PGP Anonymous Board Idea
Hi all, I had an idea for an anonymous PGP messaging board system and wanted to get feedback on it or know if this idea has already been done. In short, this would be an anonymous messaging system where you can post encrypted messages. Anyone can access the encrypted message but obviously only the one with the private key can decrypt it. Receiving users can filter for messages by their key ID to see if they have received anything. The system also replicates data across multiple servers so you can post a message on server A and a user can view the message on server B. Problems this solves: * Increase anonyminity of the *sender*. No attributable data is stored for the sender, such as email headers or IP addresses. The receiver can take steps to be anonymous, such as using a different key than a primary, but ultimately the receiver will require some form of a unique identifier. * While you can already do this on a message board or Usenet, those systems are not designed for this. They are not easily searchable or centralized. For example, I cannot filter for all messages sent to 0x0123456789ABCDEF on an online forum without a manual effort. The general process of the server would be to receive a message via HTTPS, determine its key ID, store it in a binary format to reduce the size and make it searchable by the limited metadata in all encrypted messages. Finally, two or more servers can replicate data on a periodic or in-real-time basis. And there are obviously standard problems, such as spam, the size of the database or a rogue server storing sender IP address data. But these are standard problems in all such systems. Obviously this would not be the next big method of communication, but an interesting niche idea and it seems easy to produce a proof-of-concept. Thoughts? I full anticipate being torn down :) --- Farhan Khan PGP Fingerprint: 1312 89CE 663E 1EB2 179C 1C83 C41D 2281 F8DA C0DE signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Invalid IPC Response requiring gpg-agent restart
Hi all, I am ssh'ing into a FreeBSD box with my PGP key. I noticed that when I try to decrypt or sign something, I get this error: --- $ echo test | gpg -a --sign gpg: signing failed: Invalid IPC response -BEGIN PGP MESSAGE- gpg: signing failed: Invalid IPC response --- When I check the running processes, I see this: gpg-agent --homedir /usr/home/user/.gnupg --use-standard-socket --daemon My ~/.gpg-agent.conf is: enable-ssh-support default-cache-ttl 300 max-cache-ttl 1200 If I kill this process and restart using "gpg-agent --daemon', everything works fine. Is there a long-term solution to fix whatever settings is broken? Thanks! --- Farhan Khan PGP Fingerprint: 1312 89CE 663E 1EB2 179C 1C83 C41D 2281 F8DA C0DE signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why Signing key part of Master key
February 24, 2019 2:39 PM, "Kristian Fiskerstrand" wrote: > On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote: > >> Hi all, >> >> I am still working on setting up the "perfect" setup. When I created the >> master, it was [SC]. I >> question, why is the signing key part of the master key? Why not have it be >> a subkey? Almost >> everywhere I looked, the two were a single key except this site >> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own >> tests the signing >> functionality worked the same when they the signing key was a subkey versus >> a part of the master. >> >> Are there any advantages of disadvantages either way? >> >> Thank you, > > its mostly a sensible default as people tend to keep key material on > disk on online computers to begin with.. the benefits of a separate > primary normally comes out in scenarios with stronger security > requirement, at which point the manual interaction required to set it > up isn't the biggest hurdle anyways, but actually keeping up with > operational security is. > > (note, its not the SC capable primary that is the issue to begin with, > but actually keeping it isolated, the primary will always be able to > become signing-capable anyways by updating the flags on its self-signature) > > -- > > Kristian Fiskerstrand > Blog: https://blog.sumptuouscapital.com > Twitter: @krifisk > > Public OpenPGP keyblock at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > > Corruptissima re publica plurimæ leges > The greater the degeneration of the republic, the more of its laws I was under the impression that best practice was to keep the master key offline in cold storage. If so, wouldn't that make having the signing key impossible to use? And if so, is it possible to remove the Signing functionality from my Certificate key that I already generated? --- Farhan Khan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Why Signing key part of Master key
