Re: One Key, multiple Smartcards not working anymore
Hello,
Thank you for the fast reply and the solution.
I can confirm, that this works. Also I switched to GPG 2.1 on my
notebook (also Windows) and the bug doesn't exist in that version.
Best regards,
Josef
On 29.07.2015, 06:02 NIIBE Yutaka wrote:
Hello,
I forgot to address some way to recover.
On 07/28/2015 04:09 AM, Josef Schneider wrote:
I insert the other card and do a card-status:
[...]
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider
jo...@schneider.wf
sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
Kartennummer:0005
ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
Kartennummer:0005
ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
Kartennummer:0005
ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
In this situation, you have a stub for RSA 4096-bit keys.
4096R/9BE45ED0 - Kartennummer:0005
4096R/B641DD11 - Kartennummer:0005
4096R/CA02F8EA - Kartennummer:0005
With GnuPG 2.0, you can export stub (it's not possible for GnuPG 2.1).
$ gpg -a -o 9BE45ED0-stub.asc --export-secret-keys 9BE45ED0
$ gpg -a -o B641DD11-stub.asc --export-secret-subkeys B641DD11
$ gpg -a -o CA02F8EA-stub.asc --export-secret-subkeys CA02F8EA
Then,
General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider
jo...@schneider.wf
sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13
ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals
ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals
ssb 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006
ssb 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06
Kartennummer:0006
ssb 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24
Kartennummer:0006
When you have this configuration ('#' means no secret key),
import *-stub.asc by gpg --import.
signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
One Key, multiple Smartcards not working anymore
Hello, I have a problem with my Key. I have a 4096bit RSA key since 2012 and it is stored on a OpenPGP smartcard. Recently I added three new 2048bit subkeys, because I bought a Yubikey NEO device and want to use PGP on my phone/tablet with Android and NFC. This worked as expected. I created the new subkeys on my PC, saved a backup and then moved them to the card. PGP showed me correctly that the first three keys are on card 1 and the second three are on card 2. If the wrong card was inserted, it asked me to insert the correct one. I then wanted to create one key backup with all six private keys to print using PaperBack and store in a safe place. I was able to merge all the private keys with gpgsplit and moving/renaming files and created that backup. After that, I deleted the whole key, got my public key from the keyservers and tried to use it with the card (after gpg2 --card-status). Here is now my problem: GPG adds the key stub for the smartcard keys only for the first card! If I delete the key, import, use card-status, then I can usse the three keys from that smartcard. If I insert the second smartcard and do a card-status, nothing changes! If I import the full key with all private keys, I can then replace the keys on the card and move all keys to smartcards. Then I get a key working with both smartcards again. But of course I don't want to touch the key backup. It's printed on paper and stored in a safe location for a reason. Am I doing something wrong, or is that a bug? Here are some gpg outputs: At the moment, I have it here on my notebook working with the 4096bit keys: sec 4096R/9BE45ED0 2012-12-10 [verfällt: 2017-04-13] Kartenseriennr. = 0005 uid Josef Schneider jo...@netpage.dk uid Josef Schneider jo...