holidays. I thought I posted to gnupg-users list. I was making a remark to a previous post. I was not filing a trouble report, and do not think I was even addressing the issue of piracy. Hence I am very confused that I seem to have been issued a trouble ticket and getting two e-mails about this. Is something wrong with a server? Or an autoresponder? I guess you deleted all of my other messages. ANYBODY WHO POSTS ANYTHING TO THIS MAILING LIST IS GOING TO GET THIS UNLESS IT IS FIXED. I have done some preliminary studies and the messages are posted here: http://www.securemecca.com/tmp/ Look at the ones that start with TeamSpeak. If the problem cannot be fixed or won't be fixed, the gnupg-usersGNATgnupg.org will have the very same problems the phishtank-dev list. What happened there is that the phishtank-dev list had to be closed. 
I assume the same thing is going to happen here. YOU DO NOT MONITOR THE SOURCE OF THE PROBLEM! If you can identify what the problem is and can remove it then you KILL THE PROBLEM. If you don't you have to shut down. I received no comment from TeamSpeak's technical person so I am going to be blocking ALL of their hosts in my blocking hosts file. I have no other choice. You don't listen to your attorney saying to not say anything if you are the victim. You cure the problem. They didn't reply so I have no choice. HHH
Re: best practice for handing over the private key
On 08/02/2013 01:31 PM, Martin T wrote: Hi, Your description sounds, to me, as if you are only generating a key for the other persons use. Not quite. At the beginning I need to use those keys myself in order to create the needed database objects. Once those are done, I need to hand over the private key to other person. So basically I'm generating a key pair for other persons use which I need to use myself at the beginning. So you mean that my correspondent sends me his public key, encrypted to my public key which he finds from the key-server, in an e-mail. Then I generate the key pair needed for the project. Finally I encrypt the project private key with his public key and e-mail this encrypted private key to him. Once he confirms that he has received the project private key, I will delete the project private key from my machine as I do not need it any more. Is that what you meant? I don't know if that is what John meant but this makes me far happier. I was concerned about the secret (private) key which I assumed you were creating via either a --export-secret-subkeys or a --export-secret-keys was being sent en-transit unencrypted. But the way you just said it here sounds optimal in protecting the secret key en-transit. If he wants only the secret / public key pair (does not want a personal key pair), the encryption and zipping of the secret key for en-transit could be done with 7-zip's AES-128 cipher which avoids a chicken versus egg problem and still gives some measure of securing the secret key en-transit: http://www.7-zip.org/ Send the password for the zip separately and preferably after the secret key is sent. If you send the keys in snail mail on a USB stick use something a little sturdier than an envelope like a small box with foam peanut shipping padding. Wait a little longer than you think is necessary before deleting the secret (private) key just in case something goes wrong. But the way you just said it sounds best to me. 
Re: change passphrase in batch mode
On 07/29/2013 11:02 PM, Hauke Laging wrote: Hello, is it possible to change a passphrase in batch mode? From what the man pages say, no. You can delete keys and there is experimental key creation with notes in the doc/DETAILS of the source code on how to do that. Alterations to code? Look at the experimental key creation to get some ideas. You are of course free to investigate using expect, expectk, or tk on Linux / Unix. Things like sh / ksh / bash, PERL, BAT, or PowerShell won't work. I haven't looked at the GnuPG source code in a long time but if which ever of gpg or gpg2 you are using does a dup() or dup2() of STDIN then after the gpg --edit-key KEY then an internal passwd command you will have to wait before giving it the old pass-phrase, new pass-phrase, and then save. For two way across distance the other side may need the new public key after the pass-phrase change (not tested). I would backup my ~/.gnupg ('nix) or gnupg (somewhere down inside your Windows %UserProfile% folder) before doing tests in case you do irreparable damage. HHH
Re: License violation: GoldBug
If the licensing issues can be resolved GoldBug may be the only chance we have of getting people to use encryption in any form. I think it is time for attorneys to have their say. Ergo, GoldBug should have done this a little more transparently rather than just springing it on us. But if they had done that maybe it would not have been done at all. GoldBug doesn't meet my needs. I need mail messages with bad host names given in forward rather than backward notation to get the mail message past the email scanner and to know if a given message or file really did come from the sender / file dropper. I don't have any problems giving the name backwards but I suspect the others do have problems reading the backwards names and know they have problems creating them because they complain about all the bounces they get. They blame it on my email account rather than themselves because they refuse to use enciphering (public key or symmetric). It took me the longest time to get somebody to believe he had to zip the EXE file he was sending me with some other format other than ZIP and to use enciphering if he wanted to get it to me. Sigh. HHH
Trust of GPG4Win - Part 1
All Disclaimer: I have no connections with the GnuPG effort other than as a thankful end user. I have a much longer Part 2 of this. After my tongue in cheek statement about the article at Technology Review I came up with what they were citing, not realizing the damage that it would do. Here is the pointer to the ACM delivery. You need to understand that they were talking about GnuPG running on a VM (Virtual Machine) in the cloud: https://dl.acm.org/citation.cfm?id=2382230 That is nothing close to what GPG4Win is doing running natively on Windows. I believe they picked GnuPG for a specific reason. It is probably one of the most reliable programs written and they were using that for proof of just how unsafe cloud computing is. Ergo ... if GnuPG (GNU Privacy Guard) can't do it then nothing probably can. For a second corroborating source of the SHA1 hashes and file sizes look here for the current and potential new ones: http://securemecca.com/public/GnuPG/gpg4win-2_1_1.txt http://securemecca.com/public/GnuPG/ I don't want to deliver part 2 any sooner than 12:00 UTC 2013-07-29. Why such a long time? I have to get it right. I have already made at least 30 edits and am nowhere near satisfied with what I have written. HHH -- Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop. Thinking has been suspended indefinitely. Anybody caught thinking will be immediately shot!
Re: PEBKAC (was GPG weakness)
On 07/25/2013 12:59 PM, Manu García wrote: Hi. I'm not a member of this list, but have read an article that I'd like to share, and put into your knowledge (if you don't know it already) because I think is rather important. In said article, about security in the Cloud you can read this: «Michael Bailey, a computer security researcher at the University of Michigan, notes that the software attacked—an e-mail encryption program called GNUPrivacy guard—is known to leak information, and that the experiment wasn’t carried out inside a real commercial cloud environment.» Source: http://www.technologyreview.com/news/506976/how-to-steal-data-from-your-neighbor-in-the-cloud/ I always thought that GnuPG was rather secure, but it seems that among experts it's a well known weak and poor ciphering technology which no security experts consider seriously. At least that's the impression I get reading said article. Are devs taking some measures to make GPG really secure? PEBKAC. I went to Herr Professor's web-site and there was nothing to verify the statement. From now on do your own checking before asking these questions. http://web.eecs.umich.edu/~mibailey/ Here is what most people did with Windows: Used it out of the box as-is. Should we turn off auto-run, the infamous idea that made Stuxnet possible? No! Should we install Firefox plus Noscript? Noo! Should we stop reading POP email with email clients that render HTML and use something like Thunderbird or another email client that doesn't render HTML? Why do I want to use my dad's type of email? I use OutLook's web-mail most of the time anyway doggone it! I love those phish and make sure I click on the links that infect my Windows system! http://securemecca.com/public/NoPhishProblems.txt Let's do all of these other things wrong and when we install GnuPG, by all means we should NOT use an OpenPGP card instead of the files. 
After all, we want the hacker to not only get the pass-phrase with their key-logger, we want them to get the whole darn key-ring as well. We have to take pity on the poor hacker and help them. What's the fun in there not being any files except stubs on the file system saying the keys are really on the OpenPGP card? Oh no, we got hacked and instead of cleaning up the machine and making it safer and then just changing the pass-phrase (we used an OpenPGP card) out went our entire key-ring with our keys given a life-time of forever which now belongs to the hacker as well because we refused to use an OpenPGP card. BTW, most people now use iPhone instead. They love Apple tracking their every move and getting an ad to go to Joe's Bistro because they are listed as being near the bistro based on their iPhone giving out its geo-location information and Apple giving that information because Joe's Bistro pays them to do it and it is about lunch time anyway isn't it? Finally, I have no doubt that this will be quoted as authoritative by Wikipedia. I have news for you. In the olden days the statement made at Technology Review without corroboration is known as hear-say. Hear-say is deemed as inadmissible in a court of law. Therefore, as Judge Hobbit I deem it inadmissible in my court-room. Furthermore I could find no place where Associate Professor Michael Donald Bailey at the University of Michigan ever made such a statement. Case Closed Judge Henry Hertz Hobbit Re: Signed, sealed, and delivered
Re: Why trust gpg4win?
On 07/25/2013 07:34 PM, takethe...@gmx.de wrote: Hi everybody, why should I trust gpg4win? I have doubts since it was ordered by the Bundesamt für Sicherheit in der Informationstechnik (BSI), which has close connections to secret services. Is gunPT any better? Finally, why should I trust gunpg? I'm a windows user. That is up to you, but since GPG4WIN has both GnuPG and many bundled GUI apps and is freely available from Gnu there is nothing to prevent BSI from using it. Many human rights activists also use either GPG4WIN or the pay version of OpenPGP, PGP from Symantec. Does that have any effect on your decision? Did you mean GnuPT? Under the hood it still is just WinPT plus GnuPG so you are back at the same feeding trough. It is just that WinPT is older than the GUI tools bundled with GnuPG in GPG4WIN. A better question might be, should I trust Windows? With the 10,000 malware I have studied with only a few POC DMG files for Macintosh and the rest being almost all Windows binaries maybe not. I think what you want is GPG4WIN from http://gpg4win.org which is newer than Windows PT and works much better. Both WinPT and Kleopatra and the other programs bundled into GPG4WIN are using GnuPG at the core. WinPT is just the older GUI technology that goes with GnuPG on Windows. GPG4WIN includes newer GUI tools that should work better. HHH
Re: GPG detection on Windows?
On 07/18/2013 05:15 PM, Anthony Papillion wrote: Hello Everyone, I'm designing an application that will run on Windows and utilize GNUPG. Right now, I'm detecting if GPG is installed by calling it then parsing the output of the command to see if it succeeded or failed. This is VERY messy and not my preferred way. Does GPG4Win install anything to the registry that I could check for to see if it's installed? Yes. Just fire up regedit and search for gnupg (or maybe just gnu). There are also the folder / files in: %ProgramFiles%\GNU\GnuPG You probably just want to test whether either of these files are there since them or one of the others is what you are using: %ProgramFiles%\GNU\GnuPG\pub\gpg.exe %ProgramFiles%\GNU\GnuPG\pub\gpg2.exe
Re: encrypting multiple files into a single output file
On 07/16/2013 03:24 PM, Daniel Kahn Gillmor wrote: Hi Ira-- On 07/16/2013 11:08 AM, ira.kirsch...@sungard.com wrote: With PGP you can do something like: pgp -e -r pgpkey filelist -o output file name --archive This will create a single output file name with the entire filelist each individually encrypted. I don't have PGP, so i still don't know what the resultant file format is. I did find this man page description (the X.509 certificate for the web site is expired): https://supportimg.pgp.com/guides/PGP_Command_Line_9.5.2_man_page.html#_Toc74983362 but it doesn't describe the structure of the archive. could you send me (privately) one such archive with two small, non-sensitive text files in it? You can encrypt the archive to me using my key by fingerprint, after first fetching it from the public keyservers: 0x0EE5BE979282D80B9F7540F1CCD2ED94D21739E9

Ira, how is this different from:

--multifile --encrypt
--multifile --decrypt
--multifile --verify

(alternatively)

--encrypt-files
--decrypt-files
--verify-files

where you list the files on the command line or read them on STDIN? It won't handle detached signatures. If you give Daniel a sample you will probably get your answer much quicker. Let us know what the end result is, especially if there is a happy solution.
Re: encrypting multiple files into a single output file
On 07/16/2013 04:04 PM, Werner Koch wrote: On Tue, 16 Jul 2013 17:08, ira.kirsch...@sungard.com said: This will create a single output file name with the entire filelist each individually encrypted. That is the PGP Zip format, right? We support it for ages; our tool is called gpg-zip and creates a compatible archive. Technically this is not the common ZIP format but the widely used USTAR format. BTW, GnuPG-2 comes with gpgtar which is used on Windows to implement the PGP Zip functionality. Ira, forget my question. Just send a sample to Werner and Daniel and you will probably be in business real soon. Depending on the outcome of the experiments with one of your multiple file archives my question was probably just answered.
Re: searching for keys
On 07/13/2013 09:56 PM, kardan wrote: Hi, When I search for a key via browser on [1] I get an unencrypted answer from [2]. This happens for some keys that are only available on some servers. The problem is that the info, whose key I am searching is presented to sniffers in plaintext. I think the encrypted pool should not forward to unencrypted web interfaces. [1] https://hkps.pool.sks-keyservers.net/ [2] http://keyserver.stack.nl I am going to give this from the perspective of somebody who has handled way too much malware. I question the legitimacy of the first in the first place since it doesn't even have a WHOIS record for either sks-keyservers.net or hkps.pool.sks-keyservers.net and the browser warns that the certificate may not be legitimate. Since I worked with lots of malware, this would lead me to believe I was well into the red zone. The IP addresses are also a little unsettling as well: 005.009.142.114 (5.9.142.114) 005.135.166.171 (5.135.166.171) 080.241.060.003 (80.241.60.3) 084.215.015.221 (84.215.15.221) 094.142.241.093 (94.142.241.93) 131.155.141.070 (131.155.141.70) 176.009.051.079 (176.9.51.79) 192.146.137.011 (192.146.137.11) But since it is a pool service it is really their baby and you would probably best take it up with them. I think they would tell you that most people would prefer the redirect than going without the key that they are searching for. (OTHERS: Please speak up if you disagree with me.) On the other hand if you live in the FSA, er, the USA and are searching for the keys of the human rights advocates sitting next to Edward Snowden recently I can understand the concern. I am not trying to contact those human rights activists so I am not worrying about that. These other things are a little unsettling unless you know the people running the pool key service personally. But pool services probably should hand off queries to other servers if they don't have the keys themselves.
HHH PS The search for my keys was all HTTPS but I drop my keys onto several servers and they propagate out nicely to most of the others in two weeks time.
Re: not recognizing my passphrase after moving from XP to Win7
On 07/08/2013 09:22 AM, Peter Lebbing wrote: On 07/07/13 21:53, Henry Hertz Hobbit wrote: I did the same there but I do modify the random_seed file with hexedit for each key-ring which some people object to. From my point of view that is far better than just having each key-ring having the same random_seed file. As one of the people to object, let me repeat that you simply shouldn't copy the random_seed file to another system, but let it create its own. I agree that having each keyring start out with the same random_seed file is a bad situation, which is trivially avoided. Even removing it after the copying is less work than monkey-bashing the hex part of your keyboard in a hexeditor :).

I do NOT just copy it. I hexedit it and randomly, not pseudo-randomly replace some of the bytes (actually nibbles). The reason why, again: when I omitted the random_seed file gnupg (1 or 2) would NOT just create the file. I imagine if I used the keys on Windows for either signing or enciphering it may have created the random_seed file, but since I don't use them that way but only for verifying detached signature files, for whatever reason they never got created. Whether you choose to believe my random changing of nibbles in the random_seed file (there is NO plan of what to change or even how many and some of them may even get the same nibble with the change) is up to you. I am NOT telling this person to do the same thing. In this case, since he copied the entire key ring I would advise that he delete the random_seed file as a security measure. But in the case of Windows 7 I didn't know where the keys should be put so I created a dummy key after a GPG4WIN install. After that I copied over all of my files BUT the random_seed file in the AppData\roaming\gnupg folder.
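The copy-everything-except-random_seed migration discussed in the message above can be scripted so the seed file is never carried to the new system. This is an added example, not code from the thread or from GnuPG; the function name is hypothetical, and skipping `*.lock` files and non-regular files such as sockets is an assumption about what should stay behind.

```python
import os
import shutil
import stat
import tempfile

SKIP_NAMES = {"random_seed"}  # per-system RNG seed: never carried across


def copy_gnupg_home(src: str, dst: str):
    """Copy a GnuPG home directory from src to dst without random_seed.

    A random_seed that already exists in dst (created by GnuPG on the new
    system) is left untouched. Lock files and anything that is not a regular
    file (sockets, symlinks) are skipped as well; that part is an assumption.
    Returns (copied, skipped) as sorted lists of paths relative to src.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        rel_root = os.path.relpath(root, src)
        target_root = os.path.normpath(os.path.join(dst, rel_root))
        os.makedirs(target_root, exist_ok=True)
        os.chmod(target_root, 0o700)  # keyring directories are owner-only
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            path = os.path.join(root, name)
            regular = stat.S_ISREG(os.lstat(path).st_mode)
            if name in SKIP_NAMES or name.endswith(".lock") or not regular:
                skipped.append(rel)
                continue
            out = os.path.join(target_root, name)
            shutil.copyfile(path, out)
            os.chmod(out, 0o600)  # key files are owner read/write only
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo():
    """Run the copy on constructed placeholder files (no real key material)."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "old"), os.path.join(tmp, "new")
        os.makedirs(os.path.join(old, "private-keys-v1.d"))
        os.makedirs(new)
        for name in ("pubring.gpg", "secring.gpg", "trustdb.gpg",
                     "random_seed", "pubring.gpg.lock"):
            with open(os.path.join(old, name), "wb") as fh:
                fh.write(b"old-system " + name.encode())
        # Seed written on the new system by the dummy-key step in the thread.
        with open(os.path.join(new, "random_seed"), "wb") as fh:
            fh.write(b"new-system-seed")
        copied, skipped = copy_gnupg_home(old, new)
        with open(os.path.join(new, "random_seed"), "rb") as fh:
            seed = fh.read()
        has_subdir = os.path.isdir(os.path.join(new, "private-keys-v1.d"))
        return copied, skipped, seed, has_subdir


if __name__ == "__main__":
    print(demo())
```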
Re: not recognizing my passphrase after moving from XP to Win7
On 07/08/2013 03:42 AM, eMyListsDDg wrote: Hello Henry, i copied the 32-bit XP gnupg dir contents to this dir on Win 7-64bit from:C:\Documents and Settings\user name\Application Data\gnupg to: C:\Users\user name\AppData\Roaming\gnupg\ That is the correct folder. I have no idea on what Windows 7 does with the Documents and Settings folder but I created dummy keys and then replaced everything in that folder except for the random_seed file (created when I created the dummy keys) on Windows 7 for the administrative user and me (yes, two accounts per each Windows 7 system). They work. I can create symmetric enciphered files, public key enciphered files, and detached signatures files and decipher, decipher, and verify respectively. there is a sub-dir C:\Documents and Settings\user name\Application Data\gnupg\private-keys-v1.d that is empty. did i miss getting my priv keys copied over? NO, but as Peter said you may have been better off NOT copying the random_seed file even though I do change mine with hexedit. But for someone to say that I am simply not random, they have never seen my sleeping hours, trips to the store, etc. I am about as random as you can get. For somebody to say that human beings are simply not random assumes the idea that all human beings are alike which I can tell you is not true. I can attest to that as both a Psychologist and giving testimony in a court of law and can tell you that none of the witnesses experienced the exact same event in the same way. Humans simply do NOT see or experience the same event the same way. Yet we all assume that is the case. I can also back that statement up with my Psychology degree and years of experience with experiments in perception and learning theory. I can remember that episode of MASH where the Ferret experienced events one way and Hawkeye a completely different way. Believe it or not that is the norm, not the exception.
I can assure you I have NO plan of what gets replaced in a random_seed file and I certainly don't make the mistake of making sure I don't replace a nibble with the very same thing. The replacements are all over the file with no plans of how to move. It is pure serendipity. The files may or may not get the same changes but so far a hexcmp always gives me the first byte that is different and it is never the same. It is just as random as any RNG. Normally I use hexedit with two or more malware that have the same size in a given time period. I have much more trust in hexcmp than even sha256sum to test whether two files are the same or not. There will be more on this in a separate post and it will delve into even Physics of the large (galaxies) and the small. But the big point was GNUPG DID NOT CREATE A random_seed FILE FOR ME ON WINDOWS SEVERAL YEARS BACK. What is it using when it isn't there. Since you are using the keys in only one place, e.g., you are moving from Windows XP to Windows 7 permanently then there may not be an issue with just copying random_seed. I wouldn't know. My work-around below may make that a moot point anyway. nope, do not use Outlook. i use TheBat! v5.1.6.2 on my windows machine, have for years. i thought too, as you did, maybe the mailer program was the issue. but i went to commandline, encrypted a small test text file with my email key. that succeeded. but couldn't decrypt it. returns invalid key. no matter i typed in key or pasted from my main password database app. Somebody else just had an issue this way. Resign all of YOUR keys with the highest level of trust and see if that helps. Yeah, I know. It sounds dumb but there is a slim chance it will work. But if you cannot edit your keys because it does not accept your pass-phrase I would say you are hosed and will need to export everything that is yours (public, private and trust) from Windows XP and then import them on Windows 7. 
Note that I said you will almost HAVE to do that anyway if your Windows XP is 32 bit and Windows 7 is 64 bit. In that case don't even dream of copying. It won't work. Be sure to wipe out your entire AppData\roaming\gnupg folder. Then create dummy keys on Windows 7. Then import your keys and trust on Windows 7 from the exports created on Windows XP. Then edit your transferred keys and make sure they have the highest level of trust. Just make sure you are doing a self sign (e.g., not signing them using the dummy key which you may want to remove at this point but should do the instant your keys start working again). When you publicly encipher a file it doesn't ask for a password. So do one test using a symmetric cipher and then try to decipher that file (remember to put the original some place else before you decipher). Hopefully you can decipher a symmetrically enciphered file. Then create a detached signature file since you have to type your pass-phrase when you create a detached signature file. http://www.securemecca.com/public/GnuPG/
Re: not recognizing my passphrase after moving from XP to Win7
On 07/07/2013 03:10 AM, eMyListsDDg wrote: now i'm finding out after moving from XP to Win7 that i can't edit my keys or decrypt email test messages. the passphrases to decrypt i have aren't working from command line or my email app. during migration i copied all the files from user\apps\gnupg dir on XP to my new machine. Where do you put them on Windows 7? It is hard to see where they are at for me but I just did a dummy key create on Windows 7 and then copied all of my keys sans the random_seed file over the newly created files. I cannot see it right now on Linux due to all of the shortcuts not showing up the same way with NTFS mounted RO on Linux. You didn't say what email program you are using so I assume Outlook which may or may not make a difference. is there command line opt for gpg2 to run to sync my key ring or am out of luck after moving to new machine and have to create new key pairs? I don't have extensive testing but I copied my keys from 32 bit Ubuntu to 32 bit OpenSuSE and Windows XP. I just changed the XP to Windows 7 but I am using 32 bit Windows 7. I did the same there but I do modify the random_seed file with hexedit for each key-ring which some people object to. From my point of view that is far better than just having each key-ring having the same random_seed file. But for Windows 7 I just left the newly created random_seed file in place but copied over all the other files. I have two systems with Windows 7 32 bit on both of them (should have gone with 64 bit - no such thing as PAE on Windows). I don't think you can just copy from Windows XP 32 bit to Windows 7 64 bit. Is that what you have? If it is what you have you may need to do a export / import. I can say I have had no problems with my Windows 7 32 bit but I only ran one test which was to verify a file with a detached signature file.
I can do the following but I don't read email AT ALL on Windows (I get lots of malware in my email - the wannabe hackers think they can catch me off guard): 1. Encipher a file with my public key on Linux and decipher it on Windows. 2. Symmetrically encipher a file with the TWOFISH cipher on Linux and decipher it on Windows. 3. Do the same as the previous two but do the ciphering on Windows and deciphering on Linux. Let me know if it would help to do that (a personal message would be fine). After that I could stand by for some tests using email by enciphering, signing and both. HHH
Re: Do we need / want (or already have) a mascot for OpenPGP?
On 07/08/2013 01:07 AM, Werewolf wrote: On Mon, Jul 08, 2013 at 10:24:27AM +1000, Fraser Tweedale wrote: How about an armadillo? Or a Masked armadillo? There is no such critter. There are naked-tailed, long-nosed, and hairy Armadillos but no Masked Armadillo. There is even a Pink Fairy Armadillo (one of the rarer species of Armadillo). What most people think of when you say Armadillo is the nine-banded Armadillo which is Texas' small state animal which has the widest range. GnuPG already has an icon / emblem which you can see on the GnuPG page which is a padlock with a wing on it. I was one of those privileged to be able to vote on the competing designs. I am sorry you missed out. But I think the standard GNU mascot applies not only to GnuPG but to all of the GNU projects such as gcc, g++, EMACS, et al: http://en.wikipedia.org/wiki/GNU Until Werner, Richard Stallman and the other GNU people announce a competition for a GnuPG mascot or say otherwise, the GNU is the official GnuPG mascot.
Re: Debian crypto strength
On 06/27/2013 09:24 AM, Daniel Pocock wrote: Some of the discussion in this bug seems relevant to the GnuPG and GnuPG2 packages in Debian, but the bug is against the archive pseudo-package: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612657 I wouldn't classify it as a bug but I did read all comments and what I write here should be classified as just the OPINION of one person, moi. Like Thomas Jefferson's religious beliefs I think I will be in a congregation of one. Can anybody else make any comments: a) should there be more effort to phase out SHA1? Maybe not if the argument by one person here is to be believed and the statement by another that ALL of the SHA would have been vulnerable to the same attack. Did the discussion come to a satisfactory conclusion? Not for me since the arguments were mostly theoretical. I am one of those people who much prefers actual over theoretical. Where they can't phase out SHA1 they can't. Where they can they should replace it with SHA-256. The one comment saying you can have both SHA1 and SHA-256 is impractical. It is either SHA1 or something else. I suspect the inertia against shifting from SHA1 to something else is probably more the hassles they perceive it will cause than any technical considerations due to standards. b) how is it being approached upstream? Is backwards-compatibility still emphasized to the same extent? I don't know how much they are emphasizing backwards compatibility. But in this case I don't see how it could be a problem if they are using only GnuPG. Support for SHA-256 has been in GnuPG for an awfully long time. SHA-512 may cause problems going forwards given its status in backwards compatibility and depending on whether Debian uses something other than GnuPG going forwards. SHA-512 also requires significantly more CPU cycles as well and can be too much for smaller devices. Is Debian planning on a smart phone or tablet? 
c) should this become a general system-wide goal to audit and increase crypto-strength in all parts of jessie / future Debian versions? The comments in the bug indicate that NIST has a directive to replace SHA1 with something else by 2010? I don't know what all that includes but Microsoft is still using SHA1 which means that if Microsoft is included the directive is hopeless. Here we are three years later and people are stubbornly refusing to shift away from SHA1. I can remember when kernel.org was hacked into and they stated that they had used super secure SHA1. That is kind of like the two radar technicians in Tora Tora Tora. The first notes a huge formation coming in from the north. The second whines about going to eat and the lieutenant they call the observation into told them not to worry about it. The argument that SHA1 just isn't as robust seems to me to be the same type of argument as the one to ignore that radar warning. We all know what happened on that one don't we? Pearl Harbor and the US was sucked into World War II whether they wanted to be in it or not. In trying to understand the resistance to moving away from SHA1 you have to understand that it is much more dependent on the personal resistance to change than the technical hassles. But if they do it they should write down all the problems they had and how they solved them in case they have to do it again in the future. The second time around for anything is always much easier than the first. HHH --- Thinking has been suspended indefinitely Anybody caught thinking will be immediately shot!
Re: Transfer subkey to other keyring
On 06/25/2013 06:12 PM, Jack Bates wrote: Hello, I want to transfer a subkey from one keyring to another, but I get the following error:

gpg: key 7FABB65F: already in secret keyring
gpg: Total number processed: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

Here is the command I am running:

$ gpg --homedir . --export-options export-reset-subkey-passwd \
      --export-secret-subkeys 10D03493\! | gpg --import-options merge-only \
      --import

The destination keyring does not already contain the subkey 10D03493 (and unfortunately it still does not contain it after running the command) What am I doing wrong?

Why are you setting --homedir to the current folder (.) and where are you at when you are running the command? I added some back-slashes for clarity since my mailer wrapped (sorry). You say one keyring to another which implies two directories (folders). IOW, the command implies you are trying to export from the folder you are in which is NOT ${HOME}/.gnupg into ${HOME}/.gnupg (you took the default for the second gpg which is ${HOME}/.gnupg unless you set environment variable GNUPGHOME to something else). But the error seems to indicate:

1. You are in ${HOME}/.gnupg, e.g., you did a: $cd ~/.gnupg
2. You are setting the --homedir explicitly to . which is now ${HOME}/.gnupg for export and the import is also going to ${HOME}/.gnupg (same folder) implicitly unless you over-rode it with the environment variable GNUPGHOME to be something else.

The error seems to indicate you are importing to the same folder you are exporting from. I would suggest using the --homedir with the actual ${HOME}/FROM-DIR-PATH for the first gpg and --homedir with the actual ${HOME}/TO-DIR-PATH for the second gpg. That makes it explicit where it is coming from and going to. I leave it to others to say whether the commands once that is handled are correct. It seems to be from the man pages but since I have never done it ...
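The same-directory condition diagnosed in the reply above can be checked before any key material is piped between the two gpg processes. This is an added example, not code from the thread; the function names gnupg_home, same_keyring and transfer_subkey are hypothetical, and the gpg options are the ones quoted in the original command.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to pipe an export into an
# import when both gpg processes would end up using the same keyring.

# Print the canonical home directory a gpg invocation would use.
#   $1 = value given to --homedir, or empty when the option is omitted
# Precedence: --homedir first, then $GNUPGHOME, then ~/.gnupg.
gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    # Resolve "." and symlinks to a physical path; fail if it does not exist.
    (cd "$dir" 2>/dev/null && pwd -P)
}

# Exit status: 0 = same directory, 1 = different, 2 = a directory is missing.
same_keyring() {
    src=$(gnupg_home "$1") || return 2
    dst=$(gnupg_home "$2") || return 2
    [ "$src" = "$dst" ]
}

# transfer_subkey SRC_HOMEDIR DST_HOMEDIR SUBKEY_ID
# Pass "" for a homedir to model a gpg call without --homedir.
transfer_subkey() {
    rc=0
    same_keyring "$1" "$2" || rc=$?
    case $rc in
        0) echo "refusing: export and import both use $(gnupg_home "$1")" >&2
           return 1 ;;
        1) ;;   # distinct keyrings, safe to continue
        *) echo "refusing: a homedir does not exist" >&2
           return 1 ;;
    esac
    src=$(gnupg_home "$1")
    dst=$(gnupg_home "$2")
    # Both sides get an explicit, absolute --homedir. In a script the "!"
    # suffix needs no backslash; the "\!" in the post is for interactive use.
    gpg --homedir "$src" --export-options export-reset-subkey-passwd \
        --export-secret-subkeys "$3!" |
    gpg --homedir "$dst" --import-options merge-only --import
}

# Usage (directory names are placeholders):
#   transfer_subkey "$HOME/FROM-DIR-PATH" "$HOME/TO-DIR-PATH" 10D03493
```

Run from inside ~/.gnupg as `transfer_subkey . "" 10D03493`, the guard stops before gpg is started, which is the situation the "secret keys unchanged: 1" output points to.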
Re: GpgEX for 64 bit Windows test version
On 06/24/2013 06:18 PM, Bob Henson wrote: When I ran regsvr32 c:\Program Files (x86)\GNU\GnuPG2\bin\gpgex.dll it just caused an error, saying The module c:\program failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependant .dll files. The specified module could not be found. Try putting double quotes at the start and end of the string, e.g.: regsvr32 "c:\Program Files (x86)\GNU\GnuPG2\bin\gpgex.dll" I can NOT assure you that this will work but it probably will. I wished Microsoft had used just C:/Programs/ instead of C:\Program Files\ for %ProgramFiles%. I don't know what to say about 64 bit other than don't mix / match. Microsoft could have used C:/Programs/64/ but that would have made too much sense. Microsoft wants back-slashes instead of slashes and a nice mix of punctuation marks in addition to dot . plus space characters in all folder and file names. It doesn't work very well, especially for something done from cmd.exe instead of the GUI. How bad is it? I COPY 7za.exe to use it in scripts because I don't want to make registry changes (%Path%) just to make it work from where it is at. Sigh
Re: encrypting to a user, There is no assurance this key belongs to the named user
On 06/21/2013 07:50 AM, Michael Tokarev wrote: Hello. Recently I upgraded a Debian machine from squeeze to wheezy, which led to upgrading gnupg from 1.4.10 to 1.4.12. And immediately noticed that many automated tools I used stopped working, refusing to encrypt with the error indicated in the subject. $ gpg --batch -q --encrypt --recipient rconf foo foo.enc gpg: 468E35BC: There is no assurance this key belongs to the named user gpg: [stdin]: sign+encrypt failed: unusable public key Who or what is gconf? If that is what is actually used then it is neither an email address nor the keyid. I suggest as your first step replacing rconf with the actual key-id (number) you want to encrypt for to see if that works. It is just that GnuPG seems to be having problems with the supplied user name. If rconf was meant to be an email address either it doesn't match that field completely or maybe you had a define in your ~/.gnupg/gpg.conf that is now missing. We can go from there if this doesn't work.
Re: encrypting to a user, There is no assurance this key belongs to the named user
On 06/21/2013 10:22 AM, Peter Lebbing wrote: On 21/06/13 12:00, Henry Hertz Hobbit wrote: Who or what is gconf? If that is what is actually used then it is neither an email address nor the keyid. I don't think that's the problem, gpg is picking the key the OP wants, since it complains about key 468E35BC having insufficient validity. Michael, what does --edit-key rconf tell you about key validity? I don't know what's happening here, it looks to me like you're doing it correctly and it ought to just work. I tried to reproduce on my Wheezy system and couldn't reproduce it. But maybe I'm missing some detail. Do you have any fancy stuff in your gpg.conf? Define fancy stuff broadly ;). Anything you feel comfortable sharing might be useful to mention.

Okay, try the following as a test since I had similar problems with a version update and this got rid of my problems (but there is no assurance it will help you since my problems were slightly different but did not manifest themselves until I had a GnuPG version jump like what you just got):

1. Backup your key-folder in an xterm:

   $ cd ; rm -f gnupg.zip
   $ zip -r9 gnupg.zip ./.gnupg

2. Delete the key using gpg and make sure the trustdb entry for this key has also been removed.

3. Check to make sure you have an up-to-date version of the key and then --import it. lsign it again. Now test it.

I am not saying it will work but it may. There may be a possibility your trustdb got fouled up somehow. This test is not catastrophic because you can always go back to what you had:

   $ if [ -s gnupg.zip ]
     then
       rm -fr z00.gnupg
       mv .gnupg z00.gnupg
       unzip gnupg.zip
     fi
   # number others z01, z02, etcetera, if you want to keep a trail.
Re: How do I make the private key on a OpenPGP smartcard non exportable ?
On 06/19/2013 03:21 PM, Heinz Diehl wrote: On 18.06.2013, NdK wrote: If the key is generated on-card, you have no way to backup it. No need for unexportable flag: simply there's no command to export it. And if the key is generated off-card and properly moved to the smartcard afterwards, there's no way to export it either. It's only the stub which points to the smartcard left on disk. Is the original poster still there? I was going to write and decided it was wiser to wait for these responses which I almost knew were coming. Try the backup from GPA's menu. I doubt you will get anything that can be exported. If you get a backupg.gpg (or similar), then try importing your secret keys onto a second system with GPGWIN installed. If all that flies (you were actually able to do a --export of your private keys despite these two people's responses to the contrary and then are able to do a --import on the second system) then try these tests: 1. Make a detached signature of a file on system one (with OpenPGP card). Copy the base file and the signature file to system two and see if it verifies. 2. Sign on second, copy to first, and see if it verifies on first. IOW, reverse of previous. 3. Encipher a file using public-key of said key you supposedly were able to import on either of the systems. By that I mean a public-key enciphering, not just a symmetric cipher, e.g.: http://www.securemecca.com/public/GnuPG/pcrypt.txt Copy the public-key enciphered file to the other system. Flash drive, et al. Decipher it on the other system. I don't think your tests will work. In fact I don't believe you will even get to these three tests. What is the advantage of using the OpenPGP key and having a public-key enciphered file over a symmetric enciphered file? Symmetric Enciphered: Let's say your machine gets infected. Let's also suppose that a key logger has been installed. 
I can assure you that most malware today either has a mini key-logger as part of the initial install or a key-logger can be downloaded and installed. Actually, most malware will almost do it automatically. I have over 10,000 malware to back that statement up. Either the key-logger got the password to encipher the enciphered file or they saw it when you temporarily deciphered the file. So now all the hackers need are either the plain-text file or the enciphered file and to know what created the enciphered file. But even if all the hackers have are the enciphered file and the pass-phrase they are now only one step away. PeskySpammer has even installed SMTP agents on tens of thousands of Microsoft Windows machines, one of which was at RIPE, one more at ICANN, and one at Yahoo. The hackers have your file and its name alone or what is in the file header reveals what was used to create the enciphered file. Within a few minutes they will have a deciphered file. The only thing that can protect you is to NEVER encipher or decipher the file while the key-logger is there and to never have the deciphered file available. But once they have the enciphered file and know the password to decipher the file the game is over and you have lost. OpenPGP Public-Key Enciphered: All the same things hold. Assume they know the key's pass-phrase. They can also pull down the enciphered file. But you cannot just copy the keys since an OpenPGP card doesn't have a file system. If you cannot --export the secret-keys then the hackers will never get them. FOILED! The hackers have no choice but to move on or set some sort of trigger that knows when you decipher the public-key enciphered file. The longer you let the unenciphered file hang around the more likely it is to fly the coop. So even if the hackers know the pass-phrase (assume they do) and have the public-key enciphered file, they can NOT decipher the file. 
Now do you see the difference between a symmetric enciphered file and a public-key enciphered file where the OpenPGP keys are on an OpenPGP card? Just don't let the unenciphered file hang around any longer than normal. Do not just delete the unenciphered file - securely erase it when you don't need it. If you need higher security use an OS which has moderately more security (Linux) or even higher security (OpenBSD) with an OpenPGP card to hold the keys. Every layer of defense you add encourages the hackers to move on in search of an easier target.
Re: File extension is .txt for gpg import. Is that ok?
On 06/13/2013 03:20 AM, Anilkumar Padmaraju wrote: Hi Gnupg Users, I have question that one of the users gave a file to import and the file is having .txt extension, for example test.txt. I usually import files having .asc or .gpg extensions. Can I do gpg --import test.txt with that .txt file extension? If it has -----BEGIN PGP PUBLIC KEY BLOCK----- on the first line you will probably be fine on 'nix since gpg and gpg2 look at what is in the file to determine if it is safe to do a --import or not. There is one caveat here. On OpenSuSE it refuses to do the following assuming the file Picture. is actually an image file: $ eog Picture. Will fail. They have made it so eog and many other utilities will fail unless you have the proper extension. For this one, if Picture. is jpg file, even this rename $ mv Picture. Picture.gif $ eog Picture.gif will still fail. Ergo, you should probably make sure the file has the proper extension. It takes just a few seconds to do it.
Fail-safe backup
I just answered a question on whether you could import somebody else's keys from a file named other.txt rather than other.asc or other.gpg. While perhaps technically correct I also pointed out that Windows depends on the proper file-name extension and some Linux distros like OpenSuSE are very persnickety about the file having the proper extension. If you are going into the unknown make a backup of your key folder before experimenting. The following in a terminal would be a good idea on 'nix:

$ cd ; rm -f gnupg.zip
$ zip -r9 gnupg.zip ./.gnupg

Now go ahead and experiment to your heart's content. Just be aware that something like OpenSuSE may block an --import unless the file-name is something like other.asc or other.gpg. That doesn't mean any damage will be done with something like other.txt. The shell will just refuse to let gpg / gpg2 do anything. But if you do damage or think you damaged your key-ring, the old fail-safe can always be put back:

$ cd
# if you are unsure if you damaged keys
$ rm -fr zzz.gnupg
$ mv .gnupg zzz.gnupg
# or if you are POSITIVE you killed things:
$ rm -fr .gnupg
# then put the fail-safe back in place
$ unzip gnupg.zip

If nothing else you have a backup of your keys in case of files being damaged due to power failure, et al. But you never want to take steps into the unknown without a way to go back to something that works. If you don't believe me, watch the movie The Eiger Sanction some time. Karl Freytag said: I consider it self defeating to plan in terms of retreat. Hemlock replied I consider it stupid not to. The ending of the movie drives the point home in a very dramatic manner despite one of the climbers saying they would continue in style. Sooner or later you think you can get away with something and you can't no matter how good you are. When that happens you need some way to recover from the disaster. Now go ahead and gpg --import other.txt. 
HHH -- Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop Thinking has been suspended indefinitely Anybody caught thinking will be immediately shot!
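The backup and roll-back steps from this message, and the numbered z00/z01 trail from the earlier trustdb reply, combined into one added script that is not part of either post. It assumes tar in place of the zip/unzip pair used in the messages; the function names backup_keyring and restore_keyring and the archive name gnupg.tar are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): fail-safe backup and roll-back of
# ~/.gnupg. Assumption: tar is used instead of zip/unzip.

# backup_keyring [ARCHIVE]
# ARCHIVE must be an absolute path; the default is ~/gnupg.tar.
# The body runs in a subshell so cd and umask do not leak to the caller.
backup_keyring() (
    archive=${1:-$HOME/gnupg.tar}
    umask 077                  # the archive holds secret keys: owner-only
    cd "$HOME" || exit 1
    [ -d .gnupg ] || { echo "no ~/.gnupg to back up" >&2; exit 1; }
    rm -f "$archive"           # start clean rather than update an old archive
    tar -cf "$archive" .gnupg
)

# restore_keyring [ARCHIVE]
# Moves the current ~/.gnupg aside as ~/zNN.gnupg (first unused number, so a
# trail of earlier states is kept) and unpacks the archive in its place.
restore_keyring() (
    archive=${1:-$HOME/gnupg.tar}
    umask 077
    cd "$HOME" || exit 1
    # Same guard as `[ -s gnupg.zip ]` in the messages, plus a listing pass:
    # never move the live keyring away unless the archive can be read.
    [ -s "$archive" ] && tar -tf "$archive" >/dev/null 2>&1 ||
        { echo "archive missing or unreadable: $archive" >&2; exit 1; }
    if [ -d .gnupg ]; then
        n=0
        while [ -e "$(printf 'z%02d.gnupg' "$n")" ]; do
            n=$((n + 1))
        done
        mv .gnupg "$(printf 'z%02d.gnupg' "$n")" || exit 1
    fi
    tar -xpf "$archive"        # -p keeps the original file modes
)

# Usage:
#   backup_keyring      # before experimenting
#   restore_keyring     # to go back to the saved state
```

Unlike `rm -fr .gnupg`, the restore never deletes the current keyring, so a damaged state stays available in zNN.gnupg for inspection.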
Re: Clarifying the GnuPG License
On 06/12/2013 09:49 AM, Nils Faerber wrote: Am 12.06.2013 07:24, schrieb Navin: Hi, Hi! Since GnuPG comes under the GPL, I would like to clarify if a person's proprietary software makes use of GnuPG purely by invocation of the command line commands, and the GnuPG exe's and DLL's are bundled unmodified with the person's proprietary software, can the person use GnuPG commercially in this manner without having to publish his/her source code? IANAL but from my understanding: 1. by invocation of the commandline commands: Yes 2. invocation of GnuPG exe: Yes 3. Linking, dynamically or statically, against a GnuPG DLL, presumed that it is licensed under GPL: No The DLL usage would require the DLL to be licensed under LGPL, which is the very reason why LGPL was invented. I am not sure which parts of the GnuPG suite are licensed under which license though, e.g. if the GnuPG DLL (if such exists at all) is licensed GPL or LGPL. I am in agreement on the constraints Nils Faerber gives. You were not specific as to the OS but since most distros of Linux have GnuPG bundled I am assuming a Windows OS target. Merging any of the GnuPG / PGP4WIN files into your install folder may get you into trouble. It is because it makes it seem like you own the binaries. You don't so they should not be in your app folder. There are 76 DLL files in the main folder for 2.0.17 (GPG4WIN). Licensing for things like GPGOL DLL is LGPL. Most other DLLs do not give me the licensing information (looking at actual strings in the binary files). All the 46 EXE files I looked at were GPLv3 but I didn't look at all of them so some may be GPLv2. Basically, consider the GPG4WIN bundle to be a GPLv3 product. The last time I looked at it, I had to install GPG4Win or one of the GPG 1.x installs before I put Enigmail in Thunderbird on Windows. EnigMail is licensed under MPLv2/GPLv2 to avoid licensing issues. 
If Enigmail doesn't bundle when they have compatible licensing then neither should you bundle. I would have people download and install GPG4WIN themselves. Under no circumstances link in any of the DLL files to avoid licensing issues. gpg.exe and some other EXE files and iconv.dll are in the %ProgramFiles%\GNU\GnuPG\pub folder which is added to the %PATH% in the install for command line use. Ergo, there is no need to bundle if you use gpg.exe on the command line. HHH
Re: Why OpenPGP is not wanted - stupid is in vogue right now
On 06/10/2013 08:46 AM, Henry Hertz Hobbit wrote: snip is because for what ever reason they want to complain like mad about Prism but then go to Facebook and broadcast their personal lives to the entire world. Why? I would like to say I don't know why and that it could be used for a doctoral dissertation The reason why is that they are narcissistic. A good book to understand younger people today is The Narcissism Epidemic - Living in the age of Entitlement. But Jean M. Twenge at San Diego State (Ph.D. from the University of Michigan) and her cohort W. Keith Campbell at the University of Georgia (Ph.D. from the University of North Carolina - Chapel Hill) are not graduate students. I have bad news for them. The narcissism has spread far beyond the United States borders now. Yes, I have a degree in Psychology as well as degrees in Mathematics and Computer Science and was just considered for a teaching position at a University. I turned it down. I am holding out for that junior level Unix / Linux administration position that is commensurate with my experience. That is not a joke. It is what I am best at and that is now the level I should work at. So if you want to see the social-psychological reasons for why encryption is eschewed, read the book. The puzzle part for me is why many older people are also falling prey to stupid ideas just like they are teen-agers that have to be with the in-crowd. It does NOT bode well for getting encryption used by a lot of people though. I just wished I could walk into a Radio Shack store and purchase my Torx screw-drivers without some stupid grinning sales person trying to ram an iS**t device down my throat. I apologize to the Road Warriors that must use such a device but I don't want one. I am NOT on Facebook or Twitter either. And I unapologetically use encryption when it is appropriate. Thanks Zimmerman, Werner, and crew. 
HHH
Re: Recommendations for handling (multiple) user IDs - personal and company ones
On 06/10/2013 03:14 AM, Hauke Laging wrote: SNIP What a mouthful. I shortened it to those things most relevant to me. My keys are NOT part of the WoT due mostly to nobody around my home having OpenPGP keys. I would say that I have a higher opinion than you do of the WoT when contrasted with one SSL licensing authority after another being compromised very badly. The end result? decades of cleartext e-mail, long after we had the tools to do better :( I don't know quite what you mean by the tools. But I would love the requirement of some sort of secure token from an SMTP server trying to attach to another SMTP server. That would slow PeskySpammer from filling my email box with messages where the sending SMTP server is running on a hacked Windows PC. Actually it would stop it altogether until PeskySpammer figured out a work-around. Yes, I know, we have tons of hacked SSL certs on web-sites. But it would at least slow things down a little bit. But the big problem isn't technical. It is as expressed by one Unix / Linux Admin that I trust not worth the effort. There is a massive sense of futility that we cannot solve the problem and thus no new RFC on email. Trust me on this one. My other POP email account can no longer send except through the web-mail account (maybe that has gone down too) because it is being blocked by something that has gone wrong. That something that has gone wrong may be the NSA or the FBI after my comment in the Washington Post on Prism. Can it be fixed? Yes if it is my current POP / IWSP that is causing the problem. But it can be done only by moving from my current IWSP to a new smaller IWSP that will accept input and be able to hack a temporary fix. But what is needed is a complete revamping on how email works including a new RFC and some way to reduce spam to a trickle and nobody but me wants it. You did see the spam in our mail chutes yesterday morning didn't you? They also sent it to the wireshark group and several others. 
I will be blocking not the host in the message but the host that it led to that had whois information that was bogus. The reason hardly anybody uses crypto is not that its usage was complicated (I know, In a minute Rob will post his usability study link and ask for my sources...). It isn't. Not the basic operations if you have a working configuration. And for the rest the users can ask for help. The reason that most people do not use crypto is the most trivial one: They don't think they need it. That isn't it at all. One of the people commenting on the Prism article at the Washington Post said OpenPGP IS too complicated. It certainly isn't very easy for most people and I have even observed engineers struggling to use OpenPGP. I had a person that stupidly thought they could email me bad host names through their Yahoo web-mail account. Yahoo blocked their send. I have even run tests where I am the only person that had a particular hostname in their block-list and Yahoo even blocked those messages. That would be admirable if I got my names from email. I didn't. I got them from stabbed in links on vulnerable web servers. Even after I tried to get him to zip them with 7-Zip using the AES-128 encryption cipher he just wouldn't do it. A current person is using WinRAR exe installers and dumbly thought he could just send the EXE file as an attachment in email. He finally encrypted it with rar's simple cipher. Sure, you and others could decipher it easily but that was enough to get an email's virus-scanner to leave it alone. At least he listened to me and didn't use zip which was banned because of the ever-expanding zips. Now he has the problem of false detects due to using the WinRAR installer. I told him to shift to using Inno Setup. You do that and the problems go away, especially with a Legal Copyright string. The problem is more serious than whether they think they need any encryption or not. THEY HATE THE IDEA OF USING ENCRYPTION! 
My sig says it all and is attached manually because it really does show what the real problem is now. People including even the Computer Scientists are totally unable to think any more. Even the knowledge that PRISM is snooping into everything won't cause them to change. Why not? They are using Facebook, Twitter and other social services to broadcast everything they do now anyway. That is a sure sign that enciphering is not wanted. But encryption isn't just enciphering. It also includes signing. I would love for them to send me messages that are signed, especially if we exchanged the keys by hand. So why do they hate using encryption? It takes too much work. Unless they are forced to use encryption by somebody else, then dammit all to hell they are NOT GOING TO USE IT. They also trust the privacy of their email messages implicitly despite the fact that they use web-mail. Me? I am rather suspicious but I had a half-sister (blessed) that worked at Arlington Hall. The latest for me was an
Why OpenPGP is not wanted - stupid is in vogue right now
My personal observations agree with Rob Hansen's studies 100%. Even when required to use encryption people hate doing it and their concept is entirely focused on the ciphering with them thinking that people who use encryption are trying to hide something. They don't even begin to understand that signing is also a part of encryption. IOW, there is also an ignorance factor. Nobody but me uses my signatures on the stuff I deliver. It isn't because my keys aren't part of the WOT. It is because for what ever reason they want to complain like mad about Prism but then go to Facebook and broadcast their personal lives to the entire world. Why? I would like to say I don't know why and that it could be used for a doctoral dissertation but I am beginning to suspect the doctoral candidates in Sociology and Psychology will be similarly nuts any more. For those few who use my stuff they don't even use the signatures to verify that things are okay. Dumb? Certainly. But stupid is in vogue right now and I don't know why. The Mayan Haab (365 days per cycle) and Tz'olkin (260 days per cycle) calendars both go backwards and forwards forever but nobody wants to know that these calendars really didn't come to an end on 21 December 2012 and that was just one of the times that the first days align. It also happens every 52 Haab cycles (years) and 73 Tz'olkin periods. Don't try to sit down and explain it to them either. They go glassy eyed and make sure they don't understand that (365 * 52) = (260 * 73) and make sure they don't understand why even when you show the reduction that is lowest number you can get in the multiplication where they are equal. They want to say that it is completely impossible to understand and they want to believe what ever lies are told on the History II channel and elsewhere. They get away with it because everybody else is doing the same thing. Why? BEING STUPID IS IN FASHION RIGHT NOW! 
If they had complained that my keys were not part of the WOT, my keys would have been part of the WOT in a hurry. That was why I added my legal name as a comment. I anticipated somebody would ask me to become part of the WOT. Nobody has asked because less than 1/10 of 1% of people are using encryption except when they don't know that they are using it (443). What is wrong with the GUI provided with GPG4WIN? I really don't want a GUI on Linux since I do most things in a terminal and BASH anyway. My only complaint with GPG4WIN is that checking the signature should come first but that is because that is what I use it for. I verify that my own downloads have not been tampered with. Hey, the web-server isn't under my control. I can no longer send email on the POP email account that goes with that web server any more either. Yahoo's SMTP server stopped accepting my email from Thunderbird just two days ago. Unfortunately, POP still pulls down 100 or so messages from PeskySpammer every day. That does not instill confidence. But I can still mail fine here using OpenPGP on 1and1 with no problems. So it is not my setup which has not changed that is causing the problems. Business mail at Yahoo is either broken or the NSA / FBI retaliated for my comment at WaPo. I pick broken. Why retaliate when even some of them will agree with my comments at WaPo? My snail mail delivered letter to Yahoo will be my last chance at getting it working again. My hope is extremely low. Until stupid falls out of vogue, encryption just isn't going to be used. If the History II channel and my downstairs neighbor with Planet X (Nibiru) are any indication we will need a completely new generation for that to happen. This generation is so stupid with their iPhones and iPads and Galaxy Samsungs that I am beginning to wonder how we got here. It isn't just the young doing it either. Many older people have been similarly afflicted. 
I think I will watch the programs on the D-Day veterans so I can get out of this time warp factor we are in right now for a while. Those people back then weren't stupid. They cracked the Enigma, the Lorenz, and most of the Japanese codes as well. I should have lived my life back then with my half-sister Susie and helped in the cracking. Now? The emperor has no clothes and almost nobody wants to use encryption - ANY KIND OF ENCRYPTION! Me? My financial data and passwords are enciphered. I don't make any apologies either. There are too many hackers that want to steal that stuff. I strongly avoid using software that isn't signed unless I created it either. The people that aren't doing it? THEY ARE PROUD ABOUT BEING STUPID! The reason Microsoft bundled Windows Defender and has it on by default is because well over 50% of the people weren't using an AV product on Windows. Unfortunately, Windows Defender is removing all blocked entries including even Facebook and bad hosts from the hosts file now. Again, stupid is in fashion even at Microsoft when they attempt to remedy a problem. Windows
Re: certificat for a key pair
On 05/29/2013 07:27 PM, Doug Barton wrote:

On 05/29/2013 12:09 PM, Henry Hertz Hobbit wrote:

| On 05/29/2013 06:12 AM, edgard devaux wrote:
| hello using Gnupg with linux debian 7.0 and gnome; i created a
| key pair. my e-mail client asks me a certificate for personal to
| sign, and another certificate for the key. How can i get this
| certificate for keyring, i don't find where. excuse my English
| (i'm Frenchman). thanks edgard
|
| Thunderbird: http://wiki.debian.org/EmailClients
|
| If you are using Thunderbird, do NOT install enigmail with an
| apt-get with a sudo! Also do not set up one common folder but have
| separate email sections for each POP or IMAP email account. Another
| way to add enigmail to Thunderbird:
|
| https://addons.mozilla.org/fr/thunderbird/addon/enigmail/
|
| Add it as yourself, not as root. The apt-get way of doing things
| here may not work. You end up installing it in the system
| thunderbird (/usr/lib/thunderbird) folder. You want enigmail
| installed in your ~/.thunderbird folder.
|
| Once enigmail is installed, you can specify specifically what key
| you want used with each email account by clicking on the email
| account and then view settings then OpenPGP.

That advice is contrary to the conventional wisdom, which is to use the same method to install Enigmail that you use to install Thunderbird (i.e., apt-get + apt-get, or manually + manually). Can you please explain your reasoning here?

First, whose advice? I was advised to blacklist nouveau with a certain file on OpenSuSE 11.4 that didn't exist because Linux cannot upgrade the video drivers when you install a new video card so I had to do the upgrade manually as it always has been done.
Hint: look for a file with the pattern blacklist in the /etc/modprobe.d/ folder and put the blacklist nouveau in that file to get it to accept the new Nvidia driver - similarly for Ubuntu which is Debian based for 10.04:

    http://securemecca.com/public/DemingLinux/OpenSuseNvidia.txt
    http://securemecca.com/public/DemingLinux/UbuntuNvidia.txt

OpenSuSE also installed the clamav program without creating the requisite clamav group and clamav user (it really IS necessary). Ergo, much advice while being given with good intentions is wrong. Sometimes that wrong hurts and sometimes it doesn't hurt. In the case of Adobe Flash Player, just like downloading my video drivers files from either the chip creator or the video card creator it hurts. For Windows it doesn't hurt too bad unless you are a gamer. The drivers from Microsoft are at least 3 months and most likely 6 months to a year older than what you get from the chip vendor. For Adobe Flash Player you get a convoluted list of symlink files and no way to backroll to the previous flash player because of lib or other problems, with the Ubuntu update not supplying the update anyway. So I do it myself:

    http://www.adobe.com/ (click on flash player under downloads)
    http://securemecca.com/public/UbuntuFlashInstall-11.txt

Now I can backroll if needed. Sysadmins for even small Linux shops will set up a symlink on each machine in the plugins to point to yet another symlink on a UFS mount. They then just remove and re-establish the symlink on the NFS mount to point to the new flash player. If they run into problems they just point the symlink on the UFS mount back to the old binary. That beats the convoluted mess I saw employed by Ubuntu where they even had links going through /etc for flash player. Ubuntu doesn't want to handle the flash player anyway since it is licensed by Adobe. In the case of enigmail, it is an add-on and like Firefox the enigmail is just an XPI install file.
Just like the XPI installs got Adblock Plus (ABP), Cookie-Safe, and other Firefox add-ons which are installed into ~/.mozilla/firefox, by Firefox, the enigmail XPI install add-on gets installed into ~/.thunderbird by Thunderbird. That is the proper way to do it. That is how I did it with OpenSuSE 11.4 which is an RPM based Linux. This time around I just closed Thunderbird on OpenSuSE, removed all the files in ~/.thunderbird/${HASH}.default/Cache, then made a backup:

    $ cd ; umask 077 ; rm /home/backups/${USERNAME}/thunderbird.7z
    $ 7za a -p /home/backups/${USERNAME}/thunderbird.7z ./.thunderbird
    (this zips it with an AES-128 encryption - supply password)

I installed Thunderbird on Ubuntu 10.04 (the end of the line) via Synaptic Package Manager. I then copied the thunderbird.7z file onto a flash drive and from it onto the Ubuntu machine which had an older version of Thunderbird. I then unzipped it into the ${HOME} folder. When Thunderbird started it automatically checks and in that case backrolled to the previous version of enigmail because of an older version of thunderbird. Two days later Ubuntu upgraded Thunderbird with me closing the Thunderbird program first via the File - Quit method. If you click on the X
Re: certificat for a key pair
On 05/29/2013 06:12 AM, edgard devaux wrote:

hello using Gnupg with linux debian 7.0 and gnome; i created a key pair. my e-mail client asks me a certificate for personal to sign, and another certificate for the key. How can i get this certificate for keyring, i don't find where. excuse my English (i'm Frenchman). thanks edgard

Thunderbird: http://wiki.debian.org/EmailClients

If you are using Thunderbird, do NOT install enigmail with an apt-get with a sudo! Also do not set up one common folder but have separate email sections for each POP or IMAP email account. Another way to add enigmail to Thunderbird:

    https://addons.mozilla.org/fr/thunderbird/addon/enigmail/

Add it as yourself, not as root. The apt-get way of doing things here may not work. You end up installing it in the system thunderbird (/usr/lib/thunderbird) folder. You want enigmail installed in your ~/.thunderbird folder.

Once enigmail is installed, you can specify specifically what key you want used with each email account by clicking on the email account and then view settings then OpenPGP.

Evolution:

If you are using Evolution, GnuPG support is built in. Just make sure it is set to use your GPG key and the GPG key has your edgard-dev...@gmx.fr or other POP email accounts set up. You cannot use GnuPG with web-mail easily any more. I have no experience with Icedove but it should be similar to Thunderbird.

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] Why are you using the GPG / PGP keys?
On 05/28/2013 04:17 PM, Forlasanto wrote:

The fact remains that email is the house that Jack built. The wall plugs are upside down, the wiring is sketchy at best, the plumbing is crazy and doesn't function correctly, the house is half wood and half brick, and /Jack forgot to put locks on the doors./ The fact that younger generations don't see email as a viable system is telling. It's an opportunity for something /better/ to take email's place. Hopefully something with built-in encryption, rather than encryption tacked on as an afterthought. Just my two cents.

It is a pretty good two cents but you don't understand where the encryption is needed most. What needs to happen is that the aging SMTP protocol needs to be replaced by an SSMTP (Secure Simple Mail Transfer Protocol):

    http://securemecca.blogspot.com/2012/09/vote-against-spam.html

See Mail Delivery Fix. I have had a sysadmin for a Mathematics department that I respect both professionally and personally that didn't think too much of it because of all the shady SSL certs for web-sites. Yes, the shady SSL certs are there but I expect people to use some common sense. It would help if something like a browser would allow you temporarily to over-ride the warning. But what do Firefox and other browsers want to do? They want to PERMANENTLY store the exception. The over-ride should have that box unchecked. You should only check it when you are sure the warning is in error. We could end up with a list of shady email certificates that the spam houses could block as well. But that is better than nothing at all.
Here is an email header for you to look at:

    http://securemecca.com/public/PeskySpammer/WackoBot.txt

(the Originating IP is where the email message really came from, not 000123gw[GNAT]att.net - and it is a machine that is in A-YAHOO-US9 that sent the message showing how deep the problem is - yes, an infected windows machine at Yahoo sent the message)

PeskySpammer saw me using the term hash-user in my blog so they sold that email address to other spammers. PeskySpammer is either completely in the Newark, NJ area or at least have a presence there. Not all of these spammers are in Russia or China. PeskySpammer does more than just spam too. They need a constant crop of infected Windows machines to mail from. They email out dastardly links pretending to be somebody else (but Thunderbird which is no longer available in Gnome 3 on OpenSuSE 12.3 that I could see) does make the hidden links visible:

    http://securemecca.com/public/PeskySpammer/Pictures/

But not only young people today, but a lot of people that used to use email no longer use it. Unless a way to get rid of the spam can be devised only a few stalwarts that MUST use email will use it. But I dumped Gnome 3 entirely after looking at OpenSuSE 12.3 with Gnome as the last straw because I could only use Firefox and LibreOffice. This smart-phone GUI on a desktop shows that thinking is in short supply. But they just approved the iPhone and iPad for military use now. The world is changing but most of the changes aren't good. The spammers and spear-phishers (mostly Chinese) have killed email. It is not so much that people have moved on but we need opt-in policies and a thorough overhaul to make email work again and nobody wants to do it.
Re: Relevance of e-mail (was [OT] Why are you using the GPG / PGP keys?)
On 05/28/2013 04:32 PM, Peter Lebbing wrote:

Personally, I /am/ interested in why people use their keys (the original question), and not in the relevance of e-mail.

I use OpenPGP to sign my downloads for others. Everybody using my stuff are either French, Belgian, or Canadian French. The Linux people DO use the detached signature files to verify that some hacker didn't sneak in and whack things. Don't laugh. The hackers HAVE hit my web-site and despite the fact I don't use SQL it doesn't mean that SQL isn't on the multi-homed web-server. The hackers did do damage to some of my pages and will probably continue to do so. The hackers are interested in replacing the downloads with some copycat that would say, block legitimate web-sites and allow infecting web-sites through. The web-site damage I am referring to is NOT done by just some infected PC sending SQL attack packets to web-sites at random. These attacks are done on purpose by a person / people. So OpenPGP detached signatures DO help. Why replace my downloads with false downloads if the verification fails? I will know immediately if my .profile or .bashrc files or other relevant files have been tampered with.

It would be nice for other blockers to use OpenPGP enciphered email messages where we discuss bad web-sites since an email scanner WILL block the message. Encrypting attachments with 7-Zip's AES-128 is messy and time consuming. IOW, I have a need for both OpenPGP enciphered email AND OpenPGP signed email messages because hackers have attacked me and will continue to attack. Hackers have sent messages purportedly from these other people. But I know their sending IP addresses and do check these suspicious messages. But that is time consuming so an OpenPGP signed message would go a long way to ease my mind. I got the very same malicious link in an email message that took down Google several years ago.
The only difference is that I use Thunderbird with no HTML rendering for my main email despite having four web-mail accounts. The spear attack looked amateurish to me. But if Google and others would have used OpenPGP signed messages regularly, until the keys are stolen and the pass-phrase sniffed, OpenPGP signed mails CAN enhance security.

Whether people recognize it or not, many of the Linux distros use OpenPGP signatures in *.deb, *.rpm and other update files to verify that they really did come from where they are purportedly from. More than once on a Linux distro update I get a message that says This update cannot be verified. Do you want it? NO! I will wait for the update package that can be verified. What is doing the verification? OpenPGP for every Linux distro I have used for years.

HHH
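The download check this message describes, as an added example that is not part of the original post: it accepts a file only when its detached signature verifies and the signature comes from one pinned key, by reading the machine-readable lines gpg writes with --status-fd. The fingerprint, the sample status lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a download only if its detached signature verifies
# AND was made by one pinned key, not merely by some key on the keyring.

# Constructed placeholder; replace with the signer's full 40-hex fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status PINNED
# Reads `gpg --status-fd` output on stdin. Succeeds only when a VALIDSIG line
# names the pinned primary key and no bad/expired/revoked status appears.
check_status() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing (sub)key fingerprint; $12, when present,
            # is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) { ok = 1 } else { other = 1 }
        }
        END { if (ok && !bad && !other) exit 0; exit 1 }
    '
}

# verify_download FILE SIG
# Usage: verify_download tool.tar.gz tool.tar.gz.sig && echo "safe to unpack"
# The pinned key must already be imported into the caller's keyring.
verify_download() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# classify STATUS_TEXT: prints "accept" or "reject" for captured status text.
classify() {
    if printf '%s\n' "$1" | check_status "$PINNED_FPR"; then
        echo accept
    else
        echo reject
    fi
}

# Constructed status output in the format gpg writes with --status-fd.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-05-28 1369699200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# A valid signature, but made by a different key that is also on the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-05-28 1369699200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# The file content does not match the signature.
SAMPLE_TAMPERED='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>'
```

Checking only gpg's exit code would accept the second sample, because any key on the keyring can produce a good signature; comparing the VALIDSIG fingerprint against a pinned value is what ties the file to one signer.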
Re: --textmode not retaining the originating EOR
On 05/24/2013 04:49 PM, irak wrote:

I don't understand your answer. The original encrypted (.pgp) is provided by a client that transmits the file to me using a binary transmission. On my Linux server when I previously deciphered the file, it resulted in a file with CRLF as the EOR. When I use gpg, the result is LF as EOR. Is there any control over the gpg decipher process that says don't default to the local EOR but use what was stored in the file?

NO. At least I could not find it in the man pages. My memory is hazy on this (going back over six years) but it seems like PGP had an over-ride. If it did, then it violated the RFC. Werner is correct. Do not use --textmode if you want the original mode for text files preserved. The default is --no-textmode implying that is what should be used if you want to preserve the EOR of the original files.
Re: [OT] Why are you using the GPG / PGP keys?
On 05/24/2013 09:09 PM, Zece Anonimescu wrote:

Robert J. Hansen wrote:

SNIP

This is something I wrote for PGP-Basics a few weeks ago. It's bleak and depressing, but I believe it's an accurate picture of where things currently stand:

snip

It looks spot on to me. I cannot get anybody to use OpenPGP because most don't use email any more and the few that will still communicate with me via email say they don't need OpenPGP. I have only one person that will communicate with me regularly via email any more and he won't use OpenPGP. He won't purchase PGP and he stubbornly resists shifting away from Outlook as his POP email program that he uses.

Besides, email is not dying. It's plain stupid to support such idea. Sorry for the bluntness. Back in 1992 a handful of people were using emails. For serious business they went on Usenet. Today every two bit service needs an email to authenticate, to change passwords, to send newsletters, to confirm shipments, invoices, you name it. The traffic is higher. The users are 1.000 fold. I don't know the size difference. I'm pulling numbers from a bag. In 1992 it was a way of scamming the postal service out of their cents for a stamp. Today all the internal papers in companies of all sizes are sent by mail. Blackberry? That's email too! Have you got my fax? That's email too!

First, I have been using email and real Unix since the 1970s. I didn't use email to avoid paying postage. Mostly I was mailing Prolog or other programs to others or them to me before 1995.

Second, a fax is not email either from either a transmission or a legal standpoint. Instead of being conducted down the digital Internet TCP/IP highway, faxes are tunneled through telephony equipment, digital or analog. It is not legal to use even an OpenPGP signature on an email as legal tender in a court of law. But your hand written signature on a document that is faxed is legal tender in the United States and many other countries.
Third, do a search for PeskySpammer in either DuckDuckGo.com or Google. Initially I was getting as much as a thousand messages per day before the bounces subsided as more and more mail admins finally keyed in on my advice on my blog. Now I get almost no bounces at all from mail servers. Most mail systems drop the spam messages sent directly from a hacked Windows PC machine that pretend to come from some place else like a hot potato now. But PeskySpammer's bots got the fake FROM email addresses accidentally added to their TO lists. I am still getting as many as 100 messages per day because I get all of the messages for users at the securemecca[gnot]com domain. Others that have their email set up the same way (they are mail admin for the domain but have no control over the mail server) will be getting the same thing.

There is so much spam that almost nobody will answer me any more. One of the reasons is that they start a new email address to fight the spam and don't bother to close down their old email address. But most people have made a permanent shift to Facebook or other social web sites so that if I really need to contact them, I send them a snail-mail message. Many times even that is ignored since they monitor their Facebook or other social service account messages and that is all. This doesn't bode well because I neither want nor need a Facebook account or an account with the myriad of other social services. I suspect most people just select and delete all email messages in their active email account every few weeks or months.

This does not bode well for the usage of GnuPG. I cannot get anybody I know to use OpenPGP. Even most of the people at SANS and other people don't use OpenPGP encryption any more. Maybe we need a legal threat that says OpenPGP encryption is going to be taken away from us to get people to use it. They will use TLS, SSL or other encryption that is built-in but don't even seem to take that seriously any more.
I don't know what is happening but I imagine a sociological or psychological dissertation is in the offing because of people's behavior. It really is that bizarre now. Nibiru - I don't know how many people believe it but it numbers in the millions.
Re: Generating/Exporting under another user-account(Log on as a batch job rights)
On 05/21/2013 05:06 PM, Werner Koch wrote:

On Tue, 21 May 2013 18:28, hhhob...@securemecca.net said:

5. At the end of the PATH you add: ;C:\Program Files\GNU\GnuPG\ (if it already has a ; at the end you only need one semi-colon)

You should not add this but

    ;C:\Program Files\GNU\GnuPG\pub

I stand corrected. This means NOTHING needs to be added to the PATH if pub is in the PATH AND if you just use gpg.exe. You have both gpg.exe and gpg2.exe in the pub folder. One of the commands given to gpg2.exe attempted to open Kleopatra. If you want Kleopatra, use the GUI tools. You are bound to have a collision with some of those DLL files in the GnuPG folder sooner or later. Yes, I looked at ALL of the DLL file names.

But you don't run the gpg.exe command from the Start - Run of Windows XP. You run it from a command window (cmd.exe) that is ever present until you close the command window. You can put a pause in a BAT file and that WILL stop a temporary cmd.exe that was messaged from a double click on a BAT file from closing. In my UnixUtil scripts an echo of a message and then a read does the same thing. It hangs until you press the Enter key. But once you tap Enter, the temporary command window closes and disappears.

But you can NOT run a command from the Start - Run of Windows XP / 2003 Server without the windows immediately closing once the program or BAT file is finished. I thought this was common knowledge for Windows users. I must be wrong because they took that run feature out of Windows 7. On Windows 7 you have no option but to start a stationary cmd.exe and once that is done this problem goes away. Just remember to use gpg.exe in the command window instead of gpg2.exe if you run into problems.
Re: Total Newbie Can't Unpack Tar Ball on AIX
On 05/20/2013 08:57 PM, Bettina Huber wrote:

Been told I now have to use this to develop keys and sign a file that gets ftp'd to the bank. We do not need to encrypt the file. Have read some of the documentation, but understand very little of it - I can do basic commands, but nothing fancy, and have simply not heard of most of the terminology thrown around there. I figured I'd do it one step at a time and eventually get it. I downloaded 2.0 and it is now in my /usr/local/bin directory. The directory location was a total guess - can't find any documentation saying where it should go. We run AIX 6.1.

This is probably just the source code and if it is then it should be put into the /usr/local/src folder.

File name is: gnupg-2.0.20.tar.bz2
Command used to unpack: tar xvjf gnupg-2.0.20.tar.bz2

YOU HAVE YOUR WORK CUT OUT FOR YOU! I think you are also going to need a RNG (Random Number Generator) on AIX. You may want to sign it on some other system other than AIX? I am suggesting this is the EASY way to do it. It is the way I would do it and I am a very good sysadmin.

Usually, I use a - in front of the options but unless AIX has provided support for bzip2 you don't have it. The 'x' stands for extract, the 'v' means verbose, the 'j' means bzip2, and the 'f' means the file is specified next. If you have man pages set up a man tar will give you all of the options. To find if you have bzip2, in a terminal type:

    which bzip2
    which bunzip2

If you get nothing back then bzip2 isn't on your system. perzl.org has provided lots of things, but no updates to gnupg since 2.0.13. But that does handle your needs and is available in binary form. Just remember you may still have to set up a RNG (Random Number Generator).
    http://www.perzl.org/aix/index.php?n=Updates.Updates-2009
    http://www.perzl.org/aix/index.php?n=Main.Gnupg2
    http://www.perzl.org/aix/index.php?n=Main.Gcc
    http://www.perzl.org/aix/index.php?n=Main.Bzip2

I would advise installing bzip2 but even after it is installed your tar may not support an integrated bzip2 (the 'j' flag). In that case the above file could still be extracted with:

    bzip2 -dc gnupg-2.0.20.tar.bz2 | tar -xvf -
    # or if you don't need a list:
    bzip2 -dc gnupg-2.0.20.tar.bz2 | tar -xf -

bullfreeware has some things for AIX 5.1:

    http://www.bullfreeware.com/index2.php?page=lppaix51

I would go with the bzip2 binary or just zip the folder with the files using zip or what they can handle. Then I would transfer the zipped file to a Linux or protected Windows system and sign the files there. Believe me, it would be far easier to set up your OpenPGP keys with GnuPG on either Linux or Windows and do it that way. Even if you do it from AIX later, you can still export your keys from Windows or Linux and import them on AIX. But setting up GnuPG even from binaries is NOT trivial on AIX. Once you have it set up though, it is just as easy to use GnuPG on AIX as it is on Windows or Linux.

If you still want to create it from source

Here are the tools you will need at a minimum for making gnupg from source for AIX:

    gcc automake autoconf m4 gettext

If you are a real good sysadmin and still want to go this way, contact me and I will help as much as I can but remember that I don't have an AIX system in front of me. Also, many production AIX systems are not supposed to have gcc on them because that may violate either company or country regulations like Sarbanes-Oxley or HIPAA. I will also take it out of group since it is non-gnupg. Since AIX probably does not have a RNG you will need to set that up too. I think it would actually be easier to generate your keys on Windows or Linux and transfer them to AIX if you MUST sign the file(s) on AIX.
You are biting off a lot of work to put GnuPG on AIX anyway and doing it from source is difficult. But if you still want to create it from source, contact me personally since most of this is AIX specific and only incidentally related to GnuPG.

Are you sure the files must be signed on AIX? Putting GnuPG on AIX is not trivial, especially if the binary package doesn't provide some way to set up a RNG. OTOH, if the binary install also sets up the RNG ... go right ahead.

hhhobbit
Re: Generating/Exporting under another user-account(Log on as a batch job rights)
On 05/21/2013 08:48 AM, Lema KB wrote:

thanks for your replies i do have gnupg4win-2.1.0.exe. i wanted just to open this Kleopatra.exe under another user (on cmd using runas command) to see the list of keys. but it says it's missing libkleo.dll file. but it opens from start-menu. where i find this file, or what does it mean? thanks in advance

They are in:

    %ProgramFiles%\GNU\GnuPG\

That is usually (if %SystemDrive% is C:):

    C:\Program Files\GNU\GnuPG\

If you need them in the cmd.exe then just add the REAL folder (don't use %ProgramFiles%) to your PATH. To do that on Windows 7:

1. Right click on My Computer on desktop and click Properties
2. In the System Properties Windows click on the Advanced tab
3. In the Advanced section click the Environment Variables button
4. Select the PATH (may be Path) variable then click Edit
5. At the end of the PATH you add: ;C:\Program Files\GNU\GnuPG\ (if it already has a ; at the end you only need one semi-colon)
6. Save the change and then OK your way back out.

You will probably have to logout and then log back in. libkleo.dll, kleopatra.exe, gpg2.exe and all the other files associated with 2.0 are in this folder. There may be others but if they are they will be in C:\Windows\system32 which is already in the PATH. I don't have gpg 1.x on Windows. If I remember correctly gpg 1.x is also in the same folder. If so then just typing gpg on the command line will also work if you have the GnuPG version one. IOW:

    C:\> gpg.exe --list-keys

should list your keys. If you have gpg2.exe in your PATH, it should now pop-up Kleopatra to show the keys once this folder is added to your PATH environment variable:

    C:\> gpg2.exe --list-keys

You can always use Windows Explorer or My Computer and ask it to find gpg.exe or gpg2.exe. If it finds only one then that is what you have. Since you specified gnupg4win-2.1.0.exe there will be no gpg.exe, just a gpg2.exe. I leave it as an exercise to you in how to turn off that dumb hide files misfeature.
While you're at it, you may as well set it to show the entire file name.

hhhobbit
Windows 101 GPG4WIN
All:

I assume anybody who has used Windows for a modicum of time knows the following:

0. I take an extremely dim view of not setting your Windows system up to show the ENTIRE file name, including the extension. I have thousands of malware ending in .pdf.exe. But it is appropriate for another reason which you will see shortly.

1. Using runas on Windows XP is only useful for starting programs that will stay around. Example, use this to start the cmd.exe window to type gpg2 in (GPG does NOT usually need elevated UAC privileges):

    cmd.exe

OTOH, if you mean runas in terms of the UAC, Windows 7 doesn't even have a run command input box. runas in that context means you are right clicking on the executable and perhaps giving the command higher privileges via the UAC. Actually that is more of a problem with Vista than Windows 7. Windows 7 usually just prompts you if you want to say, install Firefox in the %ProgramFiles% area.

2. Alternatively, cmd.exe can be started via Start, (All) Programs, Accessories, cmd (I think that is the name). This brings up a cmd.exe window which will hang around until you close it. THIS IS WHAT YOU SHOULD BE TYPING gpg2.exe and other commands in.

3. When you say batch and Windows to me, I filter out the --batch meaning of GnuPG. I assume you are talking about a BAT file. (make this point explicit). Here is an example:

    http://securemecca.com/public/GnuPG/testsig.txt

I leave it as an exercise to download this file (and hopefully you have set your browser to download it to the desktop). Change the name of the file to testsig.bat. Now you know why I advised that you show the entire file name. The added security when you notice the .pdf.exe on the end of a file is just a bonus. But there are times you need to see the entire file name not to get all fouled up. This is one of those times. Right click on the testsig.bat file and from the GPG4Win menu make a detached signature file of the testsig.bat file.
The detached signature file will be named testsig.bat.sig. Add this to your PATH (and then logout and back in):

    ;C:\Program Files\GNU\GnuPG

Double click on the testsig.bat file on XP (you may need to do a runas on Windows Vista (horrors) or Windows 7 (better)). The pause in a BAT file prevents the cmd window that has just popped up from disappearing until you tap the enter key. But you could also have typed the gpg2.exe command in a cmd.exe window.

4. With GPG4Win 2.x I have never needed anything but the GUI tools. Given how brain damaged cmd.exe is compared to something like bash or ksh I much prefer doing it the Windows GUI way but it is your choice.

5. If you are talking about this with a second user and automating the verify with a batch (*.BAT) file they need their own separate key-pair. Then they need to import your key onto their key-ring to verify. Example using my public key:

    http://securemecca.com/public/GnuPG/testsig.txt
    http://securemecca.com/public/GnuPG/testsig.txt.sig

You would need my C83946F0 key on the key-servers added to your key-ring and given some sort of trust (suggest only local trust), preferably in Kleopatra.

hhhobbit
--
Gnome 3, Ubuntu Unity, Windows 8 - poor iPhone GUI on Desktop
Thinking has been suspended indefinitely
Anybody caught thinking will be immediately shot!
Re: Generating/Exporting under another user-account(Log on as a batch job rights)
On 05/17/2013 12:57 PM, Lema KB wrote: hi all I have to generate a key-pair using another user-account (which is given right in local security settings to log on as a batch job) and export its public key. i did generate on windows cmd, but after i taped the passphrase, cmd window just disappeared. and if i type to list keys, a window appears and closes immediately, so fast that i can't read what it writes. What would you suggest, how can i see what it did and which keys it has under this another user? Any of your help is appreciated, thanks in advance. kiblema

Which version of GnuPG are you using? If you are using 2.0.x just firing up Kleopatra shows all the keys on your key ring. If you are saying you are using a BAT file with GnuPG 1.4.x, the cmd window only stays open while the BAT file is being interpreted. If you put this on the next to last code line (I use setlocal at the start and endlocal):

REM I usually put a remark before it but pause prints own message
pause

That will help you see the output of your various commands. But it will NOT help you if you want to see the keys or work with them from the command line. To do that, first make sure you add the folder where gpg.exe or gpg2.exe is at to your %PATH%. You may need to logout and then log back in to get the GnuPG folder added to the %PATH%. Then go to Start, (All) Programs, Accessories, and select cmd (or what ever it is named for you). In the command window which now stays up (this is now assuming you are using 1.4.x):

C:\> gpg --list-keys

That will let you know if the keys are there. BTW, you are STRONGLY encouraged to add the GnuPG home to your path. It is usually %ProgramFiles%\GNU\GnuPG (but you MUST fill out where %ProgramFiles% really is in the %PATH%) for GnuPG 2.x. GnuPG 1.4.x may be in a different folder than GnuPG. My machine that has both installed is turned off right now (heat wave). Did that help?
HHH
Re: GnuPG 1.4.13
On 05/14/2013 04:39 PM, Laurent Jumet wrote: Hello Henry ! Henry Hertz Hobbit hhhob...@securemecca.net wrote: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe Thanks very much - duly installed. I'm using this for my own, you may find it useful too: http://www.pointdechat.net/MyMan_GnuPG-1413.pdf Downloaded but will the second one stay there? I'm not sure I understand what you mean. Second one is my own help I'm using, no more, based on the help in the package.

Things are having a way of disappearing faster than they come now. At least they are for me. I am just asking if you will remove it from that location in the future. I guess it is okay if we have another GnuPG version and you replace it with another file. But many times people won't upgrade for what ever reason (here, language issues for Chinese prevents going to GnuPG 2.x on Windows). Let me illustrate the concern a little more clearly. Things have a way of disappearing right out from underneath people, especially if you picked Gnome 1 2 (and KDE has language problems for Arabic and Perso-Arabic) on Linux:

http://www.securemecca.com/public/DemingLinux/

OS: OpenSuse 11.4 (the last of Gnome 2 there)
Video: ASUS GeForce GTX-650 (replaced GeForce 220)
Reason: Can no longer use GoogleEarth
Problem: Instructions from OpenSuSE point to their special OS folder. But every time they update the kernel KMS comes back with a Vengeance and my resolution drops back down to 640x480 with NO way to increase it unless you change the kernel to get rid of KMS.

Ergo, I have to alter the kernel to get my video resolution back up to 1920x1080 @ 60 Hz, I run 1680x1050 for both Ubuntu and Windows 7. I also had to install the appropriate nVidia driver myself. In fact I had to do the entire thing myself and one of the instructions provided was WRONG. I first tried to do this the OpenSuSE way. But when I pointed to the proper folder for YUM updates, as usual, they were GONE! I imagine it disappeared the day OpenSuSE 12.1 came out. They are up to 12.3 now. Why fix what isn't broken? But in this case they broke what was fixed. I will finally have to update to OpenSuse 12.4 IF they have KDE. Gnome 3 is nothing more than an iPhone GUI dropped onto the desktop. You don't even have an xterm which was finally provided with Unity for Ubuntu 12.04.

In addition to having to remove nouveau, this is just one example that somebody thinks I have time to do 4+ OS updates per year with every Linux distro and that I use nothing but Firefox and Libre Office. That is way too much change but in this case Gnome may as well close the door. Only LibreOffice and Firefox are provided with Gnome 3 with every distro I installed or tried to install this spring, I have finally given up completely on Fedora. I haven't been able to install Fedora for years because it doesn't have my current ASUS monitor or the previous ViewSonic monitor in its X-Windows DB. But with Gnome 3 you can't even use GnuPG any more. Where is Thunderbird and the xterm to use it in? I couldn't find them. Like my friend who wrestled with Windows 8 for two days I finally gave up and went back to the very same OS I had, but swapped the machines they were on.

Here comes another Ubuntu 10.04 update of the kernel and I may have to reinstall the Nvidia drivers there again (you must do it with OpenSuSE but I am counting on NO OS upgrades for the 11.4 version any more). On that machine I went from on motherboard Nvidia to a GEForce GT-640, again because GoogleEarth would no longer run. At least I can still use GnuPG because I can have an xterm which most of these modern GUIs with every Linux distro no longer provide. I can also run Thunderbird.

Windows 8 also has the iPhone GUI mentality as well and even worse, forces you to use their email type setup which has extremely bad security problems. By that I mean your private becomes public and they expect ALL of your banking and financial stuff to go through them. I guess Microsoft fired all of their top-notch security people. I still consider Drop My Rights for XP in many ways better than the UAC for Windows 7. So stick to Windows 7 or Windows XP if you want to use GnuPG encryption on Microsoft Windows. You cannot use GnuPG or hardly anything else other than Internet Explorer and Microsoft Office on Windows 8. My friend couldn't find a way to do it.

The reason everybody is getting this is because it DOES have repercussions on GnuPG. You won't be able to use GnuPG encryption any more until all these people provide a desktop or laptop OS where you can use GnuPG again! I don't want an OS where I cannot use GnuPG!

HHH
Re: GnuPG 1.4.13
On 05/14/2013 09:24 AM, Laurent Jumet wrote: Hello Bob ! Bob Henson old...@oldbob.co.uk wrote: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.13.exe Thanks very much - duly installed. I'm using this for my own, you may find it useful too: http://www.pointdechat.net/MyMan_GnuPG-1413.pdf Downloaded but will the second one stay there? Thanks
Re: How can I extract the --embedded-filename for scripting?
On 05/09/2013 08:30 AM, Peter Lebbing wrote: On 08/05/13 21:01, Werner Koch wrote: That is not crude but a standard Unix pattern. I considered putting the status-fd stuff into a file, then reading the file and finally deleting it a much cruder method than connecting the parsing logic to fd 3 directly. Peter.

Peter[gnat]digitalbrains[dot]com's way of doing it:

gpg --status-fd 3 --use-embedded-filename foo.gpg 3>foo.status

That is probably incompatible with Windows doing it. The original poster already has the cmd.exe (BAT) script for doing it finished already. The way I handle it on Windows is to output the results of either stdout () or stderr (2) to a file and then open that file with VBScript. Trapping the result in any Windows scripting language other than Power Shell (I am NOT very familiar with it) is problematical. That is why my advice is that the original file name should be preserved with an added .gpg for the encrypted file to make these things clear, e.g.:

Design-Files is a folder. It is zipped into either a 7-Zip or zip file with all the contents in the folder zipped with it (recursive - the default for 7-Zip):

Design-Files 7zips to Design-Files.7z
Design-Files zips to Design-Files.zip

When encrypting:

Design-Files.zip is encrypted to Design-Files.zip.gpg
Design-Files.7z is encrypted to Design-Files.7z.gpg
MasterFile.txt is encrypted to MasterFile.txt.gpg

That way the file name alone gives a clue as to whether further processing is necessary. I KNOW that VBScript can handle it this way. The only problem is to put an unzipper program some place in your %PATH% where there are no spaces or punctuation to that folder for the zip.exe or 7z.exe that you are using.

One more thing. Windows Explorer should be set to show the entire file name. That also prevents *.pdf.exe files appearing to be *.pdf files as well. Ditto for *.doc.exe and similar files. But it makes some of this explicit for OpenPGP enciphered files and I KNOW that VBScript can handle it when it is done this way.

'Nix way: I am pretty sure that a grep for '\.tar\.gz', '\.tgz', '\.tbz' and '\.7z' after deciphering and redirected to files and then opening and processing those files on 'nix can also be done to perform the additional processing automatically (use file with a grep for certain patterns as one last check). You are better off for the temporary files being put in either the current folder or ${HOME}/tmp if the perms on those folders are 700. Use of /tmp or even /var/tmp is unsafe unless you are the only person on the system. Even if you are the only person have the script remove the tmp files and unset the relevant VARS. I turn history off in most of my scripts at the start and then turn history back on at the end of the script if security is a consideration:

http://www.securemecca.com/public/GnuPG/

HHH
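The status-file approach discussed in this thread, as an added example that is not part of the original posts or of GnuPG: it reads the PLAINTEXT record from saved --status-fd output, reduces the sender-chosen embedded name to a bare file name before anything is written under it, and decides from the extension whether a second unpacking step is needed. The function names, the sample status text, and the policy of rejecting names that start with "." or "-" are assumptions made for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote_to_bytes

STATUS_PREFIX = "[GNUPG:] "
# Extensions the post names as needing a second processing step after decryption.
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tbz", ".7z", ".zip")

# Constructed sample of what `gpg --status-fd 3 ... 3>foo.status` leaves in foo.status.
SAMPLE_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1368000000 ..%2F..%2FDesign%20Files.7z
[GNUPG:] PLAINTEXT_LENGTH 1024
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""


def status_records(status_text):
    """Yield (keyword, args) for every line that carries the status prefix."""
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split(" ")
            yield fields[0], fields[1:]


def embedded_filename(status_text):
    """Return the decoded name from the PLAINTEXT record, or None if absent."""
    for keyword, args in status_records(status_text):
        # Record layout: PLAINTEXT <format> <timestamp> <filename>,
        # with the filename percent-escaped (so it contains no raw spaces).
        if keyword == "PLAINTEXT" and len(args) >= 3 and args[2]:
            return unquote_to_bytes(args[2]).decode("utf-8", errors="replace")
    return None


def safe_output_name(name):
    """Reduce a sender-chosen name to a bare file name, or raise ValueError."""
    base = re.split(r"[\\/]", name)[-1]          # drop Unix and Windows directories
    if (not base or base.startswith((".", "-"))
            or any(ord(ch) < 32 or ord(ch) == 127 for ch in base)):
        raise ValueError("unusable embedded filename: %r" % name)
    return base


def needs_unpacking(name):
    """True when the name says the plaintext is itself an archive."""
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def plan(status_text):
    """Return (safe_name, unpack_afterwards) once gpg has reported success."""
    keywords = {keyword for keyword, _ in status_records(status_text)}
    if "DECRYPTION_OKAY" not in keywords:
        raise RuntimeError("gpg did not report DECRYPTION_OKAY")
    raw = embedded_filename(status_text)
    if raw is None:
        raise RuntimeError("no embedded filename in the status output")
    name = safe_output_name(raw)
    return name, needs_unpacking(name)


def private_workdir(base=None):
    """Create a fresh mode-700 directory under ${HOME}/tmp instead of /tmp."""
    base = base or os.path.join(os.path.expanduser("~"), "tmp")
    os.makedirs(base, mode=0o700, exist_ok=True)
    if os.stat(base).st_mode & 0o077:
        raise PermissionError("%s is accessible to group or others" % base)
    return tempfile.mkdtemp(prefix="gpg-", dir=base)


if __name__ == "__main__":
    # Decrypt with --output to a name you pick inside the private directory,
    # then rename to the sanitised name this reports.
    print(plan(SAMPLE_STATUS))
```
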
Re: Suggest please
On 05/03/2013 08:45 AM, Lema KB wrote: SNIP

Werner is of course correct but since you need to do a send to userid_1, userid_2, and userid_3 you will need the public key for all three of the recipients. You need the public key for each person you want to send a public key enciphered (encrypted) file or message to.

Public / Private Key Enciphering
- encrypted with the other person's (or people's) public key(s). No pass-phrase is required.
- can only be decrypted by the person (or people) that has the private key(s) that is associated with public key(s) that the file or message was encrypted with. They also need to know the pass-phrase unless the pinentry program decides to supply their pass-phrase forever. Don't laugh too loud. It happened to me. I must provide my pass-phrase again now. Thank goodness!

Private / Public Key signatures (used for verification)
- the file or message is signed with your private key. You must use your pass-phrase when signing. This was most critical for the pinentry supplying the pass-phrase for me. You should be required to supply the pass-phrase for all signings with the only laxity being a one-time supply of pass-phrase for a batch of files.
- verified with your public key with them importing it and then giving it the proper (hopefully) level of trust when they edit and lsign / sign your public key. They have known you all your life? Then your key deserves the highest level of trust no matter what you do in life. The verification is that the person is really who they claim to be.

My primer reference book is PGP GPG, Email For The PRACTICAL Paranoid by Michael W. Lucas. I hope he gives another edition some time since GPG4Win has improved and simplified a lot of things for Windows users. Disclaimer: I do NOT get a cut of the profits from the sale of the book.

HHH
Re: Suggest please
First, a restriction on who can access folder restricted to just a group on 'nix should probably be:

drwxrwx--- (chmod 770 dir - all group members can write)
drwxr-x--- (chmod 750 dir - only owner can write)

http://www.securemecca.com/public/ChmodTable.txt

On OpenVMS you can and the military does just turn off the world permissions leaving only SOG (System, Owner, Group, originally it was SOGW). But OpenVMS has theirs done via a DACL. Windows has DACLs but really not for files / folders in the same way that OpenVMS / Unix / Linux do it. Unix / Linux file permission flags for the files is hard-wired (done deep within the bowels of the OS).

Symmetric ciphers via GnuPG:

You can use either a symmetric or public key cipher with GnuPG, but you really sort of need keys to even do symmetric ciphers via GnuPG or PGP from Symantec. This script is what I use if I want to make a file encrypted with a symmetric cipher via GnuPG:

http://www.securemecca.com/public/GnuPG (folder - I used decrypt for decrypting encrypted files)
http://www.securemecca.com/public/GnuPG/

Pros: Can't think of any other than it saves all that typing. It MAY help you understand it. Maybe it will confuse you.

Cons: Anybody who knows the password can decrypt it. Some times that is a positive. For top security it is a negative if the public key used to encipher a file is not yours (belongs to somebody else and you don't have the private keys).

Symmetric cipher with AES-128 using 7-Zip:

You don't need keys. Just supply the password and let the other people know what the password is. On Unix / Linux you just use this for a file:

$ 7za a -p filename.7z filename

and this for a directory (folder):

$ 7za a -p dirname.7z ./dirname

Pros: provides symmetric encryption without keys! Blissfully dumps the UID:GID so it comes out right when root unzips it (owned by root in group root) no matter who it belonged to on the other system, for 'nix. That is why I like it. Would love to have ClamAV source code in 7z format. It is great for sending lists of bad URLs / hosts to others since email scanner doesn't know what to do with it.

Cons: Same as for GPG symmetric but no choice of CIPHER (uses AES-128) which may be unsatisfactory for some uses. Must build it yourself for 'nix. Do NOT use 7-zip for backups of system stuff or you will have a chicken versus egg problem, encrypted or not.

(APOLOGIES TO GNUPG ADVOCATES)

Public / Private key implementation:

In reality there is a symmetric cipher hidden down in there. GnuPG pseudo-randomly (hopefully closer to randomly than to pseudo) creates a password for the symmetrically enciphered file and encrypts the password for the symmetric cipher using the other person's (people's) public key(s) with the ElGamal or similar public-key cipher. Each recipient gets their own copy (in the past the whole thing with Thunderbird plus Enigmail). But you do NOT encrypt the whole file with the public key. You use the public key to encipher only the password used to create the symmetric cipher.

The way public / private key is normally used:

On Windows, GPG4WIN supplies an Outlook look-alike called Claws Mail that just looks at the recipients when you select encrypt and magically encrypts a message that the entire list of users can decrypt as long as you have the public key for each of the recipients on your key-ring. The enigmail plugin for the mail client program called Thunderbird does much the same thing. SEE! Public key encryption doesn't have to be all that complicated!

Pros: When encrypted for JoeGoodGuy in Denver with the encryption being done in Syria (war-torn) nobody but JoeGoodGuy can decipher it. Be sure to wipe the original unenciphered file(s). Wikileaks Julian Assange knew this and encrypted all of those files with a symmetric cipher anyway so everybody could decrypt the zip of all those files some time in the future no matter how long the password was. But if the journalist had their own public / private key pair it could have been encrypted with the journalist's public key and then only the journalist could have decrypted it. Public key encryption is used successfully for this purpose by civil rights activists world-wide.

Cons: Initial confusion on how it works. Don't feel bad because even PhD engineers may need some time to finally understand how it works (which is why I recommended that book).

Don't be afraid of using OpenPGP public key encryption. It really is superior when you have two people that semi-trust each other. Spies take time to warm up to each other said one of
Re: Suggest please
On 05/03/2013 08:43 PM, Henry Hertz Hobbit wrote: SNIP First, I think public key encryption is apropos for what you are doing if privacy is a concern. The way you approached it without telling us you are on Windows until later on indicates privacy IS a consideration for you. Now that I know you are on Windows I am curious what you are using to automate - Visual Basic, BAT, Power Shell, or something else. I run into too many problems with their darn spaces no matter which of these three I use. It is best to just add where gpg2 and everything else lives to your PATH. Here is where it is for the latest version of GPG4Win (at least on Windows 7) %ProgramFiles%\GNU\GnuPG From my point of view object oriented scripting is strange. Scripts should be more verbal than noun oriented. If you need help in getting it going I will help but do NOT use what you would be sending to your cohorts. My public key is on the key-servers. For the long way Just go here: http://pgp.mit.edu/ Then enter my email address hhhobbit[gnat]securemecca.net Click on the top key, copy and paste it into a file and then import. Fast way is to just use PGP4Win's GUI to import the key directly from the key-servers. The first test is to send a publicly encrypted file. Then you do it for two users per Werner's statement and as you go along you will see what is appropriate for you.
HHH
Re: gpgee operation failed
On 04/29/2013 03:39 AM, 儒風管理部-潘右文 wrote: Hi there , Can someone help me with this error? I reinstalled the program , and encrypt the file again, still don’t work. I used to encrypt file without any issue. My program version is 1.1.4. Thanks. Has the key expired? I notice you have three files selected and am wondering why you haven't zipped them and then encrypted the zip but that is (or should not be) an issue. I will try it to see what happens.
Re: gpgee operation failed
On 04/29/2013 03:39 AM, 儒風管理部-潘右文 wrote: Hi there , Can someone help me with this error? I reinstalled the program , and encrypt the file again, still don’t work. I used to encrypt file without any issue. My program version is 1.1.4. Thanks.

Are you saying it used to encrypt but stopped encrypting before you installed the GPG4Win 1.14 again? Oops. I should not have spoken up so fast. I didn't have time to load GPG4Win, 7-Zip, Firefox, and a lot of other stuff for Windows. Even worse I haven't had time to tame Windows Explorer to show some folders, extensions, use lists, etc. I have that partially done now. 1.1.4 is pretty old and the new GPG4Win 2.10 has worked just fine for me on both Windows XP Home / Pro and now on Windows 7 Pro (remember, I just installed it, Firefox, and 7-Zip). Your picture shows that the validity of the key is unknown. Have you signed it? But the way you said things sounded like it was working that way (it should).

I just loaded GPG4Win 2.10 on Windows 7 Pro. I could not see where it put things so I generated dummy keys to find the location. I found them here:

C:\Users\YOUR_USER_NAME\AppData\Roaming\gnupg

I deleted the files (keeping random_seed) and then copied my files from Linux (w/o random_seed) into the folder. I have 32 bit LE throughout, although Linux is set up with PAE so I can exceed the 3 GB memory barrier. GPG4Win 2.10 uses the newer gpgex and Kleopatra. Encrypting the file was easy though. All I had to do was:

1. Right click on a Firefox.txt file in Windows Explorer
2. Select encrypt from GPG4Win menu
3. Select a proper recipient (I picked me)
4. Let it encrypt it.

I moved the encrypted file onto a flash drive and decrypted it on another Linux system. It decrypted fine with me supplying my pass-phrase. I tried an additional test of another recipient and it could NOT be decrypted which is to be expected. I don't have their private keys or know their pass-phrase.

I am trying to think of what could be going wrong. When you installed the program again did you still have your existing keys? You should. I have upgraded through several versions of GPG4Win with no problems. In fact I haven't had any problems at all on Windows. Encrypting on OpenSuse 11.4 via GPG (symmetric or public key) may be impossible. I now use 7-Zip with its bundled AES-128 for symmetric encryption on OpenSuse and to transfer files back and forth with another Linux system.

Unless it is a damaged key-ring (in which case, why could you see anything?) I see no reason why you can not just upgrade to GPG4WIN 2.10 and go from there:

http://www.gpg4win.org/

You have ALL the information including where you may need to move your keys if you have moved from Windows XP to Windows 7. Hopefully you don't have Vista. If you do I don't know where the files go if you have to move / copy them.

HHH
OpenSuse 11.4 - OOPS!
Correction. My signfile script makes detached signatures with no problems, the pcrypt script makes public encrypted files with no problems, and the decrypt script decrypts the publicly encrypted files with no problems on OpenSuse 11.4. Here is what gets printed in the xterm when I try to do a symmetric cipher:

gpg: problem with the agent: Bad CA certificate

But despite the message it DOES do a symmetric encryption. Here is where the scripts are:

http://www.securemecca.com/public/GnuPG/

And here all this time I thought the symmetric encryption was failing. I don't get an error on decryption.
Re: random_seed - no locks available
On 04/29/2013 02:43 PM, M Russell wrote: Hello, I hope someone might be able to lend me a hand. I am running into an error message that I resolve. I get a lock error when trying to encrypt or decrypt a file. I found other forums that suggest deleting the random_seed file and killing the rpm process, but I don't have a rpm process running. Renaming the file allowed the system to recreate the random_seed file, but the error persists. I have noticed the file size is 0 which would be appropriate since the file cannot be locked. An strace shows the error message, but it doesn't appear to point anything else out. A lsof doesn't show the file is open. I'm not sure where else to look. Has anyone seen this and have any suggestions? I'm running centos 6.2, gnupg 2.0.14, libgcrypt 1.4.5

can't lock `/home/mruss/.gnupg/random_seed': No locks available
note: random_seed file not updated

open(/home/mruss/.gnupg/random_seed, O_RDONLY) = 10
fcntl(10, F_SETLK, {type=F_RDLCK, whence=SEEK_SET, start=0, len=0}) = -1 ENOLCK (No locks available)
open(/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en_US/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/share/locale/en/LC_MESSAGES/libc.mo, O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, can't lock `/home/mruss/.gnupg/random_seed': No locks available\n, 68) = 68
close(10) = 0

Note that random_seed is opened RDONLY. The lock is just for reading and it is non-blocking. Why it should be there at all when you are really locking nothing (len=0) is a bit of a mystery. The length was probably set from a file stat.
There are basically three reasons for errno to be set to ENOLCK:

1. You are out of lock table space (most likely). Closing down everything and then rebooting is perhaps the best way to return sanity to the world.
2. You have too many segment lockdowns. What segments? Notice that the length is zero.
3. Something like an NFS system problem. That probably is not applicable.

If you want to test for the first this may or may not work since I am almost asleep and am REALLY rusty on my use of fcntl for file locking:

http://www.securemecca.com/public/GnuPG/TestLock/

Pick your own zip poisoning. If you get lucky and the program tells you that you have a locking problem then you are probably out of available file locks. In any case I don't know what work-around gnupg 2.0.14 has for this particular case or if it has one. It probably does have a work-around.

Do you still have the old random_seed file? If so, after rebooting I would put it back in place and make sure it has the proper permissions. The Read flags and eXecute flag on the directory are probably okay since you can open the file for reading. Just make sure the Write flags are also set. If one of the write permissions is turned off that could explain a zero length file.

$ cd
$ umask 0077
$ ls -al | grep gnupg
drwx------ 3 USER_NAME GROUP_NAME 4096 Apr 29 19:32 .gnupg
$ cd .gnupg
$ ls -l random_seed
-rw------- 1 USER_NAME GROUP_NAME 600 Apr 29 16:59 random_seed

My bet is your lock table space is filled up so closing down and rebooting with your old random_seed file set to the proper permissions will cure the problem. NAP TIME!
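A probe that repeats the failing call from the strace above (read-only open, then a non-blocking read lock over the whole file) and checks the two other things this reply raises, the filesystem type and the permission bits. It is an added example, not the TestLock program linked in the post; the function names and the mounts sample are constructed for it.

```python
import errno
import fcntl
import os
import stat

# Constructed sample in /proc/mounts format; on a live Linux system pass the
# contents of /proc/mounts instead.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,relatime 0 0
"""

LOCK_ERRORS = {
    errno.ENOLCK: "no locks available (lock table full, or the network "
                  "filesystem's lock service is not answering)",
    errno.EACCES: "another process holds a conflicting lock",
    errno.EAGAIN: "another process holds a conflicting lock",
}


def probe_read_lock(path):
    """Open O_RDONLY, then try F_SETLK with F_RDLCK, start=0, len=0."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        return ("open-failed", exc.errno)
    try:
        # LOCK_SH | LOCK_NB is issued as a non-blocking fcntl() read lock.
        fcntl.lockf(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return ("ok", 0)
    except OSError as exc:
        return ("lock-failed", exc.errno)
    finally:
        os.close(fd)


def explain(result):
    """Turn a probe_read_lock() result into a one-line diagnosis."""
    status, err = result
    if status == "ok":
        return "read lock granted"
    if status == "open-failed":
        return "cannot open file: " + os.strerror(err)
    return LOCK_ERRORS.get(err, os.strerror(err))


def fs_type_for(path, mounts_text):
    """Return the filesystem type of the longest mount point containing path."""
    path = os.path.normpath(path)
    best_mount, best_type = "", "unknown"
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mount, fstype = parts[1], parts[2]
        inside = path == mount or path.startswith(mount.rstrip("/") + "/")
        if inside and len(mount) > len(best_mount):
            best_mount, best_type = mount, fstype
    return best_type


def permission_problems(path):
    """List deviations from owner-only, owner-writable permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & 0o077:
        problems.append("group/other bits set")
    if not mode & 0o200:
        problems.append("owner cannot write")
    return problems


if __name__ == "__main__":
    seed = os.path.expanduser("~/.gnupg/random_seed")
    print(explain(probe_read_lock(seed)))
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as mounts:
            print("filesystem:", fs_type_for(os.path.realpath(seed), mounts.read()))
    if os.path.exists(seed):
        print("permissions:", permission_problems(seed) or "ok")
```
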
No passphrase required
Both of my Linux systems were recently involved in a test of about a dozen plus replacements for OpenSuse 11.4 and Ubuntu 10.04. After all the experimenting was over I ended up with the same operating systems but swapped with each having the OS that was on the other machine before the experimentation started. This means the last great gasp of using Gnome 2. I will have to switch to KDE or something else but not for at least another year. Gnome 3 is OUT as is Unity on Ubuntu! Everything went fine and the ~/.gnupg folders are the same except for the random_seed file. That worked before so why shouldn't it work now? Ubuntu 10.04 of course still uses gpg, and OpenSuse 11.4 uses gpg2.

Then I signed the updated cookie block list for the Firefox add-on named CookieSafe which I create on the OpenSuse system. Nothing was checked on the options so I assumed I was using the default of a pass-phrase requested each time I sign a file like it did before. Less than a week went past until I signed my PAC filter files. Lo and behold instead of being requested for the pass-phrase for each of the twelve files they got signed with no questions asked. IMHO, this is an inherently dangerous situation. But searches were yielding nothing that made sense. But I tried every one of them (with a backup to scramble back to) in the hopes that one of them would give me my pass-phrase request back. The one that made the least sense was adding a certain line to the ~/.xinitrc file. With OpenSuse using KMS since 11.3 I can tell you that you should NOT create a ~/.xinitrc file. Because I have another user for damage control and for the ClamAV's AV. I tried it anyway because at that point I was getting frantic about a way to have the pinentry ask for my pass-phrase again. Predictably, when I tried to login I just got logged back out and was given the login screen. I repeated the test two more times with the exact same results of me not being able to login. So I logged in as clamav and did:

1. started an xterm
2. su -l root
3. rm -f /home/ME/.xinitrc
4. In the xterm - control-D, control-D
5. Logged out as clamav.
6. logged in as me and put everything back the way it originally was.

But I still had the problem of not being asked for my pass-phrase. At the very same URL as where they said to put the line in the ~/.xinitrc file they had this line to do a test:

echo test | gpg -ase -r 0xMYKEYID | gpg

(replace MYKEYID with what ever your key is) I will ignore for the moment that you really have gpg2 on OpenSuse because gpg is just a symlink to gpg2. But the real line should be:

$ echo test | gpg2 -ase -r 0xMYKEYID | gpg2

It doesn't matter because both work. The first may NOT work if you don't have a symlink of gpg pointing to gpg2. You get a pinentry window! So I hastily set it to require a pass-phrase again. Like I said, contents of the ~/.gnupg folder on both systems are identical except for different random_seed files.

Will this work-around work for other versions of Linux that use gpg2 and a pinentry? I don't know. Is it a good idea to have it set for no pass-phrase required to sign a file with OpenPGP? I don't think so. It is NOT a good idea to do it without at least three warnings before it accepts the change and it being mandatory that you have to click / alter it to do it that way in the pinentry. Why did it do a no-phrase this time around and the first time it didn't do it that way? Again I don't know but the last time I upgraded from 11.2 to 11.4. This time I installed 11.4 fresh. That may have made the difference.

I am giving this in the hopes that if anybody else has a similar no pass-phrase required problem that it will help them. I really don't like the pinentry way because I still haven't figured out a work-around for encrypting files from an xterm with my scripts. Yes, I set both BASH ways of keeping the history to no history in the scripts:

http://www.securemecca.com/public/GnuPG/

The pass-phrase is now required for signing.
Au Revoir
Re: question on decryption with missing passcode
On 04/17/2013 09:05 PM, Beith, Linda wrote: Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg' Gpg: decrypt_message filed: file open error

Daniel Kahn Gillmor is correct on this being a file permissions problem or maybe an OS problem for a file of that large size. Like Daniel, I assume the first. I assume from what you said that it is encrypted with a symmetric cipher rather than a public key. You need to rule out something encrypted with public key in which case only you rather than you and the sender can decrypt which can be done with a symmetric cipher. The best thing would be to make sure you have the same thing:

$ sha1sum -b rwu.dbdump_Nov2012.sql.gz.gpg

sha1sum may not be good enough for security but it is good enough for file permission and corruption problems and should give you the same sum on both your system and their system. But the message looks more like a file permissions problem and in that case even something as simple as sha1sum will also fail with a message like Permission denied. If you get that do a:

$ ls -l rwu.dbdump_Nov2012.sql.gz.gpg

That gives the permissions on the file. Make sure you have read permissions (you are in the group specified for the file or read access is also given to Other).

HHH
Re: question on decryption with missing passcode
On 04/18/2013 12:28 AM, Daniel Kahn Gillmor wrote:
On 04/17/2013 06:25 PM, Daniel Kahn Gillmor wrote:
On 04/17/2013 05:05 PM, Beith, Linda wrote:

Gpg: can't open 'rwu.dbdump_Nov2012.sql.gz.gpg'
Gpg: decrypt_message filed: file open error

This message suggests that there is a problem in the filesystem,

on further reflection, this might also indicate that the file does not exist in the location (or with the name) that the operator is indicating. For example:

0 dkg@alice:~$ gpg --decrypt does.not.exist.gpg
gpg: can't open `does.not.exist.gpg'
gpg: decrypt_message failed: file open error
2 dkg@alice:~$

I think this is no longer a decryption issue. If all you want is something about encryption, TAP DELETE NOW! Encryption is not even discussed here! In that case, either sha1sum or file (why not do two things at once?) gives a more meaningful message:

$ sha1sum nonexistentfile
sha1sum: nonexistentfile: No such file or directory
$ sha1sum foo
sha1sum: foo: Permission denied
$ ls -l foo
-rw-r----- 1 root root 32 2013-04-18 00:08 foo

I just wrote Linda privately since it was no longer an encryption issue IMO. I hope the leading rwu. does not mean they are storing everything in one folder. No IBM main-frame person would do that and IBM main-frames have ISAM (Indexed Sequential Access Method). Almost a million files in one folder (yes I have seen it stupidly done not once but twice) is not a pretty sight, and if you have ext4, something like Reiser isn't going to save you. You still have O(N/2) on average to do anything with files in that folder (the dir file, not the inodes the various dir entries point to). I would give each client their own folder at minimum and maybe sub-folders. Things run much quicker that way all the way around. What was the clue that they are using a one folder method? They are removing the older files. It could be they are running out of storage space but we have terabyte disks now so it is more likely they are having a one folder for all slow down.

Disks are cheap. Make /client an NFS mount and squirrel away the old drives into storage to be replaced by new disks on the NFS mount. You could recycle the old disks after a while. Make the backups resilient to wait for 30 minutes on fail before trying again while the old disk is umounted and replaced with the new disk. And I would much rather have the mount device be a hard /dev/sd# rather than all the other id stuff too. Have client folder pre-made and ready to go before the new disk is mounted. I have done some of this stuff in my sleep - literally! A lot of DB people do it too.

As I read it, they are somehow able to cd into the folder - perm 711 / 751, (please not 755!), but once they get there the file has the proper permissions (640) and is hopefully owned by owner rwu and is in group rwu. I would set each user like rwu with a umask 027 in their shell start up and then assuming files were stored in something like (it works for me but maybe not for SQL DBs):

/client/RogerWilliamsUniversity/ - alternatively /client/rwu/

me$ su -l rwu
rwu$ cd /client/RogerWilliamsUniversity/${RESTOFPATH}
rwu$ sha1sum -b rwu.dbdump_Nov2012.sql.gz.gpg
rwu$ ls -l rwu.dbdump_Nov2012.sql.gz.gpg
# if success with sha1sum and ls:
rwu$ gpg -d rwu.dbdump_Nov2012.sql.gz.gpg | tar -xvf -
rwu$ file rwu.dbdump_Nov2012.sql
rwu$ ls -l rwu.dbdump_Nov2012.sql

Use of the v in tar optional. File not there?

rwu$ find /client/RogerWilliamsUniversity -type f -name \
     rwu.dbdump_Nov2012.sql.gz.gpg -print

There again by having their own folder I reduce the work find has to do by several orders of magnitude. I also reduce the work load in normal operations. I would prefer 2012_11 which means you could have folders and if necessary inside the year folder a MM folder (month in numerics). That is just one method to reduce the directory overloaded with too many files.

But all of the methods have the trait of using subfolders (as many directories as necessary) according to something that is naturally there in the data / file names. Like I said, use /client/rwu/ if that makes more sense and make the real world name (GECOS field) for user rwu to be Roger Williams University. I did ask her to respond on the solution. It may still be an encryption issue but I doubt it. Oops, I said something about encryption. Excusez mow.

HHH
Re: Backing up Private Keys
On 04/15/2013 09:07 PM, Robert J. Hansen wrote: On 4/15/2013 1:24 AM, Ashley Holman wrote: I also have a followup question. Is it acceptable practice to make a paper backup of your private key by exporting it in ascii armored mode and printing it onto some paper? (with a passphrase applied of course). Let me apologize in advance for being pedantic. I understand the question that I think you meant to ask, but that's not quite the same as the question you asked. :) Whether it is acceptable practice depends largely on your local security policy. I can imagine some installations would disallow this, on the grounds that backups are the sole responsibility of system administration staff. I have been a SysAdmin for years and if there is any way I could make it so that I could exclude .gnupg folders in the home area I may do that. OTOH, if hackers knew that and used somebody's .gnupg folder to stash bad stuff then I want a backup but the OpenPGP keys are really not my concern. Whether or not the system is hacked IS my concern. I have learned to hate sendmail, wonder why finger was invented, ... I could care less about your OpenPGP keys except for maybe restoring them in case you get them fouled up and have no backup of your own. I would advise against ANYTHING on paper except noted below. But since they are YOUR OpenPGP keys even if you use them for company business backing them up is YOUR responsibility, not mine past a simple file backup. Restoring all of those Engineering drawings and source code IS my concern as a SysAdmin even if you were stupid enough to type rm -fr without a second and third check before you did it. But as a sysadmin, I would frown on a paper copy of anything as being problematical and almost useless for a massive backup of entire systems. Paper is also an issue from a security standpoint as well. 
Well I guess Judge Hardcastle found the paper backups of his court cases handy when his side-kick sat there ready to destroy all the records on the computer. I think you people are making this too complicated. Here is what I do for the same keys everywhere on four different 32 bit LE operating systems. If you have mixed 32 / 64 and / or LE / BE, this will NOT work. You will be doing exporting and importing for mixed hardware architectures. Sorry.

1. I make a backup of the ~/.gnupg folder as given below in step 4 and put them in MY ~/tmp folder. Alternatively you can copy them to another folder. Your choice. But having a backup of what you have makes blowing away the mess you have and going back to what worked possible.

2. Do something about ~/.gnupg/random_seed if desired. There IS a security issue here. Maybe you want to back up, create dummy keys and export / import. Since I use only two systems for using the keys to create something ... now is the time to backup and go the export / import route.

3. Copy the files recursively from ~/.gnupg to /win/e/gnupg for the windows side of that machine. I always have a FAT32 E: partition for copying files. Those files and folders are copied in AS IS. I have never had problems. Mixed 32 / 64 or BE / LE? Start exporting and importing. It is the ONLY way you will get it done. Remember you need the trustdb unless you want to import and give trust levels again.

4. Zip up a copy using 7zip's AES128 with a sufficient password for a modicum of protection. Just remember that the keys are sitting on your machine with NO extra level of protection so either physical or network access to them poses a security risk that actually has one LESS hurdle in the way.

$ cd
$ umask 077 # my other stuff is at 022 - my login umask 077
$ 7za a -p gnupg.7z ./.gnupg

The only part that may be on paper are the passwords used to make the zips. If it is a backup I would store the Flash Drive it is on in a safe some place.
Your drawer with a gnupg written on the flash drive with a Sharpie pen is NOT a safety deposit box. You think I am kidding. The FBI stole the encryption code at one place I worked at. My encryption source code for my platform was encrypted and stored on media that had something like stuff written on them. I would also prefer servers that are named with Disney characters over names that tell what the machine is used for or where it is at as well. Good luck on that one as a SysAdmin. We MUST name it sdp2 because it is in the Silicon Deposit Process group and it is their second machine. Sigh. There is nothing like spelling it all out for a hacker. Make as many copies necessary for the machines / operating systems you have. There after you need only the relevant files that have been changed. I do the updates of importing keys, et al on only one machine that has gpg rather than gpg2. Some day in the future that will no longer be possible. At least my signfile script still works with gpg2 but none of the other scripts work with gpg2. Now you know why I use 7-Zip. I can make a backup with encryption.
Re: Using smartcard as RNG
On 04/14/2013 12:18 AM, Henry Hertz Hobbit wrote:
On 04/13/2013 11:04 AM, Pete Stephenson wrote:

SNIP
[1] http://www.entropykey.co.uk/
[3]
SNIP

I take it back. Farther down Aaron's page it DOES say it fills up /dev/random. So it IS compatible. I am doing way too many things at once and it is way past the time I should have started my long nap.

http://pthree.org/2012/10/05/the-entropy-key/

I can not find where it says whether it is USB 2.0 or USB 3.0 compatible. If it is USB 3.0 capable and he is using USB 2.0 that could explain Aaron's slower speeds than what they claim. The reason for the slow down on filling orders may be the same as for why it took so long for the first silicon transistors to be delivered from Fairchild Semiconductor to IBM in a Brillo box. There, some of the time they had nothing when the form was opened other than dirty sand. I am sure this is better than that. But the demand is probably far greater than the supply is, at least for now. What I need is something else and it isn't hardware.

HHH
Re: Using smartcard as RNG
On 04/13/2013 11:04 AM, Pete Stephenson wrote:

SNIP
[1] http://www.entropykey.co.uk/
[3]
SNIP

Are you sure you aren't advertising it? Using the URL you supplied, this one has been written about and the link you are looking for (well, at least one of them) is from its links:

http://www.entropykey.co.uk/comments/
http://lists.gnupg.org/pipermail/gnupg-users/2009-September/037301.html

David Shaw wrote:
The developers of the entropy key were clever and instead of making programs write new code to use the key, they made a program that reads the key and feeds the Linux entropy pool. Thus, anything that uses /dev/random (like gpg) benefits without code changes.

Or were you after the argument that despite their best efforts it isn't as random as hoped? David Shaw intimates along those lines with evil. I would say the self-similarity of Mandelbrot meaning order is coming out of chaos despite our best efforts to prevent it. I don't think the card is some sort of malevolent creature with a mind of its own.

You should be able to just plug it in and use it with Debian and Ubuntu after you install the packages for handling it. For other Linux distros they have the source code. So from a mechanical level (meaning no consideration of just how random it is) it works with very little effort. Can somebody point to code that can be used for testing how well it works?

I was going to give my code for making alpha-numeric hashes for athletic drug samples but it is totally unsuitable. The labs have been broken into many times so encountering an alpha-numeric hash rather than a name would foil sample tampering for physical break-ins in many cases. I was more concerned with hash collisions and just used srand() / rand(). WADA would probably just store the person -- hash pairings in a DB on their Windows machines unencrypted anyway.

HHH
Re: Using smartcard as RNG
On 04/14/2013 12:55 AM, Hauke Laging wrote:
Am So 14.04.2013, 00:18:09 schrieb Henry Hertz Hobbit:
On 04/13/2013 11:04 AM, Pete Stephenson wrote:

SNIP
[1] http://www.entropykey.co.uk/
[3]
SNIP

Are you sure you aren't advertising it?

Would that make sense? I tried to buy one months ago. Ordered it via their web page (and Google) and never heard of them. Not even when asking what's up.

I am sorry you are having problems getting it but I do NOT represent the company in any way. I knew nothing until the original question was posed. Aaron Toponce, Werner and others know MUCH more than I do. It is also time for them to speak up and for me to butt out. The original question doesn't make sense either given how easy it was for me to find the answer. Well it is easy for somebody like me who can find almost anything on the Internet and even see some of the problems with hashed JS scripts without even unsalting them. I also have one of the RealTek SHA1 certs that was used in Stuxnet. It passed muster until the keys were revoked. What I had was NOT Stuxnet. I got it from a middle school in Southern California. Think about that long and hard before specifying SHA1 as your first hash choice.

Maybe you are using the wrong search engine or typing something wrong or accepting their changes. I just gave entropykey as the search term to DuckDuckGo.com and came up with much better results than those purportedly bad hosts somebody had. Here is one of the links:

http://pthree.org/2012/10/05/the-entropy-key/

I have Aaron's key on my key-ring. Look up aaron(GNAT)rootcertified.com at MIT's key server and import his key to see his email addresses.

http://pgp.mit.edu/

I suggest using his gmail address. Anyway, Aaron said he has purchased five of them. They do say on the order form page that it is in high demand right now. Aaron will more likely represent Ubuntu rather than entropykey.co.uk. He posted it on 2012-10-05 if that helps you make sense on why you are having problems getting yours.

But Aaron says they are NOT mixing them into /dev/random but have their own /dev/entropykey/ folder and you use the ekeyd daemon which sets up a tty for each connection there. That means code changes WOULD need to be made for gpg and other applications (and that means it is time for me to shut up and let Werner and the others write).

What I was referring to in the Benoit Mandelbrot self similarity was that IBM was using the telephone lines for SNA networking. Benoit was assigned to find why there was a problem with what they thought were random glitches in the transmission. What he found was it wasn't random at all. The disturbance periods were periodical (but not symmetric) and repeating in nature. Even worse than that, when you made the time durations either longer or shorter the very same patterns showed up. When they say they are using PN semiconductor junctions reverse biased driven to high enough voltages to be near to but not beyond breakdown in order to generate noise I begin to get worried. But without hard tests by MANY people you have no way of knowing just how random they are.

HHH

PS Don't be surprised if they show up packaged in a Brillo box. #^) - Fairchild Semiconductor
Re: gpg2 does not ask for pass phrase
On 04/10/2013 03:18 PM, Werner Koch wrote:

Hi, please write to gnupg-users@gnupg.org and not to the webmaster address. Thanks, Werner

Sorry. Right now I am not subscribed and haven't been for years. It is just that this is a serious issue where I had no way that I could easily find to turn off the nasty behavior of my pass-phrase being supplied with no questions asked even after a reboot for using my secret key on OpenSuse 11.4. I am also battling spam that gives me about 100 to a maximum of a thousand spam messages in my other email account per day. Sorry about the failed request so I can post. I am busy!

Why OpenSuse 11.4 and Ubuntu 10.04? I have gone through no less than twelve installs of various Linux distros and gave up on the iPad like interfaces and went back to something that gives me four work spaces with two xterms in each. That is no longer nice. It is MANDATORY!

It is just that all of the advice out there is wrong. I don't know whether you are allowing bots to traverse the old mailings or not, but DuckDuckGo was NOT finding an answer. It really needs to be something that is available some place and the web-site is authoritative. Since Ubuntu 10.04 doesn't have a PIN entry panel it is not an issue there. This URL while safe won't harm you:

http://preview.tinyurl.com/c42bfqh

It won't help you either. It seems that gpg2 on OpenSuse 11.4 does NOT use the ~/.gnupg/gpg-agent.conf file even after you uncomment this line in the ~/.gnupg/gpg.conf file:

# use-agent

Since I do not have an ~/.xinitrc file some of this advice will kill more than just your GnuPG encryption:

http://tr.opensuse.org/SDB:Using_gpg-agent

You will never be able to login again! Well, since I also have a clamav user and clamav group I could login as clamav, su to root (sudo su -l root for debianesque) and do a

# rm /home/ME/.xinitrc

Then ^D ^D, logout. Now I can login. But I still had a problem. My GnuPG pass-phrase was still being supplied with no questions asked.

I didn't notice or change anything in the pinentry panel which I was able to use only the first time. Ever since then the pass-phrase was magically supplied and there was no way for me to set it to ask for it in the man pages or elsewhere because the pinentry panel never appeared again. Here is how you get it to ask for your GnuPG pass-phrase again (and it is at that second URL):

echo test | gpg -ase -r 0xMYKEYID | gpg

But you do NOT have to do anything other than that. Make sure you set it to something reasonable like ask for it every time or a time-out before asking for it again. Never ask for the GnuPG pass-phrase ever again? Sheesh! I may understand that on a smart-phone but not a desk-top system.

HHH
Compression routines - please include 7-Zip
Werner: Für die Unterzeichnung danke. This is amazing for somebody whose father was run out of northern Mexico (Me-hico) by Pancho Villa's raiders. I have been using the 7-Zip compression long enough to give Igor Pavlov the nod he has longed for. Bzip2 is good. 7-Zip is better. If you want to know how much better I will give you the install for our PAC filter in 7-Zip. Reply out of group and I will give you the goods. It works in both Anglais (Etas-Unis) and Français. It is so blisteringly fast that it is time to give credit where credit is due. I had it updating our (my?) PAC filter. Even with copying the executable for 7zip.exe on Windows it is so blisteringly fast I can't believe it. I am used to the forty years that Microsoft takes. When it is done almost instantaneously (the word comes from Latin to Français to Anglais) it shocked me!

What I need is more security for the sig downloads to guarantee that things are okay (email me for the script that will be available in a few hours). Tell Richard Stallman to stop toking up long enough so that we can discuss this and head it in the right direction. Other than the fact that 7-Zip does not store the UID/GID it is the best compression algorithm out there. It is only marginally better than BZIP2 but it is infinitely better than ZIP or RAR. If we can adopt it as a standard in OpenPGP it may be all that is needed to go to the next level. Why go half-way when you can go all the way? The UID/GID problem has no meaning in email anyway.

What I am begging for is people to make the install of 7-Zip not optional but mandatory. In the past month I told somebody to stuff it because they refused to use it on Windows. It was the best thing that happened in my life. I have a French speaking friend who is infinitely better than all of my English speaking friends. Thanks for listening. I am too tired right now. I have to take a nap.

HHH
Re: Windows / Linux encoding issues
Sacha [EMAIL PROTECTED] wrote:

I've created my key pair using WinPT under Windows 2000. I used special characters (like ?, ?, ?, ?, etcetera) in my passphrase. Since a hard drive crash, I've installed Gentoo Linux on the computer and I can not find my Windows 2000 installation CD. I've successfully imported my private key in GnuPG from a backup, but when I type my passphrase, GnuPG says that it's a bad passphrase. My idea is that there is a charset encoding issue, because under Linux I have UTF-8 in my X server and ISO-8859-1 in the console. And what under Windows 2000 used is, I really don't know (Windows-1252 ? perhaps...). Can you suggest me something to find the right passphrase ? Thank you - very much.

Find somebody who has Windows system similar to what you had that will let you use it, install GnuPG on it and import your keys on to it. If your keys work there (do a simple test with a file or something), then change the password on your keys on that platform to something much simpler with just ASCII characters (subset of ISO-8859-1). I haven't used WinPT for a long while so if you can't change the passwd in WinPT you will have to do a gpg --edit-key and then passwd in a cmd.exe.

BTW, I just COPY the pubring.gpg, secring.gpg, and trustdb.gpg files as long as the chip is the same, e.g., 32 bit Wintel - 32 bit Wintel. It doesn't matter what the OS is. I don't know how you backed up your keys though. Did Windows-1252 precede ISO-8859-1 like MacRoman? I have a feeling it did which of course doesn't help you.

http://en.wikipedia.org/wiki/ISO_8859-1#The_ISO-8859-1.2FWindows-1252_mixup

Do you want to throw in EBCDIC to make matters worse? Hope that helps, but ...

HHH
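Why an identical-looking passphrase can be rejected after the move, shown as an added example that is not part of the original post: GnuPG hashes the bytes the terminal sends, and those bytes differ by charset. The function names `passphrase_hex` and `encoding_report` and the sample strings are made up for the illustration; `iconv` and `od` are assumed to be installed.

```shell
#!/bin/sh
# Added example: show the bytes a given passphrase becomes under each of the
# charsets named in the thread. Sample passphrases below are constructed.

# passphrase_hex CHARSET TEXT
#   TEXT is UTF-8. Prints the hex of TEXT re-encoded in CHARSET.
#   Returns 1 if CHARSET cannot represent every character of TEXT.
passphrase_hex() {
    ph_charset=$1
    ph_text=$2
    # Round-trip check: encode, decode, compare. This catches both an iconv
    # that errors out and one that silently substitutes a placeholder.
    ph_back=$(printf '%s' "$ph_text" \
        | iconv -f UTF-8 -t "$ph_charset" 2>/dev/null \
        | iconv -f "$ph_charset" -t UTF-8 2>/dev/null) || return 1
    [ "$ph_back" = "$ph_text" ] || return 1
    printf '%s' "$ph_text" \
        | iconv -f UTF-8 -t "$ph_charset" \
        | od -v -An -tx1 | tr -d ' \n'
}

# encoding_report TEXT
#   One line per candidate charset, so the differing byte strings can be
#   compared side by side.
encoding_report() {
    for er_cs in UTF-8 ISO-8859-1 WINDOWS-1252; do
        if er_hex=$(passphrase_hex "$er_cs" "$1"); then
            printf '%-13s %s\n' "$er_cs" "$er_hex"
        else
            printf '%-13s (cannot represent this passphrase)\n' "$er_cs"
        fi
    done
}

# Constructed samples, written as octal escapes so this file stays ASCII:
SAMPLE_CAFE=$(printf 'caf\303\251')     # "cafe" with e-acute (U+00E9)
SAMPLE_EURO=$(printf '\342\202\254')    # euro sign (U+20AC)
```

Running `encoding_report "$SAMPLE_CAFE"` shows two bytes for the accented letter under UTF-8 and one under the two single-byte charsets, which is enough to make the key's stored hash check fail.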
Re: gpg2 for windows?
On Wed, 2007-07-18 at 00:08 +0200, Werner Koch wrote:
On Wed, 18 Jul 2007 00:08, [EMAIL PROTECTED] said:

Are there any plans to provide a gpg2 installer for windows? as i am not interested in using the gpg4win package.

Nevertheless, use it. It is what they are standardizing on and you can pick and choose what you want. I have no problems with them doing it this way either. Now that they have done it you can go to GnuPG2 on Windows. That makes me a happy camper! Or you can stay with 1.4.X. It is your choice. I think you are demanding too much of the GnuPG team (no, I don't have anything to do with the effort). But until you really look at the gpg4win package you don't know what you are missing.

Actually gpg4win 1.1.1 already features gnupg2. However it is at this point not very usable some command line actions do work but there are quite some bugs. We are working on this, yesterday I achieved to sent the first S/MIME mail using Claws and gnupg2. Stay tuned.

All ears 8^).

In particular, does anyone know why the gpg4win gpg builds does not come with bzip2 support?

Because it is an optional part of OpenPGP and iirc even PGP does not support bzip2. I'll see whether we can include it into the gpg4win build.

I would say it a little differently than that Werner. bzip2 is NOT part of Windows. It sounds to me like you are asking for the world. Which ZIP add on program do you want the GnuPG team to standardize on? On the 'nix systems they just call bzip2 natively via pipes. On Windows that becomes a problem with anything other than ZIP, because everything else is an add-on. In other words, yes they could demand that you use 7-Zip

http://www.7-zip.org

In that case, they may be able to handle it, but ONLY if Windows were as polite as the 'nix machines are in piping (you sometimes run into problems). But people will use WinZip or a dozen other utilities instead, or nothing at all. That means that the GnuPG team are responsible for bzipping on their own.

Does that help you to understand some of the problems? That is why for a long time I listed bzip2 as the last resort, and ZIP first. But the way Windows implemented the ZIP was to transparently allow users to see into a ZIP file, thus infecting people's computers. In short, to Werner and the others - THANKS FOR GPG2 on MS WINDOWS!

HHH
Re: gpg2 for windows?
On Wed, 2007-07-18 at 12:41 -0600, Henry Hertz Hobbit wrote:
On Wed, 2007-07-18 at 00:08 +0200, Werner Koch wrote:

I would say it a little differently than that Werner. bzip2 is NOT part of Windows. It sounds to me like you are asking for the world. Which ZIP add on program do you want the GnuPG team to standardize on? On the 'nix systems they just call bzip2 natively via pipes. On Windows that becomes a problem with anything other than ZIP, because everything else is an add-on. In other words, yes they could demand that you use 7-Zip

Or they use the libraries. Either way, it is there natively on 'nix systems. What I am trying to tell you is that bzip2 is NOT there natively on Windows. Oh yes, the 7-Zip produces a substantial more amount of compression than bzip2.

$ 7z a OutBox.7z ./OutBox
$ tar -cjf OutBox.tbz ./OutBox
$ chmod 644 OutBox.7z
$ ls -l OutBox.*
-rw-r--r-- 1 hhhobbit hhhobbit 6916234 Jul 18 13:10 OutBox.7z
-rw-r--r-- 1 hhhobbit hhhobbit 9947335 Jul 18 13:11 OutBox.tbz

Need I say more? I have shifted to 7-zip when I can. It is too bad they didn't add enough information for UID:GID in 7-zip. The way around it is to tar first and pipe that to 7z. That isn't bad for an algorithm that was created on Windows. Keep that in mind people. But be sympathetic to the GnuPG team (all of them). They are working their little hearts for us and I for one MUST say ... THANK YOU!

HHH
Re: decrypting many files to stdout
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Crest wrote:
Ken Takusagawa wrote:

I have many files that are all encrypted with the same public key, and the private key is protected with a passphrase. Is there a way that I can decrypt all of them at once, concatenate the results and print it all to standard output but only have to type my passphrase once? I'd like to avoid having the decrypted files be written to disk, i.e., I'd like -d behavior but with multiple files.

man gpg # and search for --command-fd

DETAILS PLEASE! I did, and tried to use the --multifile before that. When I looked for command-fd in the doc/DETAILS as promised by the man page it wasn't there. A search for how to use it on Google wasn't all that useful either. Now the following code will get you part way towards where you want to go (maybe). It is also available here (with srm code):

http://www.securemecca.com/Crypto.tbz
http://www.securemecca.com/Crypto.tbz.sig
http://www.securemecca.com/Crypto.7z
http://www.securemecca.com/Crypto.7z.sig

For now they are signed with public key 5BA96FAC. Here is the script:

----------
#!/bin/bash
# What this script does is decrypt multiple publicly
# encrypted files and concatenate all the files together
# into one file. Optionally, you can print the file. The
# order in which the files are in the output file is set
# by where you put them in the cryptfiles file list.
#
# WARNING
# There are so many things wrong with this shell script from a
# security standpoint that I will not claim it. That holds for
# who ever I am. Will somebody provide a better shell script
# please?
#
# The /bin/sh designator does not always mean you are using the
# Bourne shell. Most Linux systems do not have the Bourne shell
# because all they have is BASH. Just make sure you don't have
# any history going out of here.

if test $# -eq 0
then
   echo
   echo usage: decryptNcat.sh OUTPUT_FILE_NAME
   echo
   exit
fi
OUTPUTFILE=$1
SAVEHISTSIZE=${HISTSIZE}
HISTSIZE=0
export HISTSIZE
if [ ! -s cryptfiles ]
then
   echo put crypted files in a list in files cryptfiles
   echo with one file per line and make sure they are in
   echo the order you want them in.
   exit 1
fi
rm -f ${OUTPUTFILE}
touch ${OUTPUTFILE}
echo -n "what is the passphrase:  "
read PASSPHRASE
clear
echo
cat cryptfiles | while read FILE
do
   if [ -s ${FILE} ]
   then
      gpg --list-packets --list-only ${FILE} > testforkey
      if grep -iq pubkey testforkey
      then
         echo adding file ${FILE} to the ${OUTPUTFILE} file
         echo
         gpg -q -d --passphrase ${PASSPHRASE} ${FILE} \
            >> ${OUTPUTFILE} 2> /dev/null
      else
         echo file ${FILE} may not be a valid OpenPGP file
         echo skipping it
         echo
      fi
   else
      echo file ${FILE} either does not exist or is empty
      echo skipping it
      echo
   fi
   rm -f testforkey
done
PASSPHRASE=BOGUS
export PASSPHRASE
PASSPHRASE=BOGUS
# Uncomment the following and substitute your commands to print
# the file and then securely remove the file
# if lp -q 100 ${OUTPUTFILE}
# then
#    sleep 60
#    srm ${OUTPUTFILE}
# fi
HISTSIZE=${SAVEHISTSIZE}
export HISTSIZE
exit
----------

So what is wrong with it?

1. It is dangerous.
   - your secret pass-phrase is in a SHELL variable!?
   - worries about history
   - where has the Bourne shell gone?
   - pass-phrase is visible; use LCD; if you must use CRT do it so nobody can read it with RF sensors; make sure nobody is looking over your shoulder.
   - etcetera, etcetera, etcetera - you fill em in
2. It is inefficient.
   - cat cryptfiles | while read FILE ...
   - gpg -q -d --passphrase ${PASSPHRASE} ${FILE} \ output 2 /dev/null
   - etcetera
3. It only gets you part way there. Ken wanted it to go to the printer, not a file. Yes, he can print the file and use srm on it to securely remove it but what if somebody hacks in or is in from the internet and steals the file in the process?

So what is right with it?

1. You only type the pass-phrase once. Repetition of key things kills you - look at history. At least we aren't repeating the typing of our secret pass-phrase.
2. Modify the script to decrypt multiple files into separate files as they come in from remote sites. At least the sending is sort of automated by automatic encryption on the sending end.
4. IT WORKS! Well, sorta ...

Now if you can flesh in the details on how to use command-fd or command-file options we are all ears. This script is NOT what Ken is looking for. But maybe, just maybe, it will give him some ideas.

HHH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGhL+Zr3QZv1upb6wRCoOMAKCex2sg9LEenWNeRtqVcpYPwvO7cQCgj0oG
LiciRmk9vuWvJvum10DkxG8=
=FeNJ
-----END PGP
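One way to get the "type it once, write nothing to disk" behaviour without the problems the post lists, as an added example that is not part of the original message: the script never handles the passphrase at all and relies on gpg-agent to cache it after the first pinentry prompt. The function name `decrypt_cat` and the `GPG` override variable are made up for the illustration; the agent caching is an assumption about the local setup (it is the default with gpg2).

```shell
#!/bin/sh
# Added example: decrypt every file named in a list and send the concatenated
# plaintext to stdout only. No passphrase variable, no --passphrase argument
# visible in the process list, no plaintext or scratch files on disk.

GPG="${GPG:-gpg}"    # command to run; overridable so the loop can be tested

# decrypt_cat LISTFILE
#   LISTFILE holds one encrypted file name per line, in output order.
#   stdout: concatenated plaintext      stderr: one line per skipped file
#   return: 0 all decrypted, 1 at least one file skipped, 2 list unreadable
decrypt_cat() {
    dc_list=$1
    dc_skipped=0
    if [ ! -r "$dc_list" ]; then
        echo "cannot read list file: $dc_list" >&2
        return 2
    fi
    # The list is redirected into the loop rather than piped from cat: a
    # pipeline would run the loop in a subshell and lose dc_skipped.
    while IFS= read -r dc_file || [ -n "$dc_file" ]; do
        [ -n "$dc_file" ] || continue            # ignore blank lines
        # A name starting with "-" must not be parsed as a gpg option.
        case $dc_file in -*) dc_file=./$dc_file ;; esac
        if [ ! -s "$dc_file" ]; then
            echo "skipping (missing or empty): $dc_file" >&2
            dc_skipped=1
            continue
        fi
        # stdin comes from /dev/null so gpg cannot consume the file list.
        # gpg-agent asks for the passphrase on the first file and answers
        # from its cache for the rest.
        if ! "$GPG" --quiet --decrypt "$dc_file" </dev/null; then
            echo "skipping (gpg reported an error): $dc_file" >&2
            dc_skipped=1
        fi
    done < "$dc_list"
    return "$dc_skipped"
}

# Typical use, plaintext going straight to a pager or printer command:
#   decrypt_cat cryptfiles | less
```

A file that gpg rejects part-way may already have written some output, so a non-zero return means the stream should be treated as incomplete.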
FireGPG Report
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 FireGPG: Here is the information on FireGPG which primarily does INLINE rather than OpenPGP/MIME encryption and signing: http://firegpg.tuxfamily.org/ FireGPG works well for INLINE encrypting and decrypting. You can use FireGPG to send / receive GnuPG encrypted messages. Further, despite them focusing on using GMail it, FireGPG will also work in sending and receiving encrypted messages with AOL / Netscape, HotMail, and Yahoo WebMail services. Read on ONLY if you want to help with the Signing (also INLINE) which has problems. I have done some extensive testing of FireGPG. Here are the results of the tests (the files will be there until the end of the present month): http://www.securemecca.com/ FireGPG.zip http://www.securemecca.com/AOL_FireGPG_SignTest.zip SHA1 sums of files: - --- a293f08fb3821f79ed42c2ae6dea50cfe90e98ce AOL_FireGPG_SignTest.zip 47898a296c797ac1f014ac8442265c0746f348a1 FireGPG.zip Basically, I had no ends of grief in signing. That was both in sending and verifying. I was using FireGPG 0.3.3 to do the tests. The commands used to do the signing in 0.4.2.1 are the same as they were in 0.3.3. The main changes from 0.3.3. to 0.4.2.1 are localization. I can't see anything that they are doing wrong. Here is the main portion of the signing code: putIntoFile(tmpPASS, password); // DON'T MOVE THIS LINE ! try { runCommand(tmpRun, '' + this.getGPGCommand() + '' ++ tmpStdOut + --quiet --no-tty --no-verbose --status-fd 1 --armor --batch + --default-key + keyID + --output + tmpOutput + --passphrase-file + tmpPASS + + getGPGCommentArgument() + getGPGAgentArgument() + --clearsign + tmpInput); } catch (e) { } removeFile(tmpPASS); // DON'T MOVE THIS LINE ! 
You can find the plugin on 'nix with: $ find ~/.mozilla/firefox -type f -name firegpg.jar -print After you copy the file some place else and unzip it using unzip or your choice of zip program, the files containing the commands are: content/cgpglin.js Linux / Unix (all tests done w. Linux) content/cgpgwin.js Windows I don't like closed sections so, I changed the VIM directives at the end of the file using MicroEMACS to: // vim:ai:sw=4:ts=4: Your mileage will vary, and if you don't use VIM, it won't matter. After that change in all the files I used vim to look at the files. The baseline was Thunderbird where all messages signed in Thunderbird verified in Thunderbird, and all messages encrypted in Thunderbird decrypted in Thunderbird. In all WebMail services signing, verifying, encrypting and decrypting, were always done by selecting the text and then doing a ^C despite X copying automatically. But it seemed to make no difference whether I did that or not. FINAL RESULTS: == SIGNING /VERIFYING can only be INLINE. But the results are all over the wall and you can't trust them! The snatching of the text is fine, but I suspect that after the message is signed, the webmail mucks around with the spacing characters or plays around with some hidden characters. But if it was hidden characters I could never see them in the file after saving from Evolution which makes no attempt to interpret INLINE signed or encrypted messages or other strange extended characters. All of my tests were done with line lengths of approximately 64 characters to make sure I didn't have forced wraps, but I think I got a few of them anyway, primarily with HotMail. I don't think there is anything that they can do about the signing failure but if the rest of you can look at the code maybe you can deduce what is going wrong. I couldn't deduce a pattern of when it worked and when it failed for me to try to zero in on what was going wrong. 
It was extremely exasperating to get one result on the command line and a different one in the WebMail or Thunderbird I saved the message from. I shifted to SHA1 for some additional tests with signing and it made NO DIFFERENCE. Results were still all over the wall. I didn't save those tests. ENCRYPTION is INLINE but it ALWAYS worked for me! If you are using Mac's Mail App, Evolution, or some other mail client that only understands OpenPGP/MIME encryption, then you will have to save the message to a file and decrypt it manually. I was able to get FireGPG to decrypt on OpenPGP/MIME encrypted message from Thunderbird but it only did it once so I would stick with INLINE. WARNINGS: Always be sure to clean your buffer cache after using FireGPG. Do a Tools - Clear Private Data in both closing the browser and the next time you open the browser. The authors are native French speakers (one lives in Morocco) so if you want to converse with them individually by all means shift to Francais and they will appreciate it and you will get much faster results communication. HHH -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla -
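The post above suspects that the webmail service alters spacing after the text has been clearsigned. As an added example (not part of the original post and not FireGPG code), this sketch applies the OpenPGP cleartext canonicalization rules (RFC 4880, section 7.1) to a constructed message and shows which in-transit changes leave the hashed bytes unchanged and which do not. SHA-256 over the canonical text stands in for the real signature hash, which also covers a signature trailer; the sample message and variant names are assumptions.

```python
import hashlib
import re
import textwrap


def dash_escape(text: str) -> str:
    """Sender side: a line starting with '-' is transmitted as '- ' + line."""
    return "\n".join("- " + l if l.startswith("-") else l for l in text.split("\n"))


def dash_unescape(body: str) -> str:
    """Verifier side: the '- ' prefix is stripped again before hashing."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.split("\n"))


def canonical_cleartext(text: str) -> bytes:
    """Bytes that are hashed for a cleartext signature.

    Line endings become CRLF, trailing spaces and tabs are removed from each
    line, and the line ending just before the signature block is not included.
    """
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(l.rstrip(" \t") for l in lines).encode("utf-8")


def digest(text: str) -> str:
    # Stand-in for the signature hash: the real one appends a trailer as well.
    return hashlib.sha256(canonical_cleartext(text)).hexdigest()


# Constructed sample message, not taken from the tests described in the post.
SIGNED = (
    "Test message for inline signing.\n"
    "This line has two  spaces in the middle of it.\n"
    "--throw-keyid is an option that starts with a dash.\n"
)


def webmail_variants(signed: str) -> dict:
    """Constructed examples of what a mail service might do to the body."""
    lines = signed.split("\n")
    return {
        "trailing spaces added": "\n".join(l + "  " if l else l for l in lines),
        "LF changed to CRLF": signed.replace("\n", "\r\n"),
        "re-wrapped at 40 columns": "\n".join(textwrap.fill(l, width=40) for l in lines),
        "runs of spaces collapsed": re.sub(r" {2,}", " ", signed),
        "space replaced by U+00A0": signed.replace(" ", "\u00a0", 1),
        "dash-escaping left in place": dash_escape(signed),
    }


def survives(signed: str) -> dict:
    """Map each variant to True if it still hashes to the signed value."""
    want = digest(signed)
    return {name: digest(v) == want for name, v in webmail_variants(signed).items()}


if __name__ == "__main__":
    for name, ok in survives(SIGNED).items():
        print(f"{'verifies' if ok else 'BAD signature':14}  {name}")
```

Only changes the canonicalization absorbs (trailing whitespace, line-ending style) survive; any change to interior whitespace or line breaks produces a different digest regardless of the hash algorithm chosen.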
Re: RSA 4096 ridiculous?
Werner Koch [EMAIL PROTECTED] wrote:

snip

> The sign operation is of course far slower: A single sign operation takes 0.28 seconds on my 1500Mhz Pentium M. Given that this is the same time as for a decrypt operation, this will be noticeable if you receive a mail encrypted to several hidden keys (--throw-keyid) and you need to do trial decryptions.

SNIP

First, thanks for the stats. What may be suitable for me may be totally impractical for somebody sending backup files that are signed and encrypted on the sending machine, then sent across a network where they are automatically verified by the receiving machine. At least now people have some hard numbers to make reasonable decisions for keys that meet their own needs. THANK YOU!

PLEASE DEFINE NOTICEABLE! If it is still only 0.xx ... 2 seconds for your stated conditions which is multiple users with the sender using --throw-keyid (which I don't use) that is acceptable to me. I wait much longer than that for the POP server to start giving me the files anyway. Also, even though I type extremely fast my pass-phrases are inordinately long and rather complex which requires a fair amount of time for me to type them. In other words, it may take me far longer to type the pass-phrase than it does to decrypt or decrypt + verify all of the encrypted messages.

The primary purpose for these keys I am going to create is to sign just a few files only a few times per week or month anyway. It appears 4096R isn't as awful as some people thought it was. And computers are just going to keep getting faster. That includes PDAs.

HHH

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Re: RSA 4096 ridiculous?
Ryan Malayter [EMAIL PROTECTED] wrote: On 6/19/07, Henry Hertz Hobbit [EMAIL PROTECTED] wrote: than it took me to tar it. It also takes me much less time to encrypt the tarred file than it takes to do the final bzip2 of the encrypted file. Huh? Why would you try to use bzip2 AFTER encrypting? Strongly-encrypted data is not compressible. And GnuPG uses gzip compression by default *before* encryption anyway. I gave you the false impression I am doing it. gpg is the one that is calling bzip2. If you say it calling bzip2 first and then encrypting, I will take your word for it, but I assumed the compression would be done last. Generally speaking for small stuff I do use -a, but for this stuff I don't: 76007185 Jun 12 13:35 Quarantine.tar.gpg And in this case the encryption isn't so much for protecting the data from the prying eyes of others as it is for protecting other people from the data contained therein. It is all BAD; mostly Trojans. HHH ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Compression before encryption is best
Ryan: That was a bad example to give you, and I DID use public encryption given what was in the file to give it a little greater protection. But because it contains all binary files, you don't get much from compression anyway. I must hasten to add for the files that are in the Quarantine folder that I always add a .ck extension for files I THINK are bad (after analysis), and a .BAD extension if my decision has been confirmed by at least one AntiVirus company. By extension changes I mean:

PotentiallyBad.cab -> PotentiallyBad.cab.ck
ReallyBad.exe -> ReallyBad.exe.BAD

But since I had to change the order of compression on my key to put bzip2 first, to me it was manual. Frequently I use just symmetric encryption with the -a flag in a script. I had some problems doing it without the flag (can't remember what it was) so I left the script that way. I should probably modify the script to give a choice. Depending on how big the file is, I may or may not use the script. Usually I am in such a hurry I end up using the script.

I did a short test using symmetric encryption (AES), and my key set to do NO compression (my default, and it should have nothing to do with symmetric encryption). Here are the results of the test (you should be able to deduce what the other files are from the comments):

1154945  Hosts.tar.bz2.gpg    bzipped, then encrypted
1157556  Hosts.tar.bz2
1390758  Hosts.tar.gz.gpg
1390807  Hosts.tar.gz
1390856  Hosts.tar.zip.gpg
1390929  Hosts.tar.zip
1407485  Hosts.tar.gpg        encrypted ONLY
1407732  Hosts.tar.gpg.gz
1407858  Hosts.tar.gpg.zip
1414045  Hosts.tar.gpg.bz2    encrypted, then bzipped
640      Hosts.tar
-- (using -a option)
1906066  Hosts.tar.asc
1446067  Hosts.tar.asc.bz2

If you aren't using the -a option, you should NOT attempt to compress it after you have encrypted it because it just makes the file size LARGER! This is altered if you do an --armor as you noted, and my scripts are set to do -a encryption right now. Since the size difference was only marginally larger for the *.asc file I figured I would just bzip2 the file after it was encrypted. When I am in a hurry it is easier to use the script and then bzip2, but it is NOT the smallest file. That file is the one that was bzipped, and then encrypted without the -a option. Encryption does some compression. It reduced the size of all the compressed files, and the size of the TAR file considerably whether you use -a option or not.

HHH
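The size comparison in the message above can be reproduced offline. This is an added example, not the poster's script and not GnuPG: it uses zlib and a SHAKE-256 keystream as a stand-in cipher that does no compression of its own, so every size change comes from an explicit step. The sample hosts data, key and nonce are constructed.

```python
import base64
import hashlib
import zlib


def sample_hosts(n: int = 5000) -> bytes:
    """Constructed, highly repetitive blocking-hosts style input."""
    return "".join(
        f"127.0.0.1  ads{i}.tracker{i % 97}.example\n" for i in range(n)
    ).encode("ascii")


def stream_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in stream cipher: XOR with a SHAKE-256 keystream.

    Illustration only. It is length-preserving like a real symmetric cipher,
    but it has no authentication and must never reuse a (key, nonce) pair.
    """
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(keystream, "big")
    return mixed.to_bytes(len(data), "big")


def size_report() -> dict:
    """Byte counts for each ordering of compress / encrypt / armor."""
    key, nonce = b"constructed demo key", b"constructed nonce"
    plain = sample_hosts()
    encrypted = stream_encrypt(plain, key, nonce)
    armored = base64.encodebytes(encrypted)  # radix-64 text, like -a / --armor
    return {
        "plain": len(plain),
        "compress, then encrypt": len(
            stream_encrypt(zlib.compress(plain, 9), key, nonce)
        ),
        "encrypt only": len(encrypted),
        "encrypt, then compress": len(zlib.compress(encrypted, 9)),
        "encrypt + armor": len(armored),
        "encrypt + armor, then compress": len(zlib.compress(armored, 9)),
    }


if __name__ == "__main__":
    for label, size in size_report().items():
        print(f"{size:>9}  {label}")
```

Compressing the armored output only recovers the radix-64 expansion; it cannot get below the size of the binary ciphertext, which is why compress-then-encrypt without armor gives the smallest file.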
Re: RSA 4096 ridiculous? (was RSA 1024 ridiculous)
Snoken wrote: Hi, Interoperability with PGP 8 matters too. Signatures made with RSA 4096-keys (or shorter) and SHA256 can be verified by users of PGP 8. N.B. Not any other new hashes! Please note the option: --pgp8 Snoken What I was trying to do was bring a real world perspective to this question. Are you using PGP 8? Do you know anybody who is using PGP 8? http://www.pgpi.org http://www.pgpi.org/news/#20021203 (personally, I think they should close the web pages down, I get all the history I need on the History channel on TV) Since PGP 8 was released in December 2002 and nothing has been done with it for 4-1/2 years now, it is getting pretty long in tooth. PGP Corporation is up to at least PGP 10.x the last time I checked (last year). I would advise people using software that is that old (PGP 8) to update to newer stuff. Whether they drag the keys they created with PGP 8 along with them is up to them. I haven't had any problems with building GnuPG 1.4.x for either FreeBSD or OpenBSD. It of course works with all versions of Linux, Mac OS X, and Windows. I won't discuss the GnuPG 2.0.X line since it hasn't been built for Windows yet. Most of the people using my SIGS to verify that what I have provided is kosher will be using Microsoft Windows. They will outnumber Linux users by a factor of at least 4:1. They will also take the GnuPG defaults (with a key that lasts forever - how optimistic). There will be a smattering of Mac and other OS users. But they will *ALL* be working from a desktop system. They may have a PDA, but that is a secondary platform for them. Werner cautioned that a key size this large (4096R) causes severe problems with PDAs with limited CPU power and a large number of signatures on each key. I have absolutely no reason to doubt his statements and accept them as true. I don't see my keys being used with either of those constraints. 
What I am providing is for end user desktop systems and I cannot foresee these keys which will be part of the WOT as having more than just a few sigs. Most of the people using what I am providing have even more powerful machines than I have. You see, I gave you the actual stuff that is going to be signed - a blocking hosts file and PAC filter that blocks broad swaths of the Internet. I am still working on the Ad filtering stuff. Most web sites that can detect AdBlock Plus in Firefox still can't detect the presence of a PAC filter. These keys are NOT the keys that are used with this email account (still 1024 bit DSA for at least a year and I see no valid reason to change it - it works well). Caution and experience teaches me that you never know for sure how something will end up being used. Just because it is technically feasible to use a 4096 bit RSA key doesn't mean it is the optimal choice. Each person's choice has to be tailored to how they and *OTHERS* will use that key. Keep the *OTHERS* in mind when you make your choices. We have already established that 1024 bit RSA keys still have a few years of TECHNICAL life left in them (which should also hold true for DSA keys as well). But CPUs just keep getting faster (even on PDAs - where did the Hobbit chip go?), and I don't foresee anybody using my keys on a PDA. If they do, at least they won't have a lot of sigs on that particular key. I worked on the nascent PDAs with the PenPoint OS. The hand writing recognition I worked on was infinitely superior to what exists now if you ask me. But for the life of me I can't understand somebody using these keys on that limited of a platform. If they do, it will only be for one or two questions to me and answers from me and after that they will just delete my key on their PDA. That has been my experience up to now and I see no reason for it to change. 
In other words, I don't foresee anybody other than desktop platform users who will be using this key (it does NOT replace my present key). But that sig will be infinitely better than a check sum that anybody can change. At this point I am still leaning toward the maximum which may be seen as a minimum eight years from now. I am always looking toward the future. I also want something that people can't even question from a technical perspective. Keep that last statement in mind. If I have to, I will remove keys entirely (secure remove written by myself) for tricky operations with bad hosts on the Internet And don't think for one minute that Linux systems are secure from all Internet attacks - THEY ARE NOT SECURE FROM ALL OF THEM! That holds for Mac OS-X and *BSD as well. HHH -- Why hack in when you can drive in on Hwys. 80, 110, 194, 220, 443, 993, 994 995? signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RSA 4096 ridiculous? (was RSA 1024 ridiculous)
Janusz A. Urbanowicz [EMAIL PROTECTED] wrote: On Sun, Jun 17, 2007 at 01:02:58PM -0500, Andrew Berg wrote: Atom Smasher wrote: gpg does support RSA-2048/SHA-256 (or even RSA-4096/SHA-512) which is what i've been using for a while now. i'll sign this email with RSA-2048/SHA-256 (my default on this key) just to show what it looks like. it's a big signature block, but not ridiculous and on a reasonably powerful computer it's hardly a noticeable delay to work with such keys. Try signing/encrypting files that are tens, hundreds, or thousands of megabytes in size. Sure, your average machine can sign/encrypt messages that don't even fill a cluster without breaking a sweat, but if the sensitive data is large, RSA-4096 isn't a good choice unless a gov't agency wants that data. Erm... when you use OpenPGP, or really any other modern crypto protocol, you don't put actual plaintext through RSA, RSA operates only on a hash or random session key for symmetric cipher.y Let's put some actual sizes and times on this in a real world situation. BTW, I am in total agreement that 1024 bit keys will be useful for at least a few more years whether they are DSA or RSA. It is more likely a crack will come from bad pass-phrases or key loggers stealing good pass-phrases and stolen secret keys than from shorter key sizes. Responding most specifically to Andrew's objections, what is wrong with 4096 bit RSA keys? If they are so awful, then why does GnuPG allow us to generate them? The default for RSA keys in both GnuPG and PGP is 2048 bits anyway. I created a temporary 4096 bit RSA key and compared it to my present 1024 bit DSA key for detached signing of moderately sized files which in addition to signed email messages is all I need it for anyway. I have no need to sign huge files. On other hand, I occasionally need to encrypt huge files, and even though I use something like TWOFISH or AES-256 for the symmetric cipher, it takes me less time to encrypt the file than it took me to tar it. 
It also takes me much less time to encrypt the tarred file than it takes to do the final bzip2 of the encrypted file. But the real killer is the uploading of my file to an Internet file storage server. That seems to take forever! Download speed is significantly faster. But other than the slightly longer time it took to create the RSA key, I didn't notice it took any longer to sign the files and here are the actual sizes. I copied the *.sig files to the extension names indicating which key was used to sign it, but cp'd that to $FILENAME.sig for the verifications:

109238  hosts.min
    65  hosts.min.1024D
   536  hosts.min.4096R
535610  hosts
    65  hosts.1024D
   536  hosts.4096R
 35435  proxy.txt
    65  proxy.txt.1024D
   536  proxy.txt.4096R

Here are the preferences on that RSA key:

Command> showpref
[ultimate] (1). Bogus User [EMAIL PROTECTED]
     Cipher: TWOFISH, AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

It took me infinitely longer to type the pass-phrase for the signing than it took to actually create the sigs which seemed to be almost instantaneous. Timing the signing is sort of ridiculous unless I used keys without pass-phrases. Here is the difference in the times of verifying the file with both sigs (and I don't have a super fast machine - the CPU is over three years old):

# 1024 BIT DSA KEY
$ time gpg --verify hosts.sig
gpg: Good signature from Henry Hertz Hobbit [EMAIL PROTECTED]
real    0m0.041s
user    0m0.037s
sys     0m0.003s
$ time gpg --verify proxy.txt.sig
gpg: Good signature from Henry Hertz Hobbit [EMAIL PROTECTED]
real    0m0.012s
user    0m0.008s
sys     0m0.004s

# 4096 BIT RSA KEY
$ time gpg --verify hosts.sig
gpg: Good signature from Bogus User [EMAIL PROTECTED]
real    0m0.042s
user    0m0.036s
sys     0m0.003s
$ time gpg --verify proxy.txt.sig
gpg: Good signature from Bogus User [EMAIL PROTECTED]
real    0m0.014s
user    0m0.007s
sys     0m0.006s

From a user perspective, the time difference for verifying is the same for both keys and in this case it is almost instantaneous. The shortest file used in these tests is longer than most email messages unless you have lots of attachments. Although the signature file is bigger for the 4096 bit RSA key (~ 8.25 times the size of the 1024 bit DSA key) it is constant in size and 536 bytes isn't unreasonable even if the message is only a few lines. After all, it verified the message, didn't it? 536 bytes to do that is a small price to pay. It is nice to do it with less, but that size becomes more reasonable the bigger the message or file becomes.

So the only relevant question as I see it is, can the Crypto Card and other users handle my 4096 bit RSA sigs? If they can't then I will have some problems, won't I? Correct me if I am wrong, but I don't think I will have any problems with Crypto Card users
Re: Revoke and expire
[EMAIL PROTECTED] wrote: David Shaw [EMAIL PROTECTED] wrote: On Mon, Jun 11, 2007 at 10:24:23PM +0530, Hardeep Singh wrote: Hi When a key is revoked using the revocation certificate, does it have the same effect as reaching the expiry date of the key? In other words if I set a key to no expire but generate a revocation certificate, it is equally safe? They're similar, but different. A key that has reached its expiration date is not usable, but a new expiration date can be put on it that makes the key usable again. A key that has been revoked cannot be easily un-revoked. Note that I'm talking about whole keys here. It is possible to un-revoke a revoked user ID on a key. How do you unrevoke a key, especially if it is on the keyservers? I can think of making a backup of the key, revoking it and then sending the revocation to the keyservers, then unpacking the non- revoked folder, extending the date, and squirreling that away in some safe deposit box just in case I need it some time in the future. Once you are pretty sure you will never need it again you can destroy the backup. But that means it is only unrevoked for myself. Was that what you meant? But more to the point, what would most people prefer for somebody else to do when they no longer intend to use a key, especially if it is on the keyservers - allow it to expire or revoke it with some message like key deprecated? This is more along the line of human usability and preferences, not technical. I am assuming from what has been said that most people want the key revoked, rather than just allowing it to elapse and expire like Johannes Ullrich does. Any opinions? HHH -- Why hack in when you can drive in on Hwys. 80, 110, 194, 220, 443, 993, 994 995? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: setting expiration dates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Joseph Oreste Bruni wrote: This is interesting: After changing my encryption subkey's expiration by a few days (from 2008-02-07 to 2008-01-01), I tried to upload the updated key to the PGP Global Directory (http://keyserver.pgp.com). It complained that my key had expired, but it hasn't. Submitting the key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't have a problem. My key ID is CD5518C7 if you want to look at it. I think PGP Global Directory is complaining that the pub key your sub key is attached to is expired. If it is working by allowing people to encrypt to you, maybe these are those new changes WK said have been made. Here is the key I got from PGP Global Directory for your KEYID after I imported it: pub 2048R/CD5518C7 2005-02-17 uid Joseph Oreste Bruni jbruni_FRAT_mac_com uid Joseph Oreste Bruni brunij_GNAT_earthlink_net uid Joseph Oreste Bruni joe.bruni_ATBAT_bestwestern_com uid Joseph Oreste Bruni brunij_NOSPACE_bestwestern_com uid [jpeg image of size 1173] sub 2048R/EEA4EC97 2007-01-31 [expires: 2008-01-31] Well, the email addresses were changed by moe, but you get the idea. Your pub key IS expired! Assuming you still have the same email address you used when you gave them (PGP) the key, you can just have them remove your key with the following page: http://keyserver.pgp.com/vkd/GetRemoveKeyScreen.event PGP Global Directory doesn't work like the other key servers by giving you the ability to delete your keys (breaks WOT, but ...). Having just said the foregoing, here is how your key came down from pgp.mit.edu (HKP): pub 2048R/CD5518C7 2005-02-17 uid Joseph Oreste Bruni jbruni_FRAT_mac_com uid Joseph Oreste Bruni brunij_GNAT_earthlink_net uid Joseph Oreste Bruni joe.bruni_ATBAT_bestwestern_com uid Joseph Oreste Bruni brunij_NOSPACE_bestwestern_com uid [jpeg image of size 1173] Hmm, where is the sub key? 
And here is how it comes down from the Penguin (X-HKP) in Germany: pub 2048R/CD5518C7 2005-02-17 uid Joseph Oreste Bruni jbruni_FRAT_mac_com uid Joseph Oreste Bruni brunij_GNAT_earthlink_net uid Joseph Oreste Bruni joe.bruni_ATBAT_bestwestern_com uid Joseph Oreste Bruni brunij_NOSPACE_bestwestern_com uid [jpeg image of size 1173] sub 2048R/EEA4EC97 2007-01-31 [expires: 2008-01-01] Please do the following as a test for me with the key you have now (a # indicates a comment): $ gpg --edit-key CD5518C7 Command expire # change the expire date of your pub key to match your # sub key or at least so it is NOT expired $ gpg --keyserver hkp://pgp.mit.edu --send-keys CD5518C7 $ gpg --keyserver x-hkp://random.sks.keyserver.penguin.de \ --send-keys CD5518C7 If desired, after you have deleted your key from the PGP Global Directory, you can also submit it to them again. Let me know if you do any of this and I will do the tests again. Next time I will be FAR shorter in my reply (will just show any changes from what I have here depending on what you have done). You will have to ask the others if having a pub key that is expired on the key servers is a good idea or even if it is possible - I don't think it is possible but don't know for sure. I was able to sign your key but have NO idea what that means. What good does it do to sign an expired key? My OPINION is to either say goodbye to the pub key and all the sub-keys, or keep them ALL freshened up on their expire date so people know that the key is still good. I normally interpret a pub key that is expired as having an implicit meaning that it is no longer used and the person has replaced that key with a newer key. So if I intend to keep using a key, I change the expire dates for the pub key and all sub-keys at least one month before any of them expire for the desired period I want to keep them - lots of options to consider, like revoking your present sub-key and adding a new sub-key, when the expire date for each key is, etc. 
Then I upload my pub key to at least two keyservers again if it was on the keyservers. No reply from you means you don't want me to do the tests and didn't make any changes. If you do the changes, let me know when you have done it with a Bcc: to me. I only read the Digest. Sometimes it goes days before I get a new bundle of messages. Sometimes I don't seem to get them at all, but maybe they fell through the cracks. HHH
Re: gpg and cron
Peter S. May wrote:
> Arsha Bertie wrote:
>> i have been trying to run a script which encrypts and transfers files between 2 branches, i am using gpg for encryption, i have written a bash script and the script is working perfectly fine, but when i run it off a cron it doesn't want to work.
>
> Are you also testing the command manually as root? If not, you'll probably want to run the task from your own user instead (you can edit your own user's cron tasks by doing crontab -e).
>
>> 30 * * * * root /backup/encrypt.sh > /tmp/ab.log
>> The log file /tmp/ab.log is created after the cron executes but it is an
>
> If you're trying to get the errors, you need to redirect stderr (i.e. 2>), not stdout (i.e., >). Try:
>
> /backup/encrypt.sh 2> /tmp/ab.log
>
> Good fortune
> PSM

I am sorry I didn't see this earlier. I would have answered it individually. cron frequently gives your shell script a very abbreviated PATH since almost nothing is sourced. In fact it is so abbreviated that on some systems it is only /bin and /usr/bin. It varies depending on the system you are on and which shell you are using. First try a testgpgpath.sh script via cron:

    #!/bin/bash
    # keep this run out of the shell history
    SAVEHISTSIZE=${HISTSIZE}
    HISTSIZE=0
    export HISTSIZE
    # start with an empty log, then append stdout and stderr of every step
    rm -f /tmp/cron.log
    touch /tmp/cron.log
    echo "default cron PATH is" >> /tmp/cron.log 2>&1
    echo "$PATH" >> /tmp/cron.log 2>&1
    echo "" >> /tmp/cron.log 2>&1
    # just make sure the gpg version you are using is in the PATH first
    PATH=/usr/local/bin:${PATH}:/usr/local/sbin ; export PATH
    echo "enhanced cron PATH is" >> /tmp/cron.log 2>&1
    echo "$PATH" >> /tmp/cron.log 2>&1
    echo "" >> /tmp/cron.log 2>&1
    echo "GPG version" >> /tmp/cron.log 2>&1
    gpg --version >> /tmp/cron.log 2>&1
    HISTSIZE=${SAVEHISTSIZE}
    export HISTSIZE
    exit

The BASH you have may or may not do the history in the way I mentioned but you probably don't want a history of the encryption taking place even if you are encrypting to secret key and thus don't need a password (the history MAY not be advisable, but the password NOT being in the script IS advisable). You can get a good idea of what to put where with a:

    $ echo $PATH

Rather than adding as I did above, I SET the path in the script so I know exactly what I have. I also frequently specify the path of the shell (in case you forget to give the file the proper perms):

    30 * * * * /bin/sh /backup/encrypt.sh > /tmp/ab.log 2>&1

I don't know what the root is doing there. If you want it to be run by root, then login as root and do a crontab -e to enter the information (be sure to set EDITOR to the editor of your choice). Are you sure you want this done every 30 minutes? It seems like something you would want done every 24 hours, and if that was done at 3:30 every morning the line would be:

    30 3 * * * /bin/sh /backup/encrypt.sh > /tmp/ab.log 2>&1
    0,15,30,45 * * * * /bin/sh /backup/testgpgpath.sh > /tmp/testgpgpath.log 2>&1

Don't forget to remove the testgpgpath. The other thing is that root usually doesn't have keys, but just copying the ones you want to /root/.gnupg makes that possible.

HHH
Re: Can't run GPG --recv-keys under Windows Vista.
All: This seems to be going out of the realm of GnuPG. What I was attempting to point out was the problems may be far deeper than just the internal code changes you have already made in GnuPG. I hope the new install program of both GnuPG and GPG4Win have that patch in place - most Windows users don't have development systems. I assumed the patches were in place, which makes the initial question that started all this even more baffling. If they were using the patched version of GnuPG, then why are they still having problems? Firefox and many other programs had to be recompiled for Vista and in addition to the reasons you have found (code changes), here are the reasons why the other programs had to be remade. The major reason is that the new Vista programs needed that expensive certification from Microsoft. You will also have to replace almost all of the programs you use when you move to Vista for these same reasons. In other words, the problem is not just peculiar to GnuPG. Here are some of the reasons for the why software that used to run on Windows won't run on Vista: 1. Vista considers the %ProgramFiles% area as semi-protected. Since GnuPG is installing into this area, it is a reason for concern. Even such programs as Firefox couldn't be installed on Vista for a while. The reason why it is only semi-protected is because if it is fully protected, it causes problems for anti-virus, anti-spyware, firewalls, and other security programs that need to be updated. 2. Vista considers the %Windir% as a protected area. 3. Vista considers certain areas of the registry (HKLM primarily) as protected areas. 5. There are some other areas that Vista considers protected areas, but I gave you the three major areas. 4. Any program or script that begins to access (not just modify) the protected areas frequently needs to be licensed by Microsoft. The only way I have observed of getting around it is to run that elevated Command Prompt and run the program from there. 
That is the only way my ckdupe.exe program I provided on the back end for other people that make blocking hosts files will run. When they saw my ckdupe program checks their files for duplicates and does it in less than 1/4 of a second (the heapsort is the key to the speed) they all started using it. Vista broke the running of that program. The only way it runs any more is in that elevated privileges Command Prompt. There was no tricky code in it that would have caused a problem either. And checking a hosts file some place else other than in the protected file system areas doesn't help either. So the code changes you are making to GnuPG are in addition to this new way of running programs on Vista. You need to understand our blocking hosts file is smack dab in the middle of one of their protected areas. It is also why I installed both Homer and our PAC filter at the top of the drive (they are in unprotected file space). It doesn't help because Vista still blocks the scripts unless run from an elevated privilege Command Prompt. There were things being blocked on Vista that still leave me baffled. They weren't going into any of the protected areas and they were still having problems. Now any changes to GnuPG code in either installer or the run programs is on top of this new way of doing things which is different from previous versions of Windows. As a test, you could TRY to install my blocked cookie list into Firefox (a binary is included). 
You SHOULD have no problems on any version of Windows including Vista: - Microsoft Windows Version http://securemecca.com/Firefox.msw.zip - Unix version (you must compile it yourself) http://securemecca.com/Firefox.unx.tar.gz But I will wager that you will have problems running it on Vista (report in group if you choose but also tell me directly if you use Vista and either had or didn't have problems - you may not be able to get it to work at all) unless you run the program that installs the domains not allowed to set cookies in that elevated privileges Command Prompt. BTW, the add2ffox.exe only runs in a Command Prompt anyway. If you use SpyWareBlaster or similar programs I would run the program each time after you run their updates since they may remove what I have identified are the most prevalent tracking cookie domains on the Internet. The only thing that should be in the blocked cookie list are those domains you hit most of the time. That is all it does too, blocks cookies. If you want to restrict domains, your only option in Firefox is NoScript. PAC filters, blocking hosts files, and Ad Blockers BLOCK entirely, not just restrict. So what does all of this have to do with GnuPG? I think any changes or attempts to make GnuPG work on Vista need to have these things kept in mind. Vista is not just a minor twist in the way of doing things coming out of Redmond. It is entirely new in many ways. It is why I finally abandoned
Re: easy way to confirm email validity
Henry Hertz Hobbit wrote:

SNIP

As an aside, if you are concerned about DNS cache server poisoning, then take the IP address and stick it into the hosts file (make sure hosts come before DNS in the nsswitch.conf file in nix machines). If nothing else it stops the chatter happy Zone Alarm firewall from querying for its IP address every five seconds. The host / domain name has more than one IP address? Randomly pick one of them. Check back that they are the same but not every five seconds. Try every six hours for a week or so until all the DNS TTLs have timed out. djbdns anybody?

I am interpreting your statement as saying all of the people you will be sending to are only moderately interested in verification rather than paranoid, and that they will all be using Windows. Correct me if I am wrong. If the conditions are not these, the next statement has NO meaning.

Now that we know a little better what you want to do (just one way verification of emails with them verifying you but not vice versa) you MAY be best served by using X.509. I really don't like the idea of that web verification scheme. Once you look at X.509 you will see that is better. I have had mail redirects in the past week from several universities, and one of them was from MIT! It is just too easy for Mallory to say click on this link to verify, and back we go to phishing 101.

In other words, there is no substitute but for the people who are getting your messages to assume some of the responsibility for verification themselves. One of the key things in Bruce Schneier's security service are people monitoring what is going on. The people receiving your messages need to assume some of the responsibility themselves.

HHH
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re:
Zeljko Vrba [EMAIL PROTECTED] writes:

Jim Berland [EMAIL PROTECTED] writes:

There are other flaws in the computer system that would have to be addressed (a secretary has root access to the server to let her start the daily backup process after work), but I'm not in charge of that.

Huh? That requires only a single suid-root command.

You said root so I assume Unix. Better yet, that requires nobody at all unless you need somebody to change the media. Just use cron to do automated backups. For Fedora / RedHat / OpenSuse / Novell the default crond chkconfig setting enables it (I can't speak for other versions of Linux or Macs):

    crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off

On older style Unix systems, they MUST have cron running. That is what is used to trim the logs, etc. For MS Windows you also have software to do backups for you in an automated fashion. Your "not in charge" makes me worry about the politics of what you are doing.

Since I'm going through the trouble of setting everything up and teaching our employees, though, it would be great to also use GPG with business partners. I don't think it's really going to happen, but

If you want secure communication with your partners, you might have better luck with X.509 certificates. They just work under windows. The only needed initial setup is import of the root certificate. Free certificates are available from www.cacert.org ...

All of the things Zeljko said here (why repeat it?) are true. More to the point, X.509 are what most other MS Windows oriented companies will be using. They may not be using the free certificates though. Everybody I have heard wants a middle company doing some sort of investigation of both parties. It gives them that warm fuzzy feeling. It's not that the companies don't trust the OpenPGP WOT model; they don't even know about it. There are cases where other companies will specify OpenPGP, and there is one case in the GnuPG archives for you to look at. The posters were using a Sun Solaris system on their end but I can't remember what the people on the other end were using other than it was also a Unix system.

Look around your shop. If it is almost all Microsoft Windows then lean towards X.509. If it is all Linux, then lean towards OpenPGP. But when it comes to other companies other than your own, ASK THEM. Ask all the other companies you deal with what they want you to use.

Zimmermann made the statement to the effect that it isn't so much big brother that will be doing the spying as it is other companies that will be spying on your company to gain a competitive advantage. You have already alluded to the loss of confidential information. In other words, you need SOME sort of encryption. But more to the point, you need the blessing of those that are in charge to implement it, at least on a trial basis in those areas where your company is having problems. Since you have already had cases of stolen information, that should be an easy sell. But sometimes it isn't. There are an awful lot of Paris Hiltons out there (people that don't secure their data). Worse, they don't see any reason for securing their data either.

HHH
Re: gpg --batch -ea -r keyid filename
Jane Grove wrote:

Message: 4
Date: Mon, 14 May 2007 12:51:21 -0500
From: jane grove [EMAIL PROTECTED]
Subject: Encrypt in Batch Mode with Key ID
To: gnupg-users@gnupg.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello, I tried to use the command: gpg --batch -ea -r keyid filename to encrypt a file in batch mode with a recipient public key ID. I got an encryption failed: unusable public key error message. Interestingly, when I use the command without batch mode like gpg -ea -r keyid filename, I'm able to encrypt the file. So the batch mode is having problems. How can I encrypt the file using recipient public keyid correctly in batch mode?

Try:

    gpg --batch -ea -r KEYID < filename > filename.asc

On Windows in *.BAT, that would perhaps be best written as (name the script file pcrypt.bat and put it some place in your %PATH%). I leave it to you to add more than one argument which is best done in VBScript, not BAT.

--
    @echo off
    REM Add gpg.exe to the path if you did not do already
    REM PATH=%PATH%;%ProgramFiles%\Gnu\GnuPG
    setlocal
    REM No argument given: print the usage line
    if "%~1" == "" goto instruct
    if exist "%~1" (
        REM Remove any previous output before writing the new one
        if exist "%~1.asc" del "%~1.asc"
        gpg --batch -ea -r KEYID < "%~1" > "%~1.asc"
    ) else (
        echo FILE %1 does not exist
    )
    goto exit
    :instruct
    echo usage: pcrypt file_to_encrypt
    :exit
    endlocal
--

You didn't say what platform you are on. If you are on some sort of Nix platform, you can use the pcrypt script file in this zipped folder to automate the encryption (it has MY KEYID, and I tested it and it WORKS - replace my KEYID with one of your choice):

http://www.securemecca.com/Crypto.zip
MD5: 942e18704f65f14551535c6e086128c3
SHA1: 5b17554888d7ad4fc8376ed71c4a8a92f8ff2888

Check sums were created with the -b option on Linux. Since ALL of the files in the folder have only LF rather than CR+LF on the ends of the files (they were written with the BASH shell in mind), I suggest using GVim on Microsoft Windows since it is the only editor that I know about that can see the files (there are probably others):

http://www.vim.org/download.php#pc
http://www.vim.org/

I strongly suggest you get the gvim71.exe unless you are a masochist. If you don't like tilde backup files, add the following line to the start vimrc file:

    set nobackup

If you or others want it in VBScript, let me know and I will try to add a VBScript file to do it, if I ever get back on MS-Windows. I have been on Linux for three plus weeks solid right now. My Anti-Virus program is probably so far out of date I will have to reinstall it!

You may have a damaged keyring, or the particular key is munged (hopefully it isn't yours). In that case search the archives for how to clean it up. There is a lot of good advice on how to do that from quite a few people. I would try the batch encrypting with other keys, and if it works with the other keys but not the one you are mentioning, then the key is the problem.

HHH
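The batch-mode failure discussed in this thread, as an added example that is not part of the original post and is not the pcrypt script it links to: in batch mode gpg never prompts, so a key it would normally ask about is rejected, and this POSIX shell sketch checks the recipient key before encrypting. It assumes GnuPG's `--with-colons` listing (field 2 is validity, field 12 is capabilities); the function names, the status words, the rule of accepting only validity m/f/u, and the sample listing are constructed for this illustration.

```shell
#!/bin/sh
# Added example: decide whether a recipient key can be used unattended.

# Constructed sample listing: validity "-" means nothing vouches for the key.
SAMPLE_UNTRUSTED='pub:-:2048:1:AAAAAAAAAAAAAAAA:1178000000:::-:::scESC:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1178000000::::::e:'

# key_status: read "gpg --with-colons --list-keys KEYID" output on stdin and
# print one word: ok, missing, revoked, expired, disabled, invalid,
# no-encryption-key or untrusted.
key_status() {
    awk -F: '
        $1 == "pub" {
            seen = 1
            validity = $2
            if ($12 ~ /D/) validity = "d"    # capability D marks a disabled key
        }
        # A primary key or subkey that can encrypt and is not itself
        # revoked, expired, invalid or disabled.
        ($1 == "pub" || $1 == "sub") && $12 ~ /e/ && $2 !~ /^[reid]/ { enc = 1 }
        END {
            if (!seen)                     print "missing"
            else if (validity == "r")      print "revoked"
            else if (validity == "e")      print "expired"
            else if (validity == "d")      print "disabled"
            else if (validity == "i")      print "invalid"
            else if (!enc)                 print "no-encryption-key"
            else if (validity !~ /^[mfu]/) print "untrusted"
            else                           print "ok"
        }'
}

# pcrypt_batch KEYID FILE: encrypt FILE to FILE.asc, refusing early with a
# reason instead of letting gpg fail with "unusable public key".
pcrypt_batch() {
    keyid=$1
    file=$2
    if [ ! -f "$file" ]; then
        echo "FILE $file does not exist" >&2
        return 2
    fi
    status=$(gpg --batch --with-colons --list-keys "$keyid" 2>/dev/null | key_status)
    if [ "$status" != "ok" ]; then
        echo "key $keyid cannot be used unattended: $status" >&2
        return 1
    fi
    rm -f "$file.asc"    # batch mode cannot ask before overwriting
    gpg --batch -ea -r "$keyid" -o "$file.asc" "$file"
}
```

A status of untrusted means the key itself is intact and the fix is to verify its fingerprint and certify it, not to repair the keyring.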
Re: W32 version tries to write to /dev/null
Andrew Berg wrote:

Werner Koch wrote:

On Mon, 7 May 2007 16:58, [EMAIL PROTECTED] said:

gpg: can't create `/dev/null': No such file or directory
gpg: signing failed: file create error

Fixed in my working copy by using /dev/nul instead

How would that help? /dev/nul can't exist on a Windows system either.

But NUL (nul) does exist, at least for now:

    command 1> NUL 2>&1

I use it all the time in my BAT, VBS, JS and PL (PERL) script files. But almost none of those script files work properly any more with Vista because any time you wander into protected areas you need administration privileges. I am talking about NORMAL Vista accounts, nothing special. Actually, you can start an elevated shell on Vista to run the script, but that is a real pain if you made it so people could just double-click on script files to run them. Here is the article on NUL and redirection:

http://support.microsoft.com/kb/110930

Just be sure if you are throwing it away, then throw it ALL away. If you don't, you will still see the message. I have NO idea whether it works the same in both scripts and inside C / C++ / C# programs. Windows is notorious for having scripting and binaries frequently behaving differently and you can't interspangle a script that calls a binary that in turn calls another script on pre-Vista Windows like you do on 'nix machines. Supposedly, the new PowerShell (PS1) scripting is going to make the mixing of binaries and scripts possible; hopefully NUL will be a first class object. BAT is gone on Vista, and PowerShell is Object shell scripting (with LOTS of gotchas).

HHH
Re: Convert Public Key to Decimal
acudetox wrote:

Thanks man, pardon the very bad pun...lol :) Anyhow I'm using a pc, and all the searching on the net for man bc seemed to point to Mac's, the most amazing computers on the market by the way... Anyhow, do you know how I can use bc on an xp windoze version? Thanks man, no pun this time.

Another way is to use what you have (now that we know what OS you are using):

    Start -> [All] Programs -> Accessories -> Calculator
    View -> Scientific
    Pick Hex radio button
    Input hexadecimal number
    Pick Dec radio button (it auto converts it)

Sorry, but you will have to toggle back and forth with the radio buttons, or do as somebody else suggested and install CygWin (it gives a Unix-like environment on Windows). It just depends on how often you are going to do the conversion.

HHH
Re: Generating and storing keys on usb pen
On Mon, 2007-04-23 at 13:46 -0400, David Shaw wrote:

On Sun, Apr 22, 2007 at 01:42:37PM -0700, rocko wrote:

I want to generate a new key pair, but i want to save it to a usb pen drive so i can keep it safe. I don't want any gpg keys stored on my laptop, in case it gets lost or stolen, the culprits won't have access to my gpg keys.

There is an incorrect assumption underneath this question. GPG keys are stored on a usb drive in exactly the same format they are stored on a laptop: encrypted. (Well, encrypted by default - if you didn't explicitly remove the passphrase, they're encrypted). My point is that storing the keys on a usb drive doesn't change anything if the keys are lost. If someone steals your laptop, they have the encrypted keys. If they steal your usb drive, they have the encrypted keys. There is no difference. Either way you cut it, the thief has an encrypted copy of your key. Unless the thief can figure out your passphrase, the key is useless to him. It's quite a bit easier to lose a usb drive than it is to lose a laptop...

I must preface this with the statement I do not even OWN a USB pen drive. That does NOT mean I don't see the advantages of having one. Your last paragraph is true but only partially complete. It is easy to slip that USB pen drive into your pockets or put it some place else like that to keep it safe. But a lap-top isn't easily stuffed into pockets. In addition to losing (and it is easier to lose the USB pen drive than it is to lose a lap-top) which ever, the other half of the original statement is what you had was stolen. Thieves usually don't steal USB pen drives; there is almost no market for stolen USB pen drives. Lap-tops are one of the most stolen items out there; there is a BIG market for stolen lap-tops. If your lap-top gets stolen but you have the USB pen drive, you still have your keys, safe and sound.

Keeping your keys on a USB pen drive has the additional benefit that you can use them on multiple machines without having multiple copies of the keys and the problems inherent with keeping the multiple copies of your keys in sync. So as long as you make backups of your keys (and put the backup in a safety deposit box) and keep the working copy on the USB pen drive, the likelihood of you losing control of your keys is probably lower.

So your keys were on your lap-top and it got stolen, or they were on your USB pen drive and it got lost. Now what do you do?

1. Continue using the existing keys because you planned ahead and pulled the copy from your safety deposit box and restored them to your new lap-top.

2. Same as number one, but you change your pass-phrase, and you upload that to the key servers. Is this really necessary?

3. Sit there and twiddle your fingers and thumbs because the only copy of your keys you had were on that lap-top or USB pen drive and that is the only copy you had. You didn't make a backup. You made a revocation file, but you don't have the keys any more. You took the default TTL which is your keys will live forever, and you uploaded the keys to the key-servers. So you make a new set of keys.

The thrust is that a USB pen drive is no better than a lap-top. The FBI of the US has had anywhere from 100 to 1000 lap-tops that have gone missing (it is hard to pin down actual numbers):

http://tinyurl.com/38hsvh
http://www.cnn.com/2007/US/02/12/fbi.laptops/index.html
http://msn-cnet.com.com/8301-10784_3-6158839-7.html

Don't depend on JUST a USB pen-drive. Do the rest to be complete:

[a] Make a backup of your keys and store the backup in a safe place where it is hard to lose it, like in a safety deposit box.

[b] Create a revocation file for your keys and also store it in a safe place.

[c] Give your keys an expire date rather than assuming they will be good forever. Be sure to have your day planner or what ever else you use give warnings when the time comes to decide whether to change the expiration date of the keys or say goodbye to them and create a new set of keys. Give yourself plenty of time; one to two or even three months before they expire is good. This takes on even more importance if you upload your keys to a key-server. Sure, you will have problems if you just created the keys and uploaded the keys to the key servers, but I would much rather live with that mistake for 2-3 years, rather than forever.

[d] Encrypt the entire hard disk drive on your lap-top. PGP Corporation makes this a part of their product. There are also other good Gnu options for doing this. Search the archives of this news group for the other options.

But David Shaw is correct; you don't buy a lot more protection by moving your keys from the hard drive to the USB pen drive if that is all you do. The keys ARE encrypted. You just buy yourself less grief if the lap-top is stolen or damaged to the point that it can't be
Re: UID changes (was Key Revocation)
David Shaw wrote:

SNIP

You select the user id with uid x where x is the number of the user ID. Then revuid.

Optionally, later on you can also do a (again, you have to pick whether to revuid or deluid) (a # indicates a comment):

    $ gpg --edit-key 98E6705C
    Command> uid      # shows uids so you can pick one. Sorry, I don't trust order
                      # to always be right, so I make SURE I get the right one. Use
                      # the number next to the old UID in the next command.
    Command> uid 2
    Command> deluid   # you can type quit instead of save next and no changes
                      # are made.
    Command> save

You may get confused, so when editing a key do a:

    Command> ?

To get a list of the commands. The ones that are relevant only to UIDs are the first five. The last two are relevant to any changes you make to your keys:

    uid
    adduid
    deluid
    primary
    revuid
    save    # changes won't occur unless this is done
    quit    # bails out and makes NO changes.

Be sure that if you revoke, you revoke the UID, NOT the key. quit is your friend in case you get confused. If you quit ALL of the changes are scrapped. Nothing is actually done until you save.

BTW, I would call this UID changes, since you are adding a new UID (adduid), making it a primary (uid 1, primary - be sure to do this to make your new email address the primary), and optionally later on either revoking (revuid) or deleting (deluid) the old UID. You are NOT revoking the keys (you have two - the 1024D/98E6705C DSA key and your sub g/ ElGamal key); you are just modifying the UID list. It may be helpful to think of the key numbers themselves as being the primary entities, and the user IDs as being subservient to them, but all of them exist together. You need at least one UID for the key. You can have as many UIDs associated with a key as you need or wish to have (within reason).

I say that since you may want to purchase your own domain and email address from a company you think will be there for quite a while. 1and1.com is selling them for about $20 a year, and Yahoo is selling them for about $35 a year. Once that is done, the musical email addresses can be tamed a little bit. You have the additional benefit of a blissfully short user name ([EMAIL PROTECTED] is available; you or somebody else already took chrispollock.org).

Once your changes are done, make sure you generate a new revocation file with a:

    $ gpg -a --gen-revoke 98E6705C > rev_cpollock_embarqmail_com.asc

Store it in a safe place. If you forget your passphrase, import it later on to revoke your keys to the key-server if it becomes necessary. Oh yes, once all of those changes have been made, BACK up your keys (pubring.gpg, secring.gpg, trustdb.gpg). Store that back-up in the same safe place as your revocation file. A bank safety deposit box is not out of line (no kidding).

HHH