Re: GnuPG on MS Vista
On Thu, 8 Feb 2007 23:02, [EMAIL PROTECTED] said: That's up to the GnuPG developers, and whether they have any Vista boxes available to do regression testing on. They may have already No, I don't have decent hardware to install Vista on it. I plan to do so but it may take sometime. A points which needs some investigation is the entropy gatherer - this is very system specific code and we need to check whether it will still deliver enough entropy. Shalom-Salam, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Newbie question
Hi all, I have a question concerning an unusual way of using gnuPG... I don't want to encrypt emails, I just want to encrypt binary data and deliver that over the internet. Consider the following scenario: I have a program that gets deliverd to various clients. The program is a viewer for 3d models. The viewer can load and display various types of input formats (e.g. CAD models). It can also load models directly from a URL. Now we'd like to put some cool models on our web page but we don't want people to disassemble the file and thus getting to the mathematic definition of a CAD model (people giving you a CAD model of e.g. a brandnew car are very concerned about their data!!!). So I thought to protect the data with public/private key encryption. We encrypt the data with a private key and put the result on our server. Our viewer contains the public key for decryption. You might say that it's easy to get to the data anyway, you just have to dump the memory of the program after the data has been decypted But that requires some higher criminal energy, and I think I can live with the risk... - So actually, my question is: Does this approach make any sense for you crypto-gurus out there? (Please forgive me my ignorance, I have just a vague memory of my cryptography lessons...). - Does libcrypt do the job? - The CAD data may contain a fixed header, so an atacker knowing the header might use this info to easily get the private key? Thank you and kind regards, Toni ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Newbie question
Hi Sven, Hi! Private/Public key does not buy you much in this case if all you want is to obfuscate the file contents. Just use some AES implementation with the same symmetric key on the server and the client. Despite you seem to be aware of it, let me stress again: It cannot possibly be secure if the decryption key is stored alongside with the enrcypted data (which is why I chose the word obfuscate above). Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. Else, how should he read your mail? Am I totally wrong? Bye, Toni ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Newbie question
On Fri, 9 Feb 2007 11:36, [EMAIL PROTECTED] said: Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. Else, how should he read your mail? Am I totally wrong? It is the way around. You use the *public* key to *en*crypt to the recipient. The recipent uses his *private* key to *de*crypt. Of course you could include a private key in a viewer software so that anyone can encrypt files for use by this viewer. I think that is what you had in mind. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Newbie question
Hi, On Fri, 9 Feb 2007 11:36, [EMAIL PROTECTED] said: Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. Else, how should he read your mail? Am I totally wrong? It is the way around. You use the *public* key to *en*crypt to the recipient. The recipent uses his *private* key to *de*crypt. Of course you could include a private key in a viewer software so that anyone can encrypt files for use by this viewer. I think that is what you had in mind. Exactly. I interchanged the terms. Weird. Shouldn't public be public??? Thank you for clearing this up. There are the other two questions still open ;) : - Does libcrypt do the job? I guess so... - The CAD data may contain a fixed header, so an atacker knowing the header might use this info to easily get the private key? Thank's and Salam, Toni ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Newbie question
On Fri, Feb 09, 2007 at 11:36:35AM +0100, Antonio Bleile wrote: Hi Sven, Hi! Private/Public key does not buy you much in this case if all you want is to obfuscate the file contents. Just use some AES implementation with the same symmetric key on the server and the client. Despite you seem to be aware of it, let me stress again: It cannot possibly be secure if the decryption key is stored alongside with the enrcypted data (which is why I chose the word obfuscate above). Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. The receiver has the *private* key. The sender encrypts with the *public* key. -- Hans Ekbrand (http://sociologi.cjb.net) [EMAIL PROTECTED] Q. What is that strange attachment in this mail? A. My digital signature, see www.gnupg.org for info on how you could use it to ensure that this mail is from me and has not been altered on the way to you. signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Newbie question
