Re: Migrating from PGP to GPG question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Laurent Jumet wrote: > > Hello Smith, ! > > "Smith, Cathy" wrote: > >> I've tried using the --yes option without success to suppress this >> interactive prompt doesn't pop up. This encryption does need to run in a >> batch job. What do I need to do in order all interactive prompts are >> surpressed, and that the assumption is they are answered "yes". > > Try using: > --batch > --yes > --no-tty Why not try adding to gpg.conf trust-model always This will suppress the prompt/warning as well. Of course, since the Keys still have their Signatures Cathy could always rebuild the Trustdb. JOHN ;) Timestamp: Friday 05 Mar 2010, 07:39 --500 (Eastern Standard Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Personal Web Page: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJLkPt5AAoJEBCGy9eAtCsPyqQIAJkQ2GW6nYRWmhA2g2jrYbJ4 sy5fuPSXS5jn+c8yoTO5vDpJK4ibdqGF4zghzsRP7FhSKxehYCdqHm1nYT7Kge8+ OwdCL2F6hwIZ4Dui+cHBaSXc6MCY5rKVCoKWduXDiNMU77D0aD4wI007rITlhRJh qs1KNZraV1416/rM4udjTUQqqNl8+YVlF9YQ8o+UzVQ81wVgKkWJAOihYxnAX8xI JpAkrVR2zIIKKq1bq9Q6v1uXn/08V4GnylRBQaOtOoyozODm/urlyM++lMkdNj/x iiJ445n9yUsc4H+MN2+wIza3/LDNV4S3YxgpVsjTSlr4Svw1bcnUOJXMpWAQyvM= =Dq6B -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating from PGP to GPG question
On Mar 5, 2010, at 7:39 AM, John W. Moore III wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Laurent Jumet wrote: >> >> Hello Smith, ! >> >> "Smith, Cathy" wrote: >> >>> I've tried using the --yes option without success to suppress this >>> interactive prompt doesn't pop up. This encryption does need to run in a >>> batch job. What do I need to do in order all interactive prompts are >>> surpressed, and that the assumption is they are answered "yes". >> >>Try using: >> --batch >> --yes >> --no-tty > > Why not try adding to gpg.conf > > trust-model always > > This will suppress the prompt/warning as well. This would be my advice as well. The web of trust is generally a useful thing, but in environments where the keys are only provided by the batch owner, it does not add much that is useful to the equation. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating from PGP to GPG question
On 03/05/2010 01:30 AM, Smith, Cathy wrote: > The gpg --list-sig shows that the keys are signed. Do I need to create a > new signature key, and re-sign all the public keys that I imported? I think the simplest thing for you to do is to modify the ownertrust of your old signing key on the new installation. That is, you say that all the keys are signed, presumably by some particular key that you used in your PGP installation. Let's pretend that key's ID is 0xDECAFBAD. You'd do: gpg --edit-key 0xDECAFBAD and then from the gpg subshell, do: trust which will give you a menu like this: Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu indicate that this installation should trust your signing key "ultimately", and then type "save" into the gpg subshell. Now, you can encrypt to any key that has been certified by 0xDECAFBAD and you won't get that warning, because gpg trusts the certifications made by your signing key. hth, --dkg signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: manipulating the set of keys that can decrypt a file/message
On Thu, Mar 04, 2010 at 06:13:17PM -0500, David Shaw wrote: > On Mar 4, 2010, at 4:34 PM, Nicolas Boullis wrote: > > > Reading RFC 4880 (OpenPGP standard), if I am able to decrypt the session > > key, it should be possible to create a new Public-Key Encrypted Session > > Key packet to allow a new key to decrypt the file/message. Removing a > > Public-Key Encrypted Session Key should also be trivial. > > Yes. > > > Does gnupg allow such manipulations? > > No. > > > Or does anyone have suggestions how I should implement this? Libraries > > to use? > > You might be able to hack something together using the GnuPG sources. > Certainly all of the parts you need are in there - you'd just have to > put them together. OK, thanks for your answer. I will now have a look at how things are organised in GnuPG code. Would you suggest that I look at the GnuPG 1 or GnuPG 2 code? And if I succeed to implement this correctly, do you think the feature might be merged in GnuPG? > Alternately, take a look at > http://openpgp.nominet.org.uk/cgi-bin/trac.cgi for a library that you > might also borrow some code from. As I understand it, it does not support ElGamal, which is a show-stopper for my needs. But that's interestig anyway. Regards, -- Nicolas Boullis signature.asc Description: Digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: manipulating the set of keys that can decrypt a file/message
