Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
>> Any way for two correspondents to set up gnupg within a few moments without having to become expert? The usual gnupg materials are very dense.

> Ask an expert to do the setup. After that usage is simple.

In my opinion public license software is about empowering people. If you need an expert to install a software for you, the dependency on a software vendor is replaced by the dependency on an expert, which might be even worse in some circumstances. Experts should also see their role in empowering people.

Yes, there is a necessity to have good GUI based installers that don't need an expert's assistance to get things right (and eventually change the insecure gpg defaults for that matter...)

gpg4win works just fine. (So does Truecrypt or Academic Signature if you look at other crypto)

The users must invest some minutes in understanding what asymmetric cryptography is about, however. That should be well within the scope of people with normal intelligence. Without that very basic understanding, using GnuPG (or other public key crypto) would be reckless nonsense anyways. Becoming a console wizard should definitely not be necessary.

Regards
Michael Anders

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Trouble resetting OpenPGP card after admin PIN lockout
TL;DR: I think you might be helped by [4]. Do an scd killscd from gpg-connect-agent, install and start pcscd, install the Python module pyscard and run the script from [4]. By the way, if you have an OpenPGP v.1 card, you're screwed, they self-destruct on 3 wrong Admin PINs.

On 21/01/14 02:37, Paul R. Ramer wrote:
> I am having trouble resetting an OpenPGP card on which I locked the admin PIN.

Since you already locked the PIN, the 8 commands that represent VERIFY attempts with a wrong PIN should no longer be needed. They are these commands:

    scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40

For the normal PIN (to be overly exact, for doing a signature)

    scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40

For the admin PIN

    scd apdu 00 44 00 00
    ERR 100663405 Card reset required SCD

This would normally be the first step of getting the card back to an unlocked, clean state. Note that an OpenPGP v1.1 card will self-destruct on 3 wrong admin PINs. If you have a v1.1 card, you're out of luck.

However, a v2.0 card can be quite a bitch as well. I grabbed an unused v2.0 card to try to replicate your situation. I exhausted the Admin PINs, disconnected and reconnected the reader, and tried to re-initialise it. It wouldn't work. I accidentally lost the log of what I did, but it would respond to TERMINATE DF with the expected status 90 00, but ACTIVATE FILE would give an error in SW1-SW2. Then I also exhausted the regular PINs, thinking that maybe both need to be locked. No luck again.

I interspersed all with the following APDU I constructed from the docs:

    scd apdu 00 ca 5f 52 00

Which gets the DO Historical bytes and looks like this for one of my v2.0 cards:

    D[] 00 31 C5 73 C0 01 40 05 90 00 90 00

The fourth-to-last byte, 05, indicates it is in Operational state. At no point did the test card leave this state, even though after TERMINATE DF it should say 03 for Initialisation state, IIUC.

I changed the order of TERMINATE DF and ACTIVATE FILE, and sometimes repeated one of those, but no matter what I tried, I could never get 90 00 for both commands, always only one of them.

Then at some point, my card stopped working. I would get Incorrect value if I remember, euh... correctly. I got a bit worried at this point, and decided to kill scdaemon and gpg-agent to start with a clean slate. gpg-agent however is started by my X session, and killing it only made it defunct. At this point I logged out, and lost my log of what I had done. Oops! There goes an exact and detailed transcript of how it went wrong. Aaarrrggh! Why didn't I set screen to log all to a file?!

So now, the OpenPGP card would not select the OpenPGP application. A log of all APDU's, generated by scdaemon (debug 2048) is:

-8-8-
2014-01-21 10:51:00 scdaemon[9568] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=00 p2=0C lc=2 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 00 0C 02 3F 00
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=04 p2=00 lc=6 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 00 06 D2 76 00 01 24 01
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6285 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=7 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 0C 07 D2 76 00 00 03 01 02
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=12 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 0C 0C A0 00 00 00 63 50 4B 43 53 2D 31 35
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=08 p2=0C lc=2 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 08 0C 02 2F 00
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=01 p2=0C lc=2 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 01 0C 02 50 15
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=9 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 0C 09 D2 76 00 00 25 45 50 02 00
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: send apdu: c=00 i=A4 p1=04 p2=0C lc=6 le=-1 em=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 0C 06 D2 76 00 00 66 01
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] no supported card application found: Invalid value
-8-8-

I tried to

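
Added example (not part of the post above and not GnuPG code): a short Python script that pairs each "raw apdu" line of the scdaemon log with its status word and decodes the life cycle byte from the historical bytes. The status-word and life-cycle texts are the ISO 7816-4 meanings; the function names are made up for this example, and the ATR is assumed to end in a TCK check byte, as the one in the log does.

```python
import re

# Status words (ISO 7816-4) that occur in the log, plus success.
SW = {0x9000: "ok", 0x6285: "selected file in termination state",
      0x6B00: "wrong parameters P1-P2"}
# Life cycle status byte values, as used in the post.
LCS = {0x00: "no information", 0x03: "initialisation", 0x05: "operational"}

# Excerpt of the scdaemon log quoted in the post.
SAMPLE_LOG = """\
2014-01-21 10:51:00 scdaemon[9568] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 00 0C 02 3F 00
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6B00 datalen=0
2014-01-21 10:51:00 scdaemon[9568] DBG: raw apdu: 00 A4 04 00 06 D2 76 00 01 24 01
2014-01-21 10:51:00 scdaemon[9568] DBG: response: sw=6285 datalen=0
"""

def parse_log(text):
    """Return (atr, [(apdu, sw), ...]) from scdaemon 'debug 2048' output."""
    atr, pairs, pending = None, [], None
    for line in text.splitlines():
        if m := re.search(r"ATR=([0-9A-F ]+)", line):
            atr = bytes.fromhex(m.group(1))
        elif m := re.search(r"raw apdu: ([0-9A-F ]+)", line):
            pending = bytes.fromhex(m.group(1))
        elif (m := re.search(r"response: sw=([0-9A-F]{4})", line)) and pending:
            pairs.append((pending, int(m.group(1), 16)))
            pending = None
    return atr, pairs

def aid_selects(pairs):
    """Map each AID selected by name (INS A4, P1 04) to its status text."""
    out = {}
    for apdu, sw in pairs:
        if apdu[1] == 0xA4 and apdu[2] == 0x04:
            aid = apdu[5:5 + apdu[4]].hex().upper()   # apdu[4] is Lc
            out[aid] = SW.get(sw, f"unknown {sw:04X}")
    return out

def atr_historical(atr):
    """Historical bytes of an ATR that ends in a TCK byte (assumed here)."""
    k = atr[1] & 0x0F             # low nibble of T0 = number of historical bytes
    return atr[-1 - k:-1]

def life_cycle(historical):
    """Decode the life cycle byte from historical bytes (category 00)."""
    if historical[0] != 0x00:
        raise ValueError("status indicator position not fixed for this category")
    lcs = historical[-3]          # last three bytes: LCS, SW1, SW2
    return LCS.get(lcs, f"other ({lcs:02X})")

if __name__ == "__main__":
    atr, pairs = parse_log(SAMPLE_LOG)
    print(aid_selects(pairs), life_cycle(atr_historical(atr)))
    print(life_cycle(bytes.fromhex("00 31 C5 73 C0 01 40 05 90 00")))  # 5F52 reply, SW removed
```

On the posted log, the SELECT of the OpenPGP application (AID D2 76 00 01 24 01) is the one answered with 6285, and the life cycle byte inside the ATR reads 00.
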
Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On 21/01/14 10:45, Michael Anders wrote:
> Yes, there is a necessity to have good GUI based installers that don't need an expert's assistance to get things right (and eventually change the insecure gpg defaults for that matter...)

You mean what you personally consider insecure defaults. Please let's not confuse people by stating opinions as facts. You're entitled to your opinion, though.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at http://digitalbrains.com/2012/openpgp-key-peter

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
> You mean what you personally consider insecure defaults. Please let's not confuse people by stating opinions as facts. You're entitled to your opinion, though.
>
> HTH,
>
> Peter.

My opinion is that SHA1 should no longer be used. A link on SHA1 security: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

regards,
Michael Anders

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On Tue, 21 Jan 2014 14:03:07 +0100 Michael Anders micha...@gmx.de wrote:
> My opinion is that SHA1 should no longer be used. A link on SHA1 security: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

How do I prevent gnupg from using SHA1? Also how do I update my key to not use SHA1 digests which it appears to be using, as well as listing SHA1 as my second favourite algorithm.

--
Steve Jones st...@secretvolcanobase.org
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On Tue, 2014-01-21 at 14:19 +, Steve Jones wrote:
> How do I prevent gnupg from using SHA1? Also how do I update my key to not use SHA1 digests which it appears to be using, as well as listing SHA1 as my second favourite algorithm.

I found a description in the web (http://sparkslinux.wordpress.com/2013/02/21/hashing-algorithm-is-your-gpg-configuration-secure/) that told me to do the following:

You locate the file gpg.conf
On my ubuntu it is in the directory ~/.gnupg/

In this file you can add the three lines at the bottom

    personal-cipher-preferences AES256 TWOFISH AES192 AES
    personal-digest-preferences SHA512 SHA384 SHA256
    personal-compress-preferences ZLIB BZIP2 ZIP

to set the preferences. GnuPG is supposed to pick the leftmost possible in the respective lists.

But backup before editing! I remember some recent posts on problems editing GnuPG config files and transferring to and fro windows and linux. There seems to be a danger to mess up things using wrong editor settings.

I don't know if hash preference information is additionally attached to keys. I would guess it is not, it wouldn't make sense to me.

regards,
Michael Anders

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On Tue 21.01.2014, 16:06:36, Michael Anders wrote:
> I don't know if hash preference information is additionally attached to keys. I would guess it is not, it wouldn't make sense to me.

Unfortunately that's not a reliable guide.

http://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Esoteric-Options.html

--default-preference-list

Hauke
--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On Jan 21, 2014 5:32 PM, Hauke Laging mailinglis...@hauke-laging.de wrote:
> On Tue 21.01.2014, 16:06:36, Michael Anders wrote:
>> I don't know if hash preference information is additionally attached to keys. I would guess it is not, it wouldn't make sense to me.
>
> Unfortunately that's not a reliable guide.
>
> http://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Esoteric-Options.html
>
> --default-preference-list

I've found http://www.debian-administration.org/users/dkg/weblog/48 to be a reasonably sensible guide for setting stronger preferences. I also added Twofish and Blowfish after AES256 and AES, respectively. I've not heard of any issues with that setup, but your mileage may vary.

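
Added example, not from the thread and not GnuPG code: a small Python check of a gpg.conf that separates the option given in the earlier post (personal-digest-preferences) from the key-related default-preference-list that Hauke points to, plus cert-digest-algo, a real gpg option that the thread itself does not name. The WEAK set, the function names and the second sample file are assumptions constructed for the example.

```python
# Options that decide which digest ends up where (scope per the gpg manual).
SCOPE = {
    "personal-digest-preferences": "digest this installation picks when signing",
    "default-preference-list": "preferences stored on new keys and used by setpref",
    "cert-digest-algo": "digest used when signing a key",
}
WEAK = {"SHA1", "MD5"}  # assumption: the digests this thread wants to avoid

# The three lines from the earlier post in this thread.
POSTED = """\
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP
"""
# Constructed sample: adds the two key-related options, one with a weak digest.
CONSTRUCTED = POSTED + """\
# key-related settings
default-preference-list SHA512 SHA256 SHA1 AES256 AES ZLIB
cert-digest-algo SHA256
"""

def parse_conf(text):
    """gpg.conf holds long option names without the leading dashes."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *values = line.split()
            opts[name.lstrip("-")] = values
    return opts

def audit(text):
    """Return {option: 'ok' | 'not set' | 'weak: ...'} for the SCOPE options."""
    opts, report = parse_conf(text), {}
    for name in SCOPE:
        if name not in opts:
            report[name] = "not set"
        else:
            weak = sorted(a.upper() for a in opts[name] if a.upper() in WEAK)
            report[name] = "weak: " + " ".join(weak) if weak else "ok"
    return report

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        for name, status in audit(conf).items():
            print(f"{label:12} {name:28} {status:12} ({SCOPE[name]})")
```
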
Re: Looking for simple wrapper for symmetric key file encryption
As already mentioned, you could decrypt the file to a ram disk -- the /dev/shm directory should already be there, but if you're trying to bypass creating an unnecessary file altogether, you need something else.

I actually wrote a GUI frontend for this purpose (among others) a while back. It's called pyrite and available at: https://github.com/ryran/pyrite

It's extremely versatile and can do everything but manage keys -- basically you can do any kind of signing verifying with or without any kind of encryption/decryption (including symmetric).

Your workflow with it could look like this:

1.) Run pyrite /path/to/encrypted/file [GUI opens up with text-input populated by encrypted text]
2.) Decrypt text [Cipher-text is replaced with decrypted version; never saved to disk]
3.) Make your edits/changes
4.) Re-encrypt
5.) Click save-to-disk button

On Sun, Jan 19, 2014 at 4:48 PM, Mr. Clif c...@eugeneweb.com wrote:
> Hi Doug,
>
> Thanks for the comments. Yes the threat model is mostly the worry of having old temp files or even the original cleartext files left behind on the HD, or even worse having them backed up. ;-) At the very least I want something that tries to protect me from stupid mistakes.
>
> Yep the RAM disk idea was part of the solution I'm heading towards. So do you or does anyone know of a nice front end that helps with that? An example of behavior that doesn't seem helpful is that when I use GPA to decrypt a file it defaults to saving it on the HD. I'm not trying to knock GPA here but wouldn't it be better to display the contents in a window? Well I realize that might be just what I want, and others have use cases that it works fine for. ;-)
>
> Clif
>
> On 01/19/2014 01:23 PM, Doug Barton wrote:
>> On 01/19/2014 08:56 AM, Mr. Clif wrote:
>>> So I'm trying to get a sense from the users here if they feel that the process of using gpg for symmetric encryption is safe enough, and they are not worried about leaving clear text behind.
>>
>> I think you're misunderstanding a few things. First, the problem of the plain text file is not exclusive to symmetric encryption. In fact there is no difference between that, and the plain text file that's left behind after public key encryption.
>>
>> Second, you haven't defined your threat model. You have given us a vague sense of wanting to have a secure system, but you haven't said what you're trying to secure it against. Thus it's hard to respond intelligently to your query.
>>
>> That said, I would suggest that you consider using a RAM disk to do your work on. It can be created to do the work, then deleted after you're done, with no risk of leaving a file behind on disk. Of course you'd want to make sure your RAM disk was not swap-backed.
>>
>> hope this helps,
>>
>> Doug

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On Tue, 21 Jan 2014 17:39:13 +0100 Pete Stephenson p...@heypete.com wrote:
> I've found http://www.debian-administration.org/users/dkg/weblog/48 to be a reasonably sensible guide for setting stronger preferences. I also added Twofish and Blowfish after AES256 and AES, respectively. I've not heard of any issues with that setup, but your mileage may vary.

Thanks, that was quite helpful. I've found I can just delete the self signatures on my UID and replace them with better ones but I can't see a way to change the subkey binding signature.

--
Steve Jones st...@secretvolcanobase.org
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896

Re: Any way for two correspondents to set up gnupg within a few moments without having to become expert?
On 21/01/14 14:03, Michael Anders wrote:
>> You mean what you personally consider insecure defaults. Please let's not confuse people by stating opinions as facts. You're entitled to your opinion, though.
>>
>> HTH,
>>
>> Peter.
>
> My opinion is that SHA1 should no longer be used.

Of course in the best of worlds it shouldn't be used anymore. But if everyone started signing their emails with SHA1 I couldn't be more pleased, because then you at least have the infrastructure in place, and can upgrade people later.

The major problem we're facing is that we can't even get most people to use MD5 or DES. Heck, they don't even know who or what they are, and to be frank they shouldn't have to.

Cheers,
arne

--
Arne Renkema-Padmos @hcisec, secuso.org Doctoral researcher CASED, TU Darmstadt

Re: using an OpenPGP card with Java (keytool and jarsigner)
On 08.01.2014 16:26, Hans-Christoph Steiner wrote:
> On 01/08/2014 07:02 AM, Werner Koch wrote:
>> On Tue, 7 Jan 2014 15:32, h...@guardianproject.info said:
>>> OpenPGP card as a PKCS11 keystore. It seems that things are close: Java can use NSS as a provider of PKCS11. I guess the question is whether opensc is making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
>>
>> Scute also provides a pkcs#11 interface to NSS. Thus you should be able to use it also with Java.
>
> I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11 interface to the OpenPGP card. I am able to get keytool to report the certificate in key position #3, but the question I have now is that given that key #3 is for authentication, is there some restriction in the OpenPGP card that would prevent the certificate/key combo in position #3 from being used for signing?
>
> I did read about using opensc with an OpenPGP card to provide S/MIME services. What I read there is that in order to use the certificate/key combo in position #3 for decrypting emails, the key in position #2 (decryption) must match the key in position number #3. Is there a similar restriction for signing?

There is no restriction for Signing Key (first slot in OpenPGP card). For me Scute never worked successfully. I would recommend using OpenSC instead which is maintained actively.

Best regards,
Stefan

> I forget if I mentioned this, but the grand goal is to have a single hardware security module that can sign the Android APK using jarsigner, then make a OpenPGP signature on the APK, then optionally provide authentication for scp'ing the resulting files to the release server.
>
> .hc