Re: Backup of encrypted private key on uncontrolled disks

[Jason Antony]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2014-11-21 03:54, Shea Levy wrote:

> Hmm, I’m having a hard time imagining how someone could get me to 
> divulge the passphrase if they couldn’t also get me to hand over
> the key backups I own. Of course, my imagination is not the limit
> here, so is there something I’m missing?

It's not easy to withstand rubber-hose cryptanalysis for long periods
of time: http://xkcd.com/538/

Cheers,

Jason
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJUbtrjAAoJED1Q2DsLuMaGqLYP/jl8lN2/3kzPcyxZzp4AfMna
18uCQo+MQHNbEW4J2YxOtfjvWhXqvmwPX9eX+6zIoqzr9sEQLcCHQbjD6sCOfna+
BDXXA3JUQcCziFnkD71GqcHgx1OkgQE5OF7aJRObE6EFr0egNIXq5wL5bSlEcZnz
NkumnqFCrMBKRP4AlZdnCtcAXCitTWEj/uuKG5zhNQlOzexi330Mn7INL98w3LZy
swpkwTKQ8d7FRWvvNizw5vXmV44KstTSf1/5JTNNfXSNUEY1tJhDFwGimEfUi5N9
R+DuDT5gb5Z/JApPhxAHdIii8rdGETcAw5JM7w9xkNgTmrn9jbKokpaaQgp1pEKm
2RA8kUiKRXnW2mQFpQe8Iwv2AuGCPPYwFNgbM0GiX0Z7LWJ/U4jXyLoijrCeozCJ
gQcMTzxoRm1GvVDWorq0YkLYOraAaPCbDvi+xW5JN/XX8zuqPfOouHCsrNnjvqOu
UkT607podLWwJ0CTR6yUcCPNCJ4DdGRpq7AofF96QqtvwiXA2BVRAUm7jb566Tdz
GXmLRvK76Bub9ZqoC7TgK2aSuNLtab+8NsiZCugj2jMiDvzLhvY1y6m+jbVyvlCp
lD9ZBeDvZDsTgwt0So8ce6zafF2p/aVNkiBevcF5EnO1OV2Wu/iop20nf93smD9O
DDLY8XGTMb8AgMB4Zg2W
=NeYL
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Encryption on Mailing lists sensless?

[Schlacta, Christ]

On Nov 20, 2014 1:58 PM, "Ingo Klöcker"  wrote:
>
> On Tuesday 18 November 2014 22:43:18 MFPA wrote:
> KMail encrypts an individual copy for each BCC recipient. I thought
> Thunderbird+Enigmail would also do this.
>
> Any mail client not doing this completely subverts BCC (unless
--throw-keyids
> or --hidden-recipient is used, but even throwing the key IDs still leaks
the
> number of hidden recipients).
There's nothing preventing a list server or mail client from intentionally
adding a pseudo random quantity of invalid or junk keys to the recipient
list, thus obfuscating the number of additional recipients, only providing
an upper bound to the estimate.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Encryption on Mailing lists sensless?

[Ingo Klöcker]

On Tuesday 18 November 2014 22:43:18 MFPA wrote:
> On Tuesday 18 November 2014 at 6:15:57 PM, in
> , Mirimir wrote:
> > As long as messages were separately encrypted to each
> > recipient, no third parties would be involved.
> 
> For an email message with multiple recipients, I think most mail
> clients and OpenPGP encryption agents that I have looked at encrypt
> the message to all addressees at once. I only recall one combination
> that encrypted an individual copy for each addressee, and am not sure
> I correctly remember which it was.

KMail encrypts an individual copy for each BCC recipient. I thought 
Thunderbird+Enigmail would also do this.

Any mail client not doing this completely subverts BCC (unless --throw-keyids 
or --hidden-recipient is used, but even throwing the key IDs still leaks the 
number of hidden recipients).


