Re: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread Peter Lebbing
On 30/01/14 02:14, DUELL, BOB wrote:
> On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set
> the permissions to global access (777).
>
> I set the permission on all the files in this directory to allow global
> read access (744).

If you're trying to achieve by the 744 what I think you're trying to achieve,
namely that users can't change the files, I think you're mistaken[1]. Look at
the following session I just did[2]:

-8-8-

$ ll -R
.:
total 4
drwxrwxrwx 2 root root 4096 Jan 30 11:40 gpg

./gpg:
total 4
-rwxr--r-- 1 root root 17 Jan 30 11:40 gpg.conf
$ cd gpg
$ cat gpg.conf
intended content
$ echo unwanted addition >> gpg.conf
bash: gpg.conf: Permission denied
$ cp -a gpg.conf gpg.conf.new
$ echo unwanted addition >> gpg.conf.new
$ mv gpg.conf.new gpg.conf
mv: try to overwrite ‘gpg.conf’, overriding mode 0744 (rwxr--r--)? y
$ cat gpg.conf
intended content
unwanted addition
$ ll
total 4
-rwxr--r-- 1 peter peter 35 Jan 30 11:42 gpg.conf

-8-8-

The thing is, you're not allowed to change any files, but you are allowed to
replace those files by your own. The sticky bit might help, but I'm not sure.
gpg does stuff with a bunch of files in the homedir, and I suspect that some
might need the permission to overwrite files one of your other users created.

I haven't thought about the rest of your setup, this is just one issue that
stood out to me so I commented on that.

HTH,

Peter.

[1] Additionally, why are all files executable?
[2] ll is shorthand for ls -l

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread Johannes Zarl
On Thursday 30 January 2014 11:49:47 Peter Lebbing wrote:
> If you're trying to achieve by the 744 what I think you're trying to
> achieve, namely that users can't change the files, I think you're
> mistaken[1]. Look at the following session I just did[2]:
>
> The thing is, you're not allowed to change any files, but you are allowed to
> replace those files by your own.

Just in case this isn't clear to everybody already: the write permission on
the directory is the problem here, not the 744 on the file.

> gpg does stuff with a bunch of files in the homedir, and I suspect
> that some might need the permission to overwrite files one of your other
> users created.

If one really wanted to use a shared secret key in this way (as opposed to a 
token), I would only share the keyrings, not the home directory.

Like that (only a mockup):

ls -la /opt/app/apps/dbmprod/gpg
drwxr-x--- 1 root gpgusers  .
-rw-r----- 1 root gpgusers  secring.gpg
-rw-r----- 1 root gpgusers  pubring.gpg

Limiting readability to a user group would at least limit the access to the 
key material w.r.t. unprivileged processes running on the same machine.

gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg \
    --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg \
    ...


As to what Bob wrote in the original message:
> I suppose that my use of a private key without a passphrase might be of some
> concern, but I never figured out a better way to do this.  In other words,
> if the single key required a passphrase, I'd have to give out that
> passphrase to everyone, so what would be the point?

It might not make much of a difference, but having a strong passphrase would 
still protect copies of your key lying on some backup.

Other than that, I guess Diego's advice is sound -- limiting the potential 
damage by using a token/smartcard.

  Johannes



Re: MUA automatically signs keys?

2014-01-30 Thread MFPA
Hi


On Thursday 30 January 2014 at 12:58:44 AM, in
mid:20140130005844.1f0f5b54@steves-laptop, Steve Jones wrote:



> The advantage you have here though is the web of trust.
> 1 level 1 signature would probably be not enough, but
> 5, 10, 100..?

If the signatures are made automatically by email software without
verifying identity, where is the web of trust? Lots of such signatures
would tie the key to the email address but not to a person. Email
addresses, just like phone numbers, may be re-used by a different
person today from the one who used them last year.



> There comes a point where you have to
> decide that a certain level of security is good enough.

That is one of the points of the oft-repeated mantra "It depends on
your threat model."

-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people.




Re: MUA automatically signs keys?

2014-01-30 Thread Leo Gaspard
On Thu, Jan 30, 2014 at 09:09:45PM +, MFPA wrote:
> > The advantage you have here though is the web of trust.
> > 1 level 1 signature would probably be not enough, but
> > 5, 10, 100..?
> 
> If the signatures are made automatically by email software without
> verifying identity, where is the web of trust? Lots of such signatures
> would tie the key to the email address but not to a person. Email
> addresses, just like phone numbers, may be re-used by a different
> person today from the one who used them last year.

Well... To this at least I can answer. Sure, it links a key to an email address.
Yet, more often than not one knows the email address of the intended recipient
(otherwise, how would he/she send the email?). So knowing an email address is
associated to a key can be useful.

About emails reused by different persons... AFAICT most major email services
never re-issue the same email address twice. Which could be considered good
practice. If one worries about an email agency stealing the email addresses,
well... A signature on an email UID means "Yes, this key is used by the same
person as the email address." So signing it automatically would not conflict
with the meaning of the signature. Yet if the UID also includes a name, then it
should be signed only after appropriate verification of the owner.

Just my two cents,

Leo



Re: MUA automatically signs keys?

2014-01-30 Thread Johannes Zarl
[resent, this time to the mailing list]
Hi,

On Thursday 30 January 2014 21:09:45 MFPA wrote:
> mid:20140130005844.1f0f5b54@steves-laptop, Steve Jones wrote:
> > The advantage you have here though is the web of trust.
> > 1 level 1 signature would probably be not enough, but
> > 5, 10, 100..?
> 
> If the signatures are made automatically by email software without
> verifying identity, where is the web of trust? Lots of such signatures
> would tie the key to the email address but not to a person.

If the same email-address is used together with the same key for a long time, 
it effectively ties the email-address to a person for all practical concerns. 
After all, you are communicating via email with someone you have never seen. 
Otherwise, you would have exchanged keys in person.

Just take this list: I don't give a damn whether Werner Koch is the real name 
of that guy working on that awesome piece of software. I do care about that 
awesome piece of software being signed by the same Werner Koch as last year.

If I needed to clarify a legal issue pertaining to the German citizen Werner 
K., I would prefer a key that I can link to a government-issued id.


> Email addresses, just like phone numbers, may be re-used by a different
> person today from the one who used them last year.

If someone else hijacks (maliciously or not) the email address without also 
infiltrating that person's PC and stealing the secret key, then the key would 
change.

If the initial communication was subject to a MITM-attack, the key would 
change as soon as the MITM attack stops or gets sidestepped. The quality of 
this canary improves with the number of signatures over an extended time.

In either scenario, you would notice that something was afoul as soon as the 
key changes and investigate.

The result is not perfect glorious privacy, just pretty good for the 
average(tm) user.

Cheers,
  Johannes



Re: MUA automatically signs keys?

2014-01-30 Thread Steve Jones
On Thu, 30 Jan 2014 21:09:45 +
MFPA <2014-667rhzu3dc-lists-gro...@riseup.net> wrote:

> On Thursday 30 January 2014 at 12:58:44 AM, in
> mid:20140130005844.1f0f5b54@steves-laptop, Steve Jones wrote:
> > The advantage you have here though is the web of trust.
> > 1 level 1 signature would probably be not enough, but
> > 5, 10, 100..?
> 
> If the signatures are made automatically by email software without
> verifying identity, where is the web of trust? Lots of such signatures
> would tie the key to the email address but not to a person. Email
> addresses, just like phone numbers, may be re-used by a different
> person today from the one who used them last year.

Well therein lies my problem with the PGP system. It relies on the
notion of there being this singular thing called your identity. This
doesn't really match how people work in the world, it certainly doesn't
match how things work online. There are plenty of people I've known for
years by a particular name and using a particular email address, but by
the standards of PGP I haven't verified their identity so shouldn't
sign their key. In online communications so many people are just names,
urls or email addresses, their identity is just the things they've said
and published. If I was accepting a cheque from one of those people I'd
probably look for an identity confirmation, if I just wanted to talk to
them in probable privacy then a few other people saying effectively
"Yeah I've used that key for that person" is enough.

To put it somewhat glibly, if a friend introduces someone to you do you
ask for an affidavit that your friend has seen two forms of state issued
photo id before you'll talk to them?

> > There comes a point where you have to
> > decide that a certain level of security is good enough.
> 
> That is one of the points of the oft-repeated mantra "It depends on
> your threat model."

Yes, entirely. As it stands however the standard threat model seems that
we have to assume that all attackers are the NSA.

-- 
Steve Jones <st...@secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896




cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

2014-01-30 Thread Donald Morgan Jr.
If you know a user has a signature that they use to always end a message
with, does that data aid in the decryption of the file? Would this exploit
be applicable to symmetric encryption methods as well?


RE: Setting up shared access to gpg on a UNIX server

2014-01-30 Thread DUELL, BOB
Hi again,

Firstly, as a Windows Outlook user, I've never figured out the correct 
etiquette on formatting responses to list-server messages, so I'm just going to 
post a new message without previous references.

Taking previous comments to heart, I've altered my home directory permissions 
to remove write access from everyone other than the owner (755).  I believe this 
plugs the hole that would have allowed others to replace files as Peter 
demonstrated.

The reason I allowed write was to overcome an error message users were 
getting.  Apparently, gpg needs to create some file in that location.  Allowing 
write permission was the first thing that came to mind when I first started 
using gpg and it's stayed that way for several years.

I was not previously familiar with the --keyring and --secret-keyring options 
and I believe that helps me a lot.  So now, to encrypt files:

gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --always-trust \
    --no-secmem-warning \
    --recipient <vendor-id> --encrypt <file-name>

I found I had to add the --always-trust option to prevent a prompt for batch 
processes.  The keys are all trusted in my home directory, but I didn't find 
an option to point to the trustdb file.

And to decrypt a file:

gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg \
    --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --no-secmem-warning \
    --output <file-name> \
    --decrypt <file-name>.gpg

It seems that since my secring only contains the private key used by vendors 
to send files to us, I do not need to actually specify the key by name.  My 
initial testing shows it works well.

How does that look?

From what I can tell, the remaining risk is that anyone can copy and use my 
private key because I do not have it passphrase protected. I'd be happy to add 
a passphrase, as long as I can figure out how to make the key easily used by 
any user.

A couple folks (Diego and Johannes) mentioned using a smartcard or a token.  I 
think a smartcard refers to a piece of hardware, but I don't know what a 
token means.  Our server is in a datacenter and I'm sure I cannot attach any 
sort of hardware.  I might be able to use a software only solution; I've heard 
something about agents, but don't really understand any details.  Can such an 
agent be used, one that I can start and load the key with passphrase at system 
startup?
 
Thanks again for the comments; very helpful so far!

Bob

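The permission points raised in this thread, as a small audit script. This is an added example, not code from the thread or from GnuPG: it flags a directory that group or others can write to (which is what let Peter rename his own copy over the 744 file), a world-readable secret keyring (the reason for Johannes's group-only mockup) and execute bits on data files (Peter's footnote). The directory layout that demo() audits is constructed in a temporary directory.

```python
"""Audit the permission bits of a shared GnuPG directory (added example)."""
import os
import stat
import tempfile

SECRET_FILES = {"secring.gpg"}


def audit_dir(path: str) -> list:
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    # Write permission on the directory is what allows mv/rename over an
    # existing entry; the entry's own 744 does not stop that. The sticky bit
    # limits rename/unlink to the owner, but as noted in the thread gpg itself
    # may need to replace files another user created, so it is not a fix here.
    if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
        findings.append("%s: mode %04o lets group/others replace files"
                        % (path, dmode))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        if not stat.S_ISREG(st.st_mode):
            continue
        fmode = stat.S_IMODE(st.st_mode)
        if name in SECRET_FILES and fmode & stat.S_IROTH:
            findings.append("%s: mode %04o, secret keyring is world-readable"
                            % (full, fmode))
        if fmode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append("%s: mode %04o, data file has execute bits"
                            % (full, fmode))
    return findings


def set_modes(path: str, dir_mode: int, file_mode: int) -> None:
    """Apply one mode to the directory and another to every file in it."""
    os.chmod(path, dir_mode)
    for name in os.listdir(path):
        os.chmod(os.path.join(path, name), file_mode)


def demo():
    """Audit the 777/744 layout from the thread, then a 750/640 group layout."""
    with tempfile.TemporaryDirectory() as base:
        gpg = os.path.join(base, "gpg")
        os.mkdir(gpg)
        for name in ("secring.gpg", "pubring.gpg", "gpg.conf"):
            with open(os.path.join(gpg, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
        set_modes(gpg, 0o777, 0o744)   # the layout described at the top of the thread
        before = audit_dir(gpg)
        # Johannes's mockup: owner root, group gpgusers, nothing for others.
        # chgrp is left out because the group has to exist on the machine.
        set_modes(gpg, 0o750, 0o640)
        after = audit_dir(gpg)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("777/744 layout:", *before, sep="\n  ")
    print("750/640 layout:", *(after or ["no findings"]), sep="\n  ")
```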


Re: MUA automatically signs keys?

2014-01-30 Thread MFPA
Hi


On Thursday 30 January 2014 at 10:43:39 PM, in
mid:20140130224339.5fcb0d27@steves-laptop, Steve Jones wrote:


> Well therein lies my problem with the PGP system. It
> relies on the notion of there being this singular thing
> called your identity.

I'll take that to mean your problem with the web of trust.

The pedantry about verifying government-issued identity is perhaps
necessary if you have the need to be confident the government knows
the other person as "John Smith" and that they are the right one of
the many "John Smiths" in existence. If that is not needed, the
name by which any government knows the person is irrelevant.



> This doesn't really match how people work in the world, it certainly
> doesn't match how things work online.

That's right, each context in which a person presents themself is
effectively a distinct identity or persona. If the contexts overlap,
there is a certain amount of blending between the distinct personas.


> There are plenty of people I've
> known for years by a particular name and using a
> particular email address, but by the standards of PGP I
> haven't verified their identity so shouldn't sign their
> key.

Your certification on a key means exactly what you want it to mean.
If your certification is published with a key, it is up to each user
to interpret that certification as they see fit (or to ignore it
entirely).



> In online communications so many people are just
> names, urls or email addresses, their identity is just
> the things they've said and published.

Is that so different from the person you don't actually know, but they
are sometimes on the train when you are commuting, and just
occasionally you chat?



> If I was
> accepting a cheque from one of those people I'd
> probably look for an identity confirmation,

If I didn't know their name or address, depending on the amount
involved I may not accept the cheque.



> if I just
> wanted to talk to them in probable privacy then a few
> other people saying effectively "Yeah I've used that
> key for that person" is enough.

Is that what the signature means? Are they not simply saying, in effect,
"Yeah I've used that key for that _email address_"?



> To put it somewhat glibly, if a friend introduces
> someone to you do you ask for an affidavit that your
> friend has seen two forms of state issued photo id
> before you'll talk to them?

Depends on the conversation. (-;



> Yes, entirely. As it stands however the standard threat
> model seems that we have to assume that all attackers
> are the NSA.

There is no standard threat model. But the NSA and others are, at
least anecdotally, monitoring all communications and retaining copies
if they are encrypted. And any person could come under scrutiny as a
result of being only a small number of communication hops from a
person of interest.


-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

Lack of money is no obstacle. Lack of an idea is an obstacle.




Re: cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

2014-01-30 Thread Faramir
On 30-01-2014 18:15, Donald Morgan Jr. wrote:
> If you know a user has a signature that they use to always end a
> message with, does that data aid in the decryption of the file?
> Would this exploit be applicable to symmetric encryption methods as
> well?

  I think padding helps to avoid that, but I'm not sure if gpg uses
padding at the symmetric encryption step.

  Best Regards




Re: MUA automatically signs keys?

2014-01-30 Thread MFPA
Hi


On Thursday 30 January 2014 at 10:03:53 PM, in
mid:1703510.WrKrPo3DPU@mani, Johannes Zarl wrote:


> If the same email-address is used together with the
> same key for a long time, it effectively ties the
> email-address to a person for all practical concerns.
> After all, you are communicating via email with someone
> you have never seen.

Didn't two or three people on this list all use the same key to sign
messages to this list a few years ago, for quite a while before
anybody noticed?



> If someone else hijacks (maliciously or not) the email
> address without also infiltrating that person's PC and
> stealing the secret key, then the key would change.

Fair point.



> If the initial communication was subject to a
> MITM-attack, the key would change as soon as the MITM
> attack stops or gets sidestepped. The quality of this
> canary improves with the number of signatures over an
> extended time.

If the MITM attack lasts an extended time all the signatures would
be on the key of the MITM-attacker...



> In either scenario, you would notice that something was
> afoul as soon as the key changes and investigate.

You _might_ notice.



> The result is not perfect glorious privacy, just pretty
> good for the average(tm) user.

(-;

-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

A wise man once said ...I don't know.




Re: MUA automatically signs keys?

2014-01-30 Thread MFPA
Hi


On Thursday 30 January 2014 at 9:28:27 PM, in
mid:20140130212827.GA30954@leortable, Leo Gaspard wrote:



> About emails reused by different persons... AFAICT most
> major email services never re-issue the same email
> address twice. Which could be considered good practice.

Yahoo does. Some of my old yahoo accounts now say this when I log in:
"Your Yahoo account has been inactive for an extended period of time
and is being recycled. If you need a new account, please sign up for a
new one." Other, even older, yahoo accounts give "This ID is not yet
taken. Are you trying to register for a new account?"



> If one worries about an email agency stealing the email
> addresses, well... A signature on an email UID means
> "Yes, this key is used by the same person as the email
> address." So signing it automatically would not
> conflict with the meaning of the signature.

Fair enough.



> Yet if the
> UID also includes a name, then it should be signed only
> after appropriate verification of the owner.

Makes sense to me.

-- 
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

War is a matter of vital importance to the State.




cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

2014-01-30 Thread Michael Anders
Short answer: No.
This would be a form of a (partially) known plaintext attack.
Semantically secure ciphers are safe against this attack and it is not
possible to extract information on the key. To be precise, you may of
course be able guess a lot in the plaintext domain: Edward Snowden is a
%@µ does leak further information and could easily be fully
deciphered. But this has nothing to do with cryptography.

However, in plain CBC or counter mode (CTR) for the symmetric encryption
it would be possible to change the blocks of known content against
content of your liking. This is especially easy and undetectable to the
recipient for CTR mode (just XOR it out). In CBC mode it is more
complicated and you would usually mess up some other parts of the
decrypted message to unreadable gobbledonk.
That is why you need special provisions to protect the authenticity of
the cipher in transit if you are using symmetric cryptography only. In
this case knowledge of the shared symmetric key is sort of proof that
you are a legitimate sender. I don't know how gpg does it, in academic
signature I use an hmac to protect solely symmetrically enciphered
messages. There are standardized modes you might use to achieve that
e.g. EAX or CCM.
In an asymmetrically enciphered message it makes sense only to use
digital signatures to protect the message or cipher(as opposed to the
EAX, CCM or other symmetrically authenticated modes). Here the symmetric
key is created on the fly for just this message and knowledge of the
symmetric key alone would be no proof of anything other than that the
sender is the sender. 
If you have a shaky system that might get disrupted by feeding it
maliciously crafted information, it would make sense to asymmetrically
sign the cipher and only decrypt if the signature is valid. Generally it
is logically more sound to sign the content and then symmetrically
encipher content and signature. Again I don't know how gpg does it. May
be someone knowing the gpg internals might supply the information.

Some people may disagree on the content of this last paragraph regarding
usefulness of authenticated symmetric encryption in combination with
asymmetric cryptography. There is even a proposed standard ECIES which
combines asymmetric cryptography with symmetrically authenticated
ciphers. I do not consider ECIES to be logically sound. 

If you are interested in this topic, you may have fun listening to Dan
Boneh's great lectures on cryptography on coursera (for free).
https://www.coursera.org/courses?orderby=upcoming&search=cryptography


regards
   Michael Anders


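Michael's two points above in runnable form: known plaintext reveals nothing about the key of a semantically secure cipher, yet in unauthenticated CTR mode the known bytes can be rewritten in the ciphertext, which is why the symmetric-only case needs an HMAC (or an authenticated mode such as EAX/CCM) over the ciphertext. This is an added example, not code from the thread or from GnuPG; AES is stood in for by HMAC-SHA256 over a counter, which gives a CTR keystream with the same malleability, and the keys, nonce, message and "signature" trailer are constructed sample values.

```python
"""CTR malleability of a known trailer, and the encrypt-then-MAC check that
rejects it (added example; the PRF-based keystream stands in for AES-CTR)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(key, nonce || counter) for counter = 0, 1, ... until `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    ks = ctr_keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def rewrite_known_bytes(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """The 'just XOR it out' step: flips known plaintext to `wanted`, no key used."""
    assert len(known) == len(wanted)
    out = bytearray(ct)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC with a separate key; the tag covers nonce and ciphertext."""
    ct = ctr_xor(enc_key, nonce, msg)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag first; return None and decrypt nothing if it does not match."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(enc_key, nonce, ct)


def demo():
    """Return (plaintext after editing the unauthenticated ciphertext,
    whether the authenticated version rejected the same edit,
    whether the untouched authenticated version still opens)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    signature = b"-- \nRegards, Alice\n"        # the predictable trailer (constructed)
    msg = b"Please release the shipment today.\n" + signature
    offset = len(msg) - len(signature)
    forged = b"-- \nRegards, Carol\n"           # same length as `signature`

    # Encryption only: the edit goes through and decrypts to the forged trailer,
    # while the key itself is never learned (known plaintext does not reveal it).
    ct = ctr_xor(enc_key, nonce, msg)
    edited_ct = rewrite_known_bytes(ct, offset, signature, forged)
    plain_after_edit = ctr_xor(enc_key, nonce, edited_ct)

    # Encrypt-then-MAC: the same edit on the ciphertext part fails verification.
    blob = seal(enc_key, mac_key, nonce, msg)
    body = rewrite_known_bytes(blob[NONCE_LEN:-TAG_LEN], offset, signature, forged)
    edited_blob = blob[:NONCE_LEN] + body + blob[-TAG_LEN:]
    rejected = open_sealed(enc_key, mac_key, edited_blob) is None
    intact = open_sealed(enc_key, mac_key, blob) == msg
    return plain_after_edit, rejected, intact
```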


Re: cryptanalysis question: Does knowing some of the content of the message make the full message vulnerable to decryption?

2014-01-30 Thread Paul R. Ramer
On January 30, 2014 1:15:08 PM PST, Donald Morgan Jr. 
<donaldmorga...@gmail.com> wrote:
> If you know a user has a signature that they use to always end a
> message with, does that data aid in the decryption of the file? Would
> this exploit be applicable to symmetric encryption methods as well?

A common form of cryptanalytic research involves trying to find a faster than 
brute force method of discovering a key when several plaintexts are known.  The 
symmetric ciphers that are employed in GnuPG are, to my knowledge, very good in 
their resistance to cryptanalysis, including this method.

Just know that no one is going to attack the cipher itself to get to your 
messages.  There are much easier methods such as installing a key logger.  Why 
beat the door down if you can open the window?

Cheers,

--Paul


--
PGP: 3DB6D884
