Re: AW: OpenPGP Smartcard recommendations

2016-08-22 Thread Anthony Papillion 
This looks exactly like what I'm looking for! Thanks for the
recommendation. Definitely going to get one. Many thanks again.

Anthony

On 8/22/2016 10:38 PM, cornelius.koelbel wrote:
> 
> Hi Anthony,
> 
> You may also take a look at the Nitrokey. Kind regards Cornelius
> 
> 
> Cornelius Kölbel +49 151 2960 1417
> 
> NetKnights GmbH Http://NetKnights. It +49 561 3166 797
> 
> 
>  Ursprüngliche Nachricht  Von: Anthony Papillion
>  Datum: 22.08.16 23:22 (GMT+01:00) An:
> gnupg-users@gnupg.org Betreff: OpenPGP Smartcard recommendations
> 
> Hello Everyone,
> 
> I'm wanting to solidify my key security and I'm just not
> comfortable with having my OpenPGP key on my computer all the time.
> So I'd like to move to a smartcard solution.
> 
> I've gone to the kernelconcepts.de page and tried to contact them
> but it looks like the domain simply isn't accepting mail and the
> site might just be a zombie. So I decided to come here and ask as
> well.
> 
> Can anyone recommend a solid OpenPGP smartcard solution that meets
> the following criteria:
> 
> 1) Supports up to 4096 bit RSA keys 2) Generates keys completely on
> the card 3) Can sign, encrypt, decrypt 4) Preferably has some
> tamper resistence 5) Can import an existing RSA key
> 
> Also, since I'm pretty new to smartcard solutions, I'm also in the 
> market for a reader. If you have any suggestions for one of those,
> I'd appreciate it too. If it makes a difference, I'm in the USA.
> 
> Thanks, Anthony
> 
> 
> ___ Gnupg-users mailing
> list Gnupg-users@gnupg.org 
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Smartcard recommendations

2016-08-22 Thread Anthony Papillion 
Thanks for the reply. I have an older Yubikey Classic and still use it
to this day for a lot of things. It's awesome. I'll definitely take a
look at the newer keys you mentioned and see if they are something I
could use. Thanks for the recommendation.

I might also join the FSFE. Does it matter that I am not in Europe (I'm
in the USA)?

Thanks,
Anthony

On 8/22/2016 7:54 PM, Karol Babioch wrote:
> Hi,
> 
> Am 22.08.2016 um 23:22 schrieb Anthony Papillion:
>> I've gone to the kernelconcepts.de page and tried to contact them but
>> it looks like the domain simply isn't accepting mail and the site
>> might just be a zombie.
> 
> I'm pretty sure you've done something wrong here. I just placed and
> received an order last week.
> 
>> Can anyone recommend a solid OpenPGP smartcard solution that meets the
>> following criteria:
> 
> Besides the smartcards from kernelconcepts, you can also become an FSFE
> member to get such a card [1].
> 
> Personally I absolutely love the YubiKey (4 Nano) [2]. It meets all of
> your criteria and can do a lot more (U2F, PIV, token, HOTP, TOTP, etc.).
> It is also a lot smaller than a real smartcard and can be left in the
> USB port all of the time. The Gemalto USB token (and/or real smartcards)
> are rather unhandy - at least for me.
> 
> Best regards,
> Karol Babioch
> 
> P.S.: I should also mention that there is some debate about the open
> source nature of the YubiKey 4, since its firmware is not open to review
> any longer. Should this be a criterion for you, you have to go with
> another solution. You'll find details on the story at [3].
> 
> [1]: https://fsfe.org/fellowship/card.html
> [2]: https://www.yubico.com/products/yubikey-hardware/yubikey4/
> [3]: https://www.yubico.com/2016/05/secure-hardware-vs-open-source/
> 
> 
> 
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

AW: OpenPGP Smartcard recommendations

2016-08-22 Thread cornelius.koelbel 

Hi Anthony,
You may also take a look at the Nitrokey. Kind regards Cornelius 

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbHHttp://NetKnights. It
+49 561 3166 797

 Ursprüngliche Nachricht Von: Anthony Papillion 
 Datum: 22.08.16  23:22  (GMT+01:00) An: 
gnupg-users@gnupg.org Betreff: OpenPGP Smartcard recommendations 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello Everyone,

I'm wanting to solidify my key security and I'm just not comfortable
with having my OpenPGP key on my computer all the time. So I'd like to
move to a smartcard solution.

