Getting Passphrase From Encrypted and Unencrypted Secret Key
If an attacker got my secret key while it wasn't encrypted (no passphrase) and then I put a passphrase, and then the same attacker gets encrypted key, can he find out my passphrase based on difference between non-encrypted and encrypted key? -- http://markorandjelovic.hopto.org Please make your donation for humanitarian aid for flood victims in Serbia: http://www.floodrelief.gov.rs/eng/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, 06 Nov 2013 13:17:16 +0100 Sam Tuke samt...@gnupg.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/11/13 22:01, Marko Randjelovic wrote: I send five variants (but the best is all of them :) ): Thanks Marko! Is it OK if I rephrase two of them like this?: I use GnuPG because I was taught it's a sin to open other people's letters I use GnuPG because ?I won't trade my independence for anything Best, Sam. Of course, no problem. - -- http://mr.flossdaily.org -BEGIN PGP SIGNATURE- iQIcBAEBAgAGBQJSgsHjAAoJENa1qRkYGfv5KaEP/3MTrsfMpFd8avilV6GJYniD IcsMMUXqKjOC8lrbL4G+y9ugdF+oX/wQmouX5N96HbWWdz2MCqh5gZT60j9/dtGi RxNvVpgGhpVUFUgdWCaXghUQkNfZ9P242wCV+REyz8i6/+W2J4fpIw5H8Qx8JVbz Htlb2Uk3Q8j8FpGTErzN4jZynFTfZeSgTZ63/bcAksL+nzEzMgS+rvpXJ8bPqZoG xb5fetBTj9W02jUFYzc661jhWt+zltlumTfvFmd4GH/SaLl2bK7wA6GDaQChnwJI iUytyBLSHuj+HiemQF5pNMm9gw8HqL+SxMAms/MRowS3IgP1WjP0gb7XvFVdURxF spg8M8w7YAFXhw+/jTDpd3tt/bFGmcs4Qn++6WsFqtfjLJBgYVhyTQGFGQ1GjADN vegE3Dl83oLOWERqXFd6DadU4fsADQ0JRSKAQSLmxlYjzcfLb82D/IOYSofemAga XOT9gjsxU8LUouCIm2DuDJnWpemUMSzu2Jn1OOomdBMyvwCVfAxXuS0VJJg3JvoD 6nro8pvUBKt5DD2HnM57JIqUNOp9MUSZsqYH8TIwlW0fgu77d4+DQuQSHs4JoQuz PbyOpQxFhlpGMQNL6FcuA9zDa7hzptAO82DFuejWV8VEgVTrDfP3ljF0jNKIYNxW BDjuK7okarY4y3OIIYwN =szQu -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Quotes from GPG users
On Wed, 30 Oct 2013 11:58:56 +0100 Sam Tuke samt...@gnupg.org wrote: If you want to help us, send your own statement about why GPG is important to you. Please keep it less than or equal to 130 characters, so it can be used on social networks. I'll collect them and pick the best for use now and in future. I send five variants (but the best is all of them :) ): I use GnuPG because I care and because I was taught it was a sin to open other people's letters. I use GnuPG because there was a country where people used to say OZNA comes to know anything. I use GnuPG because I don't trade with my independence. I use GnuPG because I don't trade with my freedom. I use GnuPG because I take critical attitude towards possibility of abuse of my data. -- http://mr.flossdaily.org signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Question about a perfect private Key store for today's environment
Of course it is not safe. If you realy need a smartphone, use some of those that are supported by Replicant OS. http://replicant.us/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why trust gpg4win?
On Fri, 13 Sep 2013 09:19:10 +0200 NdK ndk.cla...@gmail.com wrote: Il 12/09/2013 23:10, Marko Randjelovic ha scritto: All the time I read suggestions on using USB sticks and I must say people are crazy about USB sticks. It is more convenient to use optical media then USB stick because they are read only. Boot from Live CD, not from USB stick and use USB stick only for data. In a desktop PC you can put two CD devices and boot Live CD from CD1 and write your data to CD2. You can use write-once media or rewritable media so you do not waste to much plastic. It's just a matter of trust (and speed). After all, you need to take the system image from somewhere. That's probably the weakest link. Or, at least, it's the easiest to compromise. WOT PS: I'll tell you a secret: there are USB keys with a write protect switch :) If you write your data to CDROM, then it is much more safer to transfer data to another PC. It is much more complicated to make a virus that will insert itself into a CDROM then into a USB stick. Furthermore, such action would be odd and could be blocked by a security software like SELinux. And maybe there's a buffer overflow in the ISO9660 driver that can be exploited g. Hey, we're talking of the most tested codepaths (unless you use some exotic filesystem)! Bug is a bug. It is not simpler to craft the filesystem than to insert ordinary virus. Maybe technical solutions for a social problem aren't always the right answer? You can *never* be 100% sure. No way. You can be reasonably sure. You can be certifiably sure (given that you define which kind of attacks you think you'll be exposed to and find a standard to certify against). I can be reasonably sure nobody will hack my machine just to read my mail. Obama can be reasonably sure that *many* attackers will try. So my scenario and Obama's one are a bit different, and require *greatly* different solutions. I can't afford the costs and inconveniences of a solution based on Obama's needs (and I'd be indeed quite stupid to try to adopt it), and he can't afford the risk of a solution tailored on mine. The problem is in that more you have better protection, more you become interesting. That way, if you try really protect yourself, you will prevent weak/moderate players to get your data, but instead strong players, like security agencies, who otherwise wouldn't be interested, *will* get your data. That makes all our efforts to protect our privacy absurd. I think NSA and similar organizations are dangerous and even if now they do not abuse to much their information (such as destroying dissidents), it can change in future. They store all data indefinitely and it is enough that only in one moment in future someone can and would abuse it to happen disaster. PPS: at least here in Italy a *completely offline machine* becomes illegal after 6 months. Law dictates that every computer where personal data is handled (and even a name and surname *is* personal data) *must* be updated *at least* every 6 months. And attacking your update medium is probably easier than attacking the USB key. WOT -- Marko Ranđelović, B.Sc. Software Developer Niš, Serbia marko...@eunet.rs http://mr.flossdaily.org Note: If you see a nonsense enclosed between lines BEGIN PGP SIGNATURE END PGP SIGNATURE then this message is digitally signed using OpenPGP compliant software. You need an appropriate plugin for your email client or other OpenPGP compliant software in order to verify the signature. However, the concept of computer insecurity implies digital signature is not absolute proof of identity. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why trust gpg4win?