@schneider.wf ssb 4096R/B641DD11 2012-12-10 ssb 4096R/CA02F8EA 2012-12-10 ssb# 2048R/988E7DDD 2015-07-07 ssb# 2048R/03E021FE 2015-07-07 ssb# 2048R/8B406748 2015-07-07 I insert the other card and do a card-status: C:\Users\Josef Schneidergpg --card-status Application ID ...: DXXX Version ..: 2.0 Manufacturer .: Yubico Serial number : Name of cardholder: Josef Schneider Language prefs ...: de Sex ..: männlich URL of public key : https://j0s.at/gpg.asc Login data ...: [nicht gesetzt] Signature PIN : zwingend Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 39 Signature key : 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD created : 2015-07-07 11:34:08 Encryption key: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE created : 2015-07-07 11:38:08 Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748 created : 2015-07-07 20:15:08 General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf sec 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 Kartennummer:0005 ssb 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005 ssb 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals Kartennummer:0005 ssb# 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06 ssb# 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06 ssb# 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24 I can't use this key. After deleting it and import https://j0s.at/gpg.asc : C:\Users\Josef Schneidergpg --card-status Application ID ...: DXXX Version ..: 2.0 Manufacturer .: Yubico Serial number : Name of cardholder: Josef Schneider Language prefs ...: de Sex ..: männlich URL of public key : https://j0s.at/gpg.asc Login data ...: [nicht gesetzt] Signature PIN : zwingend Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 127 127 127 PIN retry counter : 3 3 3 Signature counter : 40 Signature key : 50FD 3663 AB67 A8FD 64BD C208 1272 58BE 988E 7DDD created : 2015-07-07 11:34:08 Encryption key: 88FA 7314 795F 5F19 F258 3B70 E18B C1D9 03E0 21FE created : 2015-07-07 11:38:08 Authentication key: E0E5 13F9 AA97 8C8E 1BF5 27FB B6BF D0F7 8B40 6748 created : 2015-07-07 20:15:08 General key info..: pub 2048R/988E7DDD 2015-07-07 Josef Schneider jo...@schneider.wf sec# 4096R/9BE45ED0 erzeugt: 2012-12-10 verfällt: 2017-04-13 ssb# 4096R/B641DD11 erzeugt: 2012-12-10 verfällt: niemals ssb# 4096R/CA02F8EA erzeugt: 2012-12-10 verfällt: niemals ssb 2048R/988E7DDD erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006 ssb 2048R/03E021FE erzeugt: 2015-07-07 verfällt: 2017-07-06 Kartennummer:0006 ssb 2048R/8B406748 erzeugt: 2015-07-07 verfällt: 2017-10-24 Kartennummer:0006 I can use the 2048bit keys
Re: a bit OT: pgpdump binaries?
Hi, something strange happened in my mail client so the signature of the last message was invalid! Here is the same message correctly signed: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, compilation is straightforward, if msys and mingw is installed! pgpdump.c is missing a #include getopt.h, after adding that just a ./configure and make to compile it! I compiled a 64 and a 32 bit version for you! The files are digitally signed using the Microsoft Authenticode stuff. The SHA-512 hashes of the files are: pgpdump64.exe: 80F749B4893507502BE0418D022D4ECBE0018BE8F4DDF4B9ECC8C031962965CF 69C3FF5B83553819E3658C17B40E08A2CD536DD8229FCA2EA23DF0F205FEB364 pgpdump.exe: 771572FB6A1B078EF3E2A4E7EBEE3A2E8BA8817099F4B3DF1FA09E1CBECF174C FDD3138E610A6D62087038AABBBAC6E019A1DE55C8BAE9D3D8253EAC700EB799 You can get them here: http://dl.j0s.eu/pgpdump.zip The files are statically linked to winpthreads, so make sure to read the included license. Best regards, Josef -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.21 (MingW32) - GPGshell v3.78 iQIcBAEBAgAGBQJTbJL+AAoJEDFA6HOb5F7Qu7kP/2qqYck7X83/YupDA+xgEg5P