Re: New results against SHA-1
On Thu, 30 Apr 2009, David Shaw wrote: http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf There is not much hard information yet, but the two big quotes are SHA-1 collisions now 2^52 and Practical collisions are within resources of a well funded organisation. === so... when is the open-pgp spec moving beyond SHA1 hashes to identify public keys? what's next? will it have to be a bigger hash? -- ...atom http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 - Workers of the World, Unite! You have nothing to lose but your chains. -- Karl Marx, 1848 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
My apologies to the group. I meant to say gpg --gen-key I have a customer who can not accept our pgp public key. They are asking for a specific cipher to be used in generating the public key. After some reading yesterday, it seemed that gpg might be the solution. I don't have any experience with gpg, and limited pgp experience. Regards, Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: Smith, Cathy Sent: Thursday, April 30, 2009 2:54 PM To: 'gnupg-users@gnupg.org' Subject: Selecting cipher to generate a key pair Is it possible to select a specific cipher, such as Triple-DES or Blowfish, to use to generate a key pair? I've read email posted in the archives, and FAQ that indicates this is possible. I don't see an option to do that just running pgp --gen-key Thanks. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
Smith, Cathy cathy.smith () pnl ! gov wrote on Date: 2009-05-01 16:08:44 : I have a customer who can not accept our pgp public key. They are asking for a specific cipher to be used in generating the public key. this sounds like there might be a 'problem' ... there are people who 'can' use 'any' cipher, but prefer a particular one, or have a company policy to use a specific one, e.g . AES-256 or 3DES and there are people whose programs can use only 'one' cipher, and no others at the risk of taking 'wild guesses' ;-) the only situations i can think of where a person 'cannot' accept anything other than one cipher are: [1] a die-hard pgp 2.x user who needs a v3 key using IDEA (yes, they still exist, but probably won't survive the move to 64 bit systems) [2] a company that is bound by some standard to use AES or 3DES (i can't imagine any company really insisting on 'only Blowfish' and nothing else ;-) ) [ anyway, it was 'cracked on 24' and shown on network tv to have a 'backdoor' ;-) ] {please excuse the 'semi-off' geek humor, blowfish has 'no' backdoor and is still quite secure, no matter what hollywood writers say ;-)) } if you have situation [1], you are out of luck using any current gnupg or pgp, (there was a post on how to do this with an older gnupg version, but it would be much simpler to just use pgp2.x to generate it) if you have situation [2], it is much easier, temporarily put the following 2 lines in your gpg.conf expert s2k-cipher-algo name ('name' is the name of the cipher your client wants) then save your gpg.conf and run gpg --gen-key the key will be generated with the cipher your client wants if this still doesn't help, then please post 'exactly' what you need done vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Click to learn about options trading and get the latest information. http://tagline.hushmail.com/fc/BLSrjkqecvgtaqxBQoBwCwuiy1xiCJDJ0xgdXq4JeQ5VIifkutIcKtAkaYI/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
Is there a brief explanation available as to how the cipher is used in generating the private/public keys? It seems this is separate from the cipher that is chosen to encrypt my data. Thanks. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Robert J. Hansen Sent: Thursday, April 30, 2009 9:14 PM To: Allen Schultz Cc: gnupg-users Subject: Re: Selecting cipher to generate a key pair Allen Schultz wrote: What's the default to encrypting/hashing the secret key? And how good is it? CAST5-128. It's hard to talk about how good it is. Cryptography is an intensively mathematical discipline, and most people are not very well-equipped to discuss those details. Ultimately, it would be like arguing whether King Kong or Godzilla is better at urban destruction. Biologists can argue until the cows come home which one would be better and why, but from the perspective of your average inhabitant of Tokyo or New York City the answer is, Who cares? Get out of town _right now_! From the perspective of the overwhelming majority of OpenPGP users, CAST5-128 does the job just fine. The only instances I'm aware of in which CAST5-128 doesn't do the job well are ones where bureaucratic rules require specific algorithms, and CAST5-128 isn't on that checklist. That's a bureaucratic failing, though, not a failing of CAST5-128. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