On 3/5/10 9:51 AM, Nicolas Boullis wrote: > I will now have a look at how things are organised in GnuPG code. > Would you suggest that I look at the GnuPG 1 or GnuPG 2 code? If memory serves, the codebases are identical with respect to this. Shouldn't matter which one you use. > And if I succeed to implement this correctly, do you think the feature > might be merged in GnuPG? I am not a GnuPG developer. I have no say in what they will or will not do. However, my impression is that GnuPG tends to only adopt features that will be broadly useful to a number of users. This seems like a really niche case. If you think this feature should be merged into GnuPG, I would suggest by finding ten people who have an actual, real need for this feature. Not "I think it would be cool if...", but "I need this right now because...". If you can present real users who have real needs, that will do a lot to increase the chances of it being merged into the mainline. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: manipulating the set of keys that can decrypt a file/message
On Mar 5, 2010, at 9:51 AM, Nicolas Boullis wrote: > On Thu, Mar 04, 2010 at 06:13:17PM -0500, David Shaw wrote: >> On Mar 4, 2010, at 4:34 PM, Nicolas Boullis wrote: >> >>> Reading RFC 4880 (OpenPGP standard), if I am able to decrypt the session >>> key, it should be possible to create a new Public-Key Encrypted Session >>> Key packet to allow a new key to decrypt the file/message. Removing a >>> Public-Key Encrypted Session Key should also be trivial. >> >> Yes. >> >>> Does gnupg allow such manipulations? >> >> No. >> >>> Or does anyone have suggestions how I should implement this? Libraries >>> to use? >> >> You might be able to hack something together using the GnuPG sources. >> Certainly all of the parts you need are in there - you'd just have to >> put them together. > > OK, thanks for your answer. > I will now have a look at how things are organised in GnuPG code. > Would you suggest that I look at the GnuPG 1 or GnuPG 2 code? I'd look at the GnuPG 2 code, or more specifically, the GnuPG 2 code plus libgcrypt (the crypto library that GnuPG 2 uses). This allows you to more easily write something standalone outside of GnuPG. > And if I succeed to implement this correctly, do you think the feature > might be merged in GnuPG? I don't know if this is a generally useful thing (you're not the first person to suggest this, but you are not more than the 3rd in the past 5-8 years or so). Each additional feature adds complexity to the code base. If you are going to write something, I'd recommend a standalone tool using libgcrypt for the crypto part. That way the feature exists, and it doesn't have to be carried along with GPG. That's what I did when I wrote 'paperkey'. It could have been part of GPG (as a new output format), but it didn't really make sense as a built in. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Migrating from PGP to GPG question
Folks Thanks for your suggestions. They worked. Regards, Cathy --- Cathy L. Smith IT Engineer Pacific Northwest National Laboratory Phone: 509.375.2687 Fax: 509.375.2330 Email: cathy.sm...@pnl.gov -Original Message- From: gnupg-users-boun...@gnupg.org [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of David Shaw Sent: Friday, March 05, 2010 6:00 AM To: John W. Moore III Cc: Smith, Cathy Subject: Re: Migrating from PGP to GPG question On Mar 5, 2010, at 7:39 AM, John W. Moore III wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Laurent Jumet wrote: >> >> Hello Smith, ! >> >> "Smith, Cathy" wrote: >> >>> I've tried using the --yes option without success to suppress this >>> interactive prompt doesn't pop up. This encryption does need to run in a >>> batch job. What do I need to do in order all interactive prompts are >>> surpressed, and that the assumption is they are answered "yes". >> >>Try using: >> --batch >> --yes >> --no-tty > > Why not try adding to gpg.conf > > trust-model always > > This will suppress the prompt/warning as well. This would be my advice as well. The web of trust is generally a useful thing, but in environments where the keys are only provided by the batch owner, it does not add much that is useful to the equation. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating from PGP to GPG question
