Re: Essay on PGP as it is used today
On 7/22/2019 at 7:12 AM, "Robert J. Hansen" wrote: >Mathematicians have come up with different ways to estimate how >many >primes there were under a certain value ... >The first estimate for π(x) was "x divided by the natural >logarithm of x". ... >If we do that same equation for a 2048-bit key, it turns out there >are >10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 >000 000 >000 000 000 000 000 000 000 different prime numbers that could go >into it. = not really, for GnuPG keys, but for the default size GnuPG key of 4096, it's actually bigger than the number you quoted above ;-) For a GnuPG key of 4096, it's only necessary to compute for primes up to 2^2048. But, Since GnuPG uses 2 primes only in the 2^2048 size, for a 4096 bit key, then the amount of primes is actually: [ (2^2048) / ln(2^2048) ] - [ (2^2047) / ln (2^2047) ] = 1.37 x 10^613 So, not to worry about someone creating a 'database' to crack GnuPG ... vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"
Lentes, Bernd: > Hi ML, > > i'm new to GPG, so please excuse asking silly questions. > I managed to create my keys with "gpg2 --gen-key" > I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher > Schlüssel", which is german for "my public key". > Shortly thereafter i got an encrypted response which, i assume, i have to > decrypt with my private key. > I pasted the encrypted stuff into a file and then tried to decrypt: > > gpg2 -d nachricht.txt > > I've been asked for the passphrase for my private key which i entered, but > then i got the following error: > > gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23 > "Bernd Lentes (Helmholtz GPG Schluessel) > " > gpg: Fatal: zlib inflate problem: invalid code lengths set > > The file has a size of 68 KB, could that be the culprit ? > > Bernd > The simpe rules are as follows: (1) You encrypt to another persons public key (2) You decrypt with your private key That's it! You can sign your emails - this means no one can tamper with them whilst in transit - if it was tampered with then there's an eror in the check sum of the message. Be happy! David -- People Should Not Be Afraid Of Their Government - Their Government Should Be Afraid Of The People - When Injustice Becomes Law, REBELLION Becomes A DUTY! Join the Rebellion Today! https://gbenet.com 0x5C6EE7FBAAD8C47D.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
new to GPG: "gpg: Fatal: zlib inflate problem: invalid code lengths set"
Hi ML, i'm new to GPG, so please excuse asking silly questions. I managed to create my keys with "gpg2 --gen-key" I wrote an e-Mail to ad...@gnupp.de with the subject "Mein öffentlicher Schlüssel", which is german for "my public key". Shortly thereafter i got an encrypted response which, i assume, i have to decrypt with my private key. I pasted the encrypted stuff into a file and then tried to decrypt: gpg2 -d nachricht.txt I've been asked for the passphrase for my private key which i entered, but then i got the following error: gpg: encrypted with 2048-bit RSA key, ID F742DB29, created 2019-07-23 "Bernd Lentes (Helmholtz GPG Schluessel) " gpg: Fatal: zlib inflate problem: invalid code lengths set The file has a size of 68 KB, could that be the culprit ? Bernd -- Bernd Lentes Systemadministration Institut für Entwicklungsgenetik Gebäude 35.34 - Raum 208 HelmholtzZentrum münchen bernd.len...@helmholtz-muenchen.de phone: +49 89 3187 1241 phone: +49 89 3187 3827 fax: +49 89 3187 2294 http://www.helmholtz-muenchen.de/idg Perfekt ist wer keine Fehler macht Also sind Tote perfekt Helmholtz Zentrum Muenchen Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH) Ingolstaedter Landstr. 1 85764 Neuherberg www.helmholtz-muenchen.de Aufsichtsratsvorsitzende: MinDir'in Prof. Dr. Veronika von Messling Geschaeftsfuehrung: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Heinrich Bassler, Kerstin Guenther Registergericht: Amtsgericht Muenchen HRB 6466 USt-IdNr: DE 129521671 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Essay on PGP as it is used today
It seems kinda cheeky to find one (fixed) bug in the least secure implementation of the program and act like that disqualifies it. All programs have bugs. Most implementations of GPG have had some pretty bad bugs over the years. No programs are going to be free of security flows - the question is whether the app or platform was built with security as a priority and what happens when those flaws are discovered. I'd argue Signal was built with security it mind and that they're pretty swift at fixing issues as they arise. Also, not that it makes the bug any less impactful, but I know very few people who make regular use of the desktop implementation of Signal; it's mostly meant for mobile devices. -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD Sent with ProtonMail ‐‐‐ Original Message ‐‐‐ On Tuesday, July 23, 2019 3:32 AM, wrote: > Again, Signal is touted as better than PGP. > Why? > Look at this problem with signal. Looks really serious. > > Signal Desktop