Re: Support for RSA keys > 4096 bits
For those interested, link to the NIST document:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf

On Wed, Nov 7, 2018 at 1:50 AM Nicholas Papadonis <nick.papadonis...@gmail.com> wrote:

> I read in NIST 800-57 Part 1 Rev. 4 pg 53 that RSA keys length of 15360
> bits is equivalent to a 256 bit AES symmetric key. I also read in other
> documentation that NIST recommends such key lengths to protect data beyond
> 2030. As email may be retained for many years it would seem appropriate to
> secure such communications with a larger key.
>
> Does this data agree with security experts? Is there a reason why GnuPG
> limits RSA key length to 4096 bits?
>
> Thank you,
> Nicholas

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Support for RSA keys > 4096 bits
I read in NIST 800-57 Part 1 Rev. 4 pg 53 that RSA keys length of 15360 bits is equivalent to a 256 bit AES symmetric key. I also read in other documentation that NIST recommends such key lengths to protect data beyond 2030. As email may be retained for many years it would seem appropriate to secure such communications with a larger key.

Does this data agree with security experts? Is there a reason why GnuPG limits RSA key length to 4096 bits?

Thank you,
Nicholas
Re: [openssl-users] OpenSSL vs GPG for encrypting files? Security best practices?
Interesting. How about this for a start?

http://nickpapadonis.com/images-share/summerian-ancient-mesopotamia-ancient-lock.jpg
http://nickpapadonis.com/images-share/anunnaki1.jpg
http://nickpapadonis.com/images-share/summerian-Winged_Human-headed_Bulls.JPG

On Sun, Nov 4, 2018 at 7:21 PM open...@foocrypt.net wrote:

> Hi Nick
>
> Have You tried The FooKey Method ? https://foocrypt.net/the-fookey-method
>
> Also,
>
> I will be sourcing public addendum's as addendum's to my submission into
> the Parliamentary Joint Committee on Intelligence and Security [
> https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/TelcoAmendmentBill2018/Submissions
> ] regarding the committee’s review of the 'Telecommunication and Other
> Legislation Amendment (Assistance and Access) Bill 2018' after the
> Melbourne Cup. It will be similar to the open request for the Defence Trade
> Control Act review performed by the former Inspector General of
> Intelligence, Dr Vivian Thom.
>
> https://foocrypt.net/independent-review-of-the-defence-trade-controls-act-2012-cth-call-for-information-for-submission-as-a-case-study-from-the-openssl-community
>
> --
>
> Regards,
>
> Mark A. Lane
>
> Cryptopocalypse NOW 01 04 2016
>
> Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @
> https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11
>
> Cryptopocalypse NOW is the story behind the trials and tribulations
> encountered in creating "FooCrypt, A Tale of Cynical Cyclical Encryption."
>
> "FooCrypt, A Tale of Cynical Cyclical Encryption." is aimed at hardening
> several commonly used Symmetric Open Source Encryption methods so that they
> are hardened to a standard that is commonly termed 'QUANTUM ENCRYPTION'.
>
> "FooCrypt, A Tale of Cynical Cyclical Encryption." is currently under
> export control by the Australian Department of Defence Defence Export
> Controls Office due to the listing of Cryptology as a ‘Dual Use’ Technology
> as per the ‘Wassenaar Arrangement’
>
> A permit from Defence Export Control is expected within the next 2 months
> as the Australian Signals Directorate is currently assessing the associated
> application(s) for export approval of "FooCrypt, A Tale of Cynical Cyclical
> Encryption."
>
> Early releases of "Cryptopocalypse NOW" will be available in the period
> leading up to June, 2016.
>
> Limited Edition Collectors versions and Hard Back Editions are available
> via the store on http://www.foocrypt.net/
>
> © Mark A. Lane 1980 - 2016, All Rights Reserved.
> © FooCrypt 1980 - 2016, All Rights Reserved.
> © FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2016, All Rights
> Reserved.
> © Cryptopocalypse 1980 - 2016, All Rights Reserved.
>
> On 5 Nov 2018, at 10:35, Nicholas Papadonis wrote:
>
> Comments
>
> On Sat, Nov 3, 2018 at 5:56 PM Bear Giles wrote:
>
>> > I'm considering encrypting a tar archive and optionally a block file
>> > system (via FUSE) using either utility
>>
>> Linux has good support for encrypted filesystems. Google LUKS.
>>
>> BTW a tar file starts with the name of the first entry. The 'magic
>> numbers' are at offset 128 or so. However a compressed tar file will start
>> with a known value since gzip, bzip2, and 7zip?, all start with their magic
>> values.
>
> Does tar placing known data at a certain offset increase the probability
> that someone can perform an attack easier? They may already know the data
> to decrypt at that offset and if the encrypted block overlaps, then the
> attack is easier.
>
> Thanks
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Most secure GPG combination for Mac OS X
comments

On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat <dgouttegat...@incenp.org> wrote:

> Hi,
>
> First, a warning: I am by no means a "security expert" and I have
> very little experience with Mac OS X, which I only use at my
> workplace (and only because my employer didn't let me use a
> GNU/Linux workstation...).
>
> However and for what it's worth:
>
> On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> > I noticed that there are two OSX packages for GPG:
> >
> > Mac GPG Installer from the gpgtools project
> > GnuPG for OS X Installer for GnuPG
>
> There's a third possibility, which is the one I use: install the GnuPG
> provided by the MacPorts project [1].

This raises another question about the security of the ports project itself. I read that Homebrew had some security issues, a majority of which come from the installer making /usr/local/bin writable by users other than root. This allows an unprivileged application to inject a malicious binary there, for instance sudo. /usr/local/bin is first in the search path and therefore the administrator password could be captured. I also read Macports may not have this security issue because the installer runs as root and all installations run as root.

> Install MacPorts and then simply run:
>
> $ port install gnupg2
>
> MacPorts packagers seem keen to provide the latest versions and to
> update their ports quickly when upstream publishes a new release.
> For example, Libgcrypt was updated to version 1.8.4 the day after
> that version was released.

Thanks for the suggestion. I'm hoping to clear up my security questions on Macports as well. I suspect there could be many security holes based upon the tool chain to compile the ports and all hands involved in the source trees.

Nicholas

> > I'm considering using the Mac Mail.app
>
> I tried to build the Mail.app plugin from the gpgtools project,
> but failed. I don't remember what the problem was, just that I
> gave up.
>
> I am currently using alternatively Neomutt (also installed through
> MacPorts), which natively supports GnuPG, and Thunderbird with
> Enigmail. Everything is working fine, including smartcard support.
> Whether this is a "better integrated" solution than using Mail.app
> I cannot tell.
>
> Hope that helps a bit.
>
> Damien
>
> [1] https://www.macports.org/
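The concern raised in the reply above, a directory early in the search path that users other than root can write to, can be checked with a short audit. This is an added example, not part of the thread; `TRUSTED_UID` and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. TRUSTED_UID (assumed name) is the only directory owner treated as safe.
TRUSTED_UID=${TRUSTED_UID:-0}

# is_risky_dir DIR: true if DIR is group/world-writable or not owned by TRUSTED_UID.
is_risky_dir() {
    [ -d "$1" ] || return 1
    # ls -ldnL prints "mode links uid gid ..."; -n = numeric ids, -L = follow symlinks
    ls -ldnL "$1" | (
        read -r mode _links uid _rest
        case $mode in
            ?????w*|????????w*) exit 0 ;;   # group or other write bit is set
        esac
        [ "$uid" != "$TRUSTED_UID" ]
    )
}

# risky_path_dirs PATHSTRING: print each risky directory, in search order.
risky_path_dirs() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        IFS=$old_ifs
        if is_risky_dir "$dir"; then printf '%s\n' "$dir"; fi
    done
    IFS=$old_ifs
}

# shadowed_commands PATHSTRING: print "name risky_dir later_dir" for each executable
# in a risky directory that hides a same-named file later in the search path.
shadowed_commands() {
    rest=$1
    while [ -n "$rest" ]; do
        first=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        is_risky_dir "$first" || continue
        for file in "$first"/*; do
            [ -f "$file" ] && [ -x "$file" ] || continue
            name=${file##*/}
            old_ifs=$IFS; IFS=:
            for later in $rest; do
                if [ -x "$later/$name" ]; then printf '%s %s %s\n' "$name" "$first" "$later"; fi
            done
            IFS=$old_ifs
        done
    done
    return 0
}

risky_path_dirs "$PATH"; shadowed_commands "$PATH"   # audit the current search path
```

A line from `shadowed_commands` does not by itself mean tampering: package managers legitimately install newer copies of system tools, so each hit is something to verify rather than an alarm.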
Most secure GPG combination for Mac OSX
Hi Folks,

Does anyone have suggestions on the most secure and reviewed combination for bits for sending secure email on OSX?

I noticed that there are two OSX packages for GPG:

Mac GPG Installer from the gpgtools project
GnuPG for OS X Installer for GnuPG

Is any one preferred, have more eyes reviewing source, better release management in terms of security concerns? Any details? Am I better off building from source?

I'm considering using the Mac Mail.app, however am interested if Thunderbird is better integrated from a security standpoint. At the lowest level, my assumption is that the command line tools can be used to encrypt / decrypt blocks of text, which I will also be interested in using.

Appreciate a security expert's guidance immersing myself into more secure communication.

(ps please reply to my personal email as well, for some reason my subscription request won't go through. Maybe for accepting that the confirmation is sent through an insecure channel. :| )

Thank you,
Nicholas
Most secure GPG combination for Mac OS X
Does anyone have suggestions on the most secure and reviewed combination for bits for sending secure email on OS X?

I noticed that there are two OSX packages for GPG:

Mac GPG Installer from the gpgtools project
GnuPG for OS X Installer for GnuPG

Is any one preferred, have more eyes reviewing source, better release management in terms of security concerns? Any details? Am I better off building from source?

I'm considering using the Mac Mail.app, however am interested if Thunderbird is better integrated from a security standpoint. At the lowest level, my assumption is that the command line tools can be used to encrypt / decrypt blocks of text, which I will also be interested in using.

Appreciate a security expert's guidance immersing myself into more secure communication.

(ps please reply to my personal email as well, for some reason my subscription request won't go through. Maybe for accepting that the confirmation is sent through an insecure channel. :| )

Thank you,
Nicholas
OpenSSL vs GPG for encrypting files? Security best practices?
Security Experts,

I'm considering encrypting a tar archive and optionally a block file system (via FUSE) using either utility. Does anyone have comments on the best practices and tools for either?

I read that the OpenSSL AES-CBC CLI mode is prone to a malleable attack vector and its CLI interface should not be used directly for production. I have also read that GPG is the suggested alternative to OpenSSL CLI due to this.

I have followed through with the OpenSSL CLI AES tests and am curious where the malleable attack is (in the pipe?). I am also curious as to why GPG, which is an asymmetric key manager, is used for file based encryption when only a single key is required. How does GPG solve this malleable attack vector?

A security expert's guidance here is much appreciated.

Thank you,
Nicholas