Re: GnuPG (GPG) Problem
On Mon, 21 Aug 2006 12:50:05 +0200, "Henk M. de Bruijn" <[EMAIL PROTECTED]> wrote:

> On Sun, 20 Aug 2006 09:40:45 +0200GMT (20-8-2006, 9:40 +0200, where I
> live), Bo Berglund wrote:
>
> ...
>
>> I wonder about the gpg.conf file:
>> Is it used at all in Windows?
>> I looked at my own one at "C:\Documents and
>> Settings\\Application Data\gnupg" and found only commented
>> out lines there. The word keyring appeared only twice and this was in
>> descriptive text, not in a setting.
>
>> So how does one do this on Windows
>
> Mine is in my gnupg home directory c:\program files\gnupg and works like a
> charm.

As I said, on my installation there is nothing in the install dir for GnuPG, only in my home (which on Windows translates to C:\Documents and Settings\), where it is located in a subdir \Application Data\gnupg, and mine is completely empty of any active lines. Seems like it is not in use at all (because if it were, every line should not be commented out). Maybe the Windows version stores all of this in the Registry?

This forum tends to treat everything from a Linux perspective, which is fine except for us who use Windows, where Linux tricks seem not to work...

I was just hooking on to this discussion in order to find out how one can control *where* GnuPG will look for the keyrings; the conf file apparently is not the answer.

Bo Berglund

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Structure of pubring.gpg
Why are the keys in pubring.gpg in the order in which they were imported? Is this not considered a security risk? Would it not be safer and more convenient to have the keys sorted by user ID or key ID?

I deleted all files in my .gnupg directory, and then imported a public key. Then I exported the key in binary form and compared the file with pubring.gpg in a hex editor. The beginnings of both files were identical, but from the middle onward they differed. How and why are keys changed when imported?

Oskar
Re: What does key properties validity and trust 'None' mean???
On Mon, 21 Aug 2006 10:38:35 +0200, Werner Koch <[EMAIL PROTECTED]> wrote:

> Hi!
>
> FWIW, there is a little script in the gpg-distribution:
>
> # lspgpot - script to extract the ownertrust values
> # from PGP keyrings and list them in GnuPG ownertrust format.
>
> I have not used it for a long time, but it might be helpful. Run it
> with PGP's pubring as argument.

Probably good on Linux systems, but I can't find anything in my GnuPG installation on WindowsXP-Pro. And I doubt scripts will run on Windows... (I installed using gpg4win-1.0.4)

Bo Berglund
Re: Don't store your key on a flash drive!
On Mon, 21 Aug 2006 20:11, [EMAIL PROTECTED] said:

> if the secret key was generated before the fix of the
> * quick-check * problem of PGP symmetric encryption,
> http://eprint.iacr.org/2005/033

It has always been solid practice to avoid oracles, thus this problem is not very real.

Shalom-Salam,

Werner
Re: Don't store your key on a flash drive!
> Date: Sat, 19 Aug 2006 21:17:58 -0400
> From: David Shaw <[EMAIL PROTECTED]>
> Subject: Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]

[...]

>> there's nothing inherently dumb about putting a private key on a USB
>> dongle as long as the passphrase is sufficiently strong.
>
> This is quite correct and frequently misunderstood. After all, the
> secret key encryption is essentially the same symmetric encryption
> that is used to encrypt messages. If you're trusting it to protect
> your messages, you probably should trust it to protect your key as
> well.

If the secret key was generated before the fix of the *quick-check* problem of PGP symmetric encryption, http://eprint.iacr.org/2005/033, then does the passphrase need to be changed with a newer version of gnupg, or did this only apply to symmetric encryption of messages, and not symmetric encryption of the secret key?

TIA,

vedaal
Re: GnuPG neophyte inquiries.
On Sun, 20 Aug 2006, Qed wrote:
> On 08/20/2006 07:31 AM, Caitlin wrote:
>> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on
>> it, would this represent a potential security concern?
> Your keyring would be stored in your personal home dir, if you have
> installed XP on a NTFS partition (i.e.: permissions are enabled)

Assuming they spent the extra $100 for XP Professional rather than the XP Toy^wHome edition that comes with most PCs (which has only the protection-free VFAT).

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.
Re: GnuPG neophyte inquiries.
On 08/21/2006 02:59 PM, Mark H. Wood wrote:
>>> 1). My roommate and I share a WinXP box. If I install GnuPG 1.4.5 on
>>> it, would this represent a potential security concern?
>> Your keyring would be stored in your personal home dir, if you have
>> installed XP on a NTFS partition (i.e.: permissions are enabled)
>
> Assuming they spent the extra $100 for XP Professional rather than the
> XP Toy^wHome edition that comes with most PCs (which has only the
> protection-free VFAT).

I had forgotten that distinction, I use Un*x. But I believe even the home version has NTFS support, not per-user/group permissions (maybe there was a tweak to enable them) nor EFS.

--
Q.E.D.
War is Peace
Freedom is Slavery
Ignorance is Strength
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!
Re: Don't store your key on a flash drive!
On Mon, 21 Aug 2006 14:27, Alphax said:

> - Smartcards are largely experimental and don't have the instant
> usability of a USB stick

About 800 million users of cell phones probably don't share your opinion that GSM cards are only experimental.

Shalom-Salam,

Werner
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
Alphax wrote:
> I don't use a flash drive or a smartcard, for the following reasons:

... and in a follow-up to my own follow-up, apparently Rainbow got bought out by SafeNet. The iKey is still available and the specs haven't changed from the last I used them some years ago. They're handy little devices.

Any possibility of supporting this from GnuPG? If so, it might be a good compromise between smartcard and flash-based solutions. Of course, it still only supports RSA/1024. Sigh.
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
Alphax wrote:
> - Flash drives are too prone to failures at bizarre moments
> - Smartcards are largely experimental and don't have the instant
> usability of a USB stick

A few years ago Rainbow Technologies came out with a device they called the iKey. Smartcard with a USB connector, about the same form factor as a car key. Lovely hardware, but programming for it is a bear.
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
Robert J. Hansen wrote:
> Janusz A. Urbanowicz wrote:
>> You can't read a private key from the smartcard, but you can read it
>> from the flashdrive. SC is a crypto processor + storage, flashdrive
>> only storage.
>
> All of which is true. However, the bit to which I was replying was:
>
> "A smartcard is very convenient as far as it's a multi application
> device, so you can store much other info apart from GnuPG keys, i.e.
> Mozilla passwords or such."
>
> ... And I'm still trying to figure out how that's different from a flash
> drive. Maybe there is a difference and I'm not seeing it. Or maybe
> there isn't one.

I don't use a flash drive or a smartcard, for the following reasons:
- Flash drives are too prone to failures at bizarre moments
- Smartcards are largely experimental and don't have the instant usability of a USB stick

(/me mutters something about "The right tool for the right job"...)

--
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
Re: GnuPG (GPG) Problem
On Sun, 20 Aug 2006 09:40:45 +0200GMT (20-8-2006, 9:40 +0200, where I live), Bo Berglund wrote:

...

> I wonder about the gpg.conf file:
> Is it used at all in Windows?
> I looked at my own one at "C:\Documents and
> Settings\\Application Data\gnupg" and found only commented
> out lines there. The word keyring appeared only twice and this was in
> descriptive text, not in a setting.

> So how does one do this on Windows

Mine is in my gnupg home directory c:\program files\gnupg and works like a charm.

--
Henk M. de Bruijn
The Bat! Natural E-Mail System version 3.81.15 Beta Pro on Windows XP SP2
Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B
Gossamer Spider Web of Trust http://www.gswot.org
A progressive and innovative Web of Trust
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
Janusz A. Urbanowicz wrote:
> You can't read a private key from the smartcard, but you can read it
> from the flashdrive. SC is a crypto processor + storage, flashdrive
> only storage.

All of which is true. However, the bit to which I was replying was:

"A smartcard is very convenient as far as it's a multi application device, so you can store much other info apart from GnuPG keys, i.e. Mozilla passwords or such."

... And I'm still trying to figure out how that's different from a flash drive. Maybe there is a difference and I'm not seeing it. Or maybe there isn't one.
Re: Don't store your key on a flash drive! [was Re: GnuPG (GPG) Problem]
On Sun, Aug 20, 2006 at 09:18:13AM -0500, Robert J. Hansen wrote:
> Ismael Valladolid Torres wrote:
>> A smartcard is very convenient as far as it's a multi application
>> device, so you can store much other info apart from GnuPG keys,
>> i.e. Mozilla passwords or such.
>
> ... I'm sorry, I'm scratching my head over here trying to figure out how
> a flash drive doesn't also share these properties. In fact, given the
> limited space available on a smartcard, the limited application support
> for them, etc., it seems flash drives are the clear winner in this context.

You can't read a private key from the smartcard, but you can read it from the flashdrive. SC is a crypto processor + storage, flashdrive only storage.
Re: Multiple recipients
On Fri, Aug 18, 2006 at 03:09:43PM -0500, Brian Rosenvinge wrote:
> We have decided to decrypt using a "special" user and re-encrypt the
> file to multiple users. Our concern is that unless we want to do this
> manually it has to be scripted and that will require the "special"
> user's passphrase to live in the script or on a server in plaintext. No
> one in IS wants to add this to their daily responsibilities and we
> really should not have access to the data anyway as it is meant for our
> finance department.

Put the special key on a smartcard with no passphrase; only the physical availability of the SC will decrypt the data, and the key will be unstealable electronically.

a
Re: Book advice
On 08/20/2006 10:08 PM, Johan Wevers wrote:
> Not directly related to GnuPG, but does anyone here know the book
> "Handbook of Applied Cryptography" from A.J. Menezes, P.C. van Oorschot
> and S.A. Vanstone, printed in 1996? I found it on eDonkey and wanted to
> know if someone knows if it is advisable. It appears quite mathematical
> in its approach, much more so than Schneier's "Applied Cryptography".

At http://www.cacr.math.uwaterloo.ca/hac/ you can find the last e-version of this nice book directly from its authors.

--
Q.E.D.
OpenPGP key ID: 0x58D14EB3
Re: What does key properties validity and trust 'None' mean???
Hi!

FWIW, there is a little script in the gpg-distribution:

# lspgpot - script to extract the ownertrust values
# from PGP keyrings and list them in GnuPG ownertrust format.

I have not used it for a long time, but it might be helpful. Run it with PGP's pubring as argument.

Salam-Shalom,

Werner

#!/bin/sh
# lspgpot - script to extract the ownertrust values
# from PGP keyrings and list them in GnuPG ownertrust format.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

if ! gpg --version > /dev/null 2>&1 ; then
    echo "GnuPG not available!"
    exit 1
fi

# Parse the PGP keyring without touching our own keyrings (--dry-run) and
# emit colon-separated records; "$@" keeps keyring paths with spaces intact.
gpg --dry-run --with-fingerprint --with-colons "$@" | awk '
BEGIN {
    FS=":"
    printf "# Ownertrust listing generated by lspgpot\n"
    printf "# This can be imported using the command:\n"
    printf "#   gpg --import-ownertrust\n\n"
}
# Remember the fingerprint of the key whose records follow.
$1 == "fpr" { fpr = $10 }
# "rtv" records carry the PGP ring-trust byte in field 3; map PGP trust
# values 2/5/6 onto GnuPG ownertrust values 3/4/5 (never/marginal/full).
$1 == "rtv" && $2 == 1 && $3 == 2 { printf "%s:3:\n", fpr; next }
$1 == "rtv" && $2 == 1 && $3 == 5 { printf "%s:4:\n", fpr; next }
$1 == "rtv" && $2 == 1 && $3 == 6 { printf "%s:5:\n", fpr; next }
'
Re: Multi-user gpg-agent question
On Sun, 20 Aug 2006 07:21, Dylan Vaughn said:

> The issue is that after I start gpg-agent for one user, it does not work
> for any other user on my machine. For example, after I do an initial

Well, you need to start it for each user.

> subsequent decrypt calls, then when I switch to a different user on my
> machine and try to do the same thing gpg-agent doesn't prompt me for my
> passphrase on the initial attempt and instead gives me this message:
>
> [EMAIL PROTECTED]:~/test$ eval "$(gpg-agent --daemon)"
> [EMAIL PROTECTED]:~/test$ gpg -o clear.txt -d test.txt.asc

The invocation of gpg-agent may have failed. You better run gpg-agent this way for testing:

  gpg-agent --daemon

It should emit the following lines:

  GPG_AGENT_INFO=/tmp/gpg-3JMzhv/S.gpg-agent:32230:1; export GPG_AGENT_INFO;
  SSH_AUTH_SOCK=/tmp/gpg-gA6FYU/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
  SSH_AGENT_PID=32230; export SSH_AGENT_PID;

The SSH lines are because I have enable-ssh-support in my gpg-agent.conf. That is what the eval evaluates. Now cut+paste the GPG_AGENT_INFO line into the shell to manually do the eval. Then you can test whether it works:

  $ gpg-connect-agent

Enter for example

  GET_CONFIRMATION foo

and the pinentry will appear to ask you about foo. Click on OK and you will see the OK :-). Ctrl-D terminates gpg-connect-agent. You may run it with the option --verbose to see some diagnostics.

The best way to debug it is by invoking gpg in a different way:

  $ gpg-agent --daemon --debug 1024 /bin/sh
  gpg-agent[32264]: reading options from `/home/test/.gnupg/gpg-agent.conf'
  gpg-agent[32264]: listening on socket `/tmp/gpg-g4KTHx/S.gpg-agent'
  gpg-agent[32264]: listening on socket `/tmp/gpg-MxP8eV/S.gpg-agent.ssh'

This runs a shell under the control of the gpg-agent and also sets up the environment variables. Now you may use gpg --use-agent at this shell, but we want to try it manually:

  sh-3.00$ gpg-connect-agent
  gpg-agent[32265]: handler 0x808cae0 for fd 0 started
  gpg-agent[32265.0x808cde8] DBG: -> OK Pleased to meet you
  gpg-agent[32265.0x808cde8] DBG: <- RESET
  gpg-agent[32265.0x808cde8] DBG: -> OK
  gpg-agent[32265.0x808cde8] DBG: <- OPTION display=localhost:11.0
  gpg-agent[32265.0x808cde8] DBG: -> OK
  gpg-agent[32265.0x808cde8] DBG: <- OPTION ttyname=/dev/pts/2
  gpg-agent[32265.0x808cde8] DBG: -> OK
  gpg-agent[32265.0x808cde8] DBG: <- OPTION ttytype=xterm
  gpg-agent[32265.0x808cde8] DBG: -> OK
  gpg-agent[32265.0x808cde8] DBG: <- OPTION lc-ctype=en_US
  gpg-agent[32265.0x808cde8] DBG: -> OK
  gpg-agent[32265.0x808cde8] DBG: <- OPTION lc-messages=C
  gpg-agent[32265.0x808cde8] DBG: -> OK

Here we have connected successfully to the agent and the initial handshake has been done. "--debug 1024" lets you see all this. Now we enter:

  GET_CONFIRMATION bar

and gpg-agent does its magic:

  gpg-agent[32265.0x808cde8] DBG: <- GET_CONFIRMATION bar
  gpg-agent[32265]: starting a new PIN Entry
  gpg-agent[32265]: DBG: connection to PIN entry established
  gpg-agent[32265]: command get_confirmation failed: Not confirmed
  gpg-agent[32265.0x808cde8] DBG: -> ERR 67108978 Not confirmed

Well, I clicked on cancel and gpg-agent returned "ERR 67108978 Not confirmed", the status code for cancel.

  gpg-agent[32265.0x808cde8] DBG: <- [EOF]
  gpg-agent[32265]: handler 0x808cae0 for fd 0 terminated

gpg-connect-agent has disconnected from the agent, and we want to terminate the agent too:

  sh-3.00$ exit
  exit
  $ gpg-agent[32265]: parent process died - shutting down
  gpg-agent[32265]: gpg-agent (GnuPG) 1.9.23-svn4218 stopped
  gpg-agent[32265]: secmem usage: 0/16384 bytes in 0 blocks

System is clean again and ready for another test ;-)

I hope this helps to understand how the agent works. The actual command gpg uses to get the passphrase is:

  GET_PASSPHRASE X X X X

(enter the X verbatim).

You should also read the manual where the installation of the gpg-agent is described. The manual is in info format, thus enter "info gnupg". The next version will also come with man pages automatically created from the Texinfo source.

Shalom-Salam,

Werner
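An added example (my own code, not from the list or from GnuPG): a small Python parser for a `gpg-agent --debug 1024` transcript of the shape Werner shows above. It pairs each client command (`<-`) with the agent's reply (`->`) and decodes the numeric ERR value the way libgpg-error packs it (error source in bits 24-30, error code in the low 16 bits), so a reader can see that 67108978 is source 4 (gpg-agent) and code 114 (Not confirmed). The sample log lines are constructed, the pid and handler address are illustrative, and only those two libgpg-error names are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the `gpg-agent --debug 1024` transcript
# in the message above; pid and handler address are illustrative.
SAMPLE_LOG = """\
gpg-agent[32265.0x808cde8] DBG: -> OK Pleased to meet you
gpg-agent[32265.0x808cde8] DBG: <- RESET
gpg-agent[32265.0x808cde8] DBG: -> OK
gpg-agent[32265.0x808cde8] DBG: <- OPTION ttyname=/dev/pts/2
gpg-agent[32265.0x808cde8] DBG: -> OK
gpg-agent[32265.0x808cde8] DBG: <- GET_CONFIRMATION bar
gpg-agent[32265]: command get_confirmation failed: Not confirmed
gpg-agent[32265.0x808cde8] DBG: -> ERR 67108978 Not confirmed
gpg-agent[32265.0x808cde8] DBG: <- [EOF]
"""
# Only DBG lines carry protocol traffic: "<-" is client to agent, "->" the reply.
DBG_LINE = re.compile(r"^gpg-agent\[\d+\.0x[0-9a-f]+\] DBG: (<-|->) (.*)$")

# libgpg-error packs the error source in bits 24-30 and the code in the low
# 16 bits; 4 is GPG_ERR_SOURCE_GPGAGENT and 114 is GPG_ERR_NOT_CONFIRMED.
ERROR_SOURCES = {4: "gpg-agent"}
ERROR_CODES = {114: "Not confirmed"}

def decode_gpg_error(value):
    source, code = (value >> 24) & 0x7F, value & 0xFFFF
    return (ERROR_SOURCES.get(source, f"source {source}"),
            ERROR_CODES.get(code, f"code {code}"))

@dataclass
class Exchange:
    command: str
    status: str = ""          # "OK", "ERR", or "" if no reply was seen
    error: tuple = None       # decoded (source, reason) when status is "ERR"

def parse_transcript(text):
    """Pair each client command with the agent's reply, in order."""
    exchanges, pending = [], None
    for line in text.splitlines():
        m = DBG_LINE.match(line)
        if not m:
            continue          # status chatter, not protocol traffic
        direction, payload = m.groups()
        if direction == "<-":
            if payload == "[EOF]":
                break         # client disconnected
            pending = Exchange(command=payload)
            exchanges.append(pending)
        elif pending is not None:   # the greeting "OK Pleased to meet you" has no command
            status, _, rest = payload.partition(" ")
            pending.status = status
            if status == "ERR":
                pending.error = decode_gpg_error(int(rest.split()[0]))
            pending = None
    return exchanges

def failed_commands(text):
    return [(e.command, e.error) for e in parse_transcript(text) if e.status == "ERR"]
```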