Smith, Cathy wrote: Is there a brief explanation available as to how the cipher is used in generating the private/public keys? It seems this is separate from the cipher that is chosen to encrypt my data. r...@chronicles:~$ gpg --enable-dsa2 --gen-key Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) If you choose #1, you will be using, by default, DSA as a signature algorithm, AES256 as a general-purpose message encryption algorithm, Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm. None of these algorithms are actually used to generate the private/public keys, though. The private and public keys are just numbers. GnuPG generates those numbers from a cryptographically secure pseudorandom number generator, then subjects the numbers to a battery of mathematical tests to make sure the keys are safe to use. Is it possible for you to tell us what algorithms your correspondent expects you to use? Knowing that might help us out quite a bit. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
The customer stated that he can accept a public key generated with either Blowfish or Triple-DES. I wasn't sure what he needed because all I've dealt with in generating a key pair before is selecting the DSA or RSA option. Our PGP version doesn't offer the DSA and Elgamal option. I've sent him a GnuPG-generated key, and asked him to find out if they are using GnuPG. I haven't heard from him today. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: Robert J. Hansen [mailto:r...@sixdemonbag.org] Sent: Friday, May 01, 2009 3:58 PM To: Smith, Cathy Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr Subject: Re: Selecting cipher to generate a key pair Smith, Cathy wrote: Is there a brief explanation available as to how the cipher is used in generating the private/public keys? It seems this is separate from the cipher that is chosen to encrypt my data. r...@chronicles:~$ gpg --enable-dsa2 --gen-key Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) If you choose #1, you will be using, by default, DSA as a signature algorithm, AES256 as a general-purpose message encryption algorithm, Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm. None of these algorithms are actually used to generate the private/public keys, though. The private and public keys are just numbers. GnuPG generates those numbers from a cryptographically secure pseudorandom number generator, then subjects the numbers to a battery of mathematical tests to make sure the keys are safe to use. Is it possible for you to tell us what algorithms your correspondent expects you to use? Knowing that might help us out quite a bit. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
Smith, Cathy wrote: The customer stated that he can accept a public key generated with either Blowfish or Triple-DES. I wasn't sure what he needed because all I've dealt with in generating a key pair before is selecting the DSA or RSA option. Our PGP version doesn't offer the DSA and Elgamal option. It probably does, actually; PGP just, for marketing reasons, calls it Diffie-Hellman/DSS. (Long story, but yes, they're the exact same thing.) That said, your customer does not appear to understand how GnuPG or PGP work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others) can handle 3DES; and 3DES has absolutely nothing to do with how you generate your public key. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