Hi all, I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I question, why is the signing key part of the master key? Why not have it be a subkey? Almost everywhere I looked, the two were a single key except this site (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing functionality worked the same when they the signing key was a subkey versus a part of the master. Are there any advantages of disadvantages either way? Thank you, --- Farhan Khan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using Yubikey only to encrypt/sign
February 18, 2019 3:51 PM, "Andrew Gallagher" wrote: >> On 18 Feb 2019, at 20:35, Farhan Khan wrote: >> Hey Andrew, >> I was given the message "gpg: decryption failed: No secret key". I ran this: >> >> mv .gnupg .gnupg.bak >> gpg --card-status >> cat encrypted_message | gpg --decrypt >> >> This gave me the warning message: >> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428, created 2019-02-18 >> "Farhan Khan " >> gpg: public key decryption failed: Invalid ID >> gpg: decryption failed: No secret key >> >> When I run gpg --list-secret-keys, I see the serial number listed for my >> card. >> I suspect this is a gpg-agent issue? > > Would you mind posting the results of `gpg --list-secret-keys`? With the > yubikey plugged in. It > shouldn’t contain anything too sensitive. You may have the decryption key in > the wrong slot. > > A Sure! So, I have two tracks I'm taking at once, and perhaps you can provide some clarity on usage. My intention was to have the key on both my disk for use locally and on card for use while away from my computer. A. I have a keyring with the secret key. I ran --edit-key, then keytocard. When I list --secret-keys, I get this: --- $ gpg --list-secret-keys farhan@farhan.codes sec> rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17] 7BEF02AB89AF9581194D57F1BF0F750DB428 Card serial no. = uid [ultimate] Farhan Khan --- Notice the serial card number. At this point, I cannot decrypt files without the key present. Has the secret key been removed from disk? If so, this means I can only have the key in one place at a time and risk losing it. Ideally I would like to have the secret key on my computer, which I trust, but not on other devices. B. I moved ~/.gnupg and created a new keyring. Then, I imported my public key. This simulates a situation where I can access my public key from the internet, but will not store it on the machine. Here is the output you requested: --- $ gpg --list-secret-keys farhan@farhan.codes sec> rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17] 7BEF02AB89AF9581194D57F1BF0F750DB428 Card serial no. = 0006 04708272 uid [ unknown] Farhan Khan --- I expect to be able to decrypt messages, but cannot: --- $ echo test | gpg --encrypt -r farhan@farhan.codes | gpg --decrypt gpg: BF0F750DB428: There is no assurance this key belongs to the named user pub rsa2048/BF0F750DB428 2019-02-18 Farhan Khan Primary key fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428, created 2019-02-18 "Farhan Khan " gpg: public key decryption failed: Invalid ID gpg: decryption failed: No secret key --- Please advise where my mistakes or incorrect assumptions are. Thanks, --- Farhan Khan PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using Yubikey only to encrypt/sign
February 18, 2019 2:35 AM, "Andrew Gallagher" wrote: >> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users >> wrote: >> >> How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to >> encrypt, sign, or decrypt? This might be in a scenario where I only have the >> keys on my card but not on disk such as while traveling. I can confirm that >> 'gpg --card-status' lists the keys as present. >> >> I am simulating this scenario by moving ~/.gnupg to another directory, but >> running 'gpg --list-keys' does not list the list the key as present. > > You need to download the public key of the secret keys you are about to use, > and then run `gpg > --card-status` again. After that it Should Just Work. > > A > Hey Andrew, I was given the message "gpg: decryption failed: No secret key". I ran this: mv .gnupg .gnupg.bak gpg --card-status cat encrypted_message | gpg --decrypt This gave me the warning message: gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428, created 2019-02-18 "Farhan Khan " gpg: public key decryption failed: Invalid ID gpg: decryption failed: No secret key When I run gpg --list-secret-keys, I see the serial number listed for my card. I suspect this is a gpg-agent issue? Thanks, --- Farhan Khan PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Yubikey keytocard: "Bad secret key"