JyHdWUq2vQRXIvDjfqdO0n4e0KxS+cpEx3CitT+X5I666P2ZS+4GVBj4fBKgzA6C qAdzmDIMhqkAat3cdOGDiC7ESSChN711p+90imxQXDoeP95Fg33Gn3HLLzziMtet 1ePO7BVRN1QuWrOPYjp9j1R6LCgfVzoX2YB85ZxD56VlEwokFLql1hmSwsAskpWP j3wXhTpuaBFox6eVWeMunmVXIsDrfBYtY9/GbITvMGkfCCy8jH8N1SA3rwpjkd9B nnXE1Y/m/ytufxDvtLdP10fP85grgilWKQDLPBspYkwGYpB3kpt4NLGbCWnomfRl YGoLowZP90ud5cyUBRkXwmaxuPUGyhE+m8WnV6LouM+CnyNpnhNlTaqjeEVOgxkW 763dY+0pSitp9CVslHpMIVbFexvF7OHlBdBeydONBff8TRAuw+baGAlmejLsXKq/ sRfa29QP5reIsR1jNMnPOxEeWnnbLOmjgmezYgz6gxwtxX3M2Nnw0kYJRCL7CSwa E+Lb1ZWdAteKp6INAxJGDy7SWRaxxEV57C6dTznk5IieB4O/1Sncfs72wmhjXPa7 HUEyw3zXTknJPGJwPGrEkGWnGgfGaUSWUSsk+tKE3DLMcDkEiTIpyXRdsTDDSf/A StGLWwMt2ur4VlryzZvl =StYd -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: a bit OT: pgpdump binaries?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, compilation is straightforward, if msys and mingw is installed! pgpdump.c is missing a #include getopt.h, after adding that just a ./configure and make to compile it! I compiled a 64 and a 32 bit version for you! The files are digitally signed using the Microsoft Authenticode stuff. The SHA-512 hashes of the files are: pgpdump64.exe: 80F749B4893507502BE0418D022D4ECBE0018BE8F4DDF4B9ECC8C031962965CF69C3FF5B83553819E3658C17B40E08A2CD536DD8229FCA2EA23DF0F205FEB364 pgpdump.exe: 771572FB6A1B078EF3E2A4E7EBEE3A2E8BA8817099F4B3DF1FA09E1CBECF174CFDD3138E610A6D62087038AABBBAC6E019A1DE55C8BAE9D3D8253EAC700EB799 You can get them here: http://dl.j0s.eu/pgpdump.zip The files are statically linked to winpthreads, so make sure to read the included license. Best regards, Josef Ben McGinnes Freitag, 9. Mai 2014 07:09 I don't know about a Windows binary, but it appears that someone has ported it to Python, so if you have that language installed you might be able to get it to do what you want. https://pypi.python.org/pypi/pgpdump/1.5 I haven't played with it (yet, I suspect that will change in the not too distant future) because I normally use the C version (and compile the source, but I only have Linux and OS X systems here so I can't roll you one unfortunately). That said, it doesn't look to be too large, you might be able to find someone who can compile a Windows binary for you here or maybe even on PGPNET. I'd do it for you, but I haven't had a Windows system for 15 years. Regards, Ben ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users Faramir Freitag, 9. Mai 2014 05:00 Hello, I hope this is not much off-topic. I was looking for pgpdump binaries, and the one I have is for version 0.20, I downloaded it on september 2011. But in the website, the current version is 0.28, from june 2013. Does somebody know where I can get a binary file for windows? Maybe one day I'll learn to compile stuff, but for now I'd rather use a binary. Best Regards ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.21 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJTbJJPAAoJEDFA6HOb5F7Q7+MQAMdWc+XRuLg96xOvVPu2bF3v aEdwt7OVADxGReniv/wVnbEDDnzoL+/3tJspooZVOX6dzH2jReK1Zh9Sj0XLK2gR 9RKQ1cJOmjSB8dO6/n8KES5dro498pYJjPhIoiHGHHwwmBC4ZsK3Z6uWHX0HhRFs 8e4miCEmU9Qu1FE39B9jDD/DVLiBSU1+JTl1Fa+d8pMtfdrrDYbFQKSYwnJ2sDLM 6F8LQWakW1uhiVSu4nYKQt3ZgsDs/SLKXIGgC8+Q5Fl150hSV0Th2H7zNi3b4gWl uQY4+ZXLsaRG7Lt2cknBhkIUfjpS+p7a0Rq5srNkI47VZq37DQc7h0oIGy5NWIze gL9Q30d9o65lRJuBLPUWf2Z2JgE2N3Bj+0063oIcZP5wSzf9tMMuJJ1G+Vb7jtgf Yv11jQD6krXFE5XQtP8619QFwELBfr4nfs0sGAuD1rarjnjqAdz3NuNwKjEXSb+F sBaqnyQMWQiit1e9iZAf1nQe9kR1LxR6webOsfakHrmWPwMKtJe78gxkxWp67JIp DzgeffgVmyuIZiFDJ32qP0dKCtIIN+dEy32QRmMF9MWGVwZ3tUoibhC9QU9B/FB5 rR+PvNPqIplCHQa5ZNk6lPcv0IIDVbXfmk6rLnKrtjmveBUrSh8ks+cpyK6NbVok HZbFV3jhEdyo+vBYW2jv =BK2B -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Any future for the Crypto Stick?
