GPG's vulnerability to quantum cryptography
GPG encrypted data (using RSA) can be collected today and easily decrypted after 50-100 years using a quantum computer. See: https://en.wikipedia.org/wiki/Shor%27s_algorithm For this reason, what I do today is share long keys with people I know *in person*. We then use regular AES-256 to encrypt/decrypt our messages back and forth. Every 6 months we meet in person to renew our keys. (To be more secure, we actually create the keys in portions via in-person at different places, OTR, SMS, landline phone, mobile phone, and snail mail.) AES-256 is not vulnerable to quantum cryptography as RSA is, so we feel much safer this way. What are your thoughts on these issues? Why do you keep using GPG, knowing that your data may easily end up out in the open on Google or The Pirate Bay a few decades from now? Are there any plans for added security measures in GPG given how vulnerable it is? For instance, any plans for adding quantum safe public key crypto alternatives to RSA? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG's vulnerability to quantum cryptography
What are your thoughts on these issues? Why do you keep using GPG, knowing that your data may easily end up out in the open on Google or The Pirate Bay a few decades from now? Bluntly, my thoughts are that 99% of the people who talk about quantum computation couldn't identify a Hadamard transformation if they tripped over its brakets. Shor's Algorithm requires 2N qubits, where N is the size in bits of the composite you wish to factor. So for a 2048-bit certificate that requires 4096 qubits, representing a state space of over 10^1100. That's a quantum computer so ludicrously powerful that if one were to exist it would transform the world in ways we literally cannot imagine. This is a quantum computer so powerful that it defies even the dreams of science fiction authors. I literally lack the skill in the English language to describe just how eye-popping this thing is. The best analogy I can think of is that we're a bunch of primitive hominids just beginning to learn how to knap obsidian into knife blades, and you're saying What are your thoughts on how obsolete these knives will be once we develop thermonuclear bombs? I mean, they're going to make these knife blades just ... *obsolete*. What are your thoughts on these issues? Why do you keep using GPG, knowing that your data may easily end up out in the open on Google or The Pirate Bay a few decades from now? If that happens, I'll have much bigger things to worry about. I'll let you worry about the thermonuclear age: for now, I'd rather focus on the advent of the Bronze Age. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Result of the crowdfounding
Hi freaks, Hi Werner, I was now looking at the results of the last goteo-campain and I am a little bit shocked about the costs for such a campaign. I am shure, that everybody did his best and for better understanding would like to submit some questions: - there ist a position of: Campaign manager 5390,-- € and an other of: Goteo fee 2939,-- € What for is this campaign manager? - Is this a part of goteo or of gnupg or somebody else? another question ist the VAT for about 5212,-- € What are these taxes for? - I thought the vat of the t-shirts and stickers would be included? or is it as supplement for the goteo fee? Nevertheless - there are for a for a result of 37270,-- € Costs in an amout of 50%! Means that of every euro arrives to the goal only 1/2 an euro. My question now: Would'nt it be better to put every year some Index in the top of the gnupg-website with the actual need for the runnig year and beg for direkt donations? 1.) we would save all the stress and stuff of a campaign 2.) there would be much less costs and less need to spend. or 3.) more money for the objectives... I think the rebuild of the website should include such a feature and if not some of the rest of the money should be used for realizing it for. best wishes Ralf ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Result of the crowdfounding
