Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Sep 16, 2008, at 10:08 AM, rlively wrote: Setup: Windows XP gpg (GnuPG) 1.4.7 Windows Privacy Tray Version: 1.2.0 (Sep 17 2007) Copyright (C) 2006 Timo Schulz <[EMAIL PROTECTED]> AIX 5.3.0.0 Pretty Good Privacy(tm) Version 6.5.8 (c) 1999 Network Associates Inc. Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc. Export of this software may be restricted by the U.S. government. - At first we generated keys on the AIX server and then exported the keys to Windows, but PGP made RSA/IDEA keys which GnuPG can't decrypt, so I decided to generate the keys on GnuPG on Windows and then export to the AIX server. I've tried it now multiple times with different keys, and each time I try to edit the key or decrypt something I get errors on AIX. I am absolutely sure I am typing the pass phrase correctly, because I can do all of the same things on Windows by typing the same pass phrase, and I even edited the key to change the pass phrase multiple times to simple things (like abc123) and then exported to AIX again and on AIX I still couldn't authenticate. PGP 6 is really, really old. It predates some of the OpenPGP standard, so I suspect a passphrase encoding problem between the two programs. I suggest removing the passphrase completely (just hit enter when asked for the new passprase), then copying the key over to PGP, and changing the passphrase to what you want it to be. Key for user ID: 1024-bit DSS key, Key ID 0xF, created 2008/09/15 Key can sign. You need a pass phrase to unlock your secret key. Enter pass phrase: received signal 11 [no cleartext file is created] That said, a signal 11 is a segfault. If PGP is actually *crashing*, there isn't much you can do. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
rlively 72ceot902 at sneakemail.com wrote on Tue Sep 16 16:08:25 CEST 2008 : >so I decided to generate the keys on GnuPG >on Windows and then export to the AIX server. >I've tried it now multiple times with different keys, >and each time I try to >edit the key or decrypt something I get errors on AIX pgp 6.5.8 is way behind many of the newer features of gnupg the two main problems are: [1] newer algorithms not included in 6.5.8 (AES, TWOFISH) [2] newer secret-key protection [3] insistence of using IDEA to encrypt to ANY RSA key (v3 or v4) (even those generated without IDEA capability) workaround: use the following options in gnupg: --simple-sk-checksum --s2k-cipher-algo 3DES --s2k-digest-algo SHA-1 then generate DH/DSA keypair in gnupg and import it to 6.5.8 then, for all further correspondence from gnupg to 6.5.8 just use the option --pgp6 and 6.5.8 should be able to decrypt and verify anything with that DH/DSA key vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Enhance your home's curb appeal with name brand shutters. Click now. http://tagline.hushmail.com/fc/Ioyw6h4dZri5qidhmJJYq1o89vVMUCNUzpxeFuQvf8IenacjHe183V/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
David Shaw wrote: > >> AIX 5.3.0.0 >> Pretty Good Privacy(tm) Version 6.5.8 > > PGP 6 is really, really old. It predates some of the OpenPGP > standard, so I suspect a passphrase encoding problem between the two > programs. I suggest removing the passphrase completely (just hit > enter when asked for the new passprase), then copying the key over to > PGP, and changing the passphrase to what you want it to be. > I think our AIX administrator installed the highest version available here: http://www.pgpi.org/products/pgp/versions/freeware/unix/ What is the latest PGP version for Unix/AIX if not this one? How old is this version? David Shaw wrote: > >> received signal 11 >> >> [no cleartext file is created] > > That said, a signal 11 is a segfault. If PGP is actually *crashing*, > there isn't much you can do. > Do you think this version of PGP would always just segfault upon using a GnuPG key? I tried blanking out the password, but when exporting to AIX and trying the new password I still got the "Bad Password" when just hitting enter. Is there anything else I can try? If we install the latest Unix GnuPG on AIX, will we run into any issues with our current keys? If someone we communicate with uses RSA/IDEA, will our GnuPG command-line fail to encrypt to their public key? Would we need to install the latest PGP instead and purchase the license for RSA/IDEA? The versions of PGP, the algorithms, patents, license requirements, etc are all extremely confusing, and I haven't found a good site explaining all of the differences. Is it free? Not free? License needed or not? Only if you use IDEA? Is RSA and IDEA the same thing? Is this all correct? 1) PGP (or GPG) is a software package for encrypting and decrypting data. The software can use one of a number of encryption algorithms and usually comes with support for many different algorithms. 