Einar Ryeng schrieb: Hi. The GPF Crypto Stick has been unavailable for months now, and I wondered if anyone here has information on its future. Any news on the crypto stick (or similar initiatives) would be appreciated. I just use a OpenPGP Card in a small gemalto stick reader. AFAIK in the Crypto stick they just soldered a OpenPGP card in, so it is basically the same! smime.p7s Description: S/MIME Cryptographic Signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Question about a perfect private Key store for today's environment
On Mon, Sep 23, 2013 at 7:28 AM, Heinz Diehl h...@fritha.org wrote: Generally, I think you can't have it all. Can't imagine how long it will take to encrypt/decrypt a mail on a smartphone using the 4k key which I have on my smartcard.. The cheapest phones you can get here have at least 800Mhz ARMv6 CPUs! My current one has a Quad-Core 4x1,5Ghz ARMv7. I don't think that will be any problem! On slow phones maybe you have to wait a few seconds, but you probably won't send that many mails on your phone that it matters. Best regards, Josef ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where is ECC in gpg2 (specifically gnupg-2.0.21
On Wed, Sep 18, 2013 at 9:06 AM, Werner Koch w...@gnupg.org wrote: The standard already allows for all kind of curses. They are specified by an OID and I offered DJB to assign OIDs from the GnuPG arc. The original reason why I wanted an OID based design is so that it will be possible to use Brainpool curves which are preferred by some European institutions. I rejected the idea to make them the default in GnuPG to support better interoperability but also told people that we change the default as soon as we see people are using other curves. Meanwhile I don't think that we need a pool to settle on a different default. Is there a way to say someone should under no circumstances send a message to me that is encrypted with a NIST curve? Even if that means, that he can't find a encryption for the message? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The symmetric ciphers
On Tue, Sep 10, 2013 at 3:30 PM, Robert J. Hansen r...@sixdemonbag.orgwrote: Assuming it takes effort a to break cipher A and effort b to break cipher b, this should result in effort at least max(a, b) needed to break A+B. Basically, though, it's this is a naive and unfounded assumption. Why? Assuming the Keys are not related (e.g. by creating random keys and then encrypting them both with RSA) this is safer, assuming the attacker can crack one of the two symmetric ciphers but not RSA. If you use the same/related Keys for both encryptions and/or the ciphers don't interact somehow (like when using ROT-13 two times) it is indeed less secure! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Recommended key size for life long key
I just use 4096 bit because that is the biggest size my OpenPGP Cards can handle. In my opinion using a smart card instead of online keys increase security far more than strange large key sizes! I also see no point using less than 4096 because modern hardware is fast enough. Maybe my keys last longer that way. Am 01.09.2013 02:43 schrieb Robert J. Hansen r...@sixdemonbag.org: On 08/31/2013 05:46 AM, Ole Tange wrote: The FAQ http://www.gnupg.org/faq/GnuPG-FAQ.html#what-is-the-recommended-key-size recommends a key size of 1024 bits. Reading http://www.keylength.com/en/4/ I am puzzled why GnuPG recommends that. It shouldn't; NIST recommends 2048 bits for 20 years of security. NIST notably makes no recommendations past 20 years, as they are deeply skeptical of their ability to forecast out that far. I suspect your ability is no greater than theirs is, so I'd be very careful about declaring a 10K key to be greater than your natural lifespan. Per NIST, a 2048-bit key is of comparable difficulty to breaking 3DES. Given the tremendous level of confidence people have in the long-term suitability of 3DES, I am convinced a 2048-bit key will outlast my ability to remember the passphrase to it. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why trust gpg4win?
On Sun, Aug 25, 2013 at 2:33 PM, Jan takethe...@gmx.de wrote: Can you recommend such an operating system? Your idea seems practicable and convenient to me. Would users have to refrain from flash videos? I would suggest OpenBSD for that. If BSD is to exotic, then Debian Stable. Flas is known to have more security holes than one can count, so I would stay very far away from it! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG detection on Windows?
On Thu, Jul 18, 2013 at 10:23 PM, Henry Hertz Hobbit hhhob...@securemecca.net wrote: You probably just want to test whether either of these files are there since them or one of the others is what you are using: %ProgramFiles%\GNU\GnuPG\pub\gpg.exe %ProgramFiles%\GNU\GnuPG\pub\gpg2.exe Protip: you can change the install location! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Aw: Re: GpgEX for 64 bit Windows test version
I have the same problem on my german 64bit Windows 8 with Version 2.2.0-beta31 Mit freundlichen Grüßen, Josef Schneider On Mon, Jul 15, 2013 at 3:02 PM, Werner Koch w...@gnupg.org wrote: On Fri, 12 Jul 2013 09:46, fisch@gmx.de said: good point and thanks for this hint. Will try to use the gpg4win-light-2.1.2-beta20.exe and let you know when i still have this Actually there is a bug I am currently fixing. We will release a new beta in a few hours. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Gpg4win-devel] GpgEX for 64 bit Windows test version
On Mon, Jun 24, 2013 at 6:14 PM, Werner Koch w...@gnupg.org wrote: I need to check how to access the default browser. It uses the class ID of InternetExplorer.Application to lookup IWebBrowser2. Usually just with ShellExecute and Windows figures out the details! http://support.microsoft.com/kb/224816/en-us Best regards, Josef Schneider ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GpgEX for 64 bit Windows test version
On Tue, Jun 25, 2013 at 9:50 AM, Werner Koch w...@gnupg.org wrote: On Mon, 24 Jun 2013 20:18, old...@oldbob.co.uk said: As I can't run the 32 bit version of GPGex anyway on this system, can I not just overwrite the existing copy of gpgex.dll with the 64 bit one and reboot? Yes, you can. The regsvr32 call is still required. But if you do this, the extension won't be available in 32bit processes! (32bit explorer.exe, file selection dialogues in 32bit programs, 32bit file managers...) Best regards, Josef Schneider ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How do I make the private key on a OpenPGP smartcard non exportable ?
