Re: secring and dropbox
https://twitter.com/#!/csoghoian/status/98116328677834752

On Fri, Jul 22, 2011 at 9:07 PM, Aaron Toponce wrote:
> On Fri, Jul 22, 2011 at 09:37:09PM +0200, Michel Messerschmidt wrote:
>> set pgp_auto_decode = yes
>
> Perfect! That was the variable I was looking for! Thanks!
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o

Marcio Barbado, Jr.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: secring and dropbox
On Thu, Jul 21, 2011 at 05:17:27PM -0600, Aaron Toponce wrote:
> On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
> > So, it appears I'm missing some configuration in Mutt then, as it remains
> > as the PGP message without any attempt to get to the plain text. Also, how
> > do you get the plain text? I can verify the signature, but can't seem to
> > get the text out of the signature.
>
> Nevermind. I can do it manually, but I'm not sure what I'm missing with
> Mutt. Any Mutt users here that can help me out?

mutt handled the message without error here.
In addition to the settings from gpg.rc my .muttrc contains:

set pgp_use_gpg_agent = yes
set pgp_auto_decode = yes

(I use gpg version 2.0.14)
Re: secring and dropbox
On Thu, Jul 21, 2011 at 05:17:27PM -0600, Aaron Toponce wrote:
> On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
> > So, it appears I'm missing some configuration in Mutt then, as it remains
> > as the PGP message without any attempt to get to the plain text. Also, how
> > do you get the plain text? I can verify the signature, but can't seem to
> > get the text out of the signature.
>
> Nevermind. I can do it manually, but I'm not sure what I'm missing with
> Mutt. Any Mutt users here that can help me out?

Hi Aaron,

For me, the following does the trick:
When viewing the message enter P
It will prompt you for a password, just hit enter.

These two steps made the message readable for me in mutt.

Cheers,
Remco
Re: Re: secring and dropbox
Hi!

At 20:59, Aaron Toponce wrote:
> [snip]
>
> Am I the only one who can't decrypt this message? Is there something I'm
> missing?

I *could* decode it, but since I'm reading the list in "digest" and "MIME" mode (i.e., I get one combined email for every 10 postings and each posting is a separate MIME attachment), I would have to specifically open such a particular mail attachment and hit "decrypt/verify" in Enigmail. I don't do that.

cu, Sven
Re: secring and dropbox
On 22/07/11 12:20 AM, Aaron Toponce wrote:
> On Wed, Jul 20, 2011 at 06:01:23PM -0600, Jay Litwyn wrote:
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v2.0.17 (MingW32)
>> Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
>>
>> owF9Vl1oHFUUThpb6eJSfa7oKYJJcH8msWmTWFISH9otplaptPVF7s7c3bnJzNzp
>> vXey2bZo37QIolKhSBUR/KEovvRFxBeh9lUQf6AgaB8VXwTpW/3OnZ20VTAksDv3
>> 3HO+853vfJM36xNj28YfeWrt8k/u/N/jn+/c0b2/n/dbbtMdnUzGn81oNpiZaQb7
>> m7MBzQSLc3O0vNqgZWF0Rsd1rrNQ0sBoJxfrtSVC/AkZNehIkeBiw18m4SjYt7h3
> [snip]
>
> Am I the only one who can't decrypt this message? Is there something
> I'm missing?

It wasn't encrypted, it was signed and base64 encoded (gpg -sa).

That said, you're almost certainly not the only one who couldn't read it (for the record, I could).

Regards,
Ben
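The distinction drawn in the reply above can be checked without any key by reading the first OpenPGP packet tag, shown here as an added example that is not part of the original thread. The quoted armor starts with `owF9`, which decodes to 0xA3 0x01: an old-format compressed-data packet (tag 8) using ZIP. All function names and both sample messages below are constructed for illustration.

```python
import base64
import zlib

ENCRYPTED = {1, 3, 9, 18}   # PKESK, SKESK, encrypted data, encrypted data + MDC
SIGNED = {2, 4}             # signature, one-pass signature

def dearmor(text):
    """Return the binary OpenPGP packets inside one ASCII-armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # skip armor headers and END line
    body = [ln for ln in body if not ln.startswith("=")]  # drop CRC-24 line
    return base64.b64decode("".join(body))

def first_packet(data):
    """Parse one RFC 4880 packet header; return (tag, body bytes)."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                            # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            return tag, data[2:2 + first]
        if first < 224:
            return tag, data[3:3 + ((first - 192) << 8) + data[2] + 192]
        if first == 255:
            return tag, data[6:6 + int.from_bytes(data[2:6], "big")]
        return tag, data[2:2 + (1 << (first & 0x1F))]  # partial: first chunk
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 3   # old-format header
    if ltype == 3:                            # indeterminate length
        return tag, data[1:]
    n = 1 << ltype                            # 1, 2 or 4 length octets
    return tag, data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def classify(armored):
    """Report whether an armored message is encrypted or only signed."""
    tag, body = first_packet(dearmor(armored))
    if tag == 8:                              # compressed data: look inside
        algo, payload = body[0], body[1:]
        if algo == 1:                         # ZIP, i.e. raw DEFLATE
            payload = zlib.decompressobj(-15).decompress(payload)
        elif algo == 2:                       # ZLIB
            payload = zlib.decompressobj().decompress(payload)
        elif algo != 0:
            return "compressed (algorithm %d not handled here)" % algo
        tag, _ = first_packet(payload)
    if tag in ENCRYPTED:
        return "encrypted"
    if tag in SIGNED:
        return "signed, not encrypted"
    return "neither signed nor encrypted (tag %d)" % tag

def _armor(packets):
    return ("-----BEGIN PGP MESSAGE-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packets).decode() + "\n-----END PGP MESSAGE-----\n")

# Constructed samples, not real messages; SIGNED_SAMPLE has the `gpg -sa` layout.
_ops = bytes([0x90, 13, 3, 0, 8, 1]) + bytes(8) + b"\x01"  # one-pass signature
# zlib.compress() minus its 2-byte header and 4-byte Adler-32 is raw DEFLATE.
SIGNED_SAMPLE = _armor(b"\xa3\x01" + zlib.compress(_ops)[2:-4])
ENCRYPTED_SAMPLE = _armor(b"\x85\x00\x0a\x03" + bytes(9))  # PKESK header, dummy body
```
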
Re: secring and dropbox
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp

[snip]
-----END PGP MESSAGE-----
Re: secring and dropbox
On 2011-07-20 9:39 AM, Aaron Toponce wrote:
> On Wed, Jul 20, 2011 at 11:23:12AM +0200, Werner Koch wrote:
>> On Wed, 20 Jul 2011 03:25, r...@sixdemonbag.org said:
>>> I'm presenting the script here in case someone else finds
>>> it useful, but really, it's embarrassingly simple.

Never let simple embarrass you. For me, it is key. For someone else, it might be poetry. For someone simpler than you, it might be obfuscation. :)

>> gpg --gen-random --armor 1 16
>>
>> Might even be a bit simpler ;-)
>
> Ah, cool. However, as the gpg(1) manual states,
> --gen-random removes precious entropy from your system.

I took that for a joke. Someone should put a ;-) in the doc.

> It might be worth adding to that note,
> that regenerating entropy isn't that big of a deal.
> Something along the
> lines of:
>
> $ du / > /dev/null
>
> Should be sufficient, by causing a lot of disk interrupts.
> Just a thought.
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o

Discarded Acronyms: Wake On Packet: WOP.
Re: secring and dropbox
On 07/20/2011 09:55, Aaron Toponce wrote:
> Yes, of course. I'm not arguing that it isn't, but rather the documentation
> could be more complete, such as restoring that entropy after exhaustion.

Some of us run systems that don't have that issue. :)

--
    Nothin' ever doesn't change, but nothin' changes much.
            -- OK Go

    Breadth of IT experience, and depth of knowledge in the DNS.
    Yours for the right price. :) http://SupersetSolutions.com/
Re: secring and dropbox
> Ah, cool. However, as the gpg(1) manual states, --gen-random removes
> precious entropy from your system.

But that's really the point. If you want strong random data, that data should have high entropy. But that entropy needs to come from somewhere -- i.e., your system.

What I'd find more interesting is why you (Werner) chose quality level 1. What do these levels do? Is 2 full entropy, and 0 just urandom?

--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jer...@jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
Re: secring and dropbox
Kara karadenizi at gmail.com wrote on Wed Jul 20 02:18:16 CEST 2011 :

>> Is it a bad idea to place your secring in dropbox?

> Using a decent password generator and specifying a mix of upper and lower case letters, digits, and special characters, how many total characters -- as a minimum -- would you recommend such a password be?

> Any particular password generator program you would recommend?

A simple alternative would be to create a truecrypt container, allowing truecrypt to generate its own keyfile. Store the keyfile in a secure, retrievable place (not in the cloud), and you can leave the password blank.

To answer your question; assuming that at some point, the 'cloud' will have resources to brute force passphrases that might be considered safe 'now', but still not enough to brute force a 2^256 or even a 2^128 symmetrical cipher, then, symmetrically encrypt any file using either AES, Twofish, or Camellia, and then decrypt it with the gnupg option of '--show-session-key'.

Gnupg will display a random 64 character string. Use the entire string as your passphrase, (or half of it, if you feel comfortable that the combined sources of the cloud will not be able to brute-force a 128 bit keyspace in your lifetime ;-) )

If you find such a string difficult to remember, then consider Diceware.
http://world.std.com/~reinhold/diceware.html
(afaik, there is no computerized dice generator that will produce acceptably random results, so you'll need 5 dice.)

The Diceware keyspace is 7776 (6 possibilities for a die throw, 5 throws, 6^5 = 7776).

[ 7776^10 ~= 8.08 x 10^38 ] > [ 2^128 ~= 3.40 x 10^38 ]
[ 7776^20 ~= 6.53 x 10^77 ] > [ 2^256 ~= 1.58 x 10^77 ]

A 10 word Diceware passphrase should be more than enough.
Re: secring and dropbox
On Wed, 20 Jul 2011 03:25, r...@sixdemonbag.org said:

> I'm presenting the script here in case someone else finds it useful, but
> really, it's embarrassingly simple.

gpg --gen-random --armor 1 16

Might even be a bit simpler ;-)

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: secring and dropbox
Hey all,

I'd like to just point this out. On June 20th Dropbox had a security snafu[1]. Why trust a 3rd party when you could do it yourself? When it comes to security and privacy there isn't much transparency. Maybe postmortem but not upfront.

[1] http://blog.dropbox.com/?p=821
[1] http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/

On 4:16:17PM, Len Cooley wrote:
> Is it a bad idea to place your secring in dropbox?

--
Aaron Kaufman
0BA9 4F79 6949 8CA5 36BD DF11 3A4A 17E9 9681 4D1C
Re: secring and dropbox
I think it's a bad idea. If exposure of private keys is acceptable, why not just use AES-like methods?

To back up private keys, I think a printer is better, and more reliable than Dropbox-like cloud storage.

The security of Dropbox is far from what is claimed; don't trust them. See
http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/
and http://blog.dropbox.com/?p=821,
http://hardware.slashdot.org/story/11/05/15/2157202/Dropbox-Accused-of-Lying-About-Security

Changsheng Jiang

On Wed, Jul 20, 2011 at 09:28, Aaron Toponce wrote:
> On Tue, Jul 19, 2011 at 04:16:17PM -0400, Len Cooley wrote:
> > Is it a bad idea to place your secring in dropbox?
>
> I guess it's all about security versus convenience. So long as your
> passphrase contains enough entropy, is strong, and secure, then I don't see
> the big deal.
>
> With that said, I don't see the need either. You have the tools and
> hardware available to you, at very cheap prices, to build your own cloud
> storage on your own private network. We've had this for years. So why trust
> some 3rd party to do it for you? Why risk, even a minuscule amount of
> privacy when you don't have to?
>
> Just my $0.02.
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o
Re: secring and dropbox
On 2011-07-19 6:18 PM, Kara wrote:
>
>
> Reference Robert J. Hansen's 19 Jul 2011, 1504 (-0700), "Re: secring
> and dropbox":
>
>>> Is it a bad idea to place your secring in dropbox?
>> Depends entirely on the strength of your passphrase. With a strong
>> enough passphrase you could publish your secret certificates in the
>> newspaper of your choice and still be confident of their safety.
> Using a decent password generator and specifying a mix of upper and
> lower case letters, digits, and special characters, how many total
> characters -- as a minimum -- would you recommend such a password be?
>
> Any particular password generator program you would recommend?
>

Your brain. You have to remember it, so you are better off constructing it in the first place. Remember that you will have no automated retrieval process, where a friendly program reminds you of your passphrase. It is almost a shame that the most retrievable things are sentences with non-sensical images in them, like Harry Lorayne's pimple-moose for pamplemousse, the French word for grapefruit: He would have you imagine a moose with giant grapefruit pimples to remember that French word. You can then insert punctuation and numbers that don't go on facebook, anywhere, cut some of the words down to initials or consonants (or out, if it's long enough). Then, add a pattern in your casing. There could be a program like "crack" applied to input passwords, measuring strength.

Of course, if you are confident that your private key ring will never go anywhere, and that you can revoke it if it does (GENERATE A REVOCATION CERTIFICATE. Store it on that USB key that is chained into your coat.) It would of course be a nuisance to have someone publish your revocation certificate, and nothing like losing money at Mark Twain Bank. If your friends are good enough, then you can leave a revocation certificate with them.
Re: secring and dropbox
> Using a decent password generator and specifying a mix of upper and
> lower case letters, digits, and special characters, how many total
> characters -- as a minimum -- would you recommend such a password be?

Generate 16 random bytes, base-64 encode them, memorize the output.

I use a Python script to generate high-value keys. Works pretty well wherever there's a /dev/random device that can be read. I'm sure there's a way to do it for Windows, but I almost always have a UNIX terminal handy so I haven't bothered. :)

I'm presenting the script here in case someone else finds it useful, but really, it's embarrassingly simple.

#!/usr/bin/env python
#coding=UTF-8
#
# genrandkey -- generates high-randomness 128-bit keys
#
# Contributed to the public domain.
#
# Be careful with this script: each time you run it you consume
# sixteen bytes from the system's high-entropy source. Only
# generate random keys when you need them!
#
# If you need to generate a lot of keys, you may want to use
# /dev/urandom instead. The keys won't quite be of as high
# quality, but should be plenty good enough for almost all
# purposes.
#
# Usage example:
#
# proverbs:~ rjh$ ./genrandkey
# EDTnI9Awc6Y19Rysg2+H+g==

from base64 import b64encode

if __name__ == '__main__':
    # Binary mode: /dev/random yields raw bytes, not text.
    with open('/dev/random', 'rb') as fh:
        # Decode the base64 bytes so the key prints as plain ASCII
        # under both Python 2 and Python 3.
        print(b64encode(fh.read(16)).decode('ascii'))
Re: secring and dropbox
Reference Robert J. Hansen's 19 Jul 2011, 1504 (-0700), "Re: secring and dropbox":

>> Is it a bad idea to place your secring in dropbox?
> Depends entirely on the strength of your passphrase. With a strong
> enough passphrase you could publish your secret certificates in the
> newspaper of your choice and still be confident of their safety.

Using a decent password generator and specifying a mix of upper and lower case letters, digits, and special characters, how many total characters -- as a minimum -- would you recommend such a password be?

Any particular password generator program you would recommend?
Re: secring and dropbox
> Is it a bad idea to place your secring in dropbox?

Depends entirely on the strength of your passphrase. With a strong enough passphrase you could publish your secret certificates in the newspaper of your choice and still be confident of their safety.
secring and dropbox
Is it a bad idea to place your secring in dropbox?