I agree that with the lack of understanding. It's been difficult to get specific information from the customer. I don't have the option of saying it's their problem. The GnuPG was a guess after I read something about specifying the cipher algorithm. The customer said they have a proprietary implementation that only supports Blowfish or 3DES for the key. I'm still trying to find out exactly what that means. I've talked to the folks here at work who understand these things better than I, and all have shook their head. I appreciate your assistance. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: Robert J. Hansen [mailto:r...@sixdemonbag.org] Sent: Friday, May 01, 2009 4:22 PM To: Smith, Cathy Cc: Allen Schultz; gnupg-users Subject: Re: Selecting cipher to generate a key pair Smith, Cathy wrote: The customer stated that he can accept a public key generated with either Blowfish or Triple-DES. I wasn't sure what he needed because all I've dealt with in generating a key pair before is selecting the DSA or RSA option. Our PGP version doesn't offer the DSA and Elgamal option. It probably does, actually; PGP just, for marketing reasons, calls it Diffie-Hellman/DSS. (Long story, but yes, they're the exact same thing.) That said, your customer does not appear to understand how GnuPG or PGP work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others) can handle 3DES; and 3DES has absolutely nothing to do with how you generate your public key. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Selecting cipher to generate a key pair
Thanks. I'll try that. Cathy --- Cathy L. Smith Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: Robert J. Hansen [mailto:r...@sixdemonbag.org] Sent: Friday, May 01, 2009 4:39 PM To: Smith, Cathy Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr Subject: Re: Selecting cipher to generate a key pair Smith, Cathy wrote: The customer said they have a proprietary implementation that only supports Blowfish or 3DES for the key. I'm still trying to find out exactly what that means. Okay, that much makes sense now. I would suggest adding: cipher-algo 3DES ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and not one I'd generally recommend; however, the downsides are pretty minimal. Then encrypt a message using their public key and send it on to them. If they can read it, great. If they can't, then the problem is their proprietary implementation of OpenPGP is shoddy. Incidentally, if your customer is a telecommunications firm, I think I may know the implementation they're using and some of its more egregious misfeatures. Other than that one and PGP Corporation's offering, though, I have no experience with proprietary OpenPGP offerings. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Robert J. Hansen wrote: Smith, Cathy wrote: The customer said they have a proprietary implementation that only supports Blowfish or 3DES for the key. I'm still trying to find out exactly what that means. Okay, that much makes sense now. I would suggest adding: cipher-algo 3DES ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and not one I'd generally recommend; however, the downsides are pretty minimal. Then encrypt a message using their public key and send it on to them. If they can read it, great. If they can't, then the problem is their proprietary implementation of OpenPGP is shoddy. Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES must be used [and they are associating it with their Key] then wouldn't this mean that the *only* preference broadcast by their Key is 3DES? If this is the case then wouldn't GPG automatically select this cipher algorithm by default as the only compatible one between the two parties? :-\ JOHN ;) Timestamp: Friday 01 May 2009, 19:49 --400 (Eastern Daylight Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10-svn4987: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJJ+4qAAAoJEBCGy9eAtCsP3o8H/ja6jCWz1bYjjTNXbhLzd5OE BIgvdlCCsR0Nrm4VY5jGXiOPbk9NYse/43F/DZyQQyyowuRBj3whtpUx6Ueacy+o u5R6skOdk5AG+HKPVwQ4Zgb4LZhl1Fu4VxOOxWXSW01MnJoxVdtwpj5ylZU5vC7C EtytAK4HOh1DuQLQYLICupYXhK4TvnbeDRR9s2n6s9n+q1JXFpOEIk5w5d1iJfOk vn2p8TQ9PrTkMFxweA9gbNoTesH9U5tqmXockb1Mp6JoUz1n56pPWLCyWMxub6f2 GyQNc17RZ/J5qwiY+qK+Mf1L1ONJO3y2zCJfJQxqL0MpODaZFYiOyr3Ws9tVafU= =A7I6 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