2) The software we downloaded and installed on our local Windows workstations (Gnu Privacy Guard - GPG) is free for use even in commercial uses. 3) If our AIX admin installed GPG for Unix, then the software on our GIS servers are also license-free and cost-free for commercial uses. If he installed PGP from http://www.pgpi.org or http://www.pgp.com/ then we need a license. 3) Most of the algorithms in the software are license-free and cose-free for both commercial and non-commercial uses, except for the IDEA algorithm, which is patented and needs a license.So we would need to find out if we are using the IDEA encryption algorithm to find out whether we need to purchase a license for that algorithm or not. If we're not using the IDEA algorithm, we don't need a license. The MediaCrypt website (either www.mediacrypt.com or www.media-crypt.com, I've seen both mentioned) seems to be defunct, so I couldn't find out more information directly from their website. It may be that they're not enforcing the patent any longer. If we purchase a copy of the PGP software from NAI, it comes with a license for IDEA algorithm. See the information below: http://www.mccune.cc/PGPpage2.htm#GPG "GnuPG is a complete and free replacement for PGP." GPG (GNU Privacy Guard) is a PGP compatible alternative based on the OpenPGP standard. It has received funding from the German Federal Ministry of Economics and Technology, and there are two great reasons to consider it: It is completely open source software that can be peer reviewed for any security weaknesses; and it is absolutely free to use for both commercial and noncommercial purposes. Although designed for command line operating systems such as Linux, it has been ported for 32 bit Windows use. http://www.uk.pgp.net/pgpnet/pgp-faq/pgp-faq-general-questions.html Q: How much does PGP cost? A: The PGP 2.x series are freely available as open source software under the GNU General Public License, with no real limits on its use, at no cost (except the IDEA patent should you opt to include support for it, see What's with the patent on IDEA?). A: GNU Privacy Guard is freely available as open source software, with no real limits on its use, at no cost (except the IDEA patent should you opt to include support for it, see What's with the patent on IDEA?). The website of the GNU Privacy Guard Project is the primary distribution point. A: PGP 5.x and higher are commercial products. Network Associates bought PGP Inc., a company founded by Phil Zimmerman, and sells a whole range of products under the brand "PGP". The "original" email and file encryption PGP are called PGPmail and PGPfile respectively. See NAI for pricing and availability. There is a version available at no cost for strictly non-commercial use on http://www.pgp.com/products/freeware/. Note that the free versions of PGP are free only for noncommercial use. If you need to use PGP in a commercial setting you should buy a copy of PGP from NAI. This version of PGP has other advantages as well, most notably its integration with common MS Windows and Mac O
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Tue, Sep 16, 2008 at 09:57:49AM -0700, rlively wrote: > > > David Shaw wrote: > > > >> AIX 5.3.0.0 > >> Pretty Good Privacy(tm) Version 6.5.8 > > > > PGP 6 is really, really old. It predates some of the OpenPGP > > standard, so I suspect a passphrase encoding problem between the two > > programs. I suggest removing the passphrase completely (just hit > > enter when asked for the new passprase), then copying the key over to > > PGP, and changing the passphrase to what you want it to be. > > > > I think our AIX administrator installed the highest version available here: > http://www.pgpi.org/products/pgp/versions/freeware/unix/ > > What is the latest PGP version for Unix/AIX if not this one? How old is this > version? Mid-2000, I think. > David Shaw wrote: > > > >> received signal 11 > >> > >> [no cleartext file is created] > > > > That said, a signal 11 is a segfault. If PGP is actually *crashing*, > > there isn't much you can do. > > > > Do you think this version of PGP would always just segfault upon using a > GnuPG key? No way to guess. It's a segfault, so something is clearly very broken. A sane program would print an error instead of crashing. > If we install the latest Unix GnuPG on AIX, will we run into any issues with > our current keys? Probably not, unless the person you are communicating with is using PGP 2.x from the 1990s (don't laugh - some people still are). Just update your key like this: gpg --edit-key (thekey) setpref save > If someone we communicate with uses RSA/IDEA, will our > GnuPG command-line fail to encrypt to their public key? No. IDEA is an optional part of PGP, and 3DES will be used instead. Whether your recipient will be able to decrypt depends on whether they're stuck with PGP 2.x. > Would we need to > install the latest PGP instead and