Regards,
Ingo

signature.asc
Description: This is a digitally signed message part.
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Re: problems with pinentry-0.9.0 (Werner Koch)

[Rex Kneisley]

Gracious reply:

 

>Install the pkg-config package:

 

  >apt-get install pkg-config

 

 

>Shalom-Salam,

 

   >Werner

 

Thank you!

After installing pkg-config as suggested,

Looks like I'm down to the wire:

 

checking whether mlock is broken... no

checking for byte typedef... no

checking for ulong typedef... yes

checking for setcap... /sbin/setcap

checking for cap_set_proc in -lcap... no

checking for initscr in -lncursesw... no

checking for initscr in -lncurses... no

checking for tgetent in -lcurses... no

checking for tgetent in -ltermcap... no

checking for tgetent in -ltermlib... no

checking for initscr in -lcurses... no

checking for pkg-config... /usr/bin/pkg-config

checking for gtk+-2... no

configure: WARNING: pkg-config could not find the module gtk+-2.0

checking pkg-config is at least version 0.9.0... yes

checking for QT4_CORE... no

configure: error: No pinentry enabled.

 

I have tried:

 

sudo apt-get install gtk+-2

 

I get:

 

Reading package lists... Done

Building dependency tree   

Reading state information... Done

Note, selecting 'gir1.2-gtk-2.0' for regex 'gtk+-2'

Note, selecting 'libspice-client-gtk-2.0-1' for regex 'gtk+-2'

Note, selecting 'gir1.0-gtk-2.0' for regex 'gtk+-2'

0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

 

 

With the same ./configure results

 

 

 

Rex Kneisley

818-429-7472

  re...@me.com

 



 

Want to keep your emails private? Ask me how.

 

Public OpenPGP key 0x393214E81D291F8C at hkp://pool.sks-keyservers.net

Fingerprint=3D1A 46CB 14EF C5DF 68BA  3554 3932 14E8 1D29 1F8C

 

Got bitcoins?

-BEGIN PGP SIGNATURE- 
Version: GnuPG v2 

owEBPAHD/pANAwACATkyFOgdKR+MAcsMYgBUXad4RGRkDQogiQEcBAABAgAGBQJU 
Xad4AAoJEDkyFOgdKR+MhvUH/jmzcbRrm+kDlBCcBCHNmGMZ2jWFZZm2HLprjaoj 
Qtybh0f/dRjpWoOr8l04IaxH1Wwiqt+DYXXy2ZBcXAwLmzMbucH6AAWu+meDl1zG 
qzw9FjLuEJ+W+vu5s7byVnlLbk3pynwrwtPwvsyv36POQTh/jjuh/MgEKNzZikKs 
c+gb87Dm9Qvv0NDSzAAwnXPnx6OmCNzTgwFAlcCwgKcCmg3WDZR4RAzY0JXRx/Ev 
fi2En8UYMBES5iVASh+Bw1185TCe9gt5kewAH/4Xt9teEkA+YOUsQBfY05rguo9O 
E05dv2CM1r2AvyzHf6yKtCVTHPTcKpFzCWxopUI2fbk34EI= 
=/h8w 
-END PGP SIGNATURE- 

 

 

 

 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Symmetrical encryption or ...

[Dave Pawson]

Requirement.
Two machines (one Linux, one Windows).

I want a secure file 'shared' between them, as a pwd-safe.

Only I use the two machines, but need the file encrypted.

Any alternatives to symmetrical encryption of a file?

TiA,



-- 
Dave Pawson
XSLT XSL-FO FAQ.
Docbook FAQ.
http://www.dpawson.co.uk

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

[Brian Minton]

I put in a bug report: issue 1769 on http://bugs.g10code.com/gnupg

On Thu, Nov 20, 2014 at 2:11 PM, Werner Koch  wrote:
> On Thu, 20 Nov 2014 17:12, br...@minton.name said:
>> ECDSA/EDDSA subkeys.  The encryption and signing seems to work, so
>> it's mainly just an informational message:
>
> Actually this revealed a real bug: The code to figure out the best
> matching hash algorithm for ECDSA was not anymore working.  Fixed with
> commit f80c2dd.
>
> Thanks,
>
>Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

[Werner Koch]

On Thu, 20 Nov 2014 17:12, br...@minton.name said:
> ECDSA/EDDSA subkeys.  The encryption and signing seems to work, so
> it's mainly just an informational message:

Actually this revealed a real bug: The code to figure out the best
matching hash algorithm for ECDSA was not anymore working.  Fixed with
commit f80c2dd.

