Re: Is the OpenPGP model still useful?
On 7/23/11 2:36 PM, Marcio B. Jr. wrote:
> Secrecy sharing constitutes sort of a "symmetric fact" when more than
> one instance is involved and you ask me for a citation?

Yes. I am quite certain that if, say, Daniel Gillmor were to assert "the Earth is round" and I were to ask him for a citation, he would refer me to Eratosthenes's trigonometric analysis of the angles of sunlight incidence in Syene and Alexandria, and would not find my request to be in the slightest bit unusual.

There is no fact, however obvious, which is guaranteed to be obvious to everyone. When people ask for citations for "obvious facts," the only thing it means is it is not obvious to them. The courteous and genteel thing to do is to provide a citation, so that the person in question might learn.

What you're saying is at odds with everything I've come to learn about DHKEA. What you're saying is extremely nonobvious to me. Please present a citation for your assertion that DHKEA shares secrets more than another competing protocol.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is the OpenPGP model still useful?
Hi Robert.

Secrecy sharing constitutes sort of a "symmetric fact" when more than one instance is involved and you ask me for a citation?

I resumed this thread in order to clarify whether Kopete's OpenPGP plugin was really superior, compared to the OTR one, and all people say is OTR and its Diffie-Hellman algo are great, but no comparison is ever made because choice depends on threat model. Come on, this is not an academic seminar. It would be simpler to put some hypothetical situation in which you'd choose one of the options, and explain the reason behind that choice.

What can I say? My situation is a regular one. Privacy and/or authenticity are needed in varying degrees.

Regards,

On Sat, Jul 23, 2011 at 2:16 PM, Robert J. Hansen wrote:
> On 7/23/11 1:04 PM, Marcio B. Jr. wrote:
>> You know, secrets are shared. 100% increase (at least) in "exposing"
>> risks.
>
> I need to see a citation for this. What you're claiming is at odds with
> everything I've ever learned about how DHKEA operates.

Marcio Barbado, Jr.
Re: Is the OpenPGP model still useful?
On 07/23/2011 07:04 PM, Marcio B. Jr. wrote:
> On Wed, Jul 6, 2011 at 5:49 PM, Robert J. Hansen wrote:
>>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>>> Diffie-Hellman key exchange method with block ciphers.
>>
>> Why is this a problem?
>
> You know, secrets are shared. 100% increase (at least) in "exposing" risks.

I am struggling with how to respond to your messages since i find them confusing.

Are you aware that the purpose of OTR is to allow two parties to communicate confidentially? In a confidential communication, a secret message is sent from party A to party B. The entire purpose is to share the secret between the two parties. They have to share the key to the cipher in order to share the secret.

OpenPGP itself uses this sort of symmetric encryption to encrypt messages with a random session key, and only uses asymmetric encryption to encrypt the session key itself. If you research other popular encryption standards (e.g. TLS), you'll find this "hybrid" approach is quite common.

If there's a serious downside or risk to it, could you outline the sort of attack you're concerned about?

Thanks,

--dkg
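An added illustration (not from any post in this thread) of what a Diffie-Hellman exchange actually transmits: each side sends only g^x mod p, keeps its exponent local, and both derive the same symmetric key for the block cipher. The group parameters are a constructed toy size, and the key-derivation label is an assumption of the example; real deployments use large standard groups and authenticate the exchange, as OTR does.

```python
# Added example: finite-field Diffie-Hellman with deliberately tiny toy
# parameters, to show which values cross the wire and which never leave
# each party's machine. Constructed for illustration only; not real-size.
import hashlib

P, G = 23, 5   # toy prime and generator, constructed for this example


def public_value(private_exponent: int) -> int:
    """What a party sends: g^x mod p. The exponent x itself stays local."""
    return pow(G, private_exponent, P)


def shared_secret(private_exponent: int, peer_public: int) -> int:
    """Computed locally from one's own exponent and the peer's public value:
    (g^y)^x mod p == (g^x)^y mod p, so both sides get the same number."""
    return pow(peer_public, private_exponent, P)


def session_key(secret: int) -> bytes:
    """Derive the symmetric (block cipher) key from the shared secret.
    The KDF label is an assumption of this example, not a standard."""
    return hashlib.sha256(b"toy-dh-session-key|" + str(secret).encode()).digest()


def run_exchange(x_alice: int, y_bob: int):
    """Simulate both parties. Returns (values visible on the wire,
    Alice's derived key, Bob's derived key)."""
    a_pub = public_value(x_alice)      # Alice -> Bob
    b_pub = public_value(y_bob)        # Bob -> Alice
    wire = {"p": P, "g": G, "A": a_pub, "B": b_pub}
    k_alice = session_key(shared_secret(x_alice, b_pub))
    k_bob = session_key(shared_secret(y_bob, a_pub))
    return wire, k_alice, k_bob


def exponents_on_wire(wire: dict, x_alice: int, y_bob: int) -> bool:
    """True only if a private exponent appeared among transmitted values."""
    return x_alice in wire.values() or y_bob in wire.values()


if __name__ == "__main__":
    wire, ka, kb = run_exchange(6, 15)
    print("on the wire:", wire)
    print("both sides derived the same key:", ka == kb)
    print("private exponents transmitted:", exponents_on_wire(wire, 6, 15))
```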
Re: OT: IM encryption options [was: Re: Is the OpenPGP model still useful?]
Hi Aaron, you are somewhat arrogant. Please read what I wrote till completion.

Regards,

On Fri, Jul 22, 2011 at 9:17 PM, Aaron Toponce wrote:
> On Fri, Jul 22, 2011 at 07:56:42PM -0300, Marcio B. Jr. wrote:
>> Hello Daniel,
>> sorry for such a delay; this has been a wild JULY.
>>
>> On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor wrote:
>> > On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
>> >> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> >> Diffie-Hellman key exchange method with block ciphers.
>> >
>> > Why does this seem unjustifiable to you? DH and block ciphers are
>> > widely-reviewed parts of the standard crypto toolkit. Do you have
>> > reason to believe they're generally bad?
>>
>> It seems unjustifiable because there exists an option in which secret
>> keys need not take risks. And if there's any security concern and
>> one's to choose between zero risk and any other positive-value risk,
>> it's reasonable to pick the former.
>
> Are you familiar with the DH key exchange? It doesn't seem that you are.
> There is no risk in sharing the private key between the two parties. It
> basically goes like this:
>
> Step 1: A generates the private key.
> Step 2: A encrypts the private key with a one-time session key.
> Step 3: A sends the encrypted private key to B.
> Step 4: B encrypts the encrypted private key with his 1-time key.
> Step 5: B sends the doubly-encrypted private key to A.
> Step 6: A decrypts what he can with his one-time session key.
> Step 7: A sends the resulting encrypted key to B.
> Step 8: B decrypts the private key with his 1-time key.
>
> B now has the private key.
>
> The one-time session keys are never shared, but stored locally on the
> machine. Once the DH key exchange finished, the session keys are destroyed.
> Nowhere in the exchange is there any risk of the private key being
> compromised. A MITM can grab all the packets he likes. Unless he has one or
> both session keys, he's not getting the private key.

Marcio Barbado, Jr.
Re: Is the OpenPGP model still useful?
On 7/23/11 1:04 PM, Marcio B. Jr. wrote:
> You know, secrets are shared. 100% increase (at least) in "exposing"
> risks.

I need to see a citation for this. What you're claiming is at odds with everything I've ever learned about how DHKEA operates.
Re: Is the OpenPGP model still useful?
Hello Robert.

On Wed, Jul 6, 2011 at 5:49 PM, Robert J. Hansen wrote:
>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> Diffie-Hellman key exchange method with block ciphers.
>
> Why is this a problem?

You know, secrets are shared. 100% increase (at least) in "exposing" risks.

Regards,

Marcio Barbado, Jr.
Re: gpg-agent automatically use passphrase for signing subkey?
2011/7/23 Ingo Klöcker:
> There is already the option --ignore-cache-for-signing (curiously the
> corresponding option for decryption is missing, i.e. it's not possible to use
> the cache for signing but not for decryption), so why not add another option
> like --share-signing-and-decryption-cache? (I guess, if I really wanted this I
> should provide a patch. :-) )

That was precisely my point; if anything, entering the passphrase twice is more of a security risk than storing it for 2 subkeys at the same time (risk of being overlooked, etc.).

Cheers

Chris Poole [PGP BAD246F9]
Re: Primary Key Security, Old DSA Key
On 7/23/11 10:19 AM, Edmond wrote:
> But since AFAIK both 1024 bit DSA and SHA1 hashes are not recommended
> for use anymore (at least in new systems), I was wondering if I should
> issue a new primary key.

This is impossible to answer, since we don't know exactly what threats you're facing. However, it's worth pointing out that you're correct: most of us no longer recommend DSA-1K or SHA-1 *for new systems*.

Speaking personally, just for myself, I have not seen any instances where I thought someone who used DSA-1K needed to switch algorithms immediately. It's probably a good idea to migrate to a new certificate *sometime*. If right now is a convenient time for you to do it, then sure, go for it. But there's no rush.

With respect to which algorithms to use... use GnuPG's defaults (RSA-2K right now, I believe). You don't need to tweak GnuPG in order to get a very high level of assurance from it. :)

> I.e., the worst thing that could happen is that someone
> issues new subkeys that claim to belong to my primary key when they
> actually don't. Is that correct?

Almost. The worst that could happen is someone could issue signatures and pretend they're from you. But if SHA-1 falls that far, well, we're all going to have a whole lot of problems above and beyond just that. :)
Primary Key Security, Old DSA Key
Hello everyone,

one of my keys (the one I'm signing this message with) was created a while back and uses a 1024 bit DSA primary key. For encryption I'm using a 4096 bit RSA subkey, and for signing a 2048 bit DSA subkey (due to the smaller signature).

gpg2 --list-packets for my primary key and the encryption subkey spawns:

iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 96

and for my signing key:

iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 161

The 'protect count' of my signing key is higher as it was created using a relatively new version of GnuPG 2 on a newer CPU. An OpenPGP S2K count of 96 implies 65536 rounds. On my mobile computer,

gpg-connect-agent 'getinfo s2k_count' /bye

calculates 1102848 rounds; and on my desktop computer the number is almost four times as big. Hence I will soon increase the number of protection rounds to improve my secret key security, or even move those keys to a smartcard.

But since AFAIK both 1024 bit DSA and SHA1 hashes are not recommended for use anymore (at least in new systems), I was wondering if I should issue a new primary key. What would you recommend? I have no signatures collected on my primary key (except my own).

Since my encryption subkey is using a current algorithm/key length, my encrypted messages should be safe regardless of the primary key's security, right? I.e., the worst thing that could happen is that someone issues new subkeys that claim to belong to my primary key when they actually don't. Is that correct?

Thanks,
Edmond
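An added worked example (not from the post or from GnuPG's own code) of the arithmetic behind the 'protect count' values above: the one-octet coded count from RFC 4880 section 3.7.1.3 expands to (16 + (c & 15)) << ((c >> 4) + 6) octets hashed, and the calibrated figure from getinfo s2k_count has to be rounded up to the nearest representable coded value before it is stored in a key.

```python
# Added example: decode and encode the OpenPGP iterated+salted S2K
# "protect count" octet that gpg --list-packets prints. The expansion
# formula is RFC 4880 section 3.7.1.3; the count is the number of octets
# fed through the hash, not a number of hash invocations.


def s2k_decode(coded: int) -> int:
    """Expand a coded S2K count octet (0..255) to the iteration count."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_encode(iterations: int) -> int:
    """Smallest coded octet whose expansion is >= iterations, i.e. what a
    requested count is rounded up to when stored. The expansion is
    monotonic in the octet value, so a linear scan is sufficient;
    requests above the maximum expansion (65011712) saturate at 255."""
    for coded in range(256):
        if s2k_decode(coded) >= iterations:
            return coded
    return 255


def protection_multiplier(old_coded: int, new_coded: int) -> float:
    """Factor by which each offline passphrase guess becomes more
    expensive after re-encrypting a key from old_coded to new_coded."""
    return s2k_decode(new_coded) / s2k_decode(old_coded)


if __name__ == "__main__":
    # The two counts from the post and the agent-calibrated figure.
    for c in (96, 161):
        print(f"protect count {c:3d} -> {s2k_decode(c):>9d} iterations")
    calibrated = 1102848  # 'getinfo s2k_count' result quoted in the post
    coded = s2k_encode(calibrated)
    print(f"{calibrated} rounds round up to coded {coded} "
          f"({s2k_decode(coded)} iterations)")
    print(f"re-protecting 96 -> {coded} raises per-guess cost "
          f"{protection_multiplier(96, coded):.1f}x")
```

Running it shows that the laptop's calibrated 1102848 rounds encode to exactly the 161 the signing key already carries, and that moving the 96-count keys to 161 makes each passphrase guess 17 times more expensive.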
Re: gpg-agent automatically use passphrase for signing subkey?
As far as I know every subkey holds its own passphrase (per default, they are all identical for a given primary key). This means that passphrase requests are actually not action-based, but key-based. Please correct me if I'm wrong. :)

Richard
Re: gpg-agent automatically use passphrase for signing subkey?
On Friday 22 July 2011, Charly Avital wrote:
> Chris Poole wrote on 7/22/11 10:38:39 AM:
> > On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
> >> When your passphrase has been cached for each of those *actions*,
> >> it will remain in gpg-agent's "memory" for the duration of the
> >> cache set in your home directory ~/.gnupg/gpg-agent.conf
> >
> > That's a shame, but thanks.
>
> Shame?
> I find it very convenient.

You think it's convenient that you have to enter the same passphrase twice, once when you want to sign something and then again when you want to decrypt something? There are surely use cases for this, but for someone like me who is using gpg on a computer (resp. account) nobody else has (physical) access to it's just an annoyance (albeit a minor one).

There is already the option --ignore-cache-for-signing (curiously the corresponding option for decryption is missing, i.e. it's not possible to use the cache for signing but not for decryption), so why not add another option like --share-signing-and-decryption-cache? (I guess, if I really wanted this I should provide a patch. :-) )

Regards,
Ingo