Re: Implementation question: validating left two of signatures

2011-08-12 Thread David Shaw
On Aug 12, 2011, at 3:27 PM, brian m. carlson wrote:

> I have a quality-of-implementation question (more in general than
> specifically about GnuPG).  I am writing an implementation of OpenPGP
> that verifies signatures, among other things.
> 
> Signatures contain the left two bytes of the hash as a quick check.
> I've noticed that a small number of signatures are in fact valid even
> though this quick check does not match the hash.  Is it considered
> acceptable to fix up this value if it is wrong?  If not, is it
> acceptable to treat two signatures as the same signature if they are
> identical but for the left two?  Does GnuPG (or any other
> implementation) actually give any credence to the left two whatsoever?

I can't speak for other implementations, but GnuPG does not look at the left 
two at all, and jumps right into checking the whole signature. It *generates* 
the quick check bytes, of course, as that is mandated by the standard, but it 
does not look at them itself.

I think that behavior is fine - the real check is the signature itself.

> If there's an OpenPGP implementers' list or another, more appropriate
> forum, please feel free to point me in that direction.  I couldn't find
> one, so I posted here.

You might also try the ietf-openpgp list: http://www.imc.org/ietf-openpgp/

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
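Added example, not part of the original thread and not GnuPG code: a Python sketch of how the left-two quick check relates to the digest of a v4 signature (RFC 4880, sections 5.2.3 and 5.2.4). The sample packet body, its timestamp, key ID and placeholder MPI are constructed; the field sits outside the hashed portion, so two signatures differing only there yield the same digest and the same MPIs.

```python
import hashlib
import struct

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to hashlib names.
HASHES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

def split_v4_signature(body: bytes):
    """Return (hashed_part, hash_id, left16, mpis) from a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a v4 signature packet body")
    hash_id = body[3]
    end_hashed = 6 + struct.unpack(">H", body[4:6])[0]
    if len(body) < end_hashed + 2:
        raise ValueError("truncated hashed subpacket area")
    pos = end_hashed + 2 + struct.unpack(">H", body[end_hashed:end_hashed + 2])[0]
    if len(body) < pos + 2:
        raise ValueError("truncated before the left-16 field")
    return body[:end_hashed], hash_id, body[pos:pos + 2], body[pos + 2:]

def signed_digest(document: bytes, hashed_part: bytes, hash_id: int) -> bytes:
    """Digest that a binary-document signature is computed over."""
    h = hashlib.new(HASHES[hash_id])
    h.update(document)
    h.update(hashed_part)  # version octet through end of hashed subpackets
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))  # v4 trailer
    return h.digest()

def quick_check(document: bytes, body: bytes):
    """Return (left16_matches, digest). The boolean is a hint, never the verdict."""
    hashed_part, hash_id, left16, _mpis = split_v4_signature(body)
    digest = signed_digest(document, hashed_part, hash_id)
    return digest[:2] == left16, digest

def build_sample(document: bytes, corrupt: bool = False) -> bytes:
    """Constructed body: type 0x00, RSA (1), SHA-256 (8), placeholder MPI."""
    hashed_sub = b"\x05\x02" + struct.pack(">I", 1313175600)        # creation time
    unhashed_sub = b"\x09\x10" + bytes.fromhex("0123456789abcdef")  # issuer key ID
    hashed_part = b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed_sub)) + hashed_sub
    left16 = signed_digest(document, hashed_part, 8)[:2]
    if corrupt:
        left16 = bytes(b ^ 0xFF for b in left16)  # wrong quick-check bytes
    mpi = b"\x00\x08\xaa"  # placeholder, not a real RSA value
    return hashed_part + struct.pack(">H", len(unhashed_sub)) + unhashed_sub + left16 + mpi

DOC = b"constructed test document\n"
GOOD = build_sample(DOC)
ODD = build_sample(DOC, corrupt=True)  # identical except for the left two
```

The verdict still has to come from verifying the MPIs against `digest` with the signer's public key, which this sketch does not do.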


Implementation question: validating left two of signatures

2011-08-12 Thread brian m. carlson
I have a quality-of-implementation question (more in general than
specifically about GnuPG).  I am writing an implementation of OpenPGP
that verifies signatures, among other things.

Signatures contain the left two bytes of the hash as a quick check.
I've noticed that a small number of signatures are in fact valid even
though this quick check does not match the hash.  Is it considered
acceptable to fix up this value if it is wrong?  If not, is it
acceptable to treat two signatures as the same signature if they are
identical but for the left two?  Does GnuPG (or any other
implementation) actually give any credence to the left two whatsoever?

If there's an OpenPGP implementers' list or another, more appropriate
forum, please feel free to point me in that direction.  I couldn't find
one, so I posted here.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187




Re: how can I generate a keypair without reading answers from stdin?

2011-08-12 Thread Jerome Baum
> You can simply write the answers down like you would in an interactive
> session with gpg. Then feed this file with `gpg --gen-key ... < file`
>
> gpg just reads from standard input. There is no difference between a
> user pressing return and a newline character in a text file.
>
> If you want to generate multiple keys from one file, try something like
> `while gpg --gen-key ...; do true; done < file`

I certainly think the batch solution is more appropriate. The batch
interfaces will be more consistent across different gpg versions,
while the numbers/letters you enter at the prompt can quickly change
if different algorithms are supported in a new version etc.

So stick with the batch and with-colons interfaces whenever you can.
They are also easier to script -- computer-readable and all that.

-- 
Jerome Baum

Hessenweg 222
48432 Rheine
GERMANY

tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
Unity and justice and a passing fad
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
http://five.sentenc.es



RE: How to validate encryption

2011-08-12 Thread Yadav, Amarjeet
Thanks.

-Original Message-
From: Hauke Laging [mailto:mailinglis...@hauke-laging.de] 
Sent: Friday, August 12, 2011 5:16 PM
To: gnupg-users@gnupg.org
Cc: Yadav, Amarjeet [Tech]
Subject: Re: How to validate encryption

On Thursday, 11 August 2011, 15:47:40, Yadav, Amarjeet wrote:
> Hi,
> We have a requirement where we would like to check whether an encrypted
> file is valid or not before decrypting it. Thanks

Why? In order to prevent the usability of GnuPG exploits?

If you trust the sender (and his systems) then the simple answer is: Have the 
sender sign the encrypted file. I hope that would not result in "we would like 
to check its validity before we check the signature"...


Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814



Re: how can I generate a keypair without reading answers from stdin?

2011-08-12 Thread Florian Philipp
On 12.08.2011 08:41, 赵小强 wrote:
> Hi there:
> I want to generate a keypair. But I don't want to type "gpg --gen-key"
> and then answer questions.
> I want to write all the answers in a file and then let gpg read the
> answers from the file in batch mode.
> What should the format of the file be? Any help?
> 

You can simply write the answers down like you would in an interactive
session with gpg. Then feed this file with `gpg --gen-key ... < file`

gpg just reads from standard input. There is no difference between a
user pressing return and a newline character in a text file.

If you want to generate multiple keys from one file, try something like
`while gpg --gen-key ...; do true; done < file`

Hope this helps,
Florian Philipp





Re: Secure PIN entry

2011-08-12 Thread Jerome Baum
> No, it is not implemented for PC/SC - only if you use the internal driver
> which is not available under Windows.

How much work is it to implement this -- either by using the internal
driver or otherwise maybe using the CTAPI? Is this a very far away
target, or just "there's lots of stuff and little time"?

-- 
Jerome Baum

Hessenweg 222
48432 Rheine
GERMANY

tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
Unity and justice and a passing fad
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
http://five.sentenc.es



Re: Secure PIN entry

2011-08-12 Thread Werner Koch
On Thu, 11 Aug 2011 23:00, jer...@jeromebaum.com said:

> Can I get the secure PIN entry (using built-in pin-pad) working for
> this reader? For my homebanking software (i.e. HBCI card), it works
> with CTAPI but now PC/SC. What settings can I fiddle with, and what
> log/debug output is relevant?

No, it is not implemented for PC/SC - only if you use the internal driver
which is not available under Windows.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: how can I generate a keypair without reading answers from stdin?

2011-08-12 Thread Werner Koch
On Fri, 12 Aug 2011 08:41, zxq_yx_...@163.com said:

> I want to write all the answers in a file and then let gpg read the
> answers from the file in batch mode.
> What should the format of the file be? Any help?

See the chapter "Unattended GPG key generation" in the manual, for
example online at 




Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
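Added example, not part of the original thread or the GnuPG manual: a Python sketch of the batch and with-colons interfaces recommended in Jerome Baum's reply and in the manual chapter cited above. The helper names, key sizes, expiry and the sample listing are assumptions; the listing is constructed, not real gpg output.

```python
import os
import subprocess
import tempfile

def key_parameters(name: str, email: str, passphrase: str) -> str:
    """Build the parameter file read by `gpg --batch --gen-key FILE`."""
    for value in (name, email, passphrase):
        if "\n" in value or "\r" in value:
            raise ValueError("newline would inject extra parameter lines")
    return "\n".join([
        "Key-Type: RSA", "Key-Length: 3072",
        "Subkey-Type: RSA", "Subkey-Length: 3072",
        f"Name-Real: {name}", f"Name-Email: {email}",
        "Expire-Date: 2y", f"Passphrase: {passphrase}",
        "%commit", ""])

def generate_key(homedir: str, params: str) -> None:
    """Run gpg on a private temporary parameter file, then delete the file."""
    fd, path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(params)
        subprocess.run(["gpg", "--homedir", homedir, "--batch", "--gen-key", path],
                       check=True)
    finally:
        os.remove(path)

def parse_colons(listing: str) -> list:
    """Collect primary keys from `gpg --with-colons --fingerprint --list-keys` output."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":") + [""] * 10  # pad so short records index safely
        if f[0] == "pub":
            keys.append({"bits": int(f[2]), "keyid": f[4], "fpr": None,
                         "uids": [f[9]] if f[9] else []})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # first fpr after pub is the primary key's
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys

# Constructed listing (not real gpg output; key IDs and fingerprints are made up).
SAMPLE = """pub:u:3072:1:0123456789ABCDEF:1313175600:1376247600::u:::scESC:
fpr:::::::::00112233445566778899AABB0123456789ABCDEF:
uid:u::::1313175600::CONSTRUCTED::Test User <test@example.org>:
sub:u:3072:1:FEDCBA9876543210:1313175600:1376247600:::::e:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FEDCBA9876543210:
"""
```

The parameter file carries the passphrase in clear text, which is why `generate_key` keeps it in an owner-only temporary file and removes it even when gpg fails.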




Re: How to validate encryption

2011-08-12 Thread Werner Koch
On Thu, 11 Aug 2011 15:47, amarjeet.ya...@gs.com said:

> We have a requirement where we would like to check whether an encrypted
> file is valid or not before decrypting it.

You mean whether it has been tampered with?  You can't do that without
decrypting it.  GPG checks that the decrypted file is valid - usually
by checking the signature but if it is not signed gpg checks the MDC
(modification check code - a kind of checksum).

Of course you could use a detached signature (or a hash digest of the
file conveyed via a second channel) to detect modification before
processing the file.  However the entire file needs to be processed in
any case.  Thus if modifications are rare it would take longer to check
the file first and then do the encryption which does yet another check.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: How to validate encryption

2011-08-12 Thread Hauke Laging
On Thursday, 11 August 2011, 15:47:40, Yadav, Amarjeet wrote:
> Hi,
> We have a requirement where we would like to check whether an encrypted
> file is valid or not before decrypting it. Thanks

Why? In order to prevent the usability of GnuPG exploits?

If you trust the sender (and his systems) then the simple answer is: Have the 
sender sign the encrypted file. I hope that would not result in "we would like 
to check its validity before we check the signature"...


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814




how can I generate a keypair without reading answers from stdin?

2011-08-12 Thread 赵小强
Hi there:
I want to generate a keypair. But I don't want to type "gpg --gen-key"
and then answer questions.
I want to write all the answers in a file and then let gpg read the
answers from the file in batch mode.
What should the format of the file be? Any help?




How to validate encryption

2011-08-12 Thread Yadav, Amarjeet
Hi,
We have a requirement where we would like to check whether an encrypted
file is valid or not before decrypting it.
Thanks