Thanks, 

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[Jeremy Reeve]

A keystroke logger?

Jeremy


On 20 November 2014 16:54, Shea Levy  wrote:

> Hmm, I’m having a hard time imagining how someone could get me to divulge
> the passphrase if they couldn’t also get me to hand over the key backups I
> own. Of course, my imagination is not the limit here, so is there something
> I’m missing?
>
> Thanks,
> Shea
>
> > On Nov 20, 2014, at 11:27 AM, Robert J. Hansen 
> wrote:
> >
> >> My private key is encrypted with a very strong passphrase (10 word
> >> diceware [1], not written down, 129 bits of entropy). Given that, is it
> >> safe to back it up on disks I don't control, such as a private S3 bucket
> >> or a VPS? My intuition says yes, but I've learned to never trust my
> >> intuition when it comes to security.
> >
> > If you are completely confident that no one will ever get your
> passphrase from you, this is safe.  Otherwise, it's not.
> >
> > It may be appropriate to have a little caution with respect to whether
> you believe anyone will ever get your passphrase from you.
> >
> > ___
> > Gnupg-users mailing list
> > Gnupg-users@gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[Robert J. Hansen]

Hmm, I’m having a hard time imagining how someone could get me to
divulge the passphrase if they couldn’t also get me to hand over the
key backups I own. Of course, my imagination is not the limit here,
so is there something I’m missing?


http://en.wikipedia.org/wiki/Robin_Sage

The people fooled by Robin Sage were all intelligence professionals of
one stripe or another.  These are people who have been vetted for their
reliability and discretion, and who regularly get briefed about efforts
by foreign powers to get information out of them.  They were all aware
of the risks.  Despite this, they were fooled.

It's really easy to point fingers at them and say, "man, what chumps."
But the reality is none of us on this list are different than they are.
We're human, with the same foibles and weaknesses, and I'm pretty sure
Robin Sage would rip through this mailing list like a chainsaw.

(For that matter, I have no reason to think one isn't doing so right
now.  It's worth thinking about.)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[NdK]

Il 20/11/2014 18:33, Dave English ha scritto:

> Hint: do you always wear a hood over your head and the keyboard when entering 
> your passphrase?
Could simply use different passphrases for regular use and backups...

BYtE,
 Diego.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[Dave English]

Hint: do you always wear a hood over your head and the keyboard when entering 
your passphrase?

ATB
Dave English

> On 20 Nov 2014, at 16:54, Shea Levy  wrote:
> 
> Hmm, I’m having a hard time imagining how someone could get me to divulge the 
> passphrase if they couldn’t also get me to hand over the key backups I own. 
> Of course, my imagination is not the limit here, so is there something I’m 
> missing?
> 
> Thanks,
> Shea
> 
>> On Nov 20, 2014, at 11:27 AM, Robert J. Hansen  wrote:
>> 
>>> My private key is encrypted with a very strong passphrase (10 word
>>> diceware [1], not written down, 129 bits of entropy). Given that, is it
>>> safe to back it up on disks I don't control, such as a private S3 bucket
>>> or a VPS? My intuition says yes, but I've learned to never trust my
>>> intuition when it comes to security.
>> 
>> If you are completely confident that no one will ever get your passphrase 
>> from you, this is safe.  Otherwise, it's not.
>> 
>> It may be appropriate to have a little caution with respect to whether you 
>> believe anyone will ever get your passphrase from you.
>> 
>> ___
>> Gnupg-users mailing list
>> Gnupg-users@gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[Shea Levy]

Hmm, I’m having a hard time imagining how someone could get me to divulge the 
passphrase if they couldn’t also get me to hand over the key backups I own. Of 
course, my imagination is not the limit here, so is there something I’m missing?

