Re: Question about symmetric AES cipher in GnuPG

[Brian Minton]

On 10/27/19 3:25 PM, Stefan Claas via Gnupg-users wrote:
> gpg --symmetric --cipher-algo AES256 hw.txt gives me a file
> size of 87 Bytes.
>
> Doing the same with openssl, for example:
>
> openssl enc -aes-256-cbc -pbkdf2 -in hw.txt -out hw.enc
>
> results in 32 Bytes.
>
> Can you please, or somebody else, explain in laymen terms why this is so?

My guess is, the gpg one also is doing MDC, so you'd have to add the
equivalent HMAC code to openssl, but that's just a complete guess.  




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Should gpg try to connect to TCP/993?

[Jay Sulzberger]

On Mon, 28 Oct 2019, Werner Koch  wrote:


On Fri, 25 Oct 2019 12:23, Jay Sulzberger said:


Is the following correct:

  When I use gpg to just encrypt or decrypt a file already on my
  computer/OS's file system, then gpg does not open any formal
  channels of communication going outside my computer/OS.


No.  By default gpg may go out for key discovery, CRLs, version checks
etc.  If you do not want this you can use the gpg option
--disable-dirmngr or, to be 100%, do not install dirmngr.


Salam-Shalom,

  Werner


Dear Werner, thank you for answer!  And for work on GNUpg!

oo--JS.



--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to improve our GUIs (was: We have GOT TO make things simpler)

[Ryan McGinnis via Gnupg-users]

I might be missing something really obvious here but... what is this
trying to protect against?  It's not protecting against interception in
transit, since the message already transits the internet either in
cleartext or encrypted via TLS that your email service provider can
definitely read.  So if your goal is to protect the privacy of your
email in transit, then this doesn't seem to do anything; if your goal is
to protect the privacy of your email from your service provider snooping
it, then this doesn't seem to do anything.  Your service provider can
certainly (and probably does certainly) retain archive or backup copies
of all emails that enter into and exit your account, so encrypting them
after reception only means that the copy you are accessing is encrypted
and non-accessible to the provider, but the copy that they archived or
backed up is just as plaintext as always (or is, more likely, encrypted
with a key that only they know). 

The only time encrypting your email storage with a key only you have
makes sense is if your provider pinkie promises to not store or archive
anything on their servers other than what you see live in your email
inbox.  Or, for example, if it's something like Protonmail does, which
is never store anything on their servers that isn't encrypted with the
user's private key that they don't have, so even their backups are
something they can't access the plaintext from.  And even then you are
relying on their pinke-promise that they are doing this, it is not E2E
unless you are sending messages to and from Protonmail users or you are
PGP encrypting messages before they leave or arrive at the service.  
And E2E is really the only solution that keeps your email provably
private from all parties concerned other than the recipients. 

On 10/29/2019 7:33 PM, raf via Gnupg-users wrote:
> Hi,
>
> Sorry if this was mentioned before but I've just come
> across a novel approach to email encryption that
> doesn't do end-to-end encryption, but rather it
> encrypts email upon receipt so that an individual can
> encrypt the email that is stored in their IMAP account
> as it arrives without the need for every sender to
> encrypt and without the need for any service provider's
> involvement (you just need an IMAP account), and it
> supports reading email from multiple devices, each with
> their own local private key. Most importantly, it
> doesn't require the user to know anything about
> encryption except that they want some.
>
> It might not address all threats but it certainly seems
> to solve some very real threats, mainly the threat of
> someone hacking into your IMAP account and accessing
> every email you ever received.
>
>   Making It Easier to Encrypt Your Emails
>   Authors: John S. Koh, Steven M. Bellovin, and Jason Nieh
>   https://www.usenix.org/publications/login/fall2019/koh [paywall, usenix]
>
>   Why Joanie Can Encrypt: Easy Email Encryption with Easy Key Management
>   EuroSys '19 Proceedings of the Fourteenth EuroSys Conference 2019
>   Authors: John S. Koh, Steven M. Bellovin, Jason Nieh
>   https://doi.org/10.1145/3302424.3303980 [paywall, acm]
>   http://nieh.net/pubs/eurosys2019_e3.pdf [free]
>
>   Easy Email Encryption with Easy Key Management
>   Authors: John S. Koh, Steven M. Bellovin, Jason Nieh
>   https://mice.cs.columbia.edu/getTechreport.php?techreportID=1639 [free]
>
>   Automatically and invisibly encrypt email as soon as it is received on any 
> trusted device
>   https://www.helpnetsecurity.com/2019/04/01/easy-email-encryption/ [free]
>
> I know this doesn't help with the discussion of
> improving GUIs to make it easier to encrypt emails that
> you want to send, but it looks like a promising
> improvement in privacy that could help many more people
> than just those that want to encrypt emails that they
> send. And it's still relevant. I expect that those that
> want to encrypt any emails that they send might also
> like all the emails that they receive to be encrypted
> as well.
>
> cheers,
> raf
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
-Ryan McGinnis
https://bigstormpicture.com
Sent via ProtonMail



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users