apache https gnupg
I searched the above combination of keywords on http://marc.theaimsgroup.com/ and got nothing. I assume, then, that this group has no messages dealing with the question of whether or not I can use GnuPG to create certificates that I can use to support HTTPS on Apache. The more general searches I used provided lots on the details of creating certificates and keys for use in encrypting and signing documents, but nothing on the more specific questions of practical application.

I actually have a couple of concerns. One deals with supporting HTTPS on the Apache web server (instead of buying a certificate from, e.g., GoDaddy); a related question is whether I can sign a web page, which may not be sent via HTTPS, so that the user viewing it knows it has not been altered in transit. The other deals with authentication of users submitting data to a web application that lives on Apache, and similarly the authentication of folk sending email to my server; in both cases, meaning, is the person providing the data who he says he is? For this second issue, it is a question of being able to support non-repudiation (i.e. to ensure a person can't enter data on one date and then subsequently deny he did so).

I have read enough to know I can use GnuPG to encrypt data on my various machines, but I haven't yet found where to look for information dealing with practical application in securing web applications and proving the identity of users of those applications. In ecommerce, for example, one of the big risks involves a customer buying a product or service and then demanding a refund, claiming he didn't buy that product or service but rather someone was impersonating him. I am looking to see if there is a practical application of GnuPG to let me prove that a user is who he says he is, and take that a step further in providing evidence that the user did, in fact, make the purchase he now denies (i.e. non-repudiation).

I recall, when I first read about PGP, many years ago, there was a section that talked abstractly about non-repudiation, but now I am looking to study the practicalities of applying it in a selection of web applications (and these applications do involve use of email, so that needs to be secured also). I don't expect anyone to write a tome on this, but a few links on, first, is it possible, and then, if so, how to deploy on Suse or Ubuntu Linux, would be appreciated.

NB: I have a growing collection of tools I can use to support my efforts, so in a sense, this is a question of whether or not I can, and should, add GnuPG to my toolkit.

Cheers
Ted

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: keytocard: bad secret key
On 10.07.2012 21:22, bo...@z1p.biz wrote:
> I'm trying to save a 4096-bit RSA key to my OpenPGP smartcard v2.0 but I get an error about a bad secret key. I use Ubuntu 10.04 with a self-compiled GnuPG 2.0.19. Verbose mode doesn't tell more details, and according to Google I am the only one with that problem...

You should check if your smartcard reader can handle extended APDU as described here: http://pcsclite.alioth.debian.org/ccid.html

I have only had success with extended APDU readers with 4096-bit keys.

Roman
Re: why is SHA1 used? How do I get SHA256 to be used?
On Wed, 11 Jul 2012 07:56, r...@sixdemonbag.org said:
> V5 discussions will not kick off in earnest until NIST announces the new hash standard, or so I've heard people from the working group say.

And even then it will take 5 years or so until it has been deployed widely. Even GnuPG 1.2 is still in use, despite having been declared EOL ages ago.

The fingerprint and the special features building upon it (e.g. revocation keys) are targets for an attack based on a SHA-1 *pre-image* attack. We need to analyze the possible problems and if needed deploy workarounds for them. SHA-256 for signatures is already in widespread use - thus I don't see a problem right now.

The real problem I see for GnuPG is that its maintenance is heavily under-financed and the pool of volunteers taking care of it is quite small. I am not sure whether PGP is in a better position, given its current owner.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: very cautious :-)
On Wed, 11 Jul 2012 01:22, mailinglis...@hauke-laging.de said:
> gpg --options /dev/null --keyserver hkp://keys.gnupg.net --search-keys ...
> gpg: external program calls are disabled due to unsafe options file permissions

Use --no-options instead.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
RE: why is SHA1 used? How do I get SHA256 to be used?
> I'd much rather fail to generate a signature than generate one using an algorithm which is very weak.

My feelings as well.

> Date: Tue, 10 Jul 2012 23:59:45 +
> From: sand...@crustytoothpaste.net
> To: gnupg-users@gnupg.org
> Subject: Re: why is SHA1 used? How do I get SHA256 to be used?
>
> On Tue, Jul 10, 2012 at 10:10:12AM -0400, Robert J. Hansen wrote:
> >> SHA1 is no longer secure.
> >
> > At the present moment, SHA-1 is just fine. In the fairly near future, anywhere between six months to a few years, I expect this will change. But "SHA1 is no longer secure" is factually untrue, at least where OpenPGP is concerned.
>
> SHA-1 is considered cryptographically broken. It does not provide the level of security it claims. Practically, collisions can be generated for 75 of the 80 rounds[0]. I hardly consider an algorithm this close to a collision "just fine". There's no need to run screaming to the exits, but a quick and orderly transition has been appropriate for some time. The time to move to something else is ending soon.
>
> > I don't recommend SHA-1 for new signatures, but if you have a choice between sending a SHA-1 message which your recipient can verify or a SHA-256 message which your recipient can't, well -- that math's pretty easy to do. SHA-1 isn't a good choice for new signatures, but it's a lot better than no signature.
>
> I don't generate signatures with algorithms I consider insecure because that leads to people being able to forge signatures in my name. If I use MD5, even for one message, that allows a moderately determined attacker to replay that signature on what is likely to become a fairly large set of messages. I'd rather avoid that, thank you.
>
> >> I'm not going to cater to people using really old versions, especially when security is involved.
> >
> > The good news is that no one's asking you to. You're only being advised, "don't use --digest-algo SHA256, it's unwise and can break interoperability. Use --personal-digest-preferences SHA256 instead." This is the same advice that has been given by the GnuPG developers, by the Enigmail team, and by many other people within the community. It's a best-practices thing for GnuPG.
>
> The question is, will GnuPG fall back to SHA-1 if it's not in my digest preferences? I'd much rather fail to generate a signature than generate one using an algorithm which is very weak.
>
> [0] http://eprint.iacr.org/2011/641
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Intro.
Good Day Folks,

I am a retired doc, 65, and a scrunch, a Master Bard Priest to the Sanctuary of the Healers' Heart, and due to necessity I am becoming involved in signing and encryption. I am somewhere in the mid range of computer skills, better with Linux than Winblow$. I am a total newbie with both signing and encryption. I use T-bird with Enigmail and will have questions about its use and some more on the workings of GnuPG.

If I ask something that is common knowledge to you, I ask your forbearance and ask for basic explanations initially. I'm sure that as I learn my questions will indicate that. I am also a musician, artisan, and writer as well. I am willing to help others as I learn.

Be Well, Be at Peace and spend loving time with your families, as we never know how long we'll be graced with their presence.

In Service In Health,
Dr. C.
How to activate gpg.conf entries?
I've added the following 3 lines to my gpg.conf file:

1) to use a stronger hash when supported by others, I added this line:
   personal-digest-preferences SHA256

2) to use the SHA256 hash when I sign a message, I added this line:
   cert-digest-algo SHA256

3) to change what is used when a new key is generated, I added this line:
   default-preference-list SHA256 SHA384 SHA512 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

If I am using the wrong command for my intended purpose, please do let me know :)

What procedure should I now do to activate or put into effect these preferences? Once done, is there a way to verify that these preferences are in effect? How can I verify?
Re: How to activate gpg.conf entries?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 2012-07-11 16:09, Sam Smith wrote:
> I've added the following 3 lines to my gpg.conf file:
> 1) to use stronger hash when supported by others, I added this line = *personal-digest-preferences SHA256*
> 2) to use the SHA256 hash when I Sign a message, I added this line = *cert-digest-algo SHA256*

This is not what cert-digest-algo does; I'd recommend removing this line altogether, but:

  --cert-digest-algo name
    Use name as the message digest algorithm used when signing a key. Running the program with the command --version yields a list of supported algorithms. Be aware that if you choose an algorithm that GnuPG supports but other OpenPGP implementations do not, then some users will not be able to use the key signatures you make, or quite possibly your entire key.

> 3) to change what is used when a new key is generated I added this line = *default-preference-list SHA256 SHA384 SHA512 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed*

Note that as per RFC4880 this will still not remove SHA1 [0: 13.3.2.] or 3DES [0: 13.2.], as these are appended tacitly to be able to ensure a matching set between implementations.

> If I am using the wrong command for my intended purpose, please do let me know :)
> What procedure should I now do to activate or put into effect these preferences? Once done, is there a way to verify that these preferences are in effect, how can I verify?

Clearsign some text and see what hash it yields?

Also note what has been mentioned regarding the use of 1024 bit DSA keys, which are limited to the use of 160 bit hash algorithms. If you wish to use a non-truncated version of SHA256 and have such a key, you'll have to propagate to a new one.

[0] http://tools.ietf.org/html/rfc4880

--
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
This email was digitally signed using the OpenPGP standard. If you want to read more about this, the book "Sending Emails - The Safe Way: An introduction to OpenPGP security" is now available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
Re: How to activate gpg.conf entries?
On 7/11/2012 10:09 AM, Sam Smith wrote:
> 1) to use stronger hash when supported by others, I added this line = *personal-digest-preferences SHA256*

I would suggest "SHA256 RIPEMD160", myself. There are no known attacks on RIPEMD160, and if you're in a situation that requires the use of a 160-bit hash it will allow you to fall back to a still-trusted hash rather than SHA-1.

> 2) to use the SHA256 hash when I Sign a message, I added this line = *cert-digest-algo SHA256*

That's not what cert-digest-algo does.

> 3) to change what is used when a new key is generated I added this line = *default-preference-list SHA256 SHA384 SHA512 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed*

There's nothing technically wrong with this, but I'd advise doing something different. Remember, the preflist on a certificate is (somewhat) misnamed: it's meant to show both capabilities *and* preferences. For instance, you can use Blowfish and Twofish and Camellia256 and whatnot. These are all believed to be safe, so there's really no reason to omit them from your certificate prefs. Push SHA-1 to the back of your hash prefs, certainly -- but if you don't have a strong reason to omit believed-safe algorithms from your pref list, I would consider it best to include them.

> What procedure should I now do to activate or put into effect these preferences? Once done, is there a way to verify that these preferences are in effect, how can I verify?

Sign a message and send it to the list.

Don't forget to add enable-dsa2 to your gpg.conf file *if* (a) you're using a DSA-1k signing key and (b) you want to be able to use truncated SHA256 with it.
RE: How to activate gpg.conf entries?
Thanks. The clearsign test worked.

What does cert-digest-algo do? I read the description in the GnuPG manual and what you quoted, but I still don't understand. Could someone explain to me what cert-digest-algo does and how it differs from digest-algo when placed in gpg.conf?

So personal-digest-preferences SHA256 will specify that SHA256 be used for digitally signing my messages, right?

And default-preference-list is only used for when the user generates a new key, right?
Re: scope of standard authority
On 7/11/2012 11:09 AM, Hauke Laging wrote:
> Does it make sense that a standard overrides a user's decision to prefer security over compatibility (sure, you can still check afterwards what has happened but that can be difficult especially if gpg is not used directly but called by a MUA e.g.)?

Yes. The entire point of a standard is to allow interoperation. That means there has to be some final fallback mode. SHA-1 is that fallback mode. With luck we'll see this get changed once the new hash standard is announced.
Re: How to activate gpg.conf entries?
On Wed, 11 Jul 2012 17:11, r...@sixdemonbag.org said:
> I would suggest SHA256 RIPEMD160, myself. There are no known attacks on RIPEMD160, and if you're in a situation that requires the use of a

But only because RIPEMD160 does not get as much attention as SHA-1. I doubt that RIPEMD160 is in any way stronger than SHA-1. Even European authorities switched to SHA-1 a few years ago. Another advantage of SHA-1 and SHA-2 is the hardware accelerators available in modern CPUs.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
RE: How to activate gpg.conf entries?
> For clearsigned messages, yes, for a message sent to someone else while using their public key, it will depend on the capabilities specified in their preference.

Which command states this preference for when a message is sent to someone using their public key? The default-preference-list is for generating a new key. Is it also used to tell others what preference I have for when they digitally sign a message that is intended for me? Or is there another command that specifies my preference for when they sign a message that is intended for me?
Re: scope of standard authority
On Wed 11.07.2012, 11:13:46, Robert J. Hansen wrote:
> The entire point of a standard is to allow interoperation. That means there has to be some final fallback mode.

IMHO the second sentence effectively rewrites the first to: "The entire point of a standard is to ENFORCE interoperation." I don't see the benefit of forcing someone to something in a security context if the direction is not to more but to less security.

The two cases are:

a) I try to send an email or sign a file. This fails with the hint that I have to correct my configuration. I then can decide whether to do that or not.

b) I believe I make signatures of type X or Y only. But in rare cases such a standard feature (which maybe not more than a tiny share of the users know about) makes me unawarely create one of type Z.

Who would choose (b) for himself, and how big would the damage of getting there via (a) be for those?

It seems to me that --digest-algo does have its use case and that the documentation is wrong:

  --digest-algo name
    [...] --personal-digest-preferences is the safe way to accomplish the same thing.

It's obviously not the same.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
cert-digest-algo clarification
To make sure I understand correctly:

1) cert-digest-algo SHA256 = will use SHA256 to sign KEYS with, regardless of what preferences the key holder has stipulated

2) digest-algo SHA256 = will use SHA256 to sign MESSAGES with, regardless of what preferences the recipient of the message has stipulated

Do I understand these commands correctly?
Re: cert-digest-algo clarification
On Jul 11, 2012, at 1:06 PM, Sam Smith wrote:
> To make sure I understand correctly:
> 1) cert-digest-algo SHA256 = will use SHA256 to sign KEYS with regardless of what preferences the key holder has stipulated
> 2) digest-algo SHA256 = will use SHA256 to sign MESSAGES with regardless of what preferences the recipient of the message has stipulated
> Do I understand these commands correctly?

Not exactly. For signing keys (#1), there are no preferences, so there is nothing to override. It's just whatever you set cert-digest-algo to. Note, though, that this includes signing your own key, so if you make a subkey or add a user ID, the binding signature will also use that digest.

For #2, you do understand correctly.

David
Re: scope of standard authority (was: Re: How to activate gpg.conf entries?)
On Jul 11, 2012, at 11:09 AM, Hauke Laging wrote:
> On Wed 11.07.2012, 16:54:27, Kristian Fiskerstrand wrote:
> > Note that as per RFC4880 this will still not remove SHA1 [0: 13.3.2.] or 3DES [0: 13.2.], as these are appended tacitly to be able to ensure a matching set between implementations.
>
> Does it make sense that a standard overrides a user's decision to prefer security over compatibility (sure, you can still check afterwards what has happened but that can be difficult especially if gpg is not used directly but called by a MUA e.g.)? As someone stated here recently, he would rather not make a signature at all than one which he considers unsafe.

The standard specifies how algorithms are chosen and ensures that communication can always take place (e.g. if all else fails, pick 3DES). It does not mandate that the message must be sent. It is obviously legal for a client to say "I settled on 3DES, but you don't permit 3DES, so I give up - I'm not able to continue." The standard controls how messages are generated, and if the client gives up before generating the message, the standard is not involved. It is not legal for the client to say "I settled on 3DES, but you don't permit 3DES, so I'm going to use AES instead."

It's important to differentiate between signing and encryption here. For encryption, 3DES is the fallback algorithm, and the standard is very clear - it's an explicit MUST NOT to use any algorithm that isn't in the preference list. For signing, it's not as simple - for example, there is no explicit recipient (and therefore no preference list) when signing without encrypting, such as is done on a mailing list. The standard acknowledges this and leaves it up to the signer to pick an algorithm, with the obvious caveat that the signer can make a message that can't be verified.

David
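As an added illustration (not code from this thread or from GnuPG) of the selection rule David describes and of Kristian's point that a default-preference-list cannot remove SHA1 or 3DES: the script below applies the RFC 4880 "common to all recipients, implicit fallback appended" rule to Sam's preference list and two constructed correspondents, and reads the Hash: armor header of a clearsigned message, which is the check Kristian suggested. The tie-break when several algorithms are common is a simplification, not gpg's exact scoring, and the correspondents' lists and the clearsigned fragment are constructed.

```python
"""OpenPGP preference negotiation per RFC 4880 13.2 / 13.3.1 / 13.3.2, plus the
clearsign Hash: header check.  Illustration only, not GnuPG's implementation."""
from typing import Dict, List, Optional, Sequence

# Algorithm names as written in gpg.conf and shown by showpref (a subset).
CIPHERS = {"3DES", "CAST5", "BLOWFISH", "AES", "AES192", "AES256", "TWOFISH",
           "CAMELLIA128", "CAMELLIA192", "CAMELLIA256"}
DIGESTS = {"MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512"}
COMPRESS = {"Uncompressed", "ZIP", "ZLIB", "BZIP2"}

# RFC 4880 treats these as implicitly present at the end of every preference
# list, which is why leaving SHA1 or 3DES out of default-preference-list does
# not remove them: every implementation must be able to fall back to them.
IMPLICIT = {"cipher": "3DES", "digest": "SHA1", "compress": "Uncompressed"}

Prefs = Dict[str, List[str]]


def parse_pref_list(text: str) -> Prefs:
    """Split a default-preference-list string into per-class ordered lists and
    append the implicit fallback wherever the user left it out."""
    prefs: Prefs = {"cipher": [], "digest": [], "compress": []}
    for name in text.split():
        if name in CIPHERS:
            prefs["cipher"].append(name)
        elif name in DIGESTS:
            prefs["digest"].append(name)
        elif name in COMPRESS:
            prefs["compress"].append(name)
        else:
            raise ValueError(f"unknown algorithm name: {name}")
    for cls, fallback in IMPLICIT.items():
        if fallback not in prefs[cls]:
            prefs[cls].append(fallback)
    return prefs


def negotiate(cls: str, recipients: Sequence[Prefs],
              personal: Optional[Sequence[str]] = None) -> str:
    """Choose the algorithm of class `cls` for a message to all `recipients`.

    Only algorithms present in every recipient's list may be used (the MUST NOT
    of RFC 4880 13.2).  `personal` plays the role of gpg's personal-*-preferences:
    it orders the sender's wishes but cannot add an algorithm a recipient lacks.
    If none of the personal choices is common we fall through to the first
    recipient's order, which always ends in the implicit fallback (simplified
    tie-break; gpg scores ranks across recipients instead)."""
    common = set(recipients[0][cls])
    for r in recipients[1:]:
        common &= set(r[cls])
    for algo in list(personal or []) + recipients[0][cls]:
        if algo in common:
            return algo
    return IMPLICIT[cls]  # not reached: the fallback is always common


def armor_hash_header(clearsigned: str) -> str:
    """Return the digest named in a clearsigned message's Hash: armor header.
    RFC 4880 section 7: if no Hash header is present, MD5 is implied."""
    lines = clearsigned.splitlines()
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in lines:
        raise ValueError("not a clearsigned message")
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    for line in lines[start + 1:]:
        if not line.strip():
            break  # the blank line ends the armor headers
        if line.startswith("Hash:"):
            return line.split(":", 1)[1].strip()
    return "MD5"


# Sam's list from the thread, plus two constructed correspondents.
SAM = parse_pref_list("SHA256 SHA384 SHA512 SHA224 AES256 AES192 AES CAST5 "
                      "ZLIB BZIP2 ZIP Uncompressed")
MODERN = parse_pref_list("AES256 AES192 AES CAST5 3DES SHA256 SHA1 RIPEMD160 "
                         "ZLIB BZIP2 ZIP Uncompressed")   # constructed
LEGACY = parse_pref_list("CAST5 3DES SHA1 RIPEMD160 ZIP")  # constructed, old client

# Constructed clearsigned fragment; the signature body is a placeholder.
SAMPLE_CLEARSIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

test message
-----BEGIN PGP SIGNATURE-----
(signature omitted)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    print("digest, Sam -> modern:", negotiate("digest", [SAM, MODERN], ["SHA256"]))
    print("digest, Sam -> legacy:", negotiate("digest", [SAM, LEGACY], ["SHA256"]))
    print("cipher, Sam -> legacy:", negotiate("cipher", [SAM, LEGACY], ["AES256"]))
    print("Hash header of sample:", armor_hash_header(SAMPLE_CLEARSIGNED))
```

Against the legacy correspondent the digest collapses to SHA1 despite personal-digest-preferences SHA256, which is the behaviour Hauke objects to; the cipher lands on CAST5 rather than 3DES because both sides still list it.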
Re: scope of standard authority (was: Re: How to activate gpg.conf entries?)
On Wed 11.07.2012, 13:57:58, David Shaw wrote:
> For signing, it's not as simple - for example, there is no explicit recipient (and therefore no preference list) when signing without encrypting, such as is done on a mailing list.

Is there any reason why known recipients should not be considered when signing only? I just noticed that gpg issues a warning if a recipient is given when signing only. But instead the public key could be used for hash selection. To avoid ambiguity this could fail if for any of the recipients the key is missing. The calling application could check in advance which recipients have a key locally and only give those as recipients for the signing operation. As this is already done for encrypted signatures, the required code should already be there.

Hauke

--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: How to activate gpg.conf entries?
On 2012-07-11 17:57, Sam Smith wrote:
> > For clearsigned messages, yes, for a message sent to someone else while using their public key, it will depend on the capabilities specified in their preference.
>
> which command states this preference for when a message is sent to someone using their public key? the default-preference-list is for gen new key. Is it also used to tell others what preference I have for when they digitally sign a message that is intended for me? Or is there another command that specifies my preference for when they sign a message that is intended for me?

When public keys are involved it is necessary to determine common capabilities between the preferences of all. You can see these preferences e.g. using gpg2 --edit-key 0xABCDEF01 and typing showpref. To set this preference for your own public key you'd use setpref, which can also be used to update in accordance with the default-preference-list you set in gpg.conf. Note that for others to see the changes they will need an updated copy of the public key (typically, re-send it to the keyservers).

--
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
Re: How to activate gpg.conf entries?
On 2012-07-11 17:46, Sam Smith wrote:
> Thanks. The clearsign test worked. What does cert-digest-algo do? I read the description in the GnuPG manual and what you quoted, but I still don't understand. Could someone explain to me what cert-digest-algo does and how it differs from digest-algo when placed in gpg.conf?

Note that cert-digest-algo specifies the digest when signing a key, which is different from signing a message.

> so personal-digest-preferences SHA256 will specify that SHA256 be used for digitally signing my messages, right?

For clearsigned messages, yes; for a message sent to someone else while using their public key, it will depend on the capabilities specified in their preference.

> and default-preference-list is only used for when user generates a new key, right?

right

-- 
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Re: How to activate gpg.conf entries?
On 7/11/2012 11:51 AM, Werner Koch wrote:
> But only because RIPEMD160 does not get as much attention as SHA-1.

True, but I'm not certain I believe SHA256 is much better. Let's look over the history of Merkle-Damgård hashes:

MD2 (broken 1997, preimages 2004)
MD4 (broken 1991, preimages 2008, can generate collisions with pen and paper!)
MD5 (broken 1996, preimages 2012 presumably, based on public reports about Flame)
SHA-0 (broken 1998, no preimages)
SHA-1 (broken 2005, no preimages)
RIPEMD (broken ... uh ... when?)
SHA256 (unbroken)
RIPEMD-160 (unbroken)

History has not been kind to the Merkle-Damgård construction. The fact OpenPGP only contains Merkle-Damgårds has always bothered me: I'd feel much better if WHIRLPOOL had been standardized and included in the list.
Re: Intro.
On 7/11/2012 9:50 AM, Healer 1 wrote:
> I am a retired doc 65 and a scrunch, a Master Bard Priest to the Sanctuary of the Healers' Heart, and due to necessity I am becoming involved in signing and encryption...

You may also be interested in joining the Enigmail users mailing list: http://www.mozdev.org/mailman/listinfo/enigmail/

As a general rule, you'll get faster responses to Enigmail questions on that list, and faster responses to GnuPG questions on this list. Welcome to the community. We hope you'll find information that's useful to you! :)
Re: How to activate gpg.conf entries?
On Wed, 11 Jul 2012 21:41, r...@sixdemonbag.org said:
> History has not been kind to the Merkle-Damgård construction. The fact OpenPGP only contains Merkle-Damgårds has always bothered me: I'd feel much better if WHIRLPOOL had been standardized and included in the list.

On Phil's request we tried to limit proliferation of algorithms and tried to agree on a common and useful subset of the allowed algorithms. Back then WHIRLPOOL did not give a clear improvement on the size of a digest and thus we did not consider it as something useful. Hash algorithm research was kind of black magic and most of us assumed that the NSA folks tried their best to come up with a solid hash design. WHIRLPOOL was a bit obscure back then. That all happened 12 to 15 years ago. The last discussion I recall was during the second AES conference in 2000(?).

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law. (Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.)
Re: why is SHA1 used? How do I get SHA256 to be used?
On Wed, Jul 11, 2012 at 11:25 AM, Werner Koch w...@gnupg.org wrote:
> On Wed, 11 Jul 2012 07:56, r...@sixdemonbag.org said:
>> V5 discussions will not kick off in earnest until NIST announces the new hash standard, or so I've heard people from the working group say.
>
> And even then it will take 5 years or so until it has been deployed widely. Even GnuPG 1.2 is still in use, despite the fact that it was declared EOL ages ago. The fingerprint and the special features building upon it (e.g. revocation keys) are targets for an attack based on a SHA-1 *pre-image* attack. We need to analyze the possible problems and if needed deploy workarounds for them. SHA-256 for signatures is already in widespread use - thus I don't see a problem right now. The real problem I see for GnuPG is that its maintenance is heavily under-financed and the pool of volunteers taking care of it is quite small. I am not sure whether PGP is in a better position, given its current owner.

A bleak but realistic assessment. But one thing that might be helpful to explain is this: what needs to be in the V5 key format aside from the change in fingerprint hash? Aside from that issue, the V4 key format seems to have been resilient. What are the other issues that need to be addressed?

Nicholas
Re: why is SHA1 used? How do I get SHA256 to be used?
On Tue, Jul 10, 2012 at 08:15:32PM -0400, Robert J. Hansen wrote:
> There tends to be a lot of scaremongering in the world of crypto. I think it's generally wise to be careful in our declarations. It is enough to say SHA-1 is known to not meet its design specifications and that some fairly devastating attacks against it will likely be coming along in the near future. That's already a good enough reason to reduce our usage of and dependency upon SHA-1. There's no need to fearmonger about how the algorithm has already collapsed, because it hasn't.

I'm not saying it has collapsed. I'm saying that it has weaknesses, and that the number and magnitude of the weaknesses continue to grow, and that I think it is imprudent to use SHA-1. I would much rather people make the move to something better now, because otherwise we'll all be stuck with SHA-1 long after it's insecure, just like it's been with MD5.

>> Practically, collisions can be generated for 75 of the 80 rounds[0].
>
> Right now, only random collisions can be generated. That's not any use in forging a signature, which requires a preimage collision.

A cryptographic break is not the same as a practical exploit. It's an indication of weakness. I've seen lots of people that work with crypto claim that we don't need larger margins of security. The cost of computation is so small that I'd rather overdo it than regret my decision later.

>> I don't generate signatures with algorithms I consider insecure because that leads to people being able to forge signatures in my name.
>
> Then you need to stop using OpenPGP altogether, because you're already generating SHA-1 signatures with your certificate which can be lifted and dropped onto new messages if/when a preimage attack is introduced against SHA-1.

Really? I'm pretty sure that I'm not generating SHA-1 signatures. This is signed using SHA-512, SHA-384, or SHA-256. When I sign another key, I use SHA-512. At least that's what I've configured GnuPG to do, and I'd be very surprised if it did not, in fact, do that. If it is using SHA-1, please report it to the list: it's a bug.

> Let me make this really clear: if you believe SHA-1 is insecure, you believe OpenPGP is insecure and you should stop using it. SHA-1 is hardwired into the OpenPGP spec in a few different places and, as of right now, cannot really be removed. The new V5 key format will almost certainly change this, but V5 won't be coming out for a good long while yet.

SHA-1, for my current key, is being used to generate my fingerprint. It's being used in MDCs when I encrypt a message. And it's being used instead of the default checksum for my private key. That's it. Since my private key remains solely in my possession and is not subject to tampering, what checksum is used is really irrelevant. Since I sign my messages when I encrypt them, the MDC is essentially redundant, since it would be apparent that they'd been tampered with. It is extremely unlikely that an attacker would be able to tamper with the encrypted message such that they could produce a valid, signed unencrypted message. And I'm personally not happy with the use of SHA-1 for the fingerprint, but it'll have to do for a while. I wish we had chosen RIPEMD-160 instead. I feel it's a better, more conservative design.

>> If I use MD5, even for one message, that allows a moderately determined attacker to replay that signature on what is likely to become a fairly large set of messages. I'd rather avoid that, thank you.
>
> You've *already done this*.

Really? Can you show an example?

> If you truly believe this, stop using OpenPGP.

Is my statement not true for MD5?

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Re: why is SHA1 used? How do I get SHA256 to be used?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 7/11/2012 9:23 PM, brian m. carlson wrote:
>>> If I use MD5, even for one message, that allows a moderately determined attacker to replay that signature on what is likely to become a fairly large set of messages. I'd rather avoid that, thank you.
>>
>> You've *already done this*.
>
> Really? Can you show an example?

If you *ever* signed a message with SHA1 and posted it publicly (maybe in the 'olden days' before any vulnerability in SHA1 was known), then that signature could become a source for a forgery, whenever SHA1 becomes broken enough. (A clever, malicious attacker could backdate the clock, and have a forgery of something you did in the past, when you couldn't claim: Hey, that's an obvious forgery! I'm on record as saying I would never use SHA1 to sign anything anymore!)

vedaal

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJP/kC7AAoJEFBvT6HTX7GGXV0P/jE4sQEIohwQ4s89wLRzLkji
//WimhWcxBvuzSW/uTNaMwG1QwkDA/nbYwa3VUMv3BXNFA9bRaiLSG0QKo/4INo3
PPUqlC3zIS7H7up5BxU2kKw7F45IIjkYuny7A5cZr/0wldyThe6OJrGhO7AjnIv9
YfHc5ztaG115ch7fF5S2SqX2ygsoAGromsfo/0OyAtQssmFIzuEsTpDNQgFjieh7
rVPIIqedITwpcV+BHH5QSETVjC0ZzERMokC/RaJ+Ta14IwHfpSv5cAkFoqTMouiA
oJxrGWROepnlD371gNZ/2dD1N76LBqGrxIMrc2ZbDI9UvM3GrAqv2aqNn0LOdfMz
t/JhGj1DGUeRyCgR2R4+TNY9L5yh+rq0/1oMGmzDg7D1x3uhJFWChDSY2cPc+r+x
xqjrsgEcQejcSOD0YaDSOTII/cMY6Xm8pB60GaVtw5uTAErO4aPlat977JhO97IF
CWHp9VwdbKl8BepiKhq8N4yyIA/1pDVtYQt2Ua3QSUJ4uNUiUGyhrypkLdViC/ws
9jj7Hb1J4f7bjko+gGi36r0OGHd6zBE+a1auV6tli3fBvss1BJ8lSNqUVPO/leqB
CNjNQNMF1GJnOqU4UvTT84KHnQBCHGWneS61a94YiOTyYQqs0BAYc2y/z6JaQY/u
JmW/+vlA5PAoKr0aRSKe
=8Ycl
-----END PGP SIGNATURE-----
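Brian says above that his signatures use SHA-512, SHA-384 or SHA-256, "at least that's what I've configured GnuPG to do", and Kristian separates the gpg.conf options that govern message signatures from the one that governs key signatures. The inspector below is an added example, not code from this thread or from GnuPG, that reads the digest algorithm straight out of a signature packet so the configuration can be checked rather than trusted; gpg --list-packets reports the same field, but walking the packet yourself makes it obvious that the digest choice is fixed per signature and visible to anyone holding the signature. It handles old-format packet headers and version 4 signatures only, verifies the armor CRC-24 before parsing, and maps the signature type to the gpg.conf option that selected its digest. The sample is the signature block from vedaal's message above with standard five-dash armor lines; every value the test expects (RSA, canonical-text signature, SHA256, 540-byte packet) is read from that packet and agrees with the Hash: SHA256 header of the message.

```python
# Added example (not code from the thread or from GnuPG): parse an armored
# OpenPGP signature and report which digest the signer's gpg actually used.
# Old-format packet headers and version 4 signatures only (RFC 4880 4.2,
# 5.2.3 and 6.1); anything else raises ValueError.
import base64
import re

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
PUBKEY_ALGOS = {1: "RSA", 3: "RSA-sign-only", 17: "DSA"}
# Which gpg.conf option picks the digest depends on the signature type:
# message signatures use digest-algo / personal-digest-preferences,
# signatures over keys use cert-digest-algo.
DATA_OPT, KEY_OPT = "digest-algo / personal-digest-preferences", "cert-digest-algo"
SIG_TYPES = {0x00: ("binary document", DATA_OPT), 0x01: ("canonical text", DATA_OPT),
             0x10: ("generic certification", KEY_OPT), 0x13: ("positive certification", KEY_OPT),
             0x18: ("subkey binding", KEY_OPT), 0x20: ("key revocation", KEY_OPT)}


def crc24(data):
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text):
    """Binary packet data of a PGP SIGNATURE block; the CRC line must match."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("no armored signature block found")
    lines = [line.strip() for line in m.group(1).splitlines()]
    if "" in lines:                      # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    payload = base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))
    for crc_line in (l[1:] for l in lines if l.startswith("=")):
        if crc24(payload) != int.from_bytes(base64.b64decode(crc_line), "big"):
            raise ValueError("armor CRC-24 mismatch: block is corrupt")
    return payload


def old_format_header(data):
    """(tag, body_offset, body_length) of an old-format packet header."""
    ctb = data[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("expected an old-format OpenPGP packet header")
    width = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
    if width is None:
        raise ValueError("indeterminate packet length not supported")
    return (ctb >> 2) & 0x0F, 1 + width, int.from_bytes(data[1:1 + width], "big")


def inspect_signature(armored):
    """Describe the algorithms and type of a version 4 signature packet."""
    payload = dearmor(armored)
    tag, offset, length = old_format_header(payload)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = payload[offset:offset + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a version 4 signature")
    sig_type, pk_algo, hash_algo = body[1], body[2], body[3]   # fixed positions in v4
    meaning, option = SIG_TYPES.get(sig_type, ("other", "?"))
    return {"sig_type": sig_type, "meaning": meaning, "controlled_by": option,
            "pubkey_algo": PUBKEY_ALGOS.get(pk_algo, "algo %d" % pk_algo),
            "hash_algo": HASH_ALGOS.get(hash_algo, "algo %d" % hash_algo),
            "packet_bytes": length}


# The signature from vedaal's message above, with five-dash armor lines.
SAMPLE = """-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Acts of Kindness better the World, and protect the Soul
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJP/kC7AAoJEFBvT6HTX7GGXV0P/jE4sQEIohwQ4s89wLRzLkji
//WimhWcxBvuzSW/uTNaMwG1QwkDA/nbYwa3VUMv3BXNFA9bRaiLSG0QKo/4INo3
PPUqlC3zIS7H7up5BxU2kKw7F45IIjkYuny7A5cZr/0wldyThe6OJrGhO7AjnIv9
YfHc5ztaG115ch7fF5S2SqX2ygsoAGromsfo/0OyAtQssmFIzuEsTpDNQgFjieh7
rVPIIqedITwpcV+BHH5QSETVjC0ZzERMokC/RaJ+Ta14IwHfpSv5cAkFoqTMouiA
oJxrGWROepnlD371gNZ/2dD1N76LBqGrxIMrc2ZbDI9UvM3GrAqv2aqNn0LOdfMz
t/JhGj1DGUeRyCgR2R4+TNY9L5yh+rq0/1oMGmzDg7D1x3uhJFWChDSY2cPc+r+x
xqjrsgEcQejcSOD0YaDSOTII/cMY6Xm8pB60GaVtw5uTAErO4aPlat977JhO97IF
CWHp9VwdbKl8BepiKhq8N4yyIA/1pDVtYQt2Ua3QSUJ4uNUiUGyhrypkLdViC/ws
9jj7Hb1J4f7bjko+gGi36r0OGHd6zBE+a1auV6tli3fBvss1BJ8lSNqUVPO/leqB
CNjNQNMF1GJnOqU4UvTT84KHnQBCHGWneS61a94YiOTyYQqs0BAYc2y/z6JaQY/u
JmW/+vlA5PAoKr0aRSKe
=8Ycl
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for key, value in inspect_signature(SAMPLE).items():
        print("%-14s %s" % (key, value))
```

Point it at your own clearsigned output and at a signature you made on someone's key: the message signature should report the algorithm from personal-digest-preferences, the key signature the one from cert-digest-algo, and a "SHA1" in either place means the setting did not take effect for that kind of signature.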
Re: why is SHA1 used? How do I get SHA256 to be used?
On 7/11/2012 9:23 PM, brian m. carlson wrote:
> Really? I'm pretty sure that I'm not generating SHA-1 signatures.

This is not necessarily relevant. Here's a thought experiment for you. Someone creates a DSA-1k key and uses --cert-digest-algo SHA256 and --enable-dsa2. This creates 160-bit truncated SHA256 hashes. This person is at risk from a SHA-1 preimage collision, *despite the fact they've never generated a single SHA-1 signature*. All the attacker has to do is create a message which SHA-1s out to the same value as the truncated SHA-256 of a legitimate message. At that point, the forgery becomes possible.

I don't specifically know how you're using SHA-256. Nor do I especially want to know. What I do know is that there are a surprising number of ways a SHA-1 preimage attack can screw over even people who have never used SHA-256. Don't put too much faith in "if I switch to SHA-256 I don't need to worry about the SHA-1 attacks." It's probably not true.
Re: why is SHA1 used? How do I get SHA256 to be used?
On Wed 11.07.2012, 23:13:00 vedaal wrote:
> (A clever, malicious attacker could backdate the clock, and have a forgery of something you did in the past, when you couldn't claim: Hey, that's an obvious forgery! I'm on record as saying I would never use SHA1 to sign anything anymore!)

So what? A signature over a broken hash alone is worthless no matter what its timestamp says. If you want to prove anything by a signature at a time when the hash is considered broken you have to prove that the signature existed before that time. And this proof can obviously not be based on the broken hash. Thus you have to sign all signatures you want to be able to use after the announcement that they are broken (which can, of course, come surprisingly) by another hash, or rather you have to get them signed by a trusted third party if you want to use them against someone.

Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
Re: why is SHA1 used? How do I get SHA256 to be used?
You're arguing two different contradictory things here:

> I'm not saying these attacks exist practically today against SHA1 (i don't know if they do), but collision-resistance is the relevant property, not resistance to pre-image attacks.

And then:

> The places where it is thoroughly baked in are the MDC (not relevant cryptographically) and the V4 fingerprint (where the relevant property is resistance to a preimage attack instead of resistance to generated collisions).

The relevant property can be resistance to preimage attack or it can be collision resistance. Pick a property and argue it, please. :)

I am far more concerned about preimage attacks (which are the ultimate game-over) than random collisions (which affect a smaller fraction of the userbase). I'm not saying that random collisions are not troubling in their own right.

> Where exactly has the original poster signed anything over an MD5 digest?

Refer to my subsequent message, where I backed off from that statement and clarified that I was referring to the poster already relying on the safety of SHA-1 -- and just being in denial about it. If you believe SHA-1 is insecure and you want to avoid it at all costs, you need to avoid OpenPGP.
Re: why is SHA1 used? How do I get SHA256 to be used?
On 07/10/2012 06:15 PM, Robert J. Hansen wrote:
> Right now, only random collisions can be generated. That's not any use in forging a signature, which requires a preimage collision.

If the attacker can convince you to sign a chosen text (perhaps one that looks reasonable), then a failure in the digest's collision-resistance could very well be used to replay that signature over a different (but colliding) text (which may not be something reasonable). This does not require a preimage collision. I'm not saying these attacks exist practically today against SHA1 (i don't know if they do), but collision-resistance is the relevant property, not resistance to pre-image attacks.

> SHA-1 is hardwired into the OpenPGP spec in a few different places and, as of right now, cannot really be removed.

The places where it is thoroughly baked in are the MDC (not relevant cryptographically) and the V4 fingerprint (where the relevant property is resistance to a preimage attack instead of resistance to generated collisions).

>> If I use MD5, even for one message, that allows a moderately determined attacker to replay that signature on what is likely to become a fairly large set of messages. I'd rather avoid that, thank you.
>
> You've *already done this*.

Where exactly has the original poster signed anything over an MD5 digest?

--dkg
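dkg's point above, that a collision attack alone is enough to move a signature from a chosen harmless text to a colliding harmful one, as an added worked example that is not code from the thread: a 24-bit truncation of SHA-256 plays the broken digest and a toy textbook-RSA signer with fixed small primes plays the key, both assumptions made for the demo so that the attack runs in well under a second. The attacker generates cosmetic variants of both texts, finds a colliding pair by a birthday search (about 2^12 hashes per side at 24 bits), gets the harmless variant signed, and the signature then verifies on the harmful one without any preimage being found. The work_factors function puts that number next to what a second-preimage search against one fixed digest would cost, 2^24 hashes, which is the scenario Robert Hansen has in mind; the gap between the two is the whole argument.

```python
# Added example (not code from the thread): why a collision attack on the
# digest is enough to transfer a signature, without any preimage attack.
# A 24-bit truncation of SHA-256 stands in for a broken hash and a toy
# textbook-RSA signer (fixed small primes, assumed for the demo) for the key;
# only the work factors are the point, not the algorithms.
import hashlib
import math

DIGEST_BITS = 24
# Textbook RSA over n = p*q with p, q the primes nearest 10^6; n > 2^24 so every
# digest is a valid input to the signing exponent.  Never do this for real.
_P, _Q, _E = 999983, 1000003, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def toy_digest(message):
    """Leftmost DIGEST_BITS of SHA-256: a deliberately weak digest."""
    return int.from_bytes(hashlib.sha256(message).digest()[:DIGEST_BITS // 8], "big")


def sign(message):
    """As in OpenPGP, the signature depends on the digest only."""
    return pow(toy_digest(message), _D, _N)


def verify(message, signature):
    """Recover the digest from the signature and compare it with the message's."""
    return pow(signature, _E, _N) == toy_digest(message)


def variants(template, count):
    """Deterministic cosmetic variants of a text: trailing blanks plus a serial
    in a footer line, the kind of noise a chosen-text attacker hides in a document."""
    for i in range(count):
        yield (template + " " * (i % 7) + "\n-- ref %d\n" % (i // 7)).encode()


def find_collision(benign_template, evil_template, max_per_side=1 << 17):
    """Birthday search: index benign variants by digest, then walk evil variants
    until one lands on an occupied digest.  Returns (benign, evil, evil_tries)
    or None.  Expected cost is around 2**(DIGEST_BITS/2) hashes per side."""
    seen = {}
    for msg in variants(benign_template, max_per_side):
        seen.setdefault(toy_digest(msg), msg)
    for tries, msg in enumerate(variants(evil_template, max_per_side), 1):
        digest = toy_digest(msg)
        if digest in seen:
            return seen[digest], msg, tries
    return None


def work_factors(bits):
    """Rough number of hash evaluations: birthday collision vs. second preimage."""
    return {"collision": int(math.sqrt(math.pi / 2 * 2 ** bits)),
            "second_preimage": 2 ** bits}


def demo():
    """The victim signs one harmless text chosen by the attacker; the attacker
    then presents the same signature over the colliding, harmful text."""
    benign = "I agree to pay 10 EUR for the July newsletter."      # constructed texts
    evil = "I agree to pay 10000 EUR for the July newsletter."
    found = find_collision(benign, evil)
    if found is None:
        raise RuntimeError("no collision within the search bound")
    signed_text, forged_text, tries = found
    signature = sign(signed_text)            # the victim only ever signs this one
    return {"signed_text": signed_text, "forged_text": forged_text,
            "evil_tries": tries,
            "same_digest": toy_digest(signed_text) == toy_digest(forged_text),
            "signature_transfers": verify(forged_text, signature),
            "work": work_factors(DIGEST_BITS)}


if __name__ == "__main__":
    result = demo()
    print("signed : %r" % result["signed_text"])
    print("forged : %r" % result["forged_text"])
    print("verifies on forged text: %s after %d evil variants; a second preimage "
          "would cost about %d hashes" % (result["signature_transfers"],
                                          result["evil_tries"],
                                          result["work"]["second_preimage"]))
```

The defence dkg implies follows from the same code: the victim controls nothing about the digest once the attacker chooses the text, so the only protections are a digest whose collision bound is out of reach and refusing to sign attacker-supplied documents that leave room for invisible variation.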