Thanks,
Shea

> On Nov 20, 2014, at 11:27 AM, Robert J. Hansen  wrote:
> 
>> My private key is encrypted with a very strong passphrase (10 word
>> diceware [1], not written down, 129 bits of entropy). Given that, is it
>> safe to back it up on disks I don't control, such as a private S3 bucket
>> or a VPS? My intuition says yes, but I've learned to never trust my
>> intuition when it comes to security.
> 
> If you are completely confident that no one will ever get your passphrase 
> from you, this is safe.  Otherwise, it's not.
> 
> It may be appropriate to have a little caution with respect to whether you 
> believe anyone will ever get your passphrase from you.
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

[Brian Minton]

oops, I meant to say I have an ECDH and EDDSA subkey, but no ECDSA.

On Thu, Nov 20, 2014 at 11:12 AM, Brian Minton  wrote:
> I'm seeing an interesting message when encrypting and signing with my
> ECDSA/EDDSA subkeys.  The encryption and signing seems to work, so
> it's mainly just an informational message:
>
> bminton@bminton:~$ echo hi|gpg2 -u 0424DC19B678A1A9 -r 0424DC19B678A1A9 -a -e 
> -s
> gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits
> -BEGIN PGP MESSAGE-
> Version: GnuPG v2
>
> [snip]
> -END PGP MESSAGE-
> bminton@bminton:~$ echo hi|gpg2 -u 0424DC19B678A1A9 -r
> 0424DC19B678A1A9 -a -e -s|gpg2
> gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits
> gpg: encrypted with 384-bit ECDH key, ID EA49CFDB55D113E9, created 2014-10-12
>   "Brian Minton "
> hi
> gpg: Signature made Thu Nov 20 11:06:18 2014 EST
> gpg:using EDDSA key 37B9507ACFF2016E
> gpg: Good signature from "Brian Minton " [ultimate]
> gpg: aka "Brian Minton " [ultimate]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits

[Brian Minton]

I'm seeing an interesting message when encrypting and signing with my
ECDSA/EDDSA subkeys.  The encryption and signing seems to work, so
it's mainly just an informational message:

bminton@bminton:~$ echo hi|gpg2 -u 0424DC19B678A1A9 -r 0424DC19B678A1A9 -a -e -s
gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits
-BEGIN PGP MESSAGE-
Version: GnuPG v2

[snip]
-END PGP MESSAGE-
bminton@bminton:~$ echo hi|gpg2 -u 0424DC19B678A1A9 -r
0424DC19B678A1A9 -a -e -s|gpg2
gpg: ECDSA public key is expected to be in SEC encoding multiple of 8 bits
gpg: encrypted with 384-bit ECDH key, ID EA49CFDB55D113E9, created 2014-10-12
  "Brian Minton "
hi
gpg: Signature made Thu Nov 20 11:06:18 2014 EST
gpg:using EDDSA key 37B9507ACFF2016E
gpg: Good signature from "Brian Minton " [ultimate]
gpg: aka "Brian Minton " [ultimate]

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Backup of encrypted private key on uncontrolled disks

[Robert J. Hansen]

My private key is encrypted with a very strong passphrase (10 word
diceware [1], not written down, 129 bits of entropy). Given that, is it
safe to back it up on disks I don't control, such as a private S3 bucket
or a VPS? My intuition says yes, but I've learned to never trust my
intuition when it comes to security.


If you are completely confident that no one will ever get your 
passphrase from you, this is safe.  Otherwise, it's not.


It may be appropriate to have a little caution with respect to whether 
you believe anyone will ever get your passphrase from you.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Backup of encrypted private key on uncontrolled disks

[Shea Levy]

Hi all,

My private key is encrypted with a very strong passphrase (10 word diceware 
[1], not written down, 129 bits of entropy). Given that, is it safe to back it 
up on disks I don't control, such as a private S3 bucket or a VPS? My intuition 
says yes, but I've learned to never trust my intuition when it comes to 
security.