On Fri, 9 Feb 2007 12:01, [EMAIL PROTECTED] said: - Does libcrypt do the job? I guess so... No. Libgcrypt provides basic building blocks but has no support for any specific protocol. - The CAD data may contain a fixed header, so an atacker knowing the header might use this info to easily get the private key? It all depends on the protocol used. Getting the protocol right is not easy and thus the best advise I can give is to use an established protocol like OpenPGP or CMS (pkcs#7) For your application I would simply use a different file suffix or a special MIME type and pipe the data through gpg while reading. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
new (2007-02-04) keyanalyze results (+sigcheck)
New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2007-02-04/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the permanent files: b3d0aacd19c088a661a19e37d74d7e1996fccb1514459760preprocess.keys c946effa31b83959f501dbfe95109d38cab85a698480415 othersets.txt b072ddbaceabe9eaa3a4256e7a4aaf10d0a6f6e03477622 msd-sorted.txt ee7513d6673185c48dd654a1e8e683b1f7c8788f1450index.html fccd1b1cf5e7c6611e7950a2a7d741aff08f91532278keyring_stats 397cd852840bb462638ca7096800399f828b7c471368288 msd-sorted.txt.bz2 e0ced60c9562daa3032abe7551a26a7a5afce36b26 other.txt e86c800743a8ab0a16952ebeb6de2e355e27d87f1839751 othersets.txt.bz2 82ce02825d887ff48aed71efa4ba82b0a7e599575880850 preprocess.keys.bz2 3c86a21d7d6e444e43a15f98bc92f8bbf50e059314725 status.txt d4973bf6a1f33319d91cd4e7c1f5f6c46214a81f194595 top1000table.html a23e213fb8c0a2a6064100d392b337127824fdf429780 top1000table.html.gz dae7b4ddf0d5d71940632bffb9cdbfe9a54cd80d9782top50table.html e26e21e89dc47cbe4a79f8bf775c7eb0edb243412529D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? [EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 pgpo9fjLPRWut.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
sig-keyserver-url
I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on Windows XP. I have it specified in my gpg.conf: sig-keyserver-url hkp://subkeys.pgp.net ...but it doesn't seem to have any effect. I also try to specify it on the cmd line: gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ...and it proceeds with signing but leaves off the keyserver URL. I have found only one way to make it work on my own key. If I first self-sign my key, quit, then return to edit and use the 'keyserver' command it will work. If I try to do both things in the same edit session it will quietly take the command but do nothing. Unfortunately edit mode won't allow me to do this on someone else's key because I don't have the private key. I'm using the openpgp option (no-force-v3-sigs) and I have successfully set the cert-policy-url in my gpg.conf and it works every time. I have set list-options and verify-options show-keyserver-urls. verbose and debug 1024 options yield no useful output for this issue. I'm able to reproduce the behaviour on another Windows XP computer with a different key. Is this a bug? Is there anything I can do to provide more info to better troubleshoot the issue? TIA, Greg Reaume ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: sig-keyserver-url
On Fri, Feb 09, 2007 at 07:09:02PM -0500, Greg Reaume wrote: I'm having troubles with the sig-keyserver-url option in GPG 1.4.6 on Windows XP. I have it specified in my gpg.conf: sig-keyserver-url hkp://subkeys.pgp.net ...but it doesn't seem to have any effect. I also try to specify it on the cmd line: gpg --sig-keyserver-url hkp://subkeys.pgp.net --sign-key ...and it proceeds with signing but leaves off the keyserver URL. I have found only one way to make it work on my own key. If I first self-sign my key, quit, then return to edit and use the 'keyserver' command it will work. If I try to do both things in the same edit session it will quietly take the command but do nothing. Unfortunately edit mode won't allow me to do this on someone else's key because I don't have the private key. I'm using the openpgp option (no-force-v3-sigs) and I have successfully set the cert-policy-url in my gpg.conf and it works every time. I have set list-options and verify-options show-keyserver-urls. verbose and debug 1024 options yield no useful output for this issue. I think there is some confusion here. sig-keyserver-url applies to signatures. That is, signatures on data (--sign-file or the other signature making commands). It has no effect on signing keys (--sign-key). What are you trying to accomplish? David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users