I've gone to the kernelconcepts.de page and tried to contact them but
it looks like the domain simply isn't accepting mail and the site
might just be a zombie. So I decided to come here and ask as well.

Can anyone recommend a solid OpenPGP smartcard solution that meets the
following criteria:

1) Supports up to 4096 bit RSA keys
2) Generates keys completely on the card
3) Can sign, encrypt, decrypt
4) Preferably has some tamper resistence
5) Can import an existing RSA key

Also, since I'm pretty new to smartcard solutions, I'm also in the
market for a reader. If you have any suggestions for one of those, I'd
appreciate it too. If it makes a difference, I'm in the USA.

Thanks,
Anthony

- -- 
OpenPGP Key:    4096R/0x028ADF7453B04B15
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP?Jabber:    cajunt...@dukgo.com
VoIP/SIP:   17772471988...@in.callcentric.com



-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXu20kAAoJEAKK33RTsEsV5FcP/1+O1wvaEe7kRk1g2Am1J4X1
stQj8cf+wfWNuSO1Q1lOhEPbnAQGr1Kyq/BjLzO9nI9ViiIudlw1CTT6GnVBpkma
+vXGNe0+SB99YszS/JQ0eMd1jk1IDGi1CdE52SYbtbooqSDDt3WgveiQZnGKz5Qm
2U/AZHP5rtyiEI1pOkc+i1Pwc0CZ99X9+PsPGffM+ijIgcZwm+UCitKlOfK3oERt
dorXuvTkutRy8iSa4tBjGCBcDWdyNgbLQ6u8pV28KndLxXRr+D6JWw7euWpDLgp5
JK+5fQGoPnyRRy0sMkrBZ14WempgtRu7Ta6SjluxrTCg+/JfQ3tVIRB/CYe1cImr
FfkjBBX6KCbokupFw1q10Dcf4y34vM8gRkxwRQAMNGW+9nq4KHAUhUhEFbPyfZFF
kF7MSq1o1nZ1u1CA46+VP6pdVh7aCZJqjAwigfWeDRdFrk7mT0u53v/orvR8uXVj
S/BrpYETkcQoyiWI4ToUD6AtfM6U9vl4nmodqYol0LZ36uXxkJBQnuoXc0eWLM61
83mCt8iHW3e7OydiWbH1Y+l9ZzjhEnVQyRhN4UjBtI+iDhjCfPfXRpwSf/bBwISy
BF1/dD1Pu/sJQv1se9J+wet3bl3xyrpYv2Mdlj/xM7uczD14C7w+miCUmncvniEd
xdH8nuXs2/uSZEaXu2W8
=4KIj
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP Smartcard recommendations

2016-08-22 Thread Karol Babioch 
Hi,

Am 22.08.2016 um 23:22 schrieb Anthony Papillion:
> I've gone to the kernelconcepts.de page and tried to contact them but
> it looks like the domain simply isn't accepting mail and the site
> might just be a zombie.

I'm pretty sure you've done something wrong here. I just placed and
received an order last week.

> Can anyone recommend a solid OpenPGP smartcard solution that meets the
> following criteria:

Besides the smartcards from kernelconcepts, you can also become an FSFE
member to get such a card [1].

Personally I absolutely love the YubiKey (4 Nano) [2]. It meets all of
your criteria and can do a lot more (U2F, PIV, token, HOTP, TOTP, etc.).
It is also a lot smaller than a real smartcard and can be left in the
USB port all of the time. The Gemalto USB token (and/or real smartcards)
are rather unhandy - at least for me.

Best regards,
Karol Babioch

P.S.: I should also mention that there is some debate about the open
source nature of the YubiKey 4, since its firmware is not open to review
any longer. Should this be a criterion for you, you have to go with
another solution. You'll find details on the story at [3].