Daniel Kahn Gillmor wrote: > On 03/05/2010 01:30 AM, Smith, Cathy wrote: >> The gpg --list-sig shows that the keys are signed. Do I need to create a >> new signature key, and re-sign all the public keys that I imported? > > I think the simplest thing for you to do is to modify the ownertrust of > your old signing key on the new installation. That is, you say that all > the keys are signed, presumably by some particular key that you used in > your PGP installation. Let's pretend that key's ID is 0xDECAFBAD. > PGP and GnuPG have different mechanisms for marking the trust of a signing key. In PGP, it's called 'Implicit Trust' and is a check box in Key Properties. It's stored as part of the key. In GnuPG, the same trust level is called 'Ultimate trust' and trust values are stored in a separate file, trustdb.gpg. It's the most common problem I've seen when a user migrates keyrings. Having done this migration several times to answer migrating users' questions, I can confirm the 'proper' solution is as Daniel suggested: edit your signing key(s) and set the trust level to ultimate. 'Trust' will then propagate from your key to the keys you have signed. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-k...@gingerbear.net?subject=help Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Memory forensics
http://jessekornblum.livejournal.com/259124.html For quite some time we've known that hibernation files present risks for information security. However, there are always those who say "until I see an actual demonstration, I won't believe it." The upshot: we now have an actual demonstration. The takeaway is that you should be very, very careful about hibernating your computer while passphrases are cached, or while GnuPG is actively processing a file. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Memory forensics
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Robert J. Hansen wrote: > http://jessekornblum.livejournal.com/259124.html > > For quite some time we've known that hibernation files present risks for > information security. However, there are always those who say "until I > see an actual demonstration, I won't believe it." > > The upshot: we now have an actual demonstration. The takeaway is that > you should be very, very careful about hibernating your computer while > passphrases are cached, or while GnuPG is actively processing a file. Most 'Hibernators' I know are laptop/notebook/netbook Users who are too important to wait for boot-up when the unit is Opened. :-D JOHN 8-) Timestamp: Friday 05 Mar 2010, 16:42 --500 (Eastern Standard Time) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Personal Web Page: http://tinyurl.com/yzhbhx iQEcBAEBCgAGBQJLkXrbAAoJEBCGy9eAtCsPAiMH/RuY+C0xEmAhBKZb0t/K8bDP 6uxToYMhb1IaLZQhXvbdJqCRXKQrodqpM3Pt80/lkQptnS16QDECjEieuB2zblaP NUCYsnUv4MrXkWWKUymZIEqtMoPbAnMSw4Ip7/Jclx6JmsmWweTK+85ZEZOk2l/Z zhEdPDPXd1SA6WlDkdsCFaXUSxnI54mQCpUSlkpHVUkJNI/1/SFOQpZIDOoxQkBV vI+u7jYf3x1oi5QV07XU13731m1Ec+YrfVgem9sCTUZlMy5JqBQRgME5OUsJKp4h 0GaSJ3OmZXicy1mTwZMo0LdgOOqPSiMKtoyTUaCi8KKPe/EdgU7WLm4zAXSVbhY= =VJ+y -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Memory forensics
On 3/5/2010 4:30 PM, Robert J. Hansen wrote: > http://jessekornblum.livejournal.com/259124.html > > For quite some time we've known that hibernation files present risks for > information security. However, there are always those who say "until I > see an actual demonstration, I won't believe it." > > The upshot: we now have an actual demonstration. The takeaway is that > you should be very, very careful about hibernating your computer while > passphrases are cached, or while GnuPG is actively processing a file. > > That article was a little vague. And I don't know much about memory forensics in practice. Do you know that it actually was a hibernation file and not swap space? signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Memory forensics