Goteo fee 2939,-- € Goteo charges an amount proportional to the funds that are raised. 2939 euros on 37270 is about an eight percent overhead. Seems reasonable to me. My question now: Would'nt it be better to put every year some Index in the top of the gnupg-website with the actual need for the runnig year and beg for direkt donations? It would be better if it worked. It doesn't, so the GnuPG folks tried something different, which turned out to work better despite the increased overheads. If funding increases by a factor of ten, then even if overhead eats up half that funding is still increased by a factor of five. I think the rebuild of the website should include such a feature and if not some of the rest of the money should be used for realizing it for. Donating to GnuPG is already quick and easy. Yet despite this, people overwhelmingly tend not to do it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG's vulnerability to quantum cryptography
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi On Tuesday 13 May 2014 at 5:03:03 PM, in mid:de592877dc22eb2aad4beffad7a818e9.squirrel@lelantoss7bcnwbv.onion, David Q. wrote: GPG encrypted data (using RSA) can be collected today and easily decrypted after 50-100 years using a quantum computer. I'm not likely to be alive by then. Why do you keep using GPG, knowing that your data may easily end up out in the open on Google or The Pirate Bay a few decades from now? It's better than not using GPG, and knowing things could easily be in the open a few *hours* from now. - -- Best regards MFPAmailto:2014-667rhzu3dc-lists-gro...@riseup.net Was time invented by an Irishman named O'Clock? -BEGIN PGP SIGNATURE- iPQEAQEKAF4FAlNyawZXFIAALgAgaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldEJBMjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0 N0VDQTAzAAoJEKipC46tDG5pv60EAKib9zr71D2315lArxy9GrmfrubY4PRPT8q7 Gi0DZl/Jq9DYpbldL6pBpeUxSzU1lV6eRhxyYt7f/BinTdidNP+hihJ4h4B15PM0 mik1wT0Fl4Lr4zuzhGywycWBi+/wHx8aCF/+TYS2iq2xyXIEHAzUqkzFwD7X8Nkj z7iaM8RF =4683 -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases
I don't know if this is a bug, or if I am doing something wrong, so I might as well ask here. I ran the following command from my terminal, and cannot retrieve the fingerprint from the file: $ gpg --output 0xBB065B251FF4945B.gpg --export 0xBB065B251FF4945B $ gpg --with-colons --with-fingerprint 0xBB065B251FF4945B.gpg pub:-:2048:1:BB065B251FF4945B:2008-07-27:::f: uid:Daniel T. Hagan dan...@kickidle.com: sub:-:2048:1:6BA86443C0C6CDA2:2008-07-27 sub:-:2048:1:16C018D9B89B420A:2008-07-27 There should exist an ^fpr line in the output. Compare to: $ gpg --output 0x4713D527ECE16009.gpg --export 0x4713D527ECE16009 $ gpg --with-colons --with-fingerprint 0x4713D527ECE16009.gpg pub:-:1024:17:4713D527ECE16009:2005-06-06:::f:George Hacker (GLS) ghac...@redhat.com: fpr:8BFD3F436366D9820E9EAB2F4713D527ECE16009: uid:George Hacker geor...@axian.com: uid:George Hacker ghac...@axian.com: uat:1 2493: sub:-:1024:16:0D94CF6C0C8C2F1B:2005-06-06 Of the 453 keys in my public keyring, this happens on 8 of them (about 2%): 0x072DC7442B89BD45 0x14774C7B9958256C 0x4B2A4897D39DA0E3 0x63E42BD8C58C753A 0x677A7DE8CC9A6F67 0x6FA1B04BB6724E04 0x9710B89BCA57AD7C 0xBB065B251FF4945B Any ideas what is going on? Thanks, -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o pgpjZIa4_wV0B.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases
On Tue, May 13, 2014 at 05:15:57PM -0600, Aaron Toponce wrote: I don't know if this is a bug, or if I am doing something wrong, so I might as well ask here. I ran the following command from my terminal, and cannot retrieve the fingerprint from the file: $ gpg --output 0xBB065B251FF4945B.gpg --export 0xBB065B251FF4945B $ gpg --with-colons --with-fingerprint 0xBB065B251FF4945B.gpg pub:-:2048:1:BB065B251FF4945B:2008-07-27:::f: uid:Daniel T. Hagan dan...@kickidle.com: sub:-:2048:1:6BA86443C0C6CDA2:2008-07-27 sub:-:2048:1:16C018D9B89B420A:2008-07-27 There should exist an ^fpr line in the output. Compare to: $ gpg --output 0x4713D527ECE16009.gpg --export 0x4713D527ECE16009 $ gpg --with-colons --with-fingerprint 0x4713D527ECE16009.gpg pub:-:1024:17:4713D527ECE16009:2005-06-06:::f:George Hacker (GLS) ghac...@redhat.com: fpr:8BFD3F436366D9820E9EAB2F4713D527ECE16009: uid:George Hacker geor...@axian.com: uid:George Hacker ghac...@axian.com: uat:1 2493: sub:-:1024:16:0D94CF6C0C8C2F1B:2005-06-06 Of the 453 keys in my public keyring, this happens on 8 of them (about 2%): 0x072DC7442B89BD45 0x14774C7B9958256C 0x4B2A4897D39DA0E3 0x63E42BD8C58C753A 0x677A7DE8CC9A6F67 0x6FA1B04BB6724E04 0x9710B89BCA57AD7C 0xBB065B251FF4945B Any ideas what is going on? This behaviour also occurs for me in 2.0.22. Instead of exporting the key, you could use --list-keys, which works for me: % gpg2 --with-colons --with-fingerprint --list-keys 0xBB065B251FF4945B tru::1:1400030831:0:3:1:5 pub:-:2048:1:BB065B251FF4945B:1217137867:::-:::scESC: rvk:::1::F7701DA413DC6B981706EF5314774C7B9958256C:80: fpr:F630376527F0512BF2A661DDBB065B251FF4945B: uid:-1364072645::12B7BA95C2486E8FE4309E7A9A64799703020225::Daniel T. Hagan dan...@kickidle.com: sub:-:2048:1:6BA86443C0C6CDA2:1217137868::e: sub:-:2048:1:16C018D9B89B420A:1217137868::s: Cheers, Fraser Thanks, -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --with-fingerprint $FILE is not listing the keyfingerprint in some cases
On May 13, 2014, at 7:15 PM, Aaron Toponce aaron.topo...@gmail.com wrote: I don't know if this is a bug, or if I am doing something wrong, so I might as well ask here. I ran the following command from my terminal, and cannot retrieve the fingerprint from the file: $ gpg --output 0xBB065B251FF4945B.gpg --export 0xBB065B251FF4945B $ gpg --with-colons --with-fingerprint 0xBB065B251FF4945B.gpg pub:-:2048:1:BB065B251FF4945B:2008-07-27:::f: uid:Daniel T. Hagan dan...@kickidle.com: sub:-:2048:1:6BA86443C0C6CDA2:2008-07-27 sub:-:2048:1:16C018D9B89B420A:2008-07-27 There should exist an ^fpr line in the output. Compare to: $ gpg --output 0x4713D527ECE16009.gpg --export 0x4713D527ECE16009 $ gpg --with-colons --with-fingerprint 0x4713D527ECE16009.gpg pub:-:1024:17:4713D527ECE16009:2005-06-06:::f:George Hacker (GLS) ghac...@redhat.com: fpr:8BFD3F436366D9820E9EAB2F4713D527ECE16009: uid:George Hacker geor...@axian.com: uid:George Hacker ghac...@axian.com: uat:1 2493: sub:-:1024:16:0D94CF6C0C8C2F1B:2005-06-06 Of the 453 keys in my public keyring, this happens on 8 of them (about 2%): 0x072DC7442B89BD45 0x14774C7B9958256C 0x4B2A4897D39DA0E3 0x63E42BD8C58C753A 0x677A7DE8CC9A6F67 0x6FA1B04BB6724E04 0x9710B89BCA57AD7C 0xBB065B251FF4945B Any ideas what is going on? Looks like a bug. Note that on each of the keys that didn't work there is a direct signature on the key. This is not very common, and is usually used for a designated revoker (i.e. I permit so-and-so to revoke my key for me). I suspect there is a bug printing the fingerprints on a key from a key file (rather than from a keyring) for keys with a direct signature. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