Leaves Message Decryption Key in Plain Sight > https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/ > > I don't think PGP does THIS ! > > Elwin > > Sent using Hushmail > > On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" > wrote: > > > I’m not so sure that it does. I think that’s the point security > > researchers like Schneier have been trying to make: it is easy for all > > people — from grandparents who still think they need AOL to chipheads who > > can install Arch without watching a YouTube tutorial — to screw up > > encrypted email in a way that exposes the cleartext. Encrypted email is > > fundamentally unsafe as it currently exists. It’s really hard to screw up > > some of the new E2E encrypted messengers. Sure, if your method for secure > > communications is dropping stego’d memes with encrypted payloads on imgur, > > then simple tools like Signal and WhatsApp won’t do. But if you’re trying > > to securely communicate like a normal person who is not pretending to be > > Mister Robot, then PGP for email is one of the least adopted, least safe > > ways to do so and Signal/iMessage/WhatsApp are decent solutions. > > > > -Ryan McGinnis > > https://bigstormpicture.com > > PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > > Sent with ProtonMail > > > > Sent from ProtonMail Mobile > > > > On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users > > wrote: > > > > > On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users > > > wrote: > > > > [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html > > > > > > > > 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and > > > > easily encrypting e-mail is an insurmountably hard problem for reasons > > > > having nothing to do with today's announcement. If you need to > > > > communicate securely, use Signal. If having Signal on your phone will > > > > arouse suspicion, use WhatsApp. > > > > > > Depends on your threat model. For mine, reliably and easily > > > encrypting email is almost absurdly simple: > > > > > > 1) Use PGP > > > 2) Don't send secrets to people I don't trust to keep them. > > > > > > Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my > > > emails so that (if you care enough to install PGP) you can be highly > > > assured that they're from me. > > > > > > -- > > > Mark H. Wood > > > Lead Technology Analyst > > > > > > University Library > > > Indiana University - Purdue University Indianapolis > > > 755 W. Michigan Street > > > Indianapolis, IN 46202 > > > 317-274-0749 > > > www.ulib.iupui.edu > > > ___ > > > Gnupg-users mailing list > > > Gnupg-users@gnupg.org > > > http://lists.gnupg.org/mailman/listinfo/gnupg-users publickey - ryan@digicana.com - 0x5C738727.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Essay on PGP as it is used today
Again, Signal is touted as better than PGP.Why?Look at this problem with signal. Looks really serious. Signal Desktop Leaves Message Decryption Key in Plain Sight https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/ I don't think PGP does THIS ! Elwin Sent using Hushmail On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" wrote:I’m not so sure that it does. I think that’s the point security researchers like Schneier have been trying to make: it is easy for all people — from grandparents who still think they need AOL to chipheads who can install Arch without watching a YouTube tutorial — to screw up encrypted email in a way that exposes the cleartext. Encrypted email is fundamentally unsafe as it currently exists. It’s really hard to screw up some of the new E2E encrypted messengers. Sure, if your method for secure communications is dropping stego’d memes with encrypted payloads on imgur, then simple tools like Signal and WhatsApp won’t do. But if you’re trying to securely communicate like a normal person who is not pretending to be Mister Robot, then PGP for email is one of the least adopted, least safe ways to do so and Signal/iMessage/WhatsApp are decent solutions. -Ryan McGinnis https://bigstormpicture.com PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD Sent with ProtonMail Sent from ProtonMail Mobile On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users wrote: On Mon, Jul 22, 2019 at 03:46:18PM +, Ryan McGinnis via Gnupg-users wrote: > [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html > > 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and >easily encrypting e-mail is an insurmountably hard problem for reasons >having nothing to do with today's announcement. If you need to >communicate securely, use Signal. If having Signal on your phone will >arouse suspicion, use WhatsApp. Depends on your threat model. For mine, reliably and easily encrypting email is almost absurdly simple: 1) Use PGP 2) Don't send secrets to people I don't trust to keep them. Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my emails so that (if you care enough to install PGP) you can be highly assured that they're from me. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users