purchase the license for > RSA/IDEA? No. > 1) PGP (or GPG) is a software package for encrypting and decrypting data. > The software can use one of a number of encryption algorithms and usually > comes with support for many different algorithms. Yes. > 2) The software we downloaded and installed on our local Windows > workstations (Gnu Privacy Guard - GPG) is free for use even in commercial > uses. Yes. GPG, and every algorithm supplied with GPG is free for use in any way you want to use it. IDEA is a different beast. It is not shipped as part of GPG, and requires a license for commercial use. You can add IDEA to GPG via a plugin or special compilation, but don't. Unless your situation is extremely special, you don't need IDEA. Just ignore it. > 3) If our AIX admin installed GPG for Unix, then the software on our GIS > servers are also license-free and cost-free for commercial uses. If he > installed PGP from http://www.pgpi.org or http://www.pgp.com/ then we need a > license. Yes. > 3) Most of the algorithms in the software are license-free and cose-free for > both commercial and non-commercial uses, except for the IDEA algorithm, > which is patented and needs a license.So we would need to find out if we > are using the IDEA encryption algorithm to find out whether we need to > purchase a license for that algorithm or not. If we're not using the IDEA > algorithm, we don't need a license. The MediaCrypt website (either > www.mediacrypt.com or www.media-crypt.com, I've seen both mentioned) seems > to be defunct, so I couldn't find out more information directly from their > website. It may be that they're not enforcing the patent any longer. If we > purchase a copy of the PGP software from NAI, it comes with a license for > IDEA algorithm. Yes. Bottom line: don't use PGP 6 (you can't use it for commercial use without a license and I'm fairly sure there is nobody who will sell you a PGP 6 license at this point anyway). Use a recent GPG or a recent PGP. Don't even get involved with IDEA unless a specific customer has a problem, and asking that customer to upgrade isn't an option. There is a lot of code in both GPG and PGP to make all these cipher and version questions invisible to the outside world. Let the system do the work for you. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
David Shaw wrote: >> What is the latest PGP version for Unix/AIX if not this one? How old is this >> version? > > Mid-2000, I think. Mid-1998, I think. Mid-2000 is when PGP 7 came out. PGP 6.5.8's date of introduction was mid-to-late '98. Following remarks are meant more for the original poster, rlively: > No way to guess. It's a segfault, so something is clearly very > broken. A sane program would print an error instead of crashing. I'll go one step further and say it's a sign you shouldn't use PGP 6.5.8. AIX has moved on in the last ten years; it's possible the C runtime has moved on, too. The segfault may be a problem with the PGP 6.5.8 code, or it may be a problem with the assumptions the code makes about the C runtime, or it may be... etc., etc. The fact it's segfaulting would cause me to harbor doubts about whether it should be used in a security context. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
David Shaw wrote: > > Bottom line: don't use PGP 6 (you can't use it for commercial use > without a license and I'm fairly sure there is nobody who will sell > you a PGP 6 license at this point anyway). Use a recent GPG or a > recent PGP. Don't even get involved with IDEA unless a specific > customer has a problem, and asking that customer to upgrade isn't an > option. There is a lot of code in both GPG and PGP to make all these > cipher and version questions invisible to the outside world. Let the > system do the work for you. > > ... > >> If someone we communicate with uses RSA/IDEA, will our >> GnuPG command-line fail to encrypt to their public key? > > No. IDEA is an optional part of PGP, and 3DES will be used instead. > Whether your recipient will be able to decrypt depends on whether > they're stuck with PGP 2.x. > > David > One of our contacts uses this key: Type: Public Key Algorithm: RSA Legacy Size: 2048 bits Created: 5/17/1999 Expires: Never Validity: None Cipher: IDEA Even though they key specifies Cipher: IDEA, are you saying that we should be able to encrypt to this public key just fine with the latest veresion of GnuPG, unless that contact is stuck using legacy PGP 2.x? If they use a newer version of PGP or GnuPG we should be fine? So to be safe, what do we need to do before the decision of whether to go PGP or GnuPG -- just contact them and ask what version of PGP or GPG they use? Supported under AIX? http://gnupg.org/download/supported_systems.en.html GnuPG Supported Systems doesn't list AIX 5.3. It does have AIX v4.3 under "Other OSes," though it has this disclaimer: GnuPG compiles and runs on many more systems, but due to the lack of a well tested entropy source, it should be used with some caution. We have positive reports on these systems. Is this anything to be concerned about? Is there a precompiled binary for AIX that someone has done? What is the danger of downloading the latest source and compiling it under AIX? How can I find a group of people that may have done this in the past so we can get some guidance? -- View this message in context: http://www.nabble.com/Export-secret-key-from-WinXP-%28GnuPG%29-1.4.7-to-AIX-PGP-Version-6.5.8-gives-Bad-Pass-Phrase-tp19512637p19520453.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