On Mon, Jun 24, 2013 at 2:54 PM, NdK ndk.cla...@gmail.com wrote: Il 24/06/2013 10:15, Werner Koch ha scritto: A smartcard could be useful anyway, at least as a portable keyring (if it didn't need initialization on every machine...). A USB memory stick fulfills the same purpose. Not really secure... Not any less secure than a Smartcard that allows key export! In any case it is a really complex task and not easy to get right - if at all. The card hosts public key of a export-authorizing CA (well, it's not a real CA, since it doesn't do certificates at all... but call it that way for clarity). When I send to the card an export command w/ a public key signed encrypted by the CA's private key, the card answers with the private key encrypted under the signed public key (thinking about requiring a signature w/ private key of the requesting card). Plain old RSA, layered. Then you need a secure way to store the CA key. That is essentially exactly the same problem! I mean you can put it on a card and allow export of the CA key only if the request is signed by a SuperSecureCA key... But how do you control the export of the SuperSecureCA key? If you want a key backup, why not just create the key on a secure offline machine, copy it to a secure location (I print mine out using PaperBak) and then move it to the card on that secure offline machine? Works great! Best regards, Josef ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Gpg4win-devel] GpgEX for 64 bit Windows test version
On Mon, Jun 24, 2013 at 10:01 AM, Werner Koch w...@gnupg.org wrote: Hi! I just uploaded a test version of GpgEX (the GnuPG Explorer Plugin) for Windows 64 bit. This is just the bare standalone DLL without an installer. If you are using a 64 bit Windows system with Gpg4win, you may want to test this DLL: Hi, I tried all of the possible functions work. The only problem I found is, that help asks for Admin rights. And if the rights are granted, it starts Internet Explorer, not the default browser! All of this on Windows 8 Pro 64bit German Best regards, Josef ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: key length for smart card key generation
On Thu, Feb 28, 2013 at 10:34 PM, Peter Lebbing pe...@digitalbrains.com wrote: On 27/02/13 22:58, Anonymous wrote: So I should be able to import the key...but not use it unless it is 3072 bits or less? If we're all talking about RSA here, I think so. Using an 4096 bit RSA key _should_ work if you compile the current source from the git repository and then _should_ work with 2.0.20 once that is out! I didn't have the time to test that yet because I use Windows and compiling GnuPG 2 for Windows seems to be quite a difficult task! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: More secure than smartcard or cryptostick against remote attacks?