John W. Moore III wrote: Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES must be used [and they are associating it with their Key] then wouldn't this mean that the *only* preference broadcast by their Key is 3DES? You're assuming the customer's key is correctly advertising their preferences. If their proprietary implemention is a shoddy one, then maybe it advertises capabilities they don't really have. If this is the case then wouldn't GPG automatically select this cipher algorithm by default as the only compatible one between the two parties? You'd hope so, yes -- but I think we might want to consider the possibility the customer's implementation is terribly broken. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 John W. Moore III escribió: ... Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES must be used [and they are associating it with their Key] then wouldn't this mean that the *only* preference broadcast by their Key is 3DES? If this is the case then wouldn't GPG automatically select this cipher algorithm by default as the only compatible one between the two parties? Yes, I was thinking the same thing... But don't forget the customer can handle Blowfish too (but GPG can handle it too, so the question remains the same). Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+5UqAAoJEMV4f6PvczxAjCsH/RhAjA+2N62EnIetXz2PXQoS dOxLLIVmOB0eDKdm/E2lP2rb5Wtn2T6AESyDjlgNS+YviUeiMdmmN7uwaiEkmr0d RFBlqnTrs3OwlGzgR4mP9hx6MHQZo7+7rb1/9BwxWv9oOrD6Zelts5MbKHvn1DnW JPFi+lLP8CenkvDsB6XThv5tCavNXaVGFnE6gC2tUqmhQsCNqo5MB0LAPiNjpmPw hSybaPXEOboD3zZrVX1Wyl0+oZ8r1Q/DHrn6mSfoo14KmxVujoKcPxwyw1i0cNEN +59G0RlRmDsyNtDRy0Z8k29sgDNyRZGgqOKoI7mJ2HKkWQcOsvW4RPsLpnCj5T4= =ekv7 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Robert J. Hansen escribió: Smith, Cathy wrote: The customer said they have a proprietary implementation that only supports Blowfish or 3DES for the key. I'm still trying to find out exactly what that means. Okay, that much makes sense now. I would suggest adding: cipher-algo 3DES But... isn't GPG expected to recognise the preferences (or capabilities) in the customer's key and use the right algo automatically? Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+5RfAAoJEMV4f6PvczxAWw8IAJ5sC1DHLeG+AujAPlCw2OUV LhsgMuPpA/fc5A4UpA4fuZMAWdKYS/xhFiJ8c/aLTJrK3CToCXaR9NVdJLMzNNaq cRISV2Qfe8HVxVttVyk2pDIUHFxt6yIvAn8BomC6MDu2Mo/VUwm9WcUfdR4nsspI jetzKZmxKLpckpoOCTW7IHNpD83LGsyksPI5hJq5AMHfcHIWGelTYGeyeFnUdQaN o9c42ibDx/GjInzRWxt+9JtY9wqGzLfHopdDvxTPGpm9r+PnZ/qxJeIdGB7UJjcj JvC/c7QSLQ8CvAbuPGYl6c7ZaM6/IsZKeBifxkZwaxfr/epkWqDBvcK3KUZLe38= =XEB/ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Selecting cipher to generate a key pair
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Robert J. Hansen escribió: John W. Moore III wrote: Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES must be used [and they are associating it with their Key] then wouldn't this mean that the *only* preference broadcast by their Key is 3DES? You're assuming the customer's key is correctly advertising their preferences. If their proprietary implemention is a shoddy one, then maybe it advertises capabilities they don't really have. Ahh... Ok, that explains it. Is it possible to change the preferences (edit the public key) without having the private key? Or maybe to set a rule somewhere to force gpg to use Blowfish or 3DES, but just for that specific customer? Best Regards -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCAAGBQJJ+5WmAAoJEMV4f6PvczxAuskH/iM7aDpvm5ijLT/HPKpdQheO lJdXl5LOe20uWQDYg3enkFGtOBsaAq9z2kvvmQfV2aSpll90M3QBTjk7hPk1iQfp FqkZe/G6L2ato7QbO+hb4yrQXhjJrgUI52CH5LAr1BjaOauVJO7TTLwHzxIg37c9 R6ojXoZitwjLo5kKvWHewg+WGaBCjZIfx6oPaLLSG2Ehw2cyGtl2NwPX5t7mlakW A6CYL5mZ4XtyDw5D/jbFpddQl3Y8LDeliw9li52C5E1K1hOgjdtwUL/UXDJ6CiKS 8iVbwqXmp384tVTqZHsWpgpx56/dsovErmUVkd9jZbfeOjLnlBsdkDG79E/YUzg= =7mDX -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
questions: no input file, and pascal programming
Hi I have some questions about gpg 1. using gpg command line, can I pass data to be encrypted to gpg that isn't in a file? For example if I want to encrypt Mary had a little lamb to a an asc file but I don't want to put that text onto the hard drive unencrypted first. 2. is there something like gpgme that can be used easily for pascal programmers? Personally I use freepascal and I just want to be able to select a key, encrypt and decrypt from within my program. If anyone knows of any opensource pascal programs that use gnupg it would be appreciated. thanks, Philip ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users