gnupg binaries too big? / OpenBSD Moving Towards Signed Packages — Based On D. J. Bernstein Crypto
Hi,

Is there any possibility to create a minimal version of gnupg?

http://bsd.slashdot.org/story/14/01/19/0124202/openbsd-moving-towards-signed-packages-based-on-d-j-bernstein-crypto

# ---
/It's official: 'we are moving towards signed packages http://marc.info/?l=openbsd-misc&m=138992613426488&w=2,' says Theo de Raadt on the misc@ mailing list. This is shortly after a new utility, signify http://bxr.su/OpenBSD/usr.bin/signify/signify.c, was committed into the base tree. The reason a new utility had to be written in the first place http://www.tedunangst.com/flak/post/signify is that gnupg is too big to fit on the floppy discs, which are still a supported installation medium for OpenBSD. Signatures are based on the Ed25519 http://ed25519.cr.yp.to/ public-key signature system from D. J. Bernstein and co., and his public domain code once again appears http://bxr.su/OpenBSD/usr.bin/signify/mod_ed25519.c in the base tree of OpenBSD, only a few weeks after some other DJB inventions made it into the nearby OpenSSH http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein as well./

Kind regards,
Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)
On 08.12.2013 19:13, NdK wrote:
> Why is everyone thinking 'BIOS' as backdoorable piece of sw? Why not the hard disk?
> http://spritesmods.com/?art=hddhack
> Just another piece to think of when building a secure system...

Excellent article! Thank you.

Writing firmware, I meant every piece of code for / inside all involved hardware components and in particular with their own controllers (e.g. keyboard, USB ...) and not only the BIOS of the motherboard.

Some backdoors can be hardcoded in the hardware of controller chips (e.g. network controller etc.). Sending a special sequence of data to them can turn them into debug or whatever mode.

Hacking smartcards is more complicated but possible.

BTW: there is no video at:
http://achtbaan.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v

Kind regards,
Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
Implementation idea of CURVE25519 for gnupg 2.1
Hi,

There is a GPL 3 based implementation of CURVE25519 called Pretty Curved Privacy (pcp1).

http://www.daemon.de/PrettyCurvedPrivacy

What do you think about using parts of the pcp1 source code to implement such functionality into gnupg 2.1?

http://www.daemon.de/idisk/Apps/PrettyCurvedPrivacy/pretty-curved-privacy-0.1.4.tag.gz

I myself like this ASCII Case Demo video on how to use this utility:

http://asciinema.org/a/6135

Short description (from the website):

# ---
Pretty Curved Privacy (pcp1) is a commandline utility which can be used to encrypt files. pcp1 uses elliptic curve cryptography for encryption (CURVE25519 by Dan J. Bernstein). While CURVE25519 is no worldwide accepted standard it hasn't been compromised by the NSA - which might be better, depending on your point of view.

Caution: since CURVE25519 is no accepted standard, pcp1 has to be considered as experimental software. In fact, I wrote it just to learn about the curve and see how it works.

Beside some differences it works like GNUPG. So, if you already know how to use gpg, you'll feel almost home.
# ---

Kind regards,
Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
Re: Threema. / don't trust closed source software
On 10.11.2013 02:46, Robert J. Hansen wrote:
> Looking over their site briefly I was unable to find a link for source code. As a result, I think very little of it. I don't think it's wise to trust unknown third-party binaries that don't provide source.

It is a commercial iOS and Android application without source code and even such important details like the used encryption.

Don't trust closed source software products!

regards,
Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org
http://git.it-infrastrukturen.org
Re: 2048 or 4096 for new keys? aka defaults vs. Debian
On 27.10.2013 20:41, Werner Koch wrote:
> On Sun, 27 Oct 2013 17:47, gn...@oneiroi.net said:
>
> Numbers please? Or are you talking about personal/subjective impressions? What about you running some benchmarks for us?
>
> Let's say: a 4k RSA key signed by 90 other 4k RSA keys, 8 2k RSA keys, and one 8k RSA key. For security reasons key signature caching has been disabled (--no-sig-cache) because you obviously can't accept that in this high security theater. Run encryption+signature tests for 2 recipients out of the set of these 100 keys.
>
> Compare that to a set of 2k keys with only one 4k key.
>
> Run these tests again on an average netbook.

Are there formal reasons why the max length of the RSA key is limited in gnupg[2] linux packages to 4096 Bits only? One thing are the available performance and sane defaults, the other one the available security. (without patching the source code and rebuilding packages)

The max length of the key does not have anything to do with zero-exploits. When collecting tons of data there is only this data .. nothing else to break in.

I don't trust NIST myself and I guess most of you know why. The question is if similar institutions in Europe, Asia, Africa or Australia can be trusted more.

> Shalom-Salam,
>
> Werner
>
> p.s. Once I did tests with off-the-shelf smartcards. Signing a mail with 1k RSA key using these smartcards took more than one second - it was barely unusable for everyday mail processing. Only when we moved to our own smartcards (the old AVR based 1k RSA keys) using a smartcard was actually usable (100ms). You don't want to wait 10 seconds to decrypt a thread of 10 mails just to notice that it was only CCed office chitchat.

Kind regards,
Mark

--
m...@it-infrastrukturen.org
http://rsync.it-infrastrukturen.org