rlively wrote: > One of our contacts uses this key: This is a PGP 2.6 key, unfortunately. > Even though they key specifies Cipher: IDEA, are you saying that we > should be able to encrypt to this public key just fine with the > latest veresion of GnuPG, unless that contact is stuck using legacy > PGP 2.x? He is not. There are two different internet standards for PGP. The first one, called RFC1991, dates to the early '90s. The second one, called RFC4880, was only officially released a few months ago. The two standards are not interchangeable, and RFC4880 brings many more capabilities to the table. GnuPG is an RFC4880 application. PGP 2.6 is RFC1991. The two are generally incompatible. (I've heard talk of people figuring out how to make them work together, but I've generally been of the opinion they're talking about a lot of baling wire and bubblegum.) > What is the danger of downloading the latest source and compiling it > under AIX? No greater than downloading and compiling any other FOSS project. > How can I find a group of people that may have done this in the past > so we can get some guidance? Ask here. :) I imagine in short order you'll get some answers from people using GnuPG on AIX. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Tue, Sep 16, 2008 at 02:25:17PM -0700, rlively wrote: > One of our contacts uses this key: > > Type: Public Key > Algorithm: RSA Legacy > Size: 2048 bits > Created: 5/17/1999 > Expires: Never > Validity: None > Cipher: IDEA > > Even though they key specifies Cipher: IDEA, are you saying that we should > be able to encrypt to this public key just fine with the latest veresion of > GnuPG, unless that contact is stuck using legacy PGP 2.x? Yes. Even though the key specifies IDEA as a cipher, modern OpenPGP systems (GPG or PGP) will both use 3DES as an alternative if they do not have IDEA. > If they use a > newer version of PGP or GnuPG we should be fine? Yes. > So to be safe, what do we > need to do before the decision of whether to go PGP or GnuPG -- just contact > them and ask what version of PGP or GPG they use? That's one way - even better would be to just send them a sample encrypted message and verify they can decrypt the thing. If it works, it's proven. If it doesn't work, you'll be in a good place to debug. > Supported under AIX? > > http://gnupg.org/download/supported_systems.en.html GnuPG Supported Systems > doesn't list AIX 5.3. It does have AIX v4.3 under "Other OSes," though it > has this disclaimer: GnuPG compiles and runs on many more systems, but due > to the lack of a well tested entropy source, it should be used with some > caution. We have positive reports on these systems. > > Is this anything to be concerned about? Is there a precompiled binary for > AIX that someone has done? What is the danger of downloading the latest > source and compiling it under AIX? How can I find a group of people that > may have done this in the past so we can get some guidance? I think that information is a little out of date. AIX since v5.2 has had a /dev/random that is based on Yarrow. Assuming that there isn't some bug in their implementation (a point on which anyone's guess is as good as mine), AIX should do just fine. Read http://lists.gnupg.org/pipermail/gnupg-devel/2003-April/019954.html for a bit more info about the AIX random number generator. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
I need help reconciling the two responses below. I am still going to get a test file encrypted/decrypted using GPG 1.4.7 with the owner of said key just to see how it goes, but that might take a while, and I need to improve my general understanding of this entire process and all of the software involved anyway. rlively wrote: > > > One of our contacts uses this key: > > Cipher: IDEA > > > > Even though they key specifies Cipher: IDEA, are you saying that we > should > > be able to encrypt to this public key just fine with the latest > veresion of > > GnuPG, unless that contact is stuck using legacy PGP 2.x? > > > > If they use a newer version of PGP or GnuPG we should be fine? > David Shaw wrote: > > > Yes. Even though the key specifies IDEA as a cipher, modern OpenPGP > systems (GPG or PGP) will both use 3DES as an