On Thu, 12 Sep 2013 15:55:24 +0200 Jan takethe...@gmx.de wrote: 2.1 Most people have only one PC and windows as operating system, so the linux/unix distribution should be installed on an USB device. This device must not be plugged into the PC if windows is running, in order to avoid a manipulation. Further I would uninstall the network drivers on the USB device, so it is almost an offline PC. If the user receives an encrypted file via email, he saves it to hard disk. Then he turns off the PC, plugs in the USB drive and boots off it. He copies the file from the hard disk to the USB drive (this should cause no trouble). Only if the file is of a simple file format (jpg, RTF, mp3, PDF(?), etc.(?)) he accepts it and opens it with a secure minimalistic tool. He might even first run a program like an anti virus software(?) in order to check whether the structure of the file agrees with the official definition of the sated file format. All the time I read suggestions on using USB sticks and I must say people are crazy about USB sticks. It is more convenient to use optical media then USB stick because they are read only. Boot from Live CD, not from USB stick and use USB stick only for data. In a desktop PC you can put two CD devices and boot Live CD from CD1 and write your data to CD2. You can use write-once media or rewritable media so you do not waste to much plastic. If you write your data to CDROM, then it is much more safer to transfer data to another PC. It is much more complicated to make a virus that will insert itself into a CDROM then into a USB stick. Furthermore, such action would be odd and could be blocked by a security software like SELinux. -- Marko Ranđelović, B.Sc. Software Developer Niš, Serbia marko...@eunet.rs Note: If you see a nonsense enclosed between lines BEGIN PGP SIGNATURE END PGP SIGNATURE then this message is digitally signed using OpenPGP compliant software. You need an appropriate plugin for your email client or other OpenPGP compliant software in order to verify the signature. However, the concept of computer insecurity implies digital signature is not absolute proof of identity. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Revoke a key 0E84608B
I tried to revoke this key since after changing a passphrase on 2012-01-28 and using it with new passphrase immediately after, after a few hours I could not again be successfull (bad passphrase). But revkey also askes for a passphrase. Is there any way to revoke this key? Best regards 0x0E84608B.asc Description: application/pgp-keys ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Revoke a key 0E84608B
I tried to revoke this key since after changing a passphrase on 2012-01-28 and using it with new passphrase imidiately after, after a few hours I could not again be successfull (bad passphrase). But revkey also askes for a passphrase. Is there any way to revoke this key? Best regards 0x0E84608B.asc Description: application/pgp-keys ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
I am sure I did not forget my passphrase
What I know is simple. I created a key today and tried it signing one file and it worked. Now, few hours later, I cannot do anything, and a message is wrong passphrase. I checked mod.time of secret keyring and it looks like was not modified in meanwhile. I am really confused, sure not have modified my passphrase, nor forget it, but it simply does not work anymore. Is there a way to check if secret key info was modified? ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: I am sure I did not forget my passphrase
I made sure, both when creating keys and trying to use it, to be US keyboard and CAPS LOCK off. After failures, I tried to turn on CAPS and change layout with no success. But I found errors in /var/log/messages regarding sda/hda. sda is HDD and hda is DVD. Nov 8 14:12:18 main kernel: [5.798351] sda:hda: packet command error: tatus=0x51 { DriveReady SeekComplete Error } Nov 8 14:44:00 main kernel: [6.384317] sda:hda: packet command error: tatus=0x51 { DriveReady SeekComplete Error } Second error is probably after the key got corrupted. Is there significant probability the key got corrupted since it is only one error? 2009/11/8 Ingo Klöcker kloec...@kde.org On Sunday 08 November 2009, Marko Randjelovic wrote: What I know is simple. I created a key today and tried it signing one file and it worked. Now, few hours later, I cannot do anything, and a message is wrong passphrase. I checked mod.time of secret keyring and it looks like was not modified in meanwhile. I am really confused, sure not have modified my passphrase, nor forget it, but it simply does not work anymore. Is there a way to check if secret key info was modified? Do you use multiple keyboard layouts? If yes, then maybe you used another keyboard layout when you created the key. Regards, Ingo ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users