Cheers, 
Shea

[1] http://www.diceware.com___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: problems with pinentry-0.9.0

[Werner Koch]

On Thu, 20 Nov 2014 09:40, re...@me.com said:

> checking for pkg-config... no

Install the pkg-config package:

  apt-get install pkg-config


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

problems with pinentry-0.9.0

[Rex Kneisley]

Hello group,

 

I'm sorry to keep turning to this group for help with things that may seem
painfully obvious to all of you.

 

I am attempting to install GnuPG modern 2.1.0 on a clean install of Debian
7.7.0 amd64

I installed the development tools using the Debian "add/remove software"
application.

 

 

I have downloaded all of the packages.


GnuPG modern

2.1.0

3039k

download  

download  


Libgpg-error
 

1.17

654k

download 


download
 


Libgcrypt
 

1.6.2

2418k

download  

download  


Libksba  

1.3.1

584k

download  

download  


Libassuan  

2.1.3

504k

download  

download  


Pinentry

0.9.0

453k

download  

download  


GPGME  

1.5.1

943k

download  

download  


GPA  

0.9.5

716k

download  

download  


Dirmngr

1.1.0

543k

download  

download  


 

 

 

 

 

 

I have verified each package signature with the GPG (1.4.12) that came with
Debian using Werner's public key

I have successfully "configured, made and installed" all of the required
libraries in order.

npth (ftp://ftp.gnupg.org/gcrypt/npth/)

libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)

libgcrypt(ftp://ftp.gnupg.org/gcrypt/libgcrypt/)

libksba  (ftp://ftp.gnupg.org/gcrypt/libksba/)

libassuan(ftp://ftp.gnupg.org/gcrypt/libassuan/)

 

 

However, when I try to ./configure pinentry-0.9.0, It never completes
successfully.

I get quite a few no's and yes's

I did install gawk and then tried again.

But at the bottom I get:

Checking pkg-config is at least version 0.9.0 . ./configure: line 8042: no:
command not found

No

Checking for QT4_CORE. configure: error: No pinentry enabled

 

Here is the full log:

checking for a BSD-compatible install... /usr/bin/install -c

checking whether build environment is sane... yes

checking for a thread-safe mkdir -p... /bin/mkdir -p

checking for gawk... gawk

checking whether make sets $(MAKE)... yes

checking for style of include used by make... GNU

checking for gcc... gcc

checking whether the C compiler works... yes

checking for C compiler default output file name... a.out

checking for suffix of executables... 

checking whether we are cross compiling... no

checking for suffix of object files... o

checking whether we are using the GNU C compiler... yes

checking whether gcc accepts -g... yes

checking for gcc option to accept ISO C89... none needed

checking dependency style of gcc... gcc3

checking how to run the C preprocessor... gcc -E

checking for grep that handles long lines and -e... /bin/grep

checking for egrep... /bin/grep -E

checking for ANSI C header files... yes

checking for sys/types.h... yes

checking for sys/stat.h... yes

checking for stdlib.h... yes

checking for string.h... yes

checking for memory.h... yes

checking for strings.h... yes

checking for inttypes.h... yes

checking for stdint.h... yes

checking for unistd.h... yes

checking minix/config.h usability... no

checking minix/config.h presence... no

checking for minix/config.h... no

checking whether it is safe to define __EXTENSIONS__... yes

checking whether to enable maintainer-specific portions of Makefiles... no

checking build system type... x86_64-unknown-linux-gnu

checking host system type... x86_64-unknown-linux-gnu

checking whether make sets $(MAKE)... (cached) yes

checking whether build environment is sane... yes

checking for gcc... (cached) gcc

checking whether we are using the GNU C compiler... (cached) yes

checking whether gcc accepts -g... (cached) yes

checking for gcc option to accept ISO