alternative if they do > not have IDEA. > > > If they use a newer version of PGP or GnuPG we should be fine? > > Yes. > > Robert J. Hansen-3 wrote: > > This is a PGP 2.6 key, unfortunately. > > > If they use a newer version of PGP or GnuPG we should be fine? > > He is not. There are two different internet standards for PGP. The > first one, called RFC1991, dates to the early '90s. The second one, > called RFC4880, was only officially released a few months ago. The two > standards are not interchangeable, and RFC4880 brings many more > capabilities to the table. > > GnuPG is an RFC4880 application. PGP 2.6 is RFC1991. The two are > generally incompatible. > > -- View this message in context: http://www.nabble.com/Export-secret-key-from-WinXP-%28GnuPG%29-1.4.7-to-AIX-PGP-Version-6.5.8-gives-Bad-Pass-Phrase-tp19512637p19532391.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
>Date: Wed, 17 Sep 2008 06:42:10 -0700 (PDT) >From: rlively <[EMAIL PROTECTED]> >Subject: Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP > Version 6.5.8 gives Bad Pass Phrase >I need help reconciling the two responses below. I am still going >to get a >test file encrypted/decrypted using GPG 1.4.7 with the owner of >said key >just to see how it goes, but that might take a while, and I need >to improve my general understanding of this entire process >and all of the software involved anyway. >David Shaw wrote: >> Yes. Even though the key specifies IDEA as a cipher, modern >OpenPGP systems (GPG or PGP) will both use 3DES as an alternative if >they do not have IDEA. >> >> > If they use a newer version of PGP or GnuPG we should be >fine? >> >> Yes. >Robert J. Hansen-3 wrote: >> >> >This is a PGP 2.6 key, unfortunately. >> >> > If they use a newer version of PGP or GnuPG we should be >fine? >> >> He is not. both posts are technically correct but, practically, the problem is that NO newer version of PGP, will use anything besides IDEA to encrypt to a pgp 2.6 key, so, while you can use gnupg to encrypt to that key, using ANY cipher, and PGP can decrypt it (as long as the version of PGP used has that cipher i.e., PGP 6x doesn't have AES, so it can't decrypt an AES message, but PGP 9.x does and can) you will still not be able to use gnupg to decrypt any message done in ANY version of PGP that encrypts to a pgp 2.x key, unless you have IDEA installed in your gnupg to make life simple for you, if you aren't a stickler for the IDEA patent issues, and if you don't get any grief from the legal team at your work, just put IDEA into your gnupg; [1] get the IDEA module: ftp://ftp.gnupg.dk/pub/contrib-dk/ideadll.zip [2] unzip this to your gnupg folder (c:\gnupg) [3] put this line into your gpg.conf file: load-extension c:\gnupg\IDEA.dll now you can decrypt whatever the client sends to you alternatively, as the client uses pgp 6.5.8 just ask the client to generate a new DH/DSA key (REAL 'diehard' pgp 2.x users, don't use anything besides 2.x ;-) so if the client already has 6.5.8 he may be more amenable to making a new key, and then all you have to do, is use the option of --pgp6 and gnupg will automatically make sure that everything you send can be decrypted and verified by 6.5.8) vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Enhance your home's curb appeal with name brand shutters. Click now. http://tagline.hushmail.com/fc/Ioyw6h4dZriiv64dIK5kLv7cT4enlUOJKv0jhymfS6YyOIseeni83N/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Wed, Sep 17, 2008 at 06:42:10AM -0700, rlively wrote: > > I need help reconciling the two responses below. I am still going to get a > test file encrypted/decrypted using GPG 1.4.7 with the owner of said key > just to see how it goes, but that might take a while, and I need to improve > my general understanding of this entire process and all of the software > involved anyway. We're both right with regards to the facts of PGP 2.x. With all due respect to Robert, I'm right with regards to whether it'll work. The situation, underneath it all is this: You have a modern OpenPGP program. Your correspondent has, or can be made to have, a modern OpenPGP program. Your correspondent's key is a V3 key (the so-called "PGP 2.x" key). OpenPGP does just fine with V3 keys. The spec says: OpenPGP implementations MUST create keys with version 4 format. V3 keys are deprecated; an implementation MUST NOT generate a V3 key, but MAY accept it. Both GPG and PGP follow that MAY, and happily accept V3 keys. Since you are the one doing the encrypting, and you are running GPG, and your GPG does not have IDEA, you will encrypt using 3DES. Your correspondent, receiving this message will be able to decrypt it as 3DES is required by all OpenPGP programs. As I said before, try it. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Wed, Sep 17, 2008 at 11:51:28AM -0400, David Shaw wrote: > On Wed, Sep 17, 2008 at 06:42:10AM -0700, rlively wrote: > > > > I need help reconciling the two responses below. I am still going to get a > > test file encrypted/decrypted using GPG 1.4.7 with the owner of said key > > just to see how it goes, but that might take a while, and I need to improve > > my general understanding of this entire process and all of the software > > involved anyway. > > We're both right with regards to the facts of PGP 2.x. With all due > respect to Robert, I'm right with regards to whether it'll work. > > The situation, underneath it all is this: You have a modern OpenPGP > program. Your correspondent has, or can be made to have, a modern > OpenPGP program. Your correspondent's key is a V3 key (the so-called > "PGP 2.x" key). > > OpenPGP does just fine with V3 keys. The spec says: > >OpenPGP implementations MUST create keys with version 4 format. V3 >keys are deprecated; an implementation MUST NOT generate a V3 key, >but MAY accept it. > > Both GPG and PGP follow that MAY, and happily accept V3 keys. Since > you are the one doing the encrypting, and you are running GPG, and > your GPG does not have IDEA, you will encrypt using 3DES. Your > correspondent, receiving this message will be able to decrypt it as > 3DES is required by all OpenPGP programs. I should add, though, that unless there is some reason why you need to use that old V3 key, an arguably better solution would be to just ask your correspondent to generate a new key... David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
rlively wrote: > I need help reconciling the two responses below. Sure. Both answers are correct; it's a matter of how David and I are interpreting your question. >> Even though they key specifies Cipher: IDEA, are you saying that we >> should be able to encrypt to this public key just fine with the >> latest veresion of GnuPG, unless that contact is stuck using legacy >> PGP 2.x? >> >> If they use a newer version of PGP or GnuPG we should be fine? > > David Shaw wrote: > > Yes. Even though the key specifies IDEA as a cipher, modern OpenPGP > systems (GPG or PGP) will both use 3DES as an alternative if they do > not have IDEA. David is talking about using classic PGP 2.6-style ClassicPGP keys to encrypt OpenPGP traffic. This answer is correct. You can use ClassicPGP keys in an OpenPGP environment if both parties are using a newer version of GnuPG/PGP. > He is not. There are two different internet standards for PGP. The > first one, called RFC1991, dates to the early '90s. The second one, > called RFC4880, was only officially released a few months ago. The > two standards are not interchangeable, and RFC4880 brings many more > capabilities to the table. > > GnuPG is an RFC4880 application. PGP 2.6 is RFC1991. The two are > generally incompatible. I'm talking about using classic PGP 2.6-style ClassicPGP keys to encrypt ClassicPGP traffic. AFAIK, this answer is correct; GnuPG was never meant to be a conformant ClassicPGP application. (It's possible that things have changed in the GnuPG codebase since the last time I looked at this, though.) The short version is that David read your message as "can GnuPG be used to process OpenPGP traffic while using ClassicPGP keys", and I read it as "can GnuPG be used to process ClassicPGP traffic, using ClassicPGP keys". ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
David Shaw wrote: > > We're both right with regards to the facts of PGP 2.x. With all due > respect to Robert, I'm right with regards to whether it'll work. > > You have a modern OpenPGP program. Your correspondent has, or can be made > to have, a modern > OpenPGP program. Your correspondent's key is a V3 key (the so-called > "PGP 2.x" key). > > OpenPGP does just fine with V3 keys. The spec says: > > Since you are the one doing the encrypting, and you are running GPG, and > your GPG does not have IDEA, you will encrypt using 3DES. Your > correspondent, receiving this message will be able to decrypt it as > 3DES is required by all OpenPGP programs. > I did a test with the contact, and I received this response: contact with legacy v3 key wrote: > Won't be a problem... we use McAfee e-Business Server v7.5 on our OS/390 > mainframe as well as McAfee e-Business v8.x on Windows as well as GnuPG > (gpg) with IDEA support DLL. I was able to decrypt your message > (encrypted with our legacy IDEA key). So it seems to work, but I do have this concern: is it possible that since they tested it on Windows with GnuPG and not on their e-Business server on the mainframe and that the real file will fail when their mainframe attempts to decrypt it? I sent this reply to get that extra test done: rlively wrote: > Is it possible to transfer the file to your mainframe to see if e-Business > server can decrypt it as well? We do not have the IDEA support DLL, which > means that the message was encrypted using 3DES instead of IDEA, but > modern GnuPG and