On Fri, Feb 8, 2013 at 1:17 AM, Robert J. Hansen r...@sixdemonbag.org wrote: Sure. That's theoretically possible. I don't believe it to be true, though. My machine is trusted not because I'm certain that it's immune to being pwn3d, but because I acknowledge that it can break my local security policy and I'm willing to accept what I perceive as the risks. If you don't trust your hardware, then that means you're not willing to accept the risks you perceive. And that's a really big problem. If you're not willing to accept the risks you perceive as associated with your hardware, then why are you using your hardware? Of course you can trust a hardware created for the sole purpose of signing clear text after displaying it more than a general purpose PC that has a lot of software that has absolutely nothing to do with security on it and regularly connects to a very insecure network (the Internet). You argue that there is only one level of trust for all hardware someone owns and either you trust all of it or none, and that is just not true! Why do you think do Banks use Smart Card readers with own display/keyboard and serial connection or TAN-generators using flicker codes? They do this because on the average PC there is a lot of software, a lot of it closed source which the bank can not control and neither can the owner. I can write some virus a user has to install himself (and we all know a lot will!) which sends signed mails to someone using GnuPG installed on the PC, even if using a smart card, in probably less than a day! Writing a modified firmware that shows wrong amounts/account ids for my Class 3 card reader and finding a way to install it (updates are cryptographically checked) is much much harder. I have no idea how long that would take or if I would ever succeed. I assume for TAN generators which get the transaction data using flicker codes it will be even harder! So even if I get someone to install my malware on his PC, his online banking will stay relatively safe. I have a smart card that has digital certificates on it which can be used to sign documents legally binding in my country. I use that card with a reader with own pin pad. Of course someone can highjack my PC and fake the data I want to sign. There are just a few problems: • He can only sign something whenever I want to sign something, else I won't input my PIN • I expect something to have a valid signature after that, so either he hopes I don't check this signature, or he fakes all the ways I can check that, which is very hard. With GnuPG on the other hand someone who has access to my PC can sign whatever he likes and sign as much as he likes, as long as my card reader is attached (which is, to be honest, quite long some times). If I wouldn't have a smart card he could even copy my key and then sign and decrypt whatever he likes, where- and whenever he likes! So given the fact that I maybe sign an average of three documents a day, in case one an attacker could sign up to three documents a day, but I would notice that very quickly because someone of the recipients would call me telling me the signature is invalid or I sent him some things he didn't expect (except if the attacker waits for exactly THE one document he wants to forge, has the right programming logic to detect and change it accordingly, etc..). With GnuPG in its current state he could sign millions of documents without me even noticing. I see a difference there! There is a risk to die when bungee jumping. There is a risk to die when jumping naked from a bridge without bungee rope. This doesn't mean I tell every bungee jumper to jump naked from bridges, because he could die with bungee rope too! I I don't do this because the odds to die are very different! ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Paperkey 1.3
On Mon, Jan 7, 2013 at 5:54 PM, Peter Lebbing pe...@digitalbrains.com wrote: Flash memory stores its data as an electrical charge, which can leak away. It does so very slowly, but it still does[1]. We are talking about years. And reading a cell does not refresh it, so read-only use will in principle not do anything to extend the storage time. Still you can't be sure that the controller or flash cells won't just stop working. Yesterday, a new MicroSD card of mine just stopped working. At first one folder was unreadable and fsck didn't work, then after unplugging and re-plugging it all file names where gibberish, the card got hot and I unplugged it. Since then it's detected as unformated and no write access is possible. This is the second MicroSD card where this happens for me. While yesterday this was after less than a day, the other one broke after about a month of heavy usage in my smart phone. And while with a CD or DVD you probably still can read parts of the data (especially if you have e.g. PAR2 files to recover it) if a flash storage of any kind stops working, realistically you can't do anything to rescue even parts of the data. And while most hard disks that broke showed some signs of that (via SMART or increased sound level) all flash memory devices more or less stopped working from one moment to the other. (but then, I don't have very much data) So I wouldn't trust any flash memory for long time storage. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
OpenPGP card decryption with 4096bit keys bugfix??
Hello, first thing: I am not subscribed to this list, so please CC me in replies. I recently bought a OpenPGP smart card and want to use 4096bit keys and Windows. This doesn't work for decrypting with any released gpg version! There seems to be a patch to make it work at http://lists.gnupg.org/pipermail/gnupg-users/2012-June/044868.html Is this one line change the only thing that has to be changed to make it work? Compiling gpg2 for Windows is really hard it seems. I haven't got the Gpg4win compilation to work because it needs some packages not available on my debian sid based machine. I am using the Gpg4win 2.1.1 Beta installer and want to change as little as possible. I compiled libgpg-error and libassuan and switched out the libassuan-0.dll If this one line is the only change, this should be enough?! (except if libassuan is also statically linked somewhere) But the problem is still the same after the switch. The only commands getting sent to the card when starting gpg --decrypt are: scdaemon[208]: chan_01BC - SERIALNO openpgp scdaemon[208]: chan_01BC - S SERIALNO D276000124010205 0 scdaemon[208]: chan_01BC - OK scdaemon[208]: chan_01BC - RESTART scdaemon[208]: chan_01BC - OK Even if I have to compile gpg2 as a whole I don't want to use the git working copy, but the 2.0.19 source with only the patch to make decryption with 4096bit Keys work. So can someone tell me if this is the only change (then I probably am doing something wrong) or if something else, and what, has to be changed. Thanks, Josef ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