February 17, 2019 4:26 AM, "Andrew Gallagher" wrote: >> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users >> wrote: >> >> Key attributes ...: rsa2048 rsa2048 rsa2048 > > But you’re trying to load an rsa1024 key onto it. Have you tried loading a > 2048 bit key instead? > > A > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users This was it, loading a 2048-bit key works just fine Thanks Andrew! --- Farhan Khan PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Using Yubikey only to encrypt/sign
Hi all, How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to encrypt, sign, or decrypt? This might be in a scenario where I only have the keys on my card but not on disk such as while traveling. I can confirm that 'gpg --card-status' lists the keys as present. I am simulating this scenario by moving ~/.gnupg to another directory, but running 'gpg --list-keys' does not list the list the key as present. Please advise. Thanks! --- Farhan Khan PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Yubikey keytocard: "Bad secret key"
Hi all, I am trying to import my existing PGP key to my Yubikey and I keep getting: gpg: KEYTOCARD failed: Bad secret key Even after I reset the pin or set a custom value. I am following the instructions here (https://support.yubico.com/support/solutions/articles/1506421-resetting-the-openpgp-applet-on-your-yubikey) to reset the device, but am told the pin is wrong. This happens both when I set a custom pin and not. Am I doing something wrong? Below is an output of what I did to reset the pin, expecting it to be "1234578". Please advise. --- $ gpg --card-status Reader ...: 1050:0407:X:0 Application ID ...: D276000124010201000604708272 Version ..: 2.1 Manufacturer .: Yubico Serial number : Name of cardholder: [not set] Language prefs ...: [not set] Sex ..: unspecified URL of public key : [not set] Login data ...: [not set] Signature PIN : not forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 Signature key : [none] Encryption key: [none] Authentication key: [none] General key info..: [none] $ gpg-connect-agent --hex > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 83 i. OK > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK > scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 83 i. OK > scd apdu 00 e6 00 00 D[] 90 00 .. OK > scd apdu 00 44 00 00 D[] 90 00 .. OK > --- >From here I killed the running gpg-agent process, removed the device, >re-entered it, and opened a new terminal. I do not have gpg-connect-agent >running. --- $ gpg --card-status Reader ...: 1050:0407:X:0 Application ID ...: D276000124010201000604708272 Version ..: 2.1 Manufacturer .: Yubico Serial number : Name of cardholder: [not set] Language prefs ...: [not set] Sex ..: unspecified URL of public key : [not set] Login data ...: [not set] Signature PIN : not forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 127 127 127 PIN retry counter : 3 0 3 Signature counter : 0 Signature key : [none] Encryption key: [none] Authentication key: [none] General key info..: [none] $ gpg --list-keys t...@test.com pub rsa1024 2019-02-16 [SC] B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82 uid [ultimate] test test (Test Comment) sub rsa1024 2019-02-16 [E] $ gpg --edit-key B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82 gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec rsa1024/A08B3F30A45C3E82 created: 2019-02-16 expires: never usage: SC trust: ultimate validity: ultimate ssb rsa1024/4D997E0AE0CEC20C created: 2019-02-16 expires: never usage: E [ultimate] (1). test test (Test Comment) gpg> toggle sec rsa1024/A08B3F30A45C3E82 created: 2019-02-16 expires: never usage: SC trust: ultimate validity: ultimate ssb rsa1024/4D997E0AE0CEC20C created: 2019-02-16 expires: never usage: E [ultimate] (1). test test (Test Comment) gpg> 1 sec rsa1024/A08B3F30A45C3E82 created: 2019-02-16 expires: never usage: SC trust: ultimate validity: ultimate ssb rsa1024/4D997E0AE0CEC20C created: 2019-02-16 expires: never usage: E [ultimate] (1)* test test (Test Comment) gpg> keytocard Really move the primary key? (y/N) y Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1 gpg: KEYTOCARD failed: Bad secret key --- I am prompted to enter the PGP password, which seems to work, but when I enter the admin key of "12345678" I get this error. Any ideas where the problem may lay? Thanks! --- Farhan Khan ___ Gnupg-users mailing