[1]: https://fsfe.org/fellowship/card.html
[2]: https://www.yubico.com/products/yubikey-hardware/yubikey4/
[3]: https://www.yubico.com/2016/05/secure-hardware-vs-open-source/




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: File Encrypted with Primary key

2016-08-22 Thread David Shaw 
On Aug 19, 2016, at 11:56 AM, Scott Linnebur  wrote:
> 
> I have an issue that I just cannot figure out.  What I’m trying to do is move 
> a file between two organizations using two different transports while 
> encrypting the file.  On one side they use ipswitch movit to encrypt the file 
> and post it to a sftp site.  Then from my end I use camel to pick up the 
> file, decrypt it and place it where it needs to go internally.  What I have 
> done is generate a key pair with GPG and have given the other company my 
> public key to encrypt with as well as imported the key rings into Camel.
>  
> Testing…
> They post the encrypted file and when my camel process pull is down I get the 
> error “exception creating cipher”.
> If I manually pull down the file I can decrypt it fine with GPG.
> If I encrypt a test file with my own public key and feed it to Camel it 
> decrypts fine.
>  
> This is where I think the problem is but I can’t figure out a way to prove 
> it.  When I generated the key pair with GPG, it created a primary and 
> secondary keys.  Primary has usage set to SC and secondary set to E.  When I 
> look at the file they sent me, it’s encrypted with the primary key.  That 
> file fails in the camel process but is successful in a manual GPG decyption 
> process.  When I encrypt a file with GPG it uses the secondary key and I can 
> decrypt it with Camel or manually with GPG.  I have a suspicion that is the 
> cause but I can’t test it.  I can’t find anyway to force the primary key to 
> encrypt and I can’t figure out how to generate a key pair without secondary 
> keys in it.  Any ideas how to troubleshoot this?  The secondary party is not 
> helpful and they are using their standard process with moveit to encrypt it 
> and aren’t likely to change that, especially if I can’t prove that’s what’s 
> wrong.

I have seen this before - basically the Moveit code is using a buggy/older 
OpenPGP engine that does the wrong thing and ignores key flags.  Your key has 
an RSA primary key, and their engine sees that and concludes that since it's 
RSA, it can encrypt to it.  GPG properly respects key flags so uses the subkey.

There is only one fix for this, but two workarounds:

1 (the true fix): Get Moveit to fix their OpenPGP engine.  That's likely not an 
easy task since Moveit most likely purchased it from an upstream vendor (I'm 
going to guess Symantec - I have a vague recollection the previous time I saw 
this was with the Symantec code), so the actual fix would need to be from the 
upstream vendor, then Moveit would have to integrate it, and then whoever 
you're communicating with would have to update Moveit.  Given that this problem 
still exists in 2016, I'm going to guess that a fix here is not going to happen 
any time soon!

2 (workaround A): You can generate a key that explicitly permits encrypting to 
the primary key.  Then both GPG and Moveit will encrypt to the primary and 
everyone can interoperate.  This is not ideal as it is best practice to split 
the signing and encryption capabilities, but should solve your immediate 
problem.

3 (workaround B): Don't use an RSA primary key.  Instead of generating a RSA 
primary key with an RSA subkey, generate a DSA primary key with an Elgamal 
subkey (or for that matter, an RSA subkey - what matters here is the primary is 
DSA).  This pretty much forces the Moveit code to encrypt to the subkey since 
there is no way to encrypt to a DSA primary key (it's a signature-only 
algorithm).

My advice would be to try workaround B first.  If they're using the same engine 
that I saw before, it was smart enough to handle that case and would properly 
use the subkey.

David


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

OpenPGP Smartcard recommendations

2016-08-22 Thread Anthony Papillion 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello Everyone,

I'm wanting to solidify my key security and I'm just not comfortable
with having my OpenPGP key on my computer all the time. So I'd like to
move to a smartcard solution.

I've gone to the kernelconcepts.de page and tried to contact them but
it looks like the domain simply isn't accepting mail and the site
might just be a zombie. So I decided to come here and ask as well.