PGP installations are still perfectly capable of > decrypting that. I do have concerns about the e-Business server > installation on the mainframe, though. Is that correct? When I view the encrypted file, it shows this: public key encrypted packet: version 3, algo RSA, keyid encrypted data packet: mdc method 0, length 82. What is mdc method 0? My concern is partially due to this entry on http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Network_Associates_acquisition Wikipedia , which seems to imply that the development for e-Business server stopped in 2001, which means that it may fall under the heading of "legacy PGP program" that is not OpenPGP conformant and therefore can't decrypt the OpenPGP traffic: wikipedia wrote: > In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for > Hush Communications, who provide an OpenPGP-based e-mail service, > Hushmail. He has also worked with Veridis and other companies. In October, > 2001, NAI announced that its PGP assets were for sale and that it was > suspending further development of PGP encryption. The only remaining asset > kept was the PGP E-Business Server (the original PGP Commandline version). > In February 2002, NAI cancelled all support for PGP products, with the > exception of the re-named commandline product. NAI (now McAfee) continues > to sell and support the product under the name McAfee E-Business Server. -- View this message in context: http://www.nabble.com/Export-secret-key-from-WinXP-%28GnuPG%29-1.4.7-to-AIX-PGP-Version-6.5.8-gives-Bad-Pass-Phrase-tp19512637p19558520.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
rlively 72ceot902 at sneakemail.com wrote Thu Sep 18 20:01:00 CEST 2008 on : contact with legacy v3 key wrote: >> we use McAfee e-Business Server v7.5 on our OS/390 >> mainframe as well as McAfee e-Business v8.x on Windows >> as well as GnuPG (gpg) with IDEA support DLL. >> I was able to decrypt your message >> (encrypted with our legacy IDEA key). >So it seems to work, but I do have this concern: >is it possible that since >they tested it on Windows with GnuPG >and not on their e-Business server on >the mainframe and that the real file will fail >when their mainframe attempts >to decrypt it? no, ANY pgp version on any platform will be able to decrypt a 3DES message to any key > I sent this reply to get that extra test done: > Is it possible to transfer the file to your mainframe > to see if e-Business server can decrypt it as well? > We do not have the IDEA support DLL, which > means that the message was encrypted using 3DES instead of IDEA, they will easily be able to decrypt it and, as long as you have a GnuPG generated key, you will be able to decrypt whatever they send to you, on whatever system and pgp program they use >What is mdc method 0? mdc == Modification Detection Code (the plaintext is hashed before being encrypted, and a packet with this hash is added to the pgp message) method 0 means none was used see http://tools.ietf.org/html/rfc4880#section-13.11 section 5.13 it was designed well after pgp 7x and wouldn't be used by pgp not having it, doesn't interefere with encryption or decryption (only having it, and having it with an 'error' means something ;-) ) vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Self Storage Options - Click Here. http://tagline.hushmail.com/fc/Ioyw6h4eNgRTiZgxmzJVE4SXshdaeya9MQrSkdLiBsx7RtnfDfiA4f/ ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
On Thu, Sep 18, 2008 at 11:01:00AM -0700, rlively wrote: > contact with legacy v3 key wrote: > > Won't be a problem... we use McAfee e-Business Server v7.5 on our OS/390 > > mainframe as well as McAfee e-Business v8.x on Windows as well as GnuPG > > (gpg) with IDEA support DLL. I was able to decrypt your message > > (encrypted with our legacy IDEA key). > > So it seems to work, but I do have this concern: is it possible that since > they tested it on Windows with GnuPG and not on their e-Business server on > the mainframe and that the real file will fail when their mainframe attempts > to decrypt it? I sent this reply to get that extra test done: > > > rlively wrote: > > Is it possible to transfer the file to your mainframe to see if e-Business > > server can decrypt it as well? We do not have the IDEA support DLL, which > > means that the message was encrypted using 3DES instead of IDEA, but > > modern GnuPG and PGP installations are still perfectly capable of > > decrypting that. I do have concerns about the e-Business server > > installation on the mainframe, though. > > Is that correct? It's the correct question to ask. They should be fine, but the best way to know that for sure is to do exactly the test you propose. > When I view the encrypted file, it shows this: > > public key encrypted packet: version 3, algo RSA, keyid > encrypted data packet: mdc method 0, length 82. > > What is mdc method 0? It means "there