On 3/5/10 5:04 PM, Grant Olson wrote: > That article was a little vague. And I don't know much about memory > forensics in practice. Do you know that it actually was a hibernation > file and not swap space? Note Jesse's phrasing: "volatile memory forensics." Swap space is nonvolatile storage. Hibernation files are just dumps-to-disk of the state of volatile memory when the laptop lid is closed. Extracting keys from swap space is a solved problem: hit Google Scholar and search for "file carving" and you'll get a lot of relevant papers. (While you're at it, check Google Scholar and search for "memory forensics kornblum" -- Jesse is pretty widely published in memory forensics. That doesn't mean he's automatically right, but he's not just some random LiveJournal account, either.) Further, two co-workers of mine have spoken in person with the investigators involved in this prosecution. These co-workers report to me that the investigators have confirmed it was hibernation file analysis. If you want to know specifics, I'd suggest calling the prosecutor and asking for copies of the indictment. It's a public record and the prosecutor is required to provide a copy upon request. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Memory forensics
On 03/05/2010 05:18 PM, Robert J. Hansen wrote: > On 3/5/10 5:04 PM, Grant Olson wrote: >> That article was a little vague. And I don't know much about memory >> forensics in practice. Do you know that it actually was a hibernation >> file and not swap space? > > Note Jesse's phrasing: "volatile memory forensics." Swap space is > nonvolatile storage. Hibernation files are just dumps-to-disk of the > state of volatile memory when the laptop lid is closed. Extracting keys > from swap space is a solved problem: hit Google Scholar and search for > "file carving" and you'll get a lot of relevant papers. > > (While you're at it, check Google Scholar and search for "memory > forensics kornblum" -- Jesse is pretty widely published in memory > forensics. That doesn't mean he's automatically right, but he's not > just some random LiveJournal account, either.) > > Further, two co-workers of mine have spoken in person with the > investigators involved in this prosecution. These co-workers report to > me that the investigators have confirmed it was hibernation file analysis. > > If you want to know specifics, I'd suggest calling the prosecutor and > asking for copies of the indictment. It's a public record and the > prosecutor is required to provide a copy upon request. > Thanks a million for all this. The company "Volatile Systems" was really messing with my google-fu. signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OpenPGPCard Max PIN length changes?
>From what I understand, the v1.1 cards had a max pin length of 254 characters. Is this not the case with the newer v2.0 cards? My v2.0 card shows Max. PIN lengths .: 32 32 32. Is this a setting that can be changed? I didn't see anything in card-edit, and have I been digging around online, but have not come up with an answer. If in fact there was a change from v1.1/254 to v2.0/32, is there a reason for this change? Anyway to use longer PINs on the v2.0 cards? Talmage ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Memory forensics
> > Thanks a million for all this. The company "Volatile Systems" was > really messing with my google-fu. Err -- why? Volatile Systems is behind the Volatility framework, which is probably the best FOSS tool going right now for Windows memory analysis. (Admittedly, it only works on Windows XP... but given XP's userbase, even today, that's not a huge loss.) If you want to learn about what memory analysis can do, you could do a lot worse than to look into Volatility. Volatility can also inspect Windows XP's hibernation file and recover data structures from it. I seem to recall that Volatility was the toolkit used by the Madison investigators, but don't quote me on that. I may be barking wrong. smime.p7s Description: S/MIME cryptographic signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
