Local file encryption
I have been using gpg to encrypt/decrypt files on my computer for my eyes only. I have been using my public/private keypair on my keyring to do so. I just discovered that I can encrypt/decrypt local files using a symmetric cipher--i.e., you enter one secret passphrase to encrypt and then enter the same secret passphrase to decrypt.

Since my encryption is only for files for myself, do you think using a symmetric cipher would be a better idea, or doesn't it matter? Or is choice of a passphrase a bigger issue than the type of cipher -- symmetric vs. public/private keypair?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Local file encryption
[EMAIL PROTECTED] wrote:
> I have been using gpg to encrypt/decrypt files on my computer for my eyes only. I have been using my public/private keypair on my keyring to do so. I just discovered that I can encrypt/decrypt local files using a symmetric cipher--i.e., you enter one secret passphrase to encrypt and then enter the same secret passphrase to decrypt.
>
> Since my encryption is only for files for myself, do you think using a symmetric cipher would be a better idea, or doesn't it matter? Or is choice of a passphrase a bigger issue than the type of cipher -- symmetric vs. public/private keypair?

If your GnuPG keyring files reside on the computer, then either approach is equivalent -- your protection is ultimately determined by the strength of the chosen passphrase protecting the secret key or the encrypted file.

Either method will encrypt the file using a symmetric cipher. The difference is that in OpenPGP, a random session key is generated and that is used to symmetrically encrypt the file. Then, the session key is encrypted using the chosen public key(s).

The passphrase is only one protection on your keypair and it's pretty much the protection of last resort - given an easily guessable/brute-forced passphrase, it's Game-Over if an attacker gets access to the keyring files.

Another protection is to physically secure your keyring files (or at the minimum, the secret ring) by storing it on removable media of some sort: floppy, PCMCIA flash card, USB dongle,... and removing that media when you leave the computer. Now, an attacker must have both the media with the secret keyring as well as the secret key's passphrase.

If removable media is not an option, or for additional security on removable media, you may use a disk encryption product such as TrueCrypt to create an encrypted volume to store your keyring files. (Hint: Use a new key and passphrase.)

--
John P. Clizbe    Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.    PGP/GPG KeyID: 0x608D2A10/0x18BB373A
what's the key to success? / two words: good decisions.
what's the key to good decisions? / one word: experience.
how do i get experience? / two words: bad decisions.
Just how do the residents of Haiku, Hawai'i hold conversations?

Re: storing password lists in mails to myself on IMAP?
Robert J. Hansen wrote:
>> Maybe you should think things through, or God forbid even run a few tests or something before puffing your chest there Robert. Especially when you're in the unenviable position of potentially being your own proof of concept.
>
> I don't know why you have such an allergy to being shown wrong. Or why you think I do. It works like this: if you can find me a commonly-used IMAP client that's this stupid, then I will welcome being shown wrong. And really, why shouldn't I? Being wrong isn't the end of the world.

Well Robert, unless you care to further debase yourself by trying to argue that Thunderbird isn't a commonly-used IMAP client you've been handed the very example you're harping about. By two different people no less. It was in the part you snipped and ignored, in case you were wondering.

The bottom line is this: There's probably a lot of IMAP clients out there that will by default or design write portions or whole copies of unencrypted text to a server. It really doesn't take a boat load of IQ points to realize this is the nature of IMAP.

Storing pass phrases in email at all is a bad idea for a number of reasons. You don't have many clues what a client does with it when it's open for one. The odds you'll inadvertently click where you shouldn't and send an unencrypted copy some place you don't want it to go increase dramatically too. Likewise the chances of corruption or compromise at the hands of some script kiddie.

If we invested a little thought in the project though we could probably come up with a few dozen reasons why mailing passwords about is a bad idea even if you have absolute control over the hardware at the end points of the encryption, let ALONE any scenario where you can't guarantee they won't be written to hardware you don't own. In the clear. :-(

Re: Local file encryption
On Mon, Feb 19, 2007 at 09:21:56AM -0500, [EMAIL PROTECTED] wrote:
> I have been using gpg to encrypt/decrypt files on my computer for my eyes only. I have been using my public/private keypair on my keyring to do so. I just discovered that I can encrypt/decrypt local files using a symmetric cipher--i.e., you enter one secret passphrase to encrypt and then enter the same secret passphrase to decrypt.
>
> Since my encryption is only for files for myself, do you think using a symmetric cipher would be a better idea, or doesn't it matter? Or is choice of a passphrase a bigger issue than the type of cipher -- symmetric vs. public/private keypair?

It doesn't matter, in both cases the files are symmetrically encrypted, only the keying method changes. I prefer to use pubkey encryption anyway, one passphrase less to remember.

--
JID: [EMAIL PROTECTED]
PGP: 0x46399138
paying attention to details is what doctors, lawyers, programmers and watchmakers are for -- Czerski

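Added example (not part of the original thread, and not GnuPG's own code): the two replies to "Local file encryption" above say that `gpg --symmetric` and `gpg --encrypt` both encrypt the file with a symmetric cipher and differ only in how the key is supplied. This Python sketch walks OpenPGP packet framing (RFC 4880) over two constructed messages to make that difference visible; the function names and the zero-filled sample bytes are assumptions made for illustration.

```python
# Added example: walks OpenPGP packet framing (RFC 4880, section 4.2).
KEY_PACKETS = {1: "public-key", 3: "passphrase"}  # session-key packet tags
DATA_PACKETS = {9, 18}                            # symmetrically encrypted data tags

def _new_length(buf, pos):
    """Decode one new-format length field: (length, next_pos, is_partial)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True     # partial-body chunk

def list_packets(buf):
    """Return [(tag, body_length), ...] for the top-level packets in buf."""
    packets, pos = [], 0
    while pos < len(buf):
        header = buf[pos]
        if not header & 0x80:
            raise ValueError(f"no packet header at offset {pos} (armored input?)")
        pos, total, partial = pos + 1, 0, True
        try:
            if header & 0x40:                     # new-format header
                tag = header & 0x3F
                while partial:                    # add up partial chunks and the final one
                    length, pos, partial = _new_length(buf, pos)
                    total, pos = total + length, pos + length
            else:                                 # old-format header
                tag, ltype = (header >> 2) & 0x0F, header & 0x03
                width = 0 if ltype == 3 else 1 << ltype
                total = int.from_bytes(buf[pos:pos + width], "big")
                if ltype == 3:                    # indeterminate: body runs to end of input
                    total = len(buf) - pos
                pos += width + total
        except IndexError:
            raise ValueError("truncated length field") from None
        if pos > len(buf):
            raise ValueError("truncated packet")
        packets.append((tag, total))
    return packets

def keying_methods(buf):
    """Name how the key is supplied; refuse input with no encrypted data packet."""
    tags = [tag for tag, _ in list_packets(buf)]
    if not DATA_PACKETS.intersection(tags):
        raise ValueError("no symmetrically encrypted data packet")
    return sorted({KEY_PACKETS[t] for t in tags if t in KEY_PACKETS})

# Constructed samples: valid framing, zero-filled bodies (not real ciphertext).
PUBKEY_MSG = bytes([0xC1, 12]) + bytes(12) + bytes([0xD2, 32]) + bytes(32)
PASSPHRASE_MSG = bytes([0xC3, 13]) + bytes(13) + bytes([0xD2, 32]) + bytes(32)
```

Both samples end in the same tag 18 encrypted-data packet; only the leading key packet (tag 1 or tag 3) differs. The parser expects binary input, so an ASCII-armored file has to be dearmored first.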
Re: Keyserver refresh period after gpg --send-keys
On Sun, Feb 18, 2007 at 11:31:55PM -0500, David Shaw wrote:
> On Sun, Feb 18, 2007 at 11:11:37PM +0100, Bruno Costacurta wrote:
>> I updated the expiration (via gpg --edit-key using expire option) of my key and (re)sent it to a keyserver (via gpg --send-keys [my key id]) to keyserver subkeys.pgp.net. However key is still not updated after a few hours. What are normal delays?

Keys do get temporarily trapped on the SKS keyserver network until keyserver.kjsl.com copies them over to the rest of the planet.

BTW, your subkey isn't currently usable:

sub 2048g/0CC897B5 2006-06-11 [subkey]
Key fingerprint = CCE0 5315 0022 9460 0337 6C6F 4253 1C9A 0CC8 97B5
sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f]
sig 0x18 2E604D51 2006-06-11 [skey EXPIRED 2006-12-08] [keybind, hash: type 2, e0 0f]

> There is not an easy answer to that question. subkeys.pgp.net is not actually a keyserver, but rather a collection of (at the moment) 5 different keyservers. When you use it, you get one server from the pool in a round-robin fashion. Generally speaking, any given keyserver in the pool that you update reflects the update immediately, but frequently people update one keyserver in the pool, but then check for the update from another server in the pool which hasn't gotten it yet.

NB: I think if GPG printed the IP address of the keyserver it used, it could end some of this confusion.

Specifically, these were in a batch update from SKS to onak/OpenPKSD/pks/ etc. (all times are TZ=UTC):

2007-02-06 23:02:08.290952260 display_new_sig: new sig 28 by 2E604D51 added to 2E604D51 Bruno Costacurta [EMAIL PROTECTED]
2007-02-06 23:02:08.291023778 display_new_sig: new subkey sig by 2E604D51 added to 2E604D51

these were first seen from pgp.nic.ad.jp:

2007-02-16 13:41:00.597122207 display_new_sig: new sig 1 by 2E604D51 added to 2E604D51 Bruno Costacurta [EMAIL PROTECTED]
2007-02-16 13:41:00.597182829 display_new_sig: new sig 2 by 2E604D51 added to 2E604D51 pubmb02 [EMAIL PROTECTED]

and these were in another batch update:

2007-02-18 23:02:27.870255691 display_new_sig: new sig 71 by 2E604D51 added to 2E604D51 Bruno Costacurta [EMAIL PROTECTED]
2007-02-18 23:02:27.870319946 display_new_sig: new sig 72 by 2E604D51 added to 2E604D51 pubmb02 [EMAIL PROTECTED]

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

Re: Local file encryption
On 2007-02-19, John Clizbe wrote:
> The passphrase is only one protection on your keypair and it's pretty much the protection of last resort - given an easily guessable/brute-forced passphrase, it's Game-Over if an attacker gets access to the keyring files.
>
> Another protection is to physically secure your keyring files (or at the minimum, the secret ring) by storing it on removable media of some sort:

Is there any reason to physically secure your *public* keyring in normal use? (Well, I suppose you might want to hide your secret identity!)

Key signing at FOSDEM
Hi,

this is just a reminder that there's a key signing party at FOSDEM this year again. I am a bit late to post this note (due to carnival season), submissions are already closed by now, but it's possible to exchange key fingerprints according to the usual scheme (with me ;-)

FOSDEM takes place in Brussels, 24/25th this month.

http://fosdem.org/2007/keysigning#gpg for more info

PS: There's a CAcert event as well, in case you are interested.

--
left blank, right bald

Re: Keyserver refresh period after gpg --send-keys
On Mon, Feb 19, 2007 at 11:51:02AM -0500, Jason Harris wrote:
>> There is not an easy answer to that question. subkeys.pgp.net is not actually a keyserver, but rather a collection of (at the moment) 5 different keyservers. When you use it, you get one server from the pool in a round-robin fashion. Generally speaking, any given keyserver in the pool that you update reflects the update immediately, but frequently people update one keyserver in the pool, but then check for the update from another server in the pool which hasn't gotten it yet.
>
> NB: I think if GPG printed the IP address of the keyserver it used, it could end some of this confusion.

I think you're right (to print as a verbose thing for those who care to know or to help with debugging), but unfortunately there is not an easy way to get the IP address when using libcurl. I'm not particularly eager to start playing socket games with CURLINFO_LASTSOCKET just to get a string to print.

David

Secret key holder identity (was: Local file encryption)
On 2/19/07, Adam Funk [EMAIL PROTECTED] wrote:
> Is there any reason to physically secure your *public* keyring in ... (Well, I suppose you might want to hide your secret identity!)

Unfortunately, the whole GPG, with WebOfTrust construct, makes the assumption that there is no need whatsoever to protect the identity of the secret key holder (and, by extension, that traffic analysis - as opposed to the secret content analysis - is not something to be concerned with).

NikNot

Re: Secret key holder identity (was: Local file encryption)
On Feb 19, 2007, at 11:54 AM, NikNot wrote:
> On 2/19/07, Adam Funk [EMAIL PROTECTED] wrote:
>> Is there any reason to physically secure your *public* keyring in ... (Well, I suppose you might want to hide your secret identity!)
>
> Unfortunately, the whole GPG, with WebOfTrust construct, makes the assumption that there is no need whatsoever to protect the identity of the secret key holder (and, by extension, that traffic analysis - as opposed to the secret content analysis - is not something to be concerned with).
>
> NikNot

It's funny you mention this: I got into an argument with a consultant about how X.509 certificates are a privacy violation because your identity is encoded into the subject field. I kept asking him, How would you know whose cert. it is without it?

At any rate, there are a lot of bozos in the world posing as security experts who shouldn't be taken seriously.

Joe

Re: Local file encryption
Adam Funk wrote:
> On 2007-02-19, John Clizbe wrote:
>> The passphrase is only one protection on your keypair and it's pretty much the protection of last resort - given an easily guessable/brute-forced passphrase, it's Game-Over if an attacker gets access to the keyring files.
>>
>> Another protection is to physically secure your keyring files (or at the minimum, the secret ring) by storing it on removable media of some sort:
>
> Is there any reason to physically secure your *public* keyring in normal use?

Convenience of having all the files together in one place and mitigating the need to sync keys between public keyrings are the only reasons that come to mind.

Outside of convenience factors, there is no real need to secure public keyrings; that's why the keys are public.

--
John P. Clizbe    Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.    PGP/GPG KeyID: 0x608D2A10/0x18BB373A
what's the key to success? / two words: good decisions.
what's the key to good decisions? / one word: experience.
how do i get experience? / two words: bad decisions.
Just how do the residents of Haiku, Hawai'i hold conversations?

Re: Secret key holder identity (was: Local file encryption)
On 2/19/07, Joseph Oreste Bruni [EMAIL PROTECTED] wrote:
> It's funny you mention this: I got into an argument with a consultant about how X.509 certificates are a privacy violation because your identity is encoded into the subject field. I kept asking him, How would you know whose cert. it is without it?
>
> At any rate, there are a lot of bozos in the world posing as security experts who shouldn't be taken seriously.

(It's not clear (to me) from the above what was the bozo saying: that the certificates _are_ or _are not_ a privacy violation?)

I find it very interesting that Phil Zimmermann, who invented WOT, apparently realizes that times are changing, and that WOT has outlived its usefulness; specifically because - unlike perhaps at the time of birth of PGP - traffic analysis is a threat that may be naively ignored only in geek kindergartens, but not in real life.

NikNot