is no MDC here". An MDC is a Modification Detection Code, which is one of the features of OpenPGP. It protects against certain forms of message tampering. This key does not have the flag that indicates MDC support, so GPG isn't turning the protection on. The flag is part of OpenPGP, so that v3 key would naturally not have it. > My concern is partially due to this entry on > http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Network_Associates_acquisition > Wikipedia , which seems to imply that the development for e-Business server > stopped in 2001, which means that it may fall under the heading of "legacy > PGP program" that is not OpenPGP conformant and therefore can't decrypt the > OpenPGP traffic: "Legacy" is just a human term. The question you have is whether it can decrypt 3DES traffic. Run the test you suggest above, and then you'll know for sure. I expect it will work. Given what software they are using, and given the usual relucatance to rip out a working system, I can understand why your customer would not want to change keys, but note that there are a few not-small security benefits in upgrading. First step is to get things working, though. After that there is time to worry about future work. David ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
vedaal wrote: > > no, ANY pgp version on any platform will be able to decrypt a 3DES > message to any key > > they will easily be able to decrypt it > > and, as long as you have a GnuPG generated key, > you will be able to decrypt whatever they send to you, > on whatever system and pgp program they use > > vedaal > David Shaw wrote: > > I should add, though, that unless there is some reason why you need to > use that old V3 key, an arguably better solution would be to just ask > your correspondent to generate a new key... > > David > Thanks to all (Vedaal, David, and Robert) for helping me through this process. I'm getting a handle on the things that were confusing and concerning me. PGP vs GPG, patent issues with IDEA, Ciphers, algorithms, etc can all be confusing ... I did get a positive response to the question of decrypting the file on the contact's mainframe: contact with legacy v3 key wrote: > I can pretty much guarantee we would be able to decrypt the file on the > mainframe and I was able to decrypt their test message to me (using GnuPG 1.4.7 on Windows). Also, when I mentioned getting a newer key, the contact was surprised that I was given a key from 1999 when they had a newer key that I should've been given instead. So the contact sent me their updated key to use instead of the legacy v3 key anyway: Type: Public Key Algorithm: DSA/ELG Size: 1024/2048 bits Created: 2/10/2000 Expires: Never Cipher: CAST5 I think we're good for changing from PGP 6.5.8 to GnuPG. Any suggestions on what version to get for our AIX install? 1.x or 2.x? GnuPG.org website wrote: > "GnuPG comes in two flavours: 1.4.9 is the well known and portable > standalone version, whereas 2.0.9 is the enhanced and somewhat harder to > build version." > -- View this message in context: http://www.nabble.com/Export-secret-key-from-WinXP-%28GnuPG%29-1.4.7-to-AIX-PGP-Version-6.5.8-gives-Bad-Pass-Phrase-tp19512637p19574853.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Export secret key from WinXP (GnuPG) 1.4.7 to AIX PGP Version 6.5.8 gives Bad Pass Phrase
David Shaw wrote: > > >> If we install the latest Unix GnuPG on AIX, will we run into any issues >> with >> our current keys? > > Probably not, unless the person you are communicating with is using > PGP 2.x from the 1990s (don't laugh - some people still are). > ... > "Legacy" is just a human term. The question you have is whether it > can decrypt 3DES traffic. Run the test you suggest above, and then > you'll know for sure. I expect it will work. > > Robert J. Hansen-3 wrote: > > > GnuPG was never meant to be a conformant ClassicPGP application. > ... > The short version is that David read your message as "can GnuPG be used > to process OpenPGP traffic while using ClassicPGP keys", and I read it > as "can GnuPG be used to process ClassicPGP traffic, using ClassicPGP > keys". > > When I used the term "Legacy" - that's what I was referring to. I thought the implication was that if a PGP implementation is old enough and has not been updated (the PGP version 2.x referred to before), that it would not be able to decrypt my OpenPGP traffic from GPG using 3DES instead of IDEA for a v3 key. That is what I was concerned about. It appears not to be an issue in this case though. Again, thanks to all for helping clarify things. -- View this message in context: http://www.nabble.com/Export-secret-key-from-WinXP-%28GnuPG%29-1.4.7-to-AIX-PGP-Version-6.5.8-gives-Bad-Pass-Phrase-tp19512637p19628200.html Sent from the GnuPG - User mailing list archive at Nabble.com. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