Can anyone recommend a solid OpenPGP smartcard solution that meets the
following criteria:

1) Supports up to 4096 bit RSA keys
2) Generates keys completely on the card
3) Can sign, encrypt, decrypt
4) Preferably has some tamper resistence
5) Can import an existing RSA key

Also, since I'm pretty new to smartcard solutions, I'm also in the
market for a reader. If you have any suggestions for one of those, I'd
appreciate it too. If it makes a difference, I'm in the USA.

Thanks,
Anthony

- -- 
OpenPGP Key:4096R/0x028ADF7453B04B15
Other Key Info: http://www.cajuntechie.org/p/my-pgp-key.html
XMPP?Jabber:cajunt...@dukgo.com
VoIP/SIP:   17772471988...@in.callcentric.com



-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJXu20kAAoJEAKK33RTsEsV5FcP/1+O1wvaEe7kRk1g2Am1J4X1
stQj8cf+wfWNuSO1Q1lOhEPbnAQGr1Kyq/BjLzO9nI9ViiIudlw1CTT6GnVBpkma
+vXGNe0+SB99YszS/JQ0eMd1jk1IDGi1CdE52SYbtbooqSDDt3WgveiQZnGKz5Qm
2U/AZHP5rtyiEI1pOkc+i1Pwc0CZ99X9+PsPGffM+ijIgcZwm+UCitKlOfK3oERt
dorXuvTkutRy8iSa4tBjGCBcDWdyNgbLQ6u8pV28KndLxXRr+D6JWw7euWpDLgp5
JK+5fQGoPnyRRy0sMkrBZ14WempgtRu7Ta6SjluxrTCg+/JfQ3tVIRB/CYe1cImr
FfkjBBX6KCbokupFw1q10Dcf4y34vM8gRkxwRQAMNGW+9nq4KHAUhUhEFbPyfZFF
kF7MSq1o1nZ1u1CA46+VP6pdVh7aCZJqjAwigfWeDRdFrk7mT0u53v/orvR8uXVj
S/BrpYETkcQoyiWI4ToUD6AtfM6U9vl4nmodqYol0LZ36uXxkJBQnuoXc0eWLM61
83mCt8iHW3e7OydiWbH1Y+l9ZzjhEnVQyRhN4UjBtI+iDhjCfPfXRpwSf/bBwISy
BF1/dD1Pu/sJQv1se9J+wet3bl3xyrpYv2Mdlj/xM7uczD14C7w+miCUmncvniEd
xdH8nuXs2/uSZEaXu2W8
=4KIj
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: File Encrypted with Primary key

2016-08-22 Thread Scott Linnebur 
Those commands verify what I was talking about.  I would have included them 
originally but my post was already too long.  I don’t work with encryption much 
but it didn’t seem right.  Any idea why MoveIt would be encrypting this way?  I 
tried to find any issues with that product but didn’t come up with much.  Is 
there any hard documentation anywhere that would state this that I could send 
them?  I know they are going to assume their product is working correctly.  I 
would assume they use it with other customers.  And in addition…why does GPG 
decrypt the file correctly?  Thanks for your help on this.


c:\Program Files (x86)\GNU\GnuPG\pub>gpg --edit-key i...@email.com
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/617C9C82  created: 2016-08-10  expires: never   usage: SC
 trust: ultimate  validity: ultimate
sub  2048R/D9D25C9A  created: 2016-08-10  expires: never   usage: E
[ultimate] (1). ID 


c:\Program Files (x86)\GNU\GnuPG\pub>gpg --list-packets 
c:\users\user\desktop\TEST160811100826.txt.pgp
:pubkey enc packet: version 3, algo 1, keyid 855D6DB5617C9C82
data: [2048 bits]

You need a passphrase to unlock the secret key for
user: " ID "
2048-bit RSA key, ID 617C9C82, created 2016-08-10

:encrypted data packet:
length: 68
mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 617C9C82, created 2016-08-10
  " ID "
:compressed packet: algo=1
:literal data packet:
mode b (62), created 1470924984, name="TEST.txt",
raw data: 19 bytes

