Re: ways to ensure that GPG public key belongs to right person in business to business communication

2016-10-26 Thread Daniel Kahn Gillmor 
Hi Martin--

On Wed 2016-10-26 16:21:48 -0400, Martin T wrote:

> let's say that Alice from company A and Bob from company B need to
> exchange some private data with each other. Alice and Bob need to
> encrypt data just that one time, they do not belong to web-of-trust,
> but both company A and company B websites are trusted by certification
> authority, secure and available only over TLS. This gives a first
> option where both Alice and Bob ask their IT departments to publish
> their public keys on the company website so Alice can get Bobs public
> key over TLS from company B website and the other way around. Or when
> for example website of company B is not trusted by CA, then Alice can
> pick up the phone, call the customer-support of the company B and ask
> for Bob and then ask Bob to send her an e-mail with a public key and
> verify the fingerprint of the public key over a phone? Are there
> better(easier to use or more secure) ways to ensure that GPG public
> key belongs to right person in business to business communication?

It depends on how much involvement you want the IT department to have.

There are a few more options:

 * if Alice and Bob can meet in person, they can give each other
   business cards with their fingerprints on them.  If this is how Alice
   finds Bob's e-mail address in the first place, this is a natural
   place to exchange cryptographic details as well.

 * the two companies could use WKD (web key directory), which is in its
   infancy, but is at least supported by GnuPG 2.1.x.

 * Alice and Bob could submit their keys to a third-party notary like
   Symantec's PGP Global Directory (if such a thing still exists)

 * Alice and Bob could publish their public keys in the public
   keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their
   keys.  Then they could look each other up in the public keyservers;
   if Alice finds only one public key associated with Bob's e-mail
   address, she might just decide to assume it's the right one.

These all have slightly different security properties and failure modes,
which might have different value to Alice and Bob, depending on their
threat model and any other economic or logistical pressure they're
under.

  --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

ways to ensure that GPG public key belongs to right person in business to business communication

2016-10-26 Thread Martin T 
Hi,

let's say that Alice from company A and Bob from company B need to
exchange some private data with each other. Alice and Bob need to
encrypt data just that one time, they do not belong to web-of-trust,
but both company A and company B websites are trusted by certification
authority, secure and available only over TLS. This gives a first
option where both Alice and Bob ask their IT departments to publish
their public keys on the company website so Alice can get Bobs public
key over TLS from company B website and the other way around. Or when
for example website of company B is not trusted by CA, then Alice can
pick up the phone, call the customer-support of the company B and ask
for Bob and then ask Bob to send her an e-mail with a public key and
verify the fingerprint of the public key over a phone? Are there
better(easier to use or more secure) ways to ensure that GPG public
key belongs to right person in business to business communication?


thanks,
Martin

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pinentry dialog

2016-10-26 Thread Amitesh Mishra 
Thanks Peter for your reply. When i tried adding "--pinentry-mode loopback"
in the argument, i dont get the pinentry dialog but it says:

*gpg: encrypted with 2048-bit RSA key, ID 035A38377BE10CD8, created
2016-09-23*
*  "XXX Inc. "*
*gpg: public key decryption failed: Bad passphrase*
*gpg: decryption failed: No secret key*

If i remove the pinentry parameter, the same password works fine. Any
suggestions on that ?

Regards,
Amitesh

On Wed, Oct 26, 2016 at 12:12 PM, Peter Lebbing 
wrote:

> On 25/10/16 05:06, Amitesh Mishra wrote:
> > 1.  Added the passphrase to the perl script in the following manner
> >
> > system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output
> > $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET");
>
> You need to add "--pinentry-mode loopback" to the arguments.
>
> Also, while this is all fine for testing and debugging, it doesn't appear
> to
> make sense in production. What use is it to encrypt file A with a
> passphrase
> that is in plaintext in file B? Better not to encrypt file A, your private
> key,
> in the first place, since you gain nothing in protection in the general
> case.
> Then you don't need passphrase entry anymore, the key will Just Work(TM).
>
> > 2. preset passphrase as shown below :
> > C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir
> C:\Users\XXX\Ap
> > pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38
> 377BE10CD8
> > -1 53656324537465663123313233" /bye
> > OK
>
> preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the
> keygrip as follows:
>
> $ gpg2 --with-keygrip -K 035A38377BE10CD8
>
> For my test key, it's as follows:
>
> sec   rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02]
>   Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7
> uid err Test extra UID
> uid err Test more extra UID
> uid err Testkey
> ssb   rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02]
>   Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201
>
> If I want to prime the passphrase for decryption, I would use the keygrip
> 815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing,
> I
> would need the other keygrip instead.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>



-- 

Thanks & Regards,
 Amitesh Mishra
Mobile: +1-248 497 4746
Home: +1-248 233 0593
###
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: pinentry dialog

2016-10-26 Thread Peter Lebbing 
On 25/10/16 05:06, Amitesh Mishra wrote:
> 1.  Added the passphrase to the perl script in the following manner
> 
> system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output
> $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET");

You need to add "--pinentry-mode loopback" to the arguments.

Also, while this is all fine for testing and debugging, it doesn't appear to
make sense in production. What use is it to encrypt file A with a passphrase
that is in plaintext in file B? Better not to encrypt file A, your private key,
in the first place, since you gain nothing in protection in the general case.
Then you don't need passphrase entry anymore, the key will Just Work(TM).

> 2. preset passphrase as shown below :
> C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir C:\Users\XXX\Ap
> pData\Roaming\gnupg "preset_passphrase 
> B6938993903C4590B75FA651035A38377BE10CD8
> -1 53656324537465663123313233" /bye
> OK

preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the
keygrip as follows:

$ gpg2 --with-keygrip -K 035A38377BE10CD8

For my test key, it's as follows:

sec   rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02]
  Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7
uid err Test extra UID
uid err Test more extra UID
uid err Testkey
ssb   rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02]
  Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201

If I want to prime the passphrase for decryption, I would use the keygrip
815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing, I
would need the other keygrip instead.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cant decrypt in IIS hosted wcf service but works fine in console

2016-10-26 Thread Daniel Kahn Gillmor 
On Tue 2016-10-25 19:18:40 -0400, Bonthu, Janardhan wrote:

> .Net WCF service development issues with GPG.
>
> I am using GPG for Encryption and Decryption of the message, however,
> I could not decrypt the message in WCF service hosted in IIS. But I
> can decrypt using the same code in console application.
>
> Please check the same and do the needful.
>
> Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA 
> key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"}

Is IIS running as the same user account as the console application?  If
they're different user accounts, it seems likely that they'd have access
to different secret keyrings.

   --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Cant decrypt in IIS hosted wcf service but works fine in console

2016-10-26 Thread Bonthu, Janardhan 
Hello Team,

.Net WCF service development issues with GPG.

I am using GPG for Encryption and Decryption of the message, however, I could 
not decrypt the message in WCF service hosted in IIS. But I can decrypt using 
the same code in console application.

Please check the same and do the needful.

Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA 
key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"}

Thanks & Regards,
Janardhan Bonthu
Information Services Department
1555 Berger Drive, Bldg. 2, Floor 2
San Jose, CA 95112
Phone:  408.918.2705

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users