Scott Linnebur
IT Solutions Architect
(303) 846-6176 Desk
(720) 334-5206 Cell
slinne...@redrobin.com
[RedRobin_Email_Logo_White_NoClearance]

From: Brian Minton [mailto:br...@minton.name]
Sent: Sunday, August 21, 2016 6:59 AM
To: Peter Lebbing ; Scott Linnebur 
; gnupg-users@gnupg.org
Subject: Re: File Encrypted with Primary key


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

You can use gpg --list-packets to see exactly what OpenPGP packets are present 
in the ciphertext. That would show you in great detail exactly what their 
software sent you.
-BEGIN PGP SIGNATURE-

iIAEAREKACghHEJyaWFuIE1pbnRvbiA8YnJpYW5AbWludG9uLm5hbWU+BQJXuaWV
AAoJEGuOs6Blz7qpQUUA+wWcZe2Dod/SfyClhZW99j985S2Raji6R+0si31K7vYo
AP9zynHbX0fmTIRXTelRtkxE1Tp816Dtn5FeZbjUlprzvw==
=hhbz
-END PGP SIGNATURE-

On Sun, Aug 21, 2016, 6:53 AM Peter Lebbing 
mailto:pe...@digitalbrains.com>> wrote:
I have no experience with the software you mention. Keep that in mind
while reading my ramblings.

On 19/08/16 17:56, Scott Linnebur wrote:
> I have a suspicion that is the cause but I can’t test it.

My key looks like this:

$ gpg2 -k de500b3e
pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
uid [ultimate] Peter Lebbing 
mailto:pe...@digitalbrains.com>>
sub   rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19]
sub   rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19]
sub   rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19]

If something is encrypted to this key, gpg2 will mention the following:

$ gpg2 test.gpg
gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
  "Peter Lebbing mailto:pe...@digitalbrains.com>>"

So it explicitly tells me that it was encrypted to the
encryption-capable subkey 73A33BEE. If it tells you that it was
encrypted to the primary key ID instead, I think your analysis is right.

> I can’t find
> anyway to force the primary key to encrypt

I don't think it is possible to force a key to be used in a way that is
not indicated as a capability for that key. If something encrypts to a
key that is not encryption-capable, that seems to me to be a major bug.
Subkeys and key capability flags have been around for practically
forever by now. Software that can't deal with this is not OpenPGP
compatible and probably ancient.

> and I can’t figure out how to
> generate a key pair without secondary keys in it.

It's possible, but first lets take a look if there is a different
solution. Keys that can both sign and encrypt are frowned upon. The
primary key necessarily has the Certify capability, which is a form of
signing. So it shouldn't get the Encrypt capability.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: File Encrypted with Primary key

2016-08-22 Thread Peter Lebbing 
On 22/08/16 16:45, Scott Linnebur wrote:
> Any idea why MoveIt would be encrypting this way?

I thought OpenPGP-compliant implementations were required to respect the key
flags, but on scanning the OpenPGP RFC (I took RFC 4880), it does not seem to be
the case. That is, it is not required that compliant software encrypt to an
encryption-capable key. But perhaps I missed the relevant part where it said it
is a MUST/SHOULD NOT requirement...

I did find this statement:

> * Many security protocol designers think that it is a bad idea to use
>   a single key for both privacy (encryption) and integrity
>   (signatures).  In fact, this was one of the motivating forces
>   behind the V4 key format with separate signature and encryption
>   keys.  If you as an implementer promote dual-use keys, you should
>   at least be aware of this controversy.


> And in addition…why does GPG
> decrypt the file correctly?

I'm surprised that GnuPG will happily decrypt with a key that does not have the
Encrypt capability set. But perhaps it is precisely because OpenPGP-compliant
software is allowed to ignore key usage flags.

I might be a bit out of my league with this particular problem. I have no hard
answers.

But when it is confirmed that it is intended behaviour of GnuPG, perhaps the
problem is that "camel" is too strict. And perhaps they actually want to be; it
could be intended behaviour of "camel". In that case, "camel" and "MoveIt" are
simply incompatible.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users