From JPClizbe at tx.rr.com Sat Sep 1 01:57:42 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 31 Aug 2007 18:57:42 -0500
Subject: How to use GnuPG to generate sha512sum hash?
In-Reply-To: <87bcf3800708310723u16eeefdcmd5a0463407779ffc@mail.gmail.com>
References: <87bcf3800708302311o74f7d451y906bf81874daf9d3@mail.gmail.com> <20070831083851.GD29678@psilocybe.teonanacatl.org> <87bcf3800708310422u6ee3d054s5da8b0fae3af73ac@mail.gmail.com> <20070831115532.GA19230@jabberwocky.com> <87bcf3800708310723u16eeefdcmd5a0463407779ffc@mail.gmail.com>
Message-ID: <46D8AAF6.7050307@tx.rr.com>

Moses wrote:
> O...I see.
> I've got the correct hash on Linux..., thank you all! :-)
>
> The problem that remains now is how to get the same hash on Windows,
> because echo on Windows does not have a -n flag:
>
> echo -n AAA
> -n AAA
> so, on Windows "echo -n AAA | gpg --print-md sha1" is actually hashing
> "-n AAA\n" but not "AAA"... :-\
>
> Is there an easy way to get rid of the newline on a Windows system?

A) Construct a text file containing your text without the CR-LF Windows likes and use 'TYPE'

C:\WINDOWS\Temp>dir aaa.txt
 Volume in drive C is Ice Chest
 Volume Serial Number is 3083-4508

 Directory of C:\WINDOWS\Temp

2007-08-31  16:02                 3 aaa.txt
               1 File(s)              3 bytes
               0 Dir(s)  24,640,925,696 bytes free

C:\WINDOWS\Temp>type aaa.txt | gpg --print-md sha512
8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078 B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385

B) Or use any of the versions of bash or ksh available for Win32 to get a POSIX environment. There are many available: MSYS, Cygwin, UWIN, SFU/Interix

C:\WINDOWS\Temp>bash
bash-3.2$ echo -n AAA | gpg --print-md sha512
8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078 B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385
bash-3.2$

--
John P. Clizbe                      Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From g_k at gmx.at Sat Sep 1 12:39:54 2007
From: g_k at gmx.at (g_k at gmx.at)
Date: Sat, 1 Sep 2007 12:39:54 +0200
Subject: Key Signing, Subkeys
Message-ID: <200709011239.55107.g_k@gmx.at>

Hi!

I'm new to GnuPG and have 2 questions regarding key signing I didn't find answers for in the documentation:

1) Somebody signs my public key, and this "new version" containing that additional signature is uploaded to a keyserver. (Am I right so far?) How do others that already had my public key before that signature get the new version? How do they know there is a new one?

2) When I have a master key, and a subkey for everyday usage, I don't lose all the signatures on the master key if the subkey is revoked or expires, since the new subkey will be signed by the master key. This implies using only the master key for signing. Now, if someone signs my master key, how will this be reflected on the subkey? Do I have to generate a new subkey every time someone signs my master key in order that the new signature affects the subkey?

Thanks a lot,
georg

From dshaw at jabberwocky.com Sat Sep 1 15:16:30 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 1 Sep 2007 09:16:30 -0400
Subject: Key Signing, Subkeys
In-Reply-To: <200709011239.55107.g_k@gmx.at>
References: <200709011239.55107.g_k@gmx.at>
Message-ID: <20070901131630.GA22208@jabberwocky.com>

On Sat, Sep 01, 2007 at 12:39:54PM +0200, g_k at gmx.at wrote:
> Hi!
>
> I'm new to GnuPG and have 2 questions regarding key signing I didn't find
> answers for in the documentation:
>
> 1) Somebody signs my public key, and this "new version" containing
> that additional signature is uploaded to a keyserver. (Am I right so
> far?) How do others that already had my public key before that
> signature get the new version? How do they know there is a new one?

Most people poll for updates occasionally (e.g. "gpg --refresh"). There is no notification method.

> 2) When I have a master key, and a subkey for everyday usage, I
> don't lose all the signatures on the master key if the subkey is
> revoked or expires, since the new subkey will be signed by the
> master key.

True.

> This implies using only the master key for signing.

Not necessarily true. You can use a subkey for signing if you like. In this usage, the master key is only used for signing other keys (whether your own subkeys or other people's keys).

> Now, if someone signs my master key, how will this be reflected on
> the subkey? Do I have to generate a new subkey every time someone
> signs my master key in order that the new signature affects the
> subkey?

No. The trust calculations are between master keys and user IDs (people don't sign a master key - they sign a master key and user ID). Subkeys just go along for the ride.

David

From albert at fsfe.org Sat Sep 1 16:55:03 2007
From: albert at fsfe.org (Albert Dengg)
Date: Sat, 1 Sep 2007 16:55:03 +0200
Subject: problems signing keys
Message-ID: <20070901145503.GB32167@Mjolnir.lan>

hi

i have a problem signing keys...
while i have no problems signing and en-/decrypting files, i have a problem when signing keys: gnupg complains about not finding the private key:

gpg: secret key parts are not available
gpg: signing failed: general error

any hints what's going wrong?

tia
yours
albert
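Back to the first thread on this page (hashing a string with gpg --print-md): the reason the Linux and Windows digests differed is that the three shell idioms feed three different byte strings into the pipe. The following is an added example, not code from the thread or from GnuPG. It hashes those three inputs with hashlib so the difference is visible, renders a digest in gpg's --print-md layout (upper-case hex in groups of eight; the eight-groups-per-line wrap is an assumption about gpg's layout), and normalises either that layout or the lower-case sha512sum layout to bare hex so digests from different tools can be compared mechanically. The digest constant is the value posted above for the three-byte file "AAA".

```python
"""What `gpg --print-md sha512` actually hashed, and how to compare digests.

Added example, not code from the thread. Three byte strings are in play in
that thread: "AAA" (what was wanted), "AAA\n" (what POSIX `echo` without -n
feeds to the pipe) and "-n AAA\n" (what cmd.exe's `echo -n` feeds to the pipe,
because cmd.exe has no -n flag and prints the "-n" literally).
"""
import hashlib
import re

# Digest posted in the thread for the three-byte file containing exactly "AAA"
# (cmd.exe `type aaa.txt` and bash `echo -n AAA` agreed on it).
POSTED_AAA_SHA512 = (
    "8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 "
    "5164C078 B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385"
)


def shell_inputs(text: str) -> dict:
    """The bytes each shell idiom from the thread really sends down the pipe."""
    raw = text.encode()
    return {
        "bash: echo -n TEXT": raw,                      # exactly TEXT
        "bash: echo TEXT": raw + b"\n",                 # POSIX echo appends LF
        "cmd.exe: echo -n TEXT": b"-n " + raw + b"\n",  # cmd.exe has no -n flag
    }


def sha512_hex(data: bytes) -> str:
    """Lower-case hex digest, the layout sha512sum prints."""
    return hashlib.sha512(data).hexdigest()


def digests_for(text: str) -> dict:
    """SHA-512 of every byte string in shell_inputs(), keyed by idiom."""
    return {label: sha512_hex(data) for label, data in shell_inputs(text).items()}


def to_print_md_layout(hexdigest: str, groups_per_line: int = 8) -> str:
    """Render like `gpg --print-md`: upper-case, groups of eight hex digits.
    The groups-per-line wrap is an assumption; normalize_digest ignores it."""
    groups = [hexdigest[i:i + 8].upper() for i in range(0, len(hexdigest), 8)]
    return "\n".join(" ".join(groups[i:i + groups_per_line])
                     for i in range(0, len(groups), groups_per_line))


def normalize_digest(text: str) -> str:
    """Bare lower-case hex from either layout. Runs of fewer than eight hex
    digits are dropped, which discards file names such as `aaa.txt` that
    sha512sum appends and gpg prefixes (a file name that is itself 8+ hex
    digits would have to be removed by the caller first)."""
    return "".join(re.findall(r"[0-9a-fA-F]{8,}", text)).lower()


def same_digest(a: str, b: str) -> bool:
    """True when two digests agree regardless of which tool formatted them."""
    return normalize_digest(a) == normalize_digest(b)


if __name__ == "__main__":
    for label, digest in digests_for("AAA").items():
        print(f"{label:24} {digest[:16]}...")
    print(to_print_md_layout(sha512_hex(b"AAA")))
```

When a vendor sends back a sha512sum-style value and the sender only has gpg's grouped upper-case output (or vice versa), `same_digest` is the comparison to use; a visual comparison of the two layouts is where most "the hashes don't match" tickets come from.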
From zhangweiwu at realss.com Mon Sep 3 13:44:21 2007
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Mon, 03 Sep 2007 19:44:21 +0800
Subject: old question: invalid trustdb (workarounds on the Internet doesn't work for me)
Message-ID: <46DBF395.3050203@realss.com>

Hello. I created my .gnupg folder 3 years ago when I was using a Sun Sparc workstation + Gentoo Linux. Over the years I moved to many different workstations; I always copied this folder to the new workstation and it always worked. The last workstation working with this .gnupg directory is running SuSE 10.0.

Now I copied this directory to my iBook (with PowerPC) running Ubuntu 7.04 and I am no longer able to send encrypted emails. I tried with the command line:

zhangweiwu at esmeralda:~$ gpg --list-keys
gpg: 0: read expected rec type 1, got 42
gpg: fatal: /home/zhangweiwu/.gnupg/trustdb.gpg: invalid trustdb
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

Googling around I found multiple posts about this issue and they all suggest version incompatibility. But these posts are several years old (e.g. some say I should try exporting the trustdb using 1.0.4, but actually I have 1.4.6).

Some posts also suggested moving the trustdb elsewhere and letting gnupg re-create one. I did, but it doesn't work:

zhangweiwu at esmeralda:~$ mv .gnupg/trustdb.gpg /tmp/
zhangweiwu at esmeralda:~$ gpg --list-keys
gpg: /home/zhangweiwu/.gnupg/trustdb.gpg: trustdb created
gpg: [don't know]: indeterminate length for invalid packet type 13
gpg: keydb_search_first failed: invalid packet
zhangweiwu at esmeralda:~$ gpg --list-keys
gpg: [don't know]: indeterminate length for invalid packet type 13
gpg: keydb_search_first failed: invalid packet

So what can I do to recover my old keys? I try not to create a new key because then again I have to let each recipient re-trust my new key.

Thanks in advance!
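The second error above is worth decoding before touching anything else, because it points at the keyring rather than the trustdb. gpg prints "indeterminate length for invalid packet type 13" when the byte it expected to be the next packet header is an old-format header claiming a User ID packet of indeterminate length, which no keyring ever contains, so some earlier packet's body is longer or shorter than its header says. The following is an added example, not code from the thread or from GnuPG: a parser for the packet-header rules of RFC 4880 section 4.2 (old- and new-format headers, definite lengths only) that reports the same condition with a file offset, plus a simulation of one classic cause, an FTP transfer left in ASCII mode, which rewrites every 0x0A byte as 0x0D 0x0A and shifts everything after it by one byte. The sample keyring is constructed here from dummy packet bodies; only the headers and lengths mean anything.

```python
"""Locating damage in an OpenPGP keyring by walking its packet headers.

Added example, not code from the thread. Implements RFC 4880 section 4.2
header parsing and reproduces the gpg diagnostic quoted in the post above on a
constructed keyring that has been through an ASCII-mode file transfer.
"""

PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13   # packet tags, RFC 4880 section 4.3


def parse_packet_headers(data: bytes) -> list:
    """Return [(tag, body_length, is_new_format), ...] for a packet stream, or
    raise ValueError naming the offset of the first header that is not one."""
    packets, i, n = [], 0, len(data)

    def need(k):  # guard against a header truncated by the end of the file
        if i + k > n:
            raise ValueError(f"offset {i}: file ends inside a packet header")

    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"offset {i}: byte 0x{ctb:02x} is not a packet header")
        if ctb & 0x40:                      # new-format header: bit 6 set
            tag, i = ctb & 0x3F, i + 1
            need(1)
            first = data[i]
            if first < 192:                 # one-octet length
                length, i = first, i + 1
            elif first < 224:               # two-octet length
                need(2)
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:              # five-octet length
                need(5)
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:                           # 224..254: partial body length
                raise ValueError(f"offset {i}: partial body length is not valid in a keyring")
            new_format = True
        else:                               # old-format header: 10TTTTLL
            tag, ltype, i = (ctb >> 2) & 0x0F, ctb & 0x03, i + 1
            if ltype == 3:
                # Indeterminate length is only meaningful for a few data packets;
                # key material never uses it. This is the condition gpg reported.
                raise ValueError(f"offset {i - 1}: indeterminate length for invalid packet type {tag}")
            nbytes = (1, 2, 4)[ltype]
            need(nbytes)
            length, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
            new_format = False
        if i + length > n:
            raise ValueError(f"offset {i}: packet type {tag} claims {length} body bytes, only {n - i} remain")
        packets.append((tag, length, new_format))
        i += length
    return packets


def check_keyring(data: bytes) -> str:
    """'ok: N packets', or 'corrupt: ' plus the diagnostic for the first bad header."""
    try:
        return f"ok: {len(parse_packet_headers(data))} packets"
    except ValueError as err:
        return f"corrupt: {err}"


def ascii_mode_transfer(data: bytes) -> bytes:
    """What an FTP client in ASCII (text) mode does to a Unix file bound for a
    CRLF system: every LF becomes CR LF. A binary file grows by one byte per
    0x0A it happens to contain, which is why keyrings must travel in binary mode."""
    return data.replace(b"\n", b"\r\n")


def old_format_packet(tag: int, body: bytes, ltype: int) -> bytes:
    """Old-format header 0b10TTTTLL followed by a 1-, 2- or 4-byte length."""
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes((1, 2, 4)[ltype], "big") + body


def new_format_packet(tag: int, body: bytes) -> bytes:
    """New-format header 0b11TTTTTT with a one-octet length (bodies under 192 bytes)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample stream (dummy bodies, not a real key). The public-key body
# deliberately contains one 0x0A byte and ends in 0xB7, so that after an
# ASCII-mode transfer the parser lands on 0xB7 where it expects the next header:
# 0xB7 decodes as old format, tag 13, length type 3 (indeterminate).
PUBKEY_BODY = bytes([0x04, 0x46, 0xDB, 0xF3, 0x95, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0xB7])
UID_TEXT = b"Example User <user@example.org>"
SIG_BODY = bytes([0x04, 0x13, 0x01, 0x08, 0x00, 0x06])
CLEAN_KEYRING = (old_format_packet(PUBLIC_KEY, PUBKEY_BODY, 1)
                 + old_format_packet(USER_ID, UID_TEXT, 0)
                 + new_format_packet(SIGNATURE, SIG_BODY))

if __name__ == "__main__":
    print(check_keyring(CLEAN_KEYRING))
    print(check_keyring(ascii_mode_transfer(CLEAN_KEYRING)))
```

Run against a real pubring.gpg, `check_keyring` tells you whether the file is structurally sound before you start deleting trustdbs, and the offset it reports is where to look with a hex editor. A file that has been through an ASCII-mode transfer cannot be repaired mechanically (a 0x0D that was genuinely in the key cannot be told apart from an inserted one), so the fix is to re-copy the original directory in binary mode, or from a backup.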
From wk at gnupg.org Tue Sep 4 09:11:54 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 04 Sep 2007 09:11:54 +0200
Subject: old question: invalid trustdb (workarounds on the Internet doesn't work for me)
In-Reply-To: <46DBF395.3050203@realss.com> (Zhang Weiwu's message of "Mon, 03 Sep 2007 19:44:21 +0800")
References: <46DBF395.3050203@realss.com>
Message-ID: <87ir6q52h1.fsf@wheatstone.g10code.de>

On Mon, 3 Sep 2007 13:44, zhangweiwu at realss.com said:

> workstation + Gentoo Linux. For the years I moved to many different
> workstations, I always copy this folder to new workstations and it
> always worked. The last workstation working with this .gnupg directory
> is running SuSE 10.0

That is just fine; the format of all files is architecture independent.

> zhangweiwu at esmeralda:~$ gpg --list-keys
> gpg: 0: read expected rec type 1, got 42
> gpg: fatal: /home/zhangweiwu/.gnupg/trustdb.gpg: invalid trustdb

Well, it is for some reason corrupted. By deleting the trustdb you will only lose the `ownertrust' values which tell gpg how much you trust key owners to correctly sign other keys. (--{export,import}-ownertrust is used for backing these up.)

> (e.g. some say I should try export trustdb using 1.0.4 but actually I

Well, we changed the internal format of some files with 1.0.7; the script convert-from-106 fixes this.

> gpg: [don't know]: indeterminate length for invalid packet type 13
> gpg: keydb_search_first failed: invalid packet

Are you sure that you copied the keys correctly? The "13" may be an indication that you forgot to switch the ftp client to binary mode - if you used FTP.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From greg_motter at hotmail.com Wed Sep 5 16:27:46 2007
From: greg_motter at hotmail.com (Greg Motter)
Date: Wed, 5 Sep 2007 07:27:46 -0700 (PDT)
Subject: gpg: failed to create temporary file
Message-ID: <12499226.post@talk.nabble.com>

Hello all. I'm having issues again.
Now I'm not able to create the temporary files for some reason.

gpg: WARNING: unsafe ownership on homedir `xxxxxx'
gpg: failed to create temporary file `/xxxxxxx/.#lk4000d0d8.universe.1881': Permission denied
gpg: keyblock resource `/xxxxxxx/xxxx': general error
gpg: failed to create temporary file `/xxxxxxxxxx/.#lk4000d0d8.universe.1881': Permission denied
gpg: keyblock resource `/xxxxx/xxxx': general error
gpg: xxxx at xxxx.com: skipped: public key not found
gpg: /xxxxxxxxxxx/test1.txt: encryption failed: public key not found

I guess my first question is, what should the permissions be on all of the files? I'd thought it was supposed to be read for everyone, write for only owner and root, and no execute, but that seems to be causing issues.

Thanks for your responses.

Greg

From JPClizbe at tx.rr.com Wed Sep 5 18:57:24 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 05 Sep 2007 11:57:24 -0500
Subject: gpg: failed to create temporary file
In-Reply-To: <12499226.post@talk.nabble.com>
References: <12499226.post@talk.nabble.com>
Message-ID: <46DEDFF4.3080405@tx.rr.com>

Greg Motter wrote:
> Hello all. I'm having issues again. Now I'm not able to create the temporary
> files for some reason.
>
> I guess my first question is, what should the permissions be on all of the
> files? I'd thought it was supposed to be read for everyone write for only
> owner and root and no execute, but that seems to be causing issues.
jpclizbe at icechest ~ $ ls -ld .gnupg
drwx------+ 2 jpclizbe None 0 Jul 19 17:26 .gnupg

jpclizbe at icechest ~ $ ls -l .gnupg
total 4
-rwxr-xr-x 1 jpclizbe None 1609 Apr 22 18:12 gpg.conf
-rw------- 1 jpclizbe None    0 Apr 22 04:06 pubring.gpg
-rw------- 1 jpclizbe None    0 Apr 22 04:06 secring.gpg
-rw------- 1 jpclizbe None   40 Apr 22 04:06 trustdb.gpg

gpg.conf redirects the keyring files to another mount point for a flash card.

--
John P. Clizbe                      Inet:   John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

From noiano at x-privat.org Thu Sep 6 11:26:00 2007
From: noiano at x-privat.org (Noiano)
Date: Thu, 06 Sep 2007 11:26:00 +0200
Subject: RSA or DSA? That's the question

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody,
as you can see my key is about to expire and I need to create a new one. When I created it I didn't know which algorithm was the best choice and I just chose the first option. Now I still don't know which is the best to choose and why. Is one more secure than the other? I don't think so, but I think there are some differences that make one algorithm more suitable for some uses than the other.

I was thinking of creating one RSA key and one subkey for encryption. What do you think? What do you advise?
Thanks for your attention
Noiano
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG38en6NhvvhGyNWkRApjlAJ0a3lCOaMAFjI+PyePveGI5GNDE/gCcC7hF
u0z09ErtdSmnMhc78mA+kus=
=M/d1
-----END PGP SIGNATURE-----

From wk at gnupg.org Thu Sep 6 12:35:22 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 06 Sep 2007 12:35:22 +0200
Subject: RSA or DSA? That's the question
In-Reply-To: (noiano@x-privat.org's message of "Thu, 06 Sep 2007 11:26:00 +0200")
Message-ID: <87fy1scc9h.fsf@wheatstone.g10code.de>

On Thu, 6 Sep 2007 11:26, noiano at x-privat.org said:

> I was thinking to create one rsa key and one subkey for encryption. What
> do you think? What do you advise?

If you want to be standards-conformant and your goal is best interoperability you need to use DSA and Elgamal. These are the MUST algorithms in OpenPGP.

Regarding security, the first question you should ask yourself is what parts of the system are weaker and thus easier to attack than the actual keys. With system I mean: the hardware (house, room, computer), the operating system, the gadgets you use on your box, the desktop environment, the other tools you are using, the mail program, the compiler and last but not least gpg.

If you have convinced yourself that breaking 1024 bit DSA is easier[1] than attacking one of the other parts of the system, you should consider using a longer key; probably RSA, but in some cases DSA will be a smarter choice for signatures.

What you finally implement depends on your threat model. For example you might ask yourself whether it is really required to keep your data absolutely confidential for 10 and more years. How valuable is this data and how much do you want to invest in protecting it?

Shalom-Salam,

   Werner

[1] Note that if cryptographers tell you an algorithm is no longer secure (e.g. SHA-1), that does not mean you or anyone in the world is able to break it now or in the next couple of years.
Even if it is finally breakable, the cost of attacking one key will be enormous and thus this threat needs to be balanced with the value of the key.

--
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From rjh at sixdemonbag.org Thu Sep 6 14:11:10 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 07:11:10 -0500
Subject: RSA or DSA? That's the question
Message-ID: <46DFEE5E.704@sixdemonbag.org>

Noiano wrote:
> to choose and why. Is it one more secure than the other? I don't think
> so but I think there are some difference that make one algorithm
> suitable for some uses than the other.

Not really. Some places have to conform with regulations or laws which might demand RSA. Some people may want to use smart cards, which have historically been RSA-only. Some people may... etc., etc.

If you have a specific need to use RSA, and you can articulate both the need and why it's a need all in a single sentence, then use RSA. Otherwise, you're far better off sticking with the defaults.

From rjh at sixdemonbag.org Thu Sep 6 14:26:19 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 07:26:19 -0500
Subject: RSA or DSA? That's the question
In-Reply-To: <87fy1scc9h.fsf@wheatstone.g10code.de>
References: <87fy1scc9h.fsf@wheatstone.g10code.de>
Message-ID: <46DFF1EB.3030301@sixdemonbag.org>

Werner Koch wrote:
> that does not mean you or anyone in the world is able to break it now
> or in the next couple of years.

While I agree that a cryppie's definition of "break" is not the same as a practical break, I think it's dangerous to make predictions about how long it takes a cryptographic break to turn into a practical break. E.g., it took MD5 almost a decade to go from a purely academic break to an actual collision, but it took SHA-1 under a year.

> Even if it is finally breakable the cost for attacking one key will
> be enormous and thus this threat needs to be balanced with the value
> of the key.
I don't feel comfortable making predictions about how much an unknown future attack will cost. Take the SHA-1 results as an example: using the original Shandong U. paper it takes a work factor of 2**69 to generate a random collision, but just a few weeks later it was down to 2**63. That's a 98.4% cost savings.

From bushfiel at purdue.edu Thu Sep 6 15:55:59 2007
From: bushfiel at purdue.edu (paladino)
Date: Thu, 6 Sep 2007 06:55:59 -0700 (PDT)
Subject: losing meaningful whitespaces in an encrypted file
Message-ID: <12413076.post@talk.nabble.com>

Hi, I'm sorry to jump right in with a dumb question, but I've tried doing some research myself and I have to confess to much of this being way over my head.

I work for a University that uses GnuPG to encrypt files to send out to various vendors.

We're having a very odd situation right now with one of our files.

We are sending a file that has a header line that ends with 13 spaces. We are encrypting the file from the command line, on a unix machine, with GnuPG. Here's the actual command our guys are using:
/usr/local/bin/gpg -v -r XXXXXXXX -f &filename

We are then transmitting the file to a vendor who is unencrypting it with the windows version of PGP.

When I look at the file here, immediately before it is encrypted, the 13 white spaces are still there. When I look at the file at the vendor, immediately after decryption, the 13 spaces are gone.

I haven't had any luck with getting more information from the vendor about what kind of options they are using. I do know they are using a windows version, and the guy says he basically just double clicks on it, types in a password, and it unencrypts the file.

Is there anything obvious that could be causing something like this? Which end is it more likely the problem is at?

I've been reading about pgp and gpg all day, and while I've learned a lot about both, I'm no closer to a solution for this one than when I started.

Thanks for any help at all.
From rjh at sixdemonbag.org Thu Sep 6 16:41:20 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 09:41:20 -0500
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <12413076.post@talk.nabble.com>
References: <12413076.post@talk.nabble.com>
Message-ID: <46E01190.30704@sixdemonbag.org>

paladino wrote:
> When I look at the file here, immediately before it is encrypted, the 13
> white spaces are still there. When I look at the file at the vendor,
> immediately after decryption, the 13 spaces are gone.

Have you tried a test decryption on your end? E.g., encrypt the file with your own public key and then decrypt that, and see whether the 13 spaces are present?

Also, version numbers would be very useful--both GnuPG on your end and PGP on the vendor's end. This may very well be a PGP problem as opposed to a GnuPG problem, in which case you may be better served on a PGP list such as PGP-Basics at Yahoo! Groups.

> Is there anything obvious that could be causing something like this? Which
> end is it more likely the problem is at?

Impossible to say without more information. My inclination is to think it's probably on the vendor's end, especially if you're using a recent version of GnuPG. There are a lot of PGP 5.0 and 6.5.8 installations out there, and both of them substantially predate the OpenPGP standard which GnuPG conforms to.
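The symptom in the question (13 trailing spaces present before encryption, gone after decryption) is what OpenPGP text-mode canonicalisation does; David Shaw's reply below gives the history of the two canonicalisation rules, which differ on exactly one point, trailing blanks. The following is an added example, not code from the thread or from GnuPG or PGP. It implements both rules on a constructed sample modelled on the question, and adds a pre-flight check that reports which lines a text-mode transfer could alter, so that such files can be sent in binary mode (which never canonicalises anything) instead of being debugged after the fact at the vendor. The treatment of a lone CR is an assumption noted in the code.

```python
"""Text-mode canonicalisation and where trailing spaces go.

Added example, not code from the thread. Both canonicalisation rules that
were in circulation for OpenPGP text data are implemented: the wording of the
original OpenPGP RFC (CR LF line endings, trailing blanks removed) and the
historical PGP behaviour that the revised spec adopted (CR LF line endings
only). The sample data is constructed here.
"""


def canonicalize_text(data: bytes, strip_trailing_blanks: bool) -> bytes:
    """Canonical text form: every line ending becomes CR LF. With
    strip_trailing_blanks=True, spaces and tabs before the line ending are
    also removed. Input may use LF or CR LF; a lone CR is not treated as a
    line ending (an assumption, matching typical Unix tooling)."""
    out = []
    for line in data.split(b"\n"):
        if line.endswith(b"\r"):
            line = line[:-1]
        if strip_trailing_blanks:
            line = line.rstrip(b" \t")
        out.append(line)
    return b"\r\n".join(out)


def lines_at_risk(data: bytes) -> list:
    """(1-based line number, count of trailing blanks) for every line that the
    strip-trailing-blanks rule would change. Empty means text mode is safe."""
    report = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            line = line[:-1]
        trailing = len(line) - len(line.rstrip(b" \t"))
        if trailing:
            report.append((number, trailing))
    return report


def safe_to_send_as_text(data: bytes) -> bool:
    """True when text-mode canonicalisation cannot lose meaningful bytes."""
    return not lines_at_risk(data)


# Constructed sample modelled on the question: a header padded to a fixed width
# with 13 spaces, followed by fixed-width records (made-up values).
SAMPLE = (b"ID   NAME      AMOUNT" + b" " * 13 + b"\n"
          + b"0001 ALICE     00100\n"
          + b"0002 BOB       00250\n")

if __name__ == "__main__":
    print("lines at risk:", lines_at_risk(SAMPLE))
    for rule in (False, True):
        header = canonicalize_text(SAMPLE, rule).split(b"\r\n")[0]
        print(f"strip_trailing_blanks={rule}: header is {len(header)} bytes")
```

Running `lines_at_risk` over an outbound file before encryption is the cheap check: if it reports anything, either encrypt in binary mode or agree with the receiving side on padding that does not depend on trailing blanks, because once the file is in text mode you cannot control which rule the decrypting implementation applies.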
From dshaw at jabberwocky.com Thu Sep 6 16:51:00 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 6 Sep 2007 10:51:00 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <12413076.post@talk.nabble.com>
References: <12413076.post@talk.nabble.com>
Message-ID: <20070906145100.GC601@jabberwocky.com>

On Thu, Sep 06, 2007 at 06:55:59AM -0700, paladino wrote:
>
> Hi, I'm sorry to jump right in with a dumb question, but I've tried doing
> some research myself and I have to confess to much of this being way over my
> head.
>
> I work for a University that uses GnuPG to encrypt files to send out to
> various vendors.
>
> We're having a very odd situation right now with one of our files.
>
> We are sending a file that has a header line that ends with 13 spaces. We
> are encrypting the file from the command line, on a unix machine, with
> GnuPG. Here's the actual command our guys are using:
> /usr/local/bin/gpg -v -r XXXXXXXX -f &filename

Are you sure about that? There is no '-f' option in GPG.

> We are then transmitting the file to a vendor who is unencrypting it with
> the windows version of PGP.
>
> When I look at the file here, immediately before it is encrypted, the 13
> white spaces are still there. When I look at the file at the vendor,
> immediately after decryption, the 13 spaces are gone.
>
> I haven't had any luck with getting more information from the vendor about
> what kind of options they are using. I do know they are using a windows
> version, and the guy says he basically just double clicks on it, types in a
> password, and it unencrypts the file.
>
> Is there anything obvious that could be causing something like this? Which
> end is it more likely the problem is at?

This is a mini-bug sort of thing, based on historical practice in the OpenPGP community and two different versions of the OpenPGP spec.

Basically, OpenPGP specifies both binary and text transports. Binary is just that - a binary image of the file, with no changes.
Text is canonical text, and there are rules for the canonicalization (change line endings to CRLF, etc).

When the OpenPGP spec was written, a piece of 'incorrect' language crept in: that whitespace at the end of a line would not be included in canonical text. PGP already worked fine and never changed their code to match the language in the spec. GPG came along later and followed the spec exactly. For various reasons, this mismatch in canonicalization wasn't really a problem in practice, but nevertheless, in the process of writing the updated OpenPGP spec (which is with the RFC editor now, so it'll be out soon), this was resolved. The new canonicalization rule is the historical one: change line endings, and do nothing to trailing whitespace.

It is hard for me to give you exact advice on what to do from here without a few pieces of information:

1) What version of GPG are you using? (gpg --version)
2) The command line you are using (I'm fairly sure the one above is not correct, as GPG has no '-f' option).

David

From wk at gnupg.org Thu Sep 6 17:50:46 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 06 Sep 2007 17:50:46 +0200
Subject: RSA or DSA? That's the question
In-Reply-To: <46DFF1EB.3030301@sixdemonbag.org> (Robert J. Hansen's message of "Thu, 06 Sep 2007 07:26:19 -0500")
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org>
Message-ID: <878x7jbxnt.fsf@wheatstone.g10code.de>

On Thu, 6 Sep 2007 14:26, rjh at sixdemonbag.org said:

> E.g., it took MD5 almost a decade to go from a purely academic break to
> an actual collision, but it took SHA-1 under a year.

I have not heard of a SHA-1 collision yet. IIRC it still takes something in the range of 2^60. I should not have talked about hash functions as they are a bad example because in the past there has not been much research compared to symmetric and public key encryption.
OTOH, the improvements in breaking public key schemes have been foreseeable for quite some time now and thus we can estimate how long it will take to break an n-bit key.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From vedaal at hush.com Thu Sep 6 18:47:47 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 06 Sep 2007 12:47:47 -0400
Subject: OT
Message-ID: <20070906164748.55CA4DA827@mailserver7.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>Message: 9
>Date: Thu, 06 Sep 2007 07:26:19 -0500
>From: "Robert J. Hansen"
>Subject: Re: RSA or DSA? That's the question
..
>While I agree that a cryppie's definition of "break"
>is not the same as a practical break,
..
..
a little OT here:
..
i have a fair amount of interaction with the disabled, and for those who are not aware, 'CRIP', (less often, 'crippie') is the nickname they use for themselves, especially paraplegics and quadriplegics, and while they use it freely amongst themselves, they are very sensitive about it if it is used by someone out of their own community whom they don't know,
..
if the term CRYPPIE is used within the cryptographic community, i'm sure that none of us would mean to inadvertently upset anyone in the disabled community, so,
..
just something to bear in mind ...
..
..
vedaal

-----BEGIN PGP SIGNATURE-----

iQIVAwUBRuAun1qiDIZqWJqXAQq3pxAAoSN/jYn2jZVxUNOTKB5keySQiv07OrVT
+q2ZlWC25IdhEQJ2p9wz4ISC1e+N2JtyAJh6oYT45VF5TRH6QEyk54VIEE0KwTtI
USjsqPwMUKbcfidiUOtzLXs5JiyfqcvGy/hjjyxVRXZxgqkpm/VMtcTNAoj867qU
zGCPRJB6YCgFBfyEly5OURrI0oSb9I5JzwmB2PUnBBHyfUrpTTto5HoFD9J1DUFJ
yDGyRRhiYuTLOASn5A8T4TTdHSmR/mj0wKvi87gwzqgVoUXdm1GYhY93d1wCWYUS
XGsCKMldrFfAJya8mEt8uRKkVnJ9RMPuPYVwqR6mHIDxtsr+2PS0Yyf4Vs9LlIcF
o0VH3ozDivOVlWX9hjMeX6MggcV4UG6pfqMLxoxxHCPQY9aIvsgAxVSm2ljGCyfD
FCbLcpq42u2KTG7+XyuiMI5G5OkSdMYpfMJbW4gzA3F8e2JsMINveNq2CZ0bb8cz
SP090PGU/r+r3Z05JxQiBLsTtH6tFdfUWu0eM4fARXgtauGVRkkOMIBXGgh9YePZ
HimX231nqE3TEeEhjfTngXM4di7eHq4AS7NIsAQi3O1wuxGMgTlzBZCqHAq17N08
gr1guYjduNTRbnufnUI9BYw+TOAIRgq93yaM9cmipBcMUyaFEJhmiXI3STg4fw+Y
5ir4Vwi2Y3s=
=qLEe
-----END PGP SIGNATURE-----

From vedaal at hush.com Thu Sep 6 18:56:47 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Thu, 06 Sep 2007 12:56:47 -0400
Subject: OT // signature verification
Message-ID: <20070906165648.E8773DA827@mailserver7.hushmail.com>

vedaal wrote:

-----BEGIN PGP SIGNED MESSAGE-----
...
...
...
...
...
...
...
-----BEGIN PGP SIGNATURE-----

sorry, hushmail insisted on duplicating the periods; there should be only one period instead of two on the lines indicated. if the message is copied and the extra period is deleted, the sig will verify

vedaal

From rjh at sixdemonbag.org Thu Sep 6 20:37:08 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 13:37:08 -0500
Subject: RSA or DSA? That's the question
In-Reply-To: <878x7jbxnt.fsf@wheatstone.g10code.de>
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de>
Message-ID: <46E048D4.3090703@sixdemonbag.org>

Werner Koch wrote:
> I have not heard of a SHA-1 collision yet. IIRC it still takes
> something in the range of 2^60.

Rechberger and Cannière had some interesting things at CRYPTO 2006--I don't recall the details, but it sounded like a partial preimage attack, not just a simple collision. They only demonstrated it against SHA-1 reduced to 64 rounds, but drew a pretty clear roadmap for how to extend it to 80. I'm expecting more results soon.

SHA-1 is facing some scary times.

> symmetric and public key encryption. OTOH, the improvement in breaking
> public key schemes are foreseeable for quite some time now and thus we
> can estimate how long it will take to break an n-bit key.

I don't know that I'd agree with that. In the early '90s when I first started using PGP 2.6, a 1024-bit key was considered to be ridiculous overkill. Most keys of that era were only 512 bits, and were considered of suitable strength for a great many years. A generation prior to that, Ron Rivest's original late-1970s predictions on necessary key lengths turned out to be wildly optimistic.

We've got two full generations of crypto prophets who have badly overestimated the long-term security of algorithms and badly underestimated the unpredictable advances in computing power. It seems reasonable to me to ask why the current round of prophecy should be believed, given the failures of the past.

When Schneier wrote _Applied Cryptography_ in 1992, the Chinese Lottery Attack was speculative fiction at best. Today, distributed.net is doing them every single day. It makes you think about what William Gibson said--"the future is already here, it's just unevenly distributed."

From rjh at sixdemonbag.org Thu Sep 6 20:54:37 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 13:54:37 -0500
Subject: OT
In-Reply-To: <46E03FBA.4040507@Mozilla-Enigmail.org>
References: <20070906164748.55CA4DA827@mailserver7.hushmail.com> <46E03FBA.4040507@Mozilla-Enigmail.org>
Message-ID: <46E04CED.2040002@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

John Clizbe wrote:
> The *only* way to get the pejorative connotation you refer to is to
> conflate cryppy with the homophone you cite, crippie - something that
> is a bit difficult to do via written text.

Or even in conversational speech. The contexts in which cryppies are talked about tend not to be the contexts in which crippies are talked about.

This seems like a non-issue to me. English is full of homophonic collisions. Some people think the phrase "let's call a spade a spade" is racist, based on the word 'spade' being a racist epithet for people of a particular skin hue. This is despite the fact the phrase is a bad translation of a Greek proverb: "call a bowl a bowl".

People have lost their jobs for describing their tendency towards parsimony as 'niggardly'. That phrase is of Old Norse origin, "hnøggr", meaning "stingy". It's in no way connected to an epithet.

And so on, and so on, and so on. English takes words and proverbs from many different sources and conflates them all into one bizarre, counterintuitive, contralogical, colliding whole. (Consider that many consider it bad form to split an infinitive, but the word 'to' has as much relation to an infinitive as 'the' has to a nominative; so why is "to boldly go" considered verboten, while "the red car" is acceptable?)

While I'm generally all in favor of being mindful of one's environment when selecting words, listeners have an equal obligation to be mindful of the flexibilities of language when deciding whether they ought to be offended.

So yeah, I'm with John: this is a nonissue.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iFYEAREKAAYFAkbgTO0ACgkQf2XByo0Cu7NJrgDfR6WRrbO3ZFJeUxV0mog2f7PC CqiBjPS73vECuADeI+EYUdd4akoiJvMz0jJAX3PHPUhux+zySuJXm4kBHAQBAQoA BgUCRuBM7QAKCRC3APSC/q+BCQKnCADC9gGZ52nAteHwLXEhzcYMCHjn0WVhxkcP IkfnFlGseQt9TaIa3z9DstkKa9CgsUMi/zViFEIdzFTHjJF2XbzsnQyO6vm1D0lO HjNeU/YbGWf7W82IiNffUT9N+65itwiy9FVC0bvI+LXcFKnILN8tDJZ3nlUtZpKf Yq3akMsJbDKyXDu1f/oR8gU/QiGdL/BiDS0Ih6SOzJ1ZmPVSLll3+wjYW0mWRJI0 1fEsWSChdc5KW+l0CRFZdft2Vioj0jgbHAgJUJxYcMD321xD9+OXMeIZunhQeBqA 18WV014qDVQfcxqPts3nhON57Dwm5S26iKp8wfoVqJpFj0emjKl0 =CwiN -----END PGP SIGNATURE----- From noiano at x-privat.org Thu Sep 6 21:17:17 2007 From: noiano at x-privat.org (Noiano) Date: Thu, 06 Sep 2007 21:17:17 +0200 Subject: RSA or DSA? That's the question In-Reply-To: <46E048D4.3090703@sixdemonbag.org> References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de> <46E048D4.3090703@sixdemonbag.org> Message-ID: Robert J. Hansen wrote: > Werner Koch wrote: >> I have not heard of a SHA-1 collision yet. IIRC it still takes >> something in the range of 2^60. > > Rechberger and Canni?re had some interesting things at CRYPTO 2006--I > don't recall the details, but it sounded like a partial preimage attack, > not just a simple collision. They only demonstrated it against SHA-1 > reduced to 64 rounds, but drew a pretty clear roadmap for how to extend > it to 80. I'm expecting more results soon. > > SHA-1 is facing some scary times. > >> symmetric and public key encryption. OTOH, the improvement in breaking >> public key schemes are foreseeable for quite some time now and thus we >> can estimate how long it will take to break an n-bit key. > > I don't know I'd agree with that. In the early '90s when I first > started using PGP 2.6, a 1024-bit key was considered to be ridiculous > overkill. Most keys of that era were only 512 bits, and were considered > of suitable strength for a great many years. 
> A generation prior to
> that, Ron Rivest's original late-1970s predictions on necessary key
> lengths turned out to be wildly optimistic.
>
> We've got two full generations of crypto prophets who have badly
> overestimated the long-term security of algorithms and badly
> underestimated the unpredictable advances in computing power. It seems
> reasonable to me to ask why the current round of prophecy should be
> believed, given the failures of the past.
>
> When Schneier wrote _Applied Cryptography_ in 1992, the Chinese Lottery
> Attack was speculative fiction at best. Today, distributed.net is doing
> them every single day. It makes you think about what William Gibson
> said--"the future is already here, it's just unevenly distributed."

First of all, thanks for your answers; I now have clearer ideas :-).

For what concerns SHA-1, I read that, thanks to the collisions, an attacker can modify the message but the signature verification will be ok. I think that's really hard to do, right?

By the way, I am thinking of creating an RSA key pair (with an RSA subkey) as I am willing to buy a smart card kit. However, you said the very standard algorithm is DSA/Elgamal, so what should I do? Create two key pairs? An RSA one and a DSA/Elgamal one?

One more thing: the key expiry. Do you think that setting the expiry date after a year or two is a good choice? Or is it better not to set an expiry date and revoke the key when necessary?

Thanks again

Noiano

From JPClizbe at tx.rr.com Thu Sep 6 21:34:04 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 06 Sep 2007 14:34:04 -0500
Subject: OT (resend)
In-Reply-To: <20070906164748.55CA4DA827@mailserver7.hushmail.com>
References: <20070906164748.55CA4DA827@mailserver7.hushmail.com>
Message-ID: <46E0562C.6010909@tx.rr.com>

vedaal at hush.com wrote:
>>Message: 9
>>Date: Thu, 06 Sep 2007 07:26:19 -0500
>>From: "Robert J. Hansen"
>>Subject: Re: RSA or DSA? That's the question
> ..
>>While I agree that a cryppie's definition of "break"
>>is not the same as a practical break,
> ..
> ..
> a little OT here:

More than, and

> ..
> i have a fair amount of interaction with the disabled, and for those who are
> not aware, 'CRIP', (less often, 'crippie') is the nickname they use for
> themselves, especially paraplegics and quadriplegics, and while they use it
> freely amongst themselves, they are very sensitive about it if it is used by
> someone out of their own community whom they don't know,

I call foul. The *only* way to get the pejorative connotation you refer to is to conflate cryppy with the homophone you cite, crippie - something that is a bit difficult to do via written text.

I have several "difficulties" of my own that I deal with in daily life. Someone more sensitive than I might take offense at your use of 'dis-abled'. Most folks are not 'dis'-anything, most are 'differently-abled', eg they still hear and see, they just hear and see a bit differently than most.

Sorry, but I don't want written discourse to fall down the rabbit hole of rendering the inoffensive as offensive. The next stop is the PC-speak hell of the overly adverbially modified.

> ..
> if the term CRYPPIE is used within the cryptographic community, i'm sure that
> none of us would mean to inadvertently upset anyone in the disabled
> community, so,

From a wiki of US Navy slang (http://www.mshtawy.com/en-wiki.php?title=U.S._Navy_slang):

Cryppy/Cryppy Critter: Cryptographer, also seen on a highway near the Cryptography School (aka Goodfellow Air Force Base) in San Angelo, Texas without vowels, as CRYPPY CRTTR.

The US Navy has a long (very long) and honored history of SIGINT and cryptography going back to the beginnings of radio. This early history may be found in public histories of what are now the NSA and the CIA.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?"        / "two words: good decisions."
"what's the key to good decisions?" /  "one word: experience."
"how do i get experience?"          / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From oskar at rbgi.net Thu Sep 6 22:52:49 2007
From: oskar at rbgi.net (Oskar L.)
Date: Thu, 6 Sep 2007 23:52:49 +0300 (EEST)
Subject: RSA or DSA? That's the question
In-Reply-To: <46DFEE5E.704@sixdemonbag.org>
References: <46DFEE5E.704@sixdemonbag.org>
Message-ID: <37322.62.142.196.85.1189111969.squirrel@mail.rbgi.net>

Noiano wrote:
> to choose and why. Is one more secure than the other? I don't think
> so, but I think there are some differences that make one algorithm more
> suitable for some uses than the other.

There was a lengthy discussion on this list about the differences between RSA and DSA a few weeks ago. I suggest you read it; it contains a lot of information. The list's archives are located at: http://lists.gnupg.org/pipermail/gnupg-users/

One thing I forgot to mention in that discussion is that since DSA is the default, there are probably many more DSA keys in use currently than RSA keys. (If anyone has any statistics, that would be interesting to see.) Therefore, if a government were to invest serious time and effort in breaking public key crypto, they would probably attack DSA, not RSA, in order to get the most for their money. I'm not saying either one is weak and could not stand such an attack, but if there's less pressure on RSA, then I would consider that to be a benefit.

I would recommend never automatically using the defaults. Thoroughly research the differences between all the options, and then decide what is best for you. The defaults are not always the most secure. For example, Rijndael was not chosen to become the AES because it offered the best security, but because it was easy to implement in hardware, fast, and secure enough.
Oskar

From grahamtodd2 at googlemail.com Thu Sep 6 22:52:57 2007
From: grahamtodd2 at googlemail.com (Graham Todd)
Date: Thu, 6 Sep 2007 21:52:57 +0100
Subject: OT (resend)
In-Reply-To: <46E0562C.6010909@tx.rr.com>
References: <20070906164748.55CA4DA827@mailserver7.hushmail.com> <46E0562C.6010909@tx.rr.com>
Message-ID: <20070906215257.127433a4@graham-desktop>

On Thu, 06 Sep 2007 14:34:04 -0500 John Clizbe wrote:

> From a wiki of US Navy slang
> (http://www.mshtawy.com/en-wiki.php?title=U.S._Navy_slang):
>
> Cryppy/Cryppy Critter: Cryptographer, also seen on a highway near
> the Cryptography School (aka Goodfellow Air Force Base) in San
> Angelo, Texas without vowels, as CRYPPY CRTTR.
>
> The US Navy has a long (very long) and honored history of SIGINT and
> cryptography going back to the beginnings of radio. This early
> history may be found in public histories of what are now the NSA and
> the CIA.

[snipped]

John, I respect your point of view and I shall defend to the death your ability to say it. However, whether the US Navy uses slang of this kind doesn't make it part of the English language, nor whether these things can be found in the histories of the CIA and NSA is irrelevant to me as a Brit (except as an academic exercise).

I use the English language (maybe not always the correct Queen's English) and, if I might be so bold as to say, not a version of it for American usage. But both our versions of English have to be understandable to people in other countries who use the internet without it being their first tongue, and it's well not to muddy the waters with cultural and linguistic allusions that might not be generally accepted nor understood in the same way by those people.

I think this is what Vedaal meant in his OP. It's not a matter of "political correctness", but of using the English language in a way that's not misunderstood or which causes offence.
In speaking to people in the US I have found that the phrase "political correctness" means different things to those of us in the UK, and in any case "politics" by itself often means different things and conjures up different images. So it's best not to use the phrase.

Can I ask that people think before they write and realise that the internet has lots of different people, from differing cultures and backgrounds, who can be easily offended by things which you find innocuous in your culture.

-- 
Graham Todd

From rjh at sixdemonbag.org Fri Sep 7 02:24:17 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 06 Sep 2007 19:24:17 -0500
Subject: OT (resend)
In-Reply-To: <20070906215257.127433a4@graham-desktop>
References: <20070906164748.55CA4DA827@mailserver7.hushmail.com> <46E0562C.6010909@tx.rr.com> <20070906215257.127433a4@graham-desktop>
Message-ID: <46E09A31.7040504@sixdemonbag.org>

Graham Todd wrote:
> John, I respect your point of view and I shall defend to the death your
> ability to say it. However, whether the US Navy uses slang of this
> kind doesn't make it part of the English language, nor whether these
> things can be found in the histories of the CIA and NSA is irrelevant
> to me as a Brit (except as an academic exercise).

Thus, Americans should simply dismiss all the words in cryptography which come to us courtesy of Bletchley Park or GCHQ simply because they're utterly irrelevant to us except as an academic exercise?

> I think this is what Vedaal meant in his OP. It's not a matter of
> "political correctness", but of using the English language in a way
> that's not misunderstood or which causes offence.
"Cryppie" is in the Jargon File [1], in the Free Online Dictionary of Computing [2], in USN slang, USAF slang, and even GCHQ slang. I've never met a cryptographer or cryptographic engineer, regardless of where they're from, who does not understand the term "cryppie".

At some point, people have to take the responsibility for looking up a word they do not know. If a good definition cannot be found in under thirty seconds of searching, then I think a strong complaint can be made. That is not the case here.

[1] http://catb.org/jargon/html/C/cryppie.html
[2] http://foldoc.org/?cryppie

From john at johncheetham.com Fri Sep 7 06:13:13 2007
From: john at johncheetham.com (John Cheetham)
Date: Fri, 07 Sep 2007 05:13:13 +0100
Subject: How to use GnuPG to generate sha512sum hash?
In-Reply-To: <1189138102.3322.0.camel@stealth.localdomain>
References: <1189138102.3322.0.camel@stealth.localdomain>
Message-ID: <1189138393.3322.6.camel@stealth.localdomain>

> Moses wrote:
> > O...I see.
> > I've got the correct hash on Linux..., thank you all! :-)
> >
> > The problem remains now is how to get the same hashing on Windows,
> > because echo on windows does not have a -n flag:
> > >echo -n AAA
> > -n AAA
> > so, on windows "echo -n AAA | gpg --print-md sha1" is actually hashing
> > "-n AAA\n" but not "AAA"... :-\
> >
> > Is there an easy way to get rid of the newline on windows systems?
>
> A) Construct a text file containing your text without the CR-LF Windows likes
> and use 'TYPE'
>
> C:\WINDOWS\Temp>dir aaa.txt
>  Volume in drive C is Ice Chest
>  Volume Serial Number is 3083-4508
>
>  Directory of C:\WINDOWS\Temp
>
> 2007-08-31  16:02                 3 aaa.txt
>                1 File(s)              3 bytes
>                0 Dir(s)  24,640,925,696 bytes free
>
> C:\WINDOWS\Temp>type aaa.txt | gpg --print-md sha512
> 8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078
> B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385
>
> B) Or use any of the versions of bash or ksh available for Win32 to get a posix
> environment. There are many available: MSYS, Cygwin, UWIN, SFU/Interix
>
> C:\WINDOWS\Temp>bash
> bash-3.2$ echo -n AAA | gpg --print-md sha512
> 8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078
> B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385
> bash-3.2$
>

Alternatively you could use "echo.exe", which allows use of the "-n" flag to get rid of the newline and is good for putting in scripts. It's in UnxUtils, which you can download from http://sourceforge.net/projects/unxutils.

From zhangweiwu at realss.com Fri Sep 7 10:30:32 2007
From: zhangweiwu at realss.com (Zhang Weiwu)
Date: Fri, 7 Sep 2007 16:30:32 +0800 (CST)
Subject: old question: invalid trustdb (workarounds on the Internet doesn't work for me)
In-Reply-To: <87ir6q52h1.fsf@wheatstone.g10code.de>
References: <46DBF395.3050203@realss.com> <87ir6q52h1.fsf@wheatstone.g10code.de>
Message-ID:

On Tue, 4 Sep 2007, Werner Koch wrote:

>> gpg: [don't know]: indeterminate length for invalid packet type 13
>> gpg: keydb_search_first failed: invalid packet
>
> Are you sure that you copied the keys correctly. The "13" may be an
> indication that you forgot to switch the ftp client to binary mode - if
> you used FTP.

It turns out you are right! The files were corrupted, and re-copying them from the sparc workstation instantly solved the problem! Thank you very much!
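As an added example (not from the thread), the sha512sum question above in portable shell: `echo -n` is not guaranteed by POSIX either, so `printf '%s'` is the reliable way to hash exactly the bytes you intend. The functions assume coreutils `sha512sum` is available and reformat its output into the grouped, uppercase shape `gpg --print-md` prints (apart from line wrapping), so the two tools can be compared directly.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes coreutils sha512sum;
# gpg itself is not needed to follow along.

# Hash exactly the bytes of $1. printf '%s' adds no trailing newline,
# unlike echo, and is portable where 'echo -n' is not (POSIX leaves
# 'echo -n' unspecified; dash and cmd.exe both behave differently).
sha512_exact() {
    printf '%s' "$1" | sha512sum | cut -d' ' -f1
}

# What plain 'echo' does on Unix: hashes "$1" followed by a LF.
sha512_with_lf() {
    printf '%s\n' "$1" | sha512sum | cut -d' ' -f1
}

# What cmd.exe's built-in echo did in the thread: 'echo -n AAA' printed
# the literal text "-n AAA" followed by CR LF, so that is what was hashed.
sha512_cmd_echo() {
    printf '%s %s\r\n' "-n" "$1" | sha512sum | cut -d' ' -f1
}

# Reformat a lowercase hex digest the way gpg --print-md shows it:
# uppercase, in groups of eight hex digits separated by single spaces.
gpg_md_style() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | sed 's/\(.\{8\}\)/\1 /g; s/ $//'
}

# Exit 0 when the digest of the exact bytes of $1 equals a digest pasted
# from gpg --print-md output ($2), whatever its spacing, wrapping or case.
matches_gpg_output() {
    want=$(printf '%s' "$2" | tr -d ' \n' | tr 'A-F' 'a-f')
    [ "$(sha512_exact "$1")" = "$want" ]
}

# Demonstration on the thread's own input: three different digests for
# what looks like the same three-character string.
if [ "${1:-}" = "demo" ]; then
    for f in sha512_exact sha512_with_lf sha512_cmd_echo; do
        printf '%-16s %s\n' "$f" "$(gpg_md_style "$("$f" AAA)")"
    done
fi
```

Run it with the argument `demo` to print the three digests side by side.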
From r.post at sara.nl Fri Sep 7 08:33:44 2007
From: r.post at sara.nl (Remco Post)
Date: Fri, 07 Sep 2007 08:33:44 +0200
Subject: OT // signature verification
In-Reply-To: <20070906165648.E8773DA827@mailserver7.hushmail.com>
References: <20070906165648.E8773DA827@mailserver7.hushmail.com>
Message-ID: <46E0F0C8.8020204@sara.nl>

vedaal at hush.com wrote:
>
> sorry,
> hushmail insisted on duplicating the periods,
> there should be only one period instead of two on the lines
> indicated,

That is because in the smtp protocol, a period on a line by itself (.) signifies the end of a mail message, so _every_ e-mail client _must_ take care to avoid this. Now, since it's more customary to end a sentence with the period directly after the last word in most languages (all that I know, but maybe...) this shouldn't be a problem in most cases. (so if you want a period on a line by itself, append a space, nobody will see, but it won't be the end of your message either).

-- 
Met vriendelijke groeten,

Remco Post

SARA - Reken- en Netwerkdiensten                      http://www.sara.nl
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16  B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From malayter at gmail.com Fri Sep 7 15:15:13 2007
From: malayter at gmail.com (Ryan Malayter)
Date: Fri, 7 Sep 2007 08:15:13 -0500
Subject: RSA or DSA? That's the question
In-Reply-To: <37322.62.142.196.85.1189111969.squirrel@mail.rbgi.net>
References: <46DFEE5E.704@sixdemonbag.org> <37322.62.142.196.85.1189111969.squirrel@mail.rbgi.net>
Message-ID: <5d7f07420709070615p7caa1a7ew5bd473a0b208927f@mail.gmail.com>

On 9/6/07, Oskar L.
wrote:
> One thing I forgot to mention in that discussion, is that since DSA is the
> default, there are probably many more DSA keys in use currently than RSA
> keys. (If anyone has any statistics that would be interesting to see.)
> Therefore, if a government were to invest serious time and effort in
> breaking public key crypto, they would probably attack DSA, not RSA, in
> order to get the most for their money. I'm not saying either one is weak
> and could not stand such an attack, but if there's less pressure on RSA,
> then I would consider that to be a benefit.

I disagree. DSA is more popular - perhaps - for the narrow use case of OpenPGP keys. But RSA is the *far* more popular public-key algorithm, used in everything from SSL/TLS to secure military communications devices. A general technique which allows RSA to be broken is far more valuable than a general break in DSA or ElGamal.

If you were a government spending money to crack crypto, wouldn't you like to be able to impersonate and read the traffic from every "secure" website on the planet? Oh, and read the mail of foreign militaries and diplomats as a bonus? Or would you want to read Werner Koch's mail and that of a few other crypto enthusiasts?

Despite its standardization and patent-free nature, DSA isn't really that popular in my experience.

-- 
RPM

From wk at gnupg.org Fri Sep 7 18:26:41 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 07 Sep 2007 18:26:41 +0200
Subject: RSA or DSA? That's the question
In-Reply-To: <5d7f07420709070615p7caa1a7ew5bd473a0b208927f@mail.gmail.com> (Ryan Malayter's message of "Fri, 7 Sep 2007 08:15:13 -0500")
References: <46DFEE5E.704@sixdemonbag.org> <37322.62.142.196.85.1189111969.squirrel@mail.rbgi.net> <5d7f07420709070615p7caa1a7ew5bd473a0b208927f@mail.gmail.com>
Message-ID: <87y7fi5tmm.fsf@wheatstone.g10code.de>

On Fri, 7 Sep 2007 15:15, malayter at gmail.com said:

> Or would you want to read Werner Koch's mail and that of a few other
> crypto enthusiasts?
> Despite its standardization and patent-free

This requires support for Elgamal because DSA is used only for signing. Actually DSS (DSA + SHA*) is a national US standard and it is suggested to use it for digital signatures. A variant of DSA, ECDSA, gains more and more importance and without the patent problems/FUD you would very soon see it included and used in all Internet standards.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

From rjh at sixdemonbag.org Fri Sep 7 20:09:30 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 07 Sep 2007 13:09:30 -0500
Subject: RSA or DSA? That's the question
In-Reply-To: <5d7f07420709070615p7caa1a7ew5bd473a0b208927f@mail.gmail.com>
References: <46DFEE5E.704@sixdemonbag.org> <37322.62.142.196.85.1189111969.squirrel@mail.rbgi.net> <5d7f07420709070615p7caa1a7ew5bd473a0b208927f@mail.gmail.com>
Message-ID: <46E193DA.9000207@sixdemonbag.org>

Ryan Malayter wrote:
> A general technique which allows RSA to be broken is far more
> valuable than a general break in DSA or ElGamal.

Breaking the discrete log problem also breaks the integer factorization problem. IFP can be seen as a special case of the DLP. Breaking DLP breaks every asymmetric algo in OpenPGP. Breaking IFP may only break RSA.

From rjh at sixdemonbag.org Fri Sep 7 20:29:25 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 07 Sep 2007 13:29:25 -0500
Subject: RSA or DSA? That's the question
In-Reply-To:
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de> <46E048D4.3090703@sixdemonbag.org>
Message-ID: <46E19885.2010201@sixdemonbag.org>

Noiano wrote:
> First of all, thanks for your answers; I now have clearer ideas :-).
> For what concerns SHA-1, I read that, thanks to the collisions, an
> attacker can modify the message but the signature verification will
> be ok.

That's not possible today.
Today, it would be extraordinarily difficult to forge the message. However, that's no guarantee it will be extraordinarily difficult in six months or a year.

It is best to migrate away from SHA-1 right now.

> By the way, I am thinking of creating an RSA key pair (with an RSA subkey)
> as I am willing to buy a smart card kit. However, you said the very
> standard algorithm is DSA/Elgamal, so what should I do? Create two
> key pairs? An RSA one and a DSA/Elgamal one?

Don't buy a smart card unless you need a smart card. Most smart cards limit themselves to RSA-1024. Distributed key cracking plus the constant forward march of mathematical progress means it's possible RSA-1024 will fall in the next five years.

If you need a smart card, by all means, get one. If you don't, you're probably better off without one, because it gives you more possibilities.

Insofar as what I think you should do, my advice is unchanged. Stick with the defaults. I genuinely do not understand why people spend hours upon hours laboriously deciding whether to use a DSA or an RSA key. Drop "enable-dsa2" in your gpg.conf, set your personal hash preferences to use SHA256, and create a default key.

> One more thing: the key expiry. Do you think that setting the expiry
> date after a year or two is a good choice? Or is it better not to set an
> expiry date and revoke the key when necessary?

For most personal/home users, expiration is not necessary.

From noiano at x-privat.org Fri Sep 7 22:09:26 2007
From: noiano at x-privat.org (Noiano)
Date: Fri, 07 Sep 2007 22:09:26 +0200
Subject: RSA or DSA? That's the question
In-Reply-To: <46E19885.2010201@sixdemonbag.org>
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de> <46E048D4.3090703@sixdemonbag.org> <46E19885.2010201@sixdemonbag.org>
Message-ID:

Robert J. Hansen wrote:
> Noiano wrote:
>> First of all, thanks for your answers; I now have clearer ideas :-).
>> For what concerns SHA-1, I read that, thanks to the collisions, an
>> attacker can modify the message but the signature verification will
>> be ok.
>
> That's not possible today. Today, it would be extraordinarily difficult
> to forge the message. However, that's no guarantee it will be
> extraordinarily difficult in six months or a year.
>
> It is best to migrate away from SHA-1 right now.

In my OpenPGP preferences in Thunderbird I've tried to set SHA-256, but I got an error saying it was only possible to use SHA-128. What went wrong?

>
>> By the way, I am thinking of creating an RSA key pair (with an RSA subkey)
>> as I am willing to buy a smart card kit. However, you said the very
>> standard algorithm is DSA/Elgamal, so what should I do? Create two
>> key pairs? An RSA one and a DSA/Elgamal one?
>
> Don't buy a smart card unless you need a smart card. Most smart cards
> limit themselves to RSA-1024.

0_0 I didn't know that....what bad news!

> Distributed key cracking plus the
> constant forward march of mathematical progress means it's possible
> RSA-1024 will fall in the next five years.

DSA keysize is 1024 and cannot be changed. Do the considerations above apply to a DSA key?

>
> If you need a smart card, by all means, get one. If you don't, you're
> probably better off without one, because it gives you more possibilities.
>
> Insofar as what I think you should do, my advice is unchanged. Stick
> with the defaults. I genuinely do not understand why people spend hours
> upon hours laboriously deciding whether to use a DSA or an RSA key.
> Drop "enable-dsa2" in your gpg.conf, set your personal hash preferences
> to use SHA256, and create a default key.

Done!

>
>> One more thing: the key expiry. Do you think that setting the expiry
>> date after a year or two is a good choice? Or is it better not to set an
>> expiry date and revoke the key when necessary?
>
> For most personal/home users, expiration is not necessary.
Thanks again

From rjh at sixdemonbag.org Fri Sep 7 22:54:03 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 07 Sep 2007 15:54:03 -0500
Subject: RSA or DSA? That's the question
In-Reply-To:
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de> <46E048D4.3090703@sixdemonbag.org> <46E19885.2010201@sixdemonbag.org>
Message-ID: <46E1BA6B.9090708@sixdemonbag.org>

Noiano wrote:
> In my OpenPGP preferences in Thunderbird I've tried to set SHA-256, but I
> got an error saying it was only possible to use SHA-128. What went wrong?

Beats me, but I'm sure the other Enigmail users on-list will chime in with helpful advice.

> 0_0 I didn't know that....what bad news!

It's not catastrophic news. Just because it may be feasible to break _one_ key that way in five years doesn't mean _all_ keys will need to be retired. As an example, I would feel fairly safe using 64-bit symmetric encryption for my email today, despite the fact distributed.net has cracked RC5/64. I don't think people who want to read my email are willing to invest the thousands of computers and the 18 months that it took distributed.net, after all.

However, for people who have very, very high security needs, RSA-1024 needs to be considered to be living on borrowed time.

> DSA keysize is 1024 and cannot be changed. Do the considerations above
> apply to a DSA key?

Yes. No. You can get a Ph.D. for studying this question.

The current best way to attack the integer factorization problem (the mathematical heart of RSA) is the general number field sieve (GNFS).
GNFS can also be used against the discrete logarithm problem (the mathematical heart of DSA and Elgamal), but the memory requirements become... weird. Currently we think the memory requirements become enormous, far far exceeding that required for attacking the IFP, but I'm aware of no proof that the memory requirement _must_ be that large.

Best advice: don't panic and don't overreact. If RSA-1024 won't do for your needs, then DSA-1024 needs to be considered suspect, too. If RSA-1024 will do for your needs, DSA-1024 probably will, too.

From moses.mason at gmail.com Sat Sep 8 06:33:48 2007
From: moses.mason at gmail.com (Moses)
Date: Sat, 8 Sep 2007 12:33:48 +0800
Subject: How to use GnuPG to generate sha512sum hash?
In-Reply-To: <46D8AAF6.7050307@tx.rr.com>
References: <87bcf3800708302311o74f7d451y906bf81874daf9d3@mail.gmail.com> <20070831083851.GD29678@psilocybe.teonanacatl.org> <87bcf3800708310422u6ee3d054s5da8b0fae3af73ac@mail.gmail.com> <20070831115532.GA19230@jabberwocky.com> <87bcf3800708310723u16eeefdcmd5a0463407779ffc@mail.gmail.com> <46D8AAF6.7050307@tx.rr.com>
Message-ID: <87bcf3800709072133w42742a88u3f1aa1c6c7da887c@mail.gmail.com>

Thank you very much, I'm using Cygwin now.. :)

On 9/1/07, John Clizbe wrote:
> Moses wrote:
> > O...I see.
> > I've got the correct hash on Linux..., thank you all! :-)
> >
> > The problem remains now is how to get the same hashing on Windows,
> > because echo on windows does not have a -n flag:
> > >echo -n AAA
> > -n AAA
> > so, on windows "echo -n AAA | gpg --print-md sha1" is actually hashing
> > "-n AAA\n" but not "AAA"... :-\
> >
> > Is there an easy way to get rid of the newline on windows systems?
>
> A) Construct a text file containing your text without the CR-LF Windows likes
> and use 'TYPE'
>
> C:\WINDOWS\Temp>dir aaa.txt
>  Volume in drive C is Ice Chest
>  Volume Serial Number is 3083-4508
>
>  Directory of C:\WINDOWS\Temp
>
> 2007-08-31  16:02                 3 aaa.txt
>                1 File(s)              3 bytes
>                0 Dir(s)  24,640,925,696 bytes free
>
> C:\WINDOWS\Temp>type aaa.txt | gpg --print-md sha512
> 8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078
> B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385
>
> B) Or use any of the versions of bash or ksh available for Win32 to get a posix
> environment. There are many available: MSYS, Cygwin, UWIN, SFU/Interix
>
> C:\WINDOWS\Temp>bash
> bash-3.2$ echo -n AAA | gpg --print-md sha512
> 8D708D18 B54DF396 2D696F06 9AD42DAD 7762B5D4 D3C97EE5 FA2DAE06 73ED4654 5164C078
> B8DB3D59 C4B96020 E4316F17 BB3D91BF 1F6BC089 6BBE7541 6EB8C385
> bash-3.2$
>
> --
> John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
> You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
> "what's the key to success?"        / "two words: good decisions."
> "what's the key to good decisions?" /  "one word: experience."
> "how do i get experience?"          / "two words: bad decisions."
>
> "Just how do the residents of Haiku, Hawai'i hold conversations?"

From wk at gnupg.org Mon Sep 10 18:46:14 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 10 Sep 2007 18:46:14 +0200
Subject: [Announce] GnuPG 2.0.7 released
Message-ID: <87tzq2qxih.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.7

This is a maintenance release with a few minor enhancements.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage.
It can be used to encrypt data, create digital signatures, help authenticate using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.6) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems.

What's New
==========

 * Fixed encryption problem if duplicate certificates are in the keybox.

 * Made it work on Windows Vista [1]. Note that the entire Windows port is still considered Beta.

 * Add new options min-passphrase-nonalpha, check-passphrase-pattern, enforce-passphrase-constraints and max-passphrase-days to gpg-agent.

 * Add command --check-components to gpgconf. Gpgconf now uses the installed versions of the programs and does not anymore search via PATH for them.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/ or read on:

GnuPG 2.0.7 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org.
On the FTP server and its mirrors you should find the following files in the gnupg/ directory:

gnupg-2.0.7.tar.bz2 (3525k)
gnupg-2.0.7.tar.bz2.sig

GnuPG source compressed using BZIP2 and OpenPGP signature.

gnupg-2.0.6-2.0.7.diff.bz2 (53k)

A patch file to upgrade a 2.0.6 GnuPG source tree. This patch does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.7.tar.bz2 you would use this command:

gpg --verify gnupg-2.0.7.tar.bz2.sig

This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command

finger wk ,at' g10code.com

or using a keyserver like

gpg --recv-key 1CE0C630

The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get a key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged.

NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

* If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum.
Assuming you downloaded the file gnupg-2.0.7.tar.bz2, you would run the sha1sum command like this:

sha1sum gnupg-2.0.7.tar.bz2

and check that the output matches the first line from the following list:

f7d9ae7695bd9b849475b482bb7b027ec6fadbae gnupg-2.0.7.tar.bz2
77ab84d4128dfc745f7e8d20b23a6842e84287fc gnupg-2.0.6-2.0.7.diff.bz2

Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and changed strings most translations are not entirely complete. The Swedish, Turkish, German and Russian translations are close to being complete.

Documentation
=============

We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features have been around for several years and thus enough public knowledge is already available.

KDE's KMail is the most prominent user of GnuPG. In fact it has been developed along with the Kmail folks. Mutt users might want to use the configure option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP support.

The manual is also available online in HTML format at http://www.gnupg.org/documentation/manuals/gnupg/ and in Portable Document Format at http://www.gnupg.org/documentation/manuals/gnupg.pdf .

Support
=======

Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or by donating money.

Commercial support contracts for GnuPG are available, and they help finance continued maintenance.
g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects.

The GnuPG service directory is available at: http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists.

Happy Hacking,

The GnuPG Team (David, Marcus, Werner and all other contributors)

[1] Although Vista is a good improvement on the quite bad Microsoft Windows' security in the past, there are a lot of problems with proprietary software and in particular with that new version. Please see http://badvista.fsf.org/.

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From ayush.jha at ge.com Thu Sep 6 21:38:53 2007
From: ayush.jha at ge.com (ayush)
Date: Thu, 6 Sep 2007 12:38:53 -0700 (PDT)
Subject: Error using wildcards in gnupg
Message-ID: <12529932.post@talk.nabble.com>

Hi,

I am using gnupg version 1.2.1. I am able to decrypt files in a folder if I specify the file name in the command, e.g.:

gpg -o c:\decryption\spacs.txt --decrypt "c:\decryption\wild card\today.txt.pgp"

but if I use

gpg -o c:\decryption\spacs.txt --decrypt "c:\decryption\wild card\*.pgp"

I get file open error.

Point to be noted is that, the wildcard thing works if the file path is continuous, e.g.:

gpg -o c:\decryption\spacs.txt --decrypt "c:\decryption\*.pgp"

works for me fine!
But as soon as there is any included space in the file path, it stops working. I have tried with quotes, without quotes.

Any suggestions will be more than welcome.

thanks
Ayush

--
View this message in context: http://www.nabble.com/Error-using-wildcards-in-gnupg-tf4394270.html#a12529932
Sent from the GnuPG - User mailing list archive at Nabble.com.

From benrawk at gmail.com Tue Sep 4 22:03:30 2007
From: benrawk at gmail.com (Ben Neuwirth)
Date: Tue, 4 Sep 2007 13:03:30 -0700
Subject: Dealing with remaining plain text files
Message-ID:

Hello,

I am new to gpg, and while I feel the following questions may be common, I have not been able to find an answer to it on the web.

When you encrypt test.txt with gpg, you get a file named test.txt.gpg. However, test.txt still remains on your hard disk. What is the best way to delete this file from your hard drive? Is there a standard tool that people use?

Also, is there a tool available that allows you to save only encrypted text to disk, so that the plain text never even makes it on to disk? Perhaps some simple word processor that converts plain text to encrypted text before it saves to disk.

Thank you for your help!

- Ben

From vbushfield at purdue.edu Thu Sep 6 16:52:18 2007
From: vbushfield at purdue.edu (Paladino, Vanda K)
Date: Thu, 6 Sep 2007 10:52:18 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <46E01190.30704@sixdemonbag.org>
References: <12413076.post@talk.nabble.com> <46E01190.30704@sixdemonbag.org>
Message-ID: <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl>

Thanks for your quick replies. I actually drafted that message last week but just managed to get it to go through today, so I do have some more information.

I've gotten someone over here to help me a bit, and we've run some tests.

Our file is being encrypted with gpg version 1.2.6.

We had them send us an encrypted file and we decrypted it using gpg version 1.4.5 and the spaces were missing.
We decrypted it with PGP as well, and the spaces were also missing, not sure what version of PGP that was, I can find out.

I did originally go to the PGP people for help, and they, of course, sent me over here :)

But it is starting to seem like the problem is on our side, which would be the gpg side of the issue.

Vanda

-----Original Message-----
From: Robert J. Hansen [mailto:rjh at sixdemonbag.org]
Sent: Thursday, September 06, 2007 10:41 AM
To: Paladino, Vanda K
Cc: gnupg-users at gnupg.org
Subject: Re: losing meaningful whitespaces in an encrypted file

paladino wrote:
> When I look at the file here, immediately before it is encrypted, the
> 13 white spaces are still there. When I look at the file at the
> vendor, immediately after decryption, the 13 spaces are gone.

Have you tried a test decryption on your end? E.g., encrypt the file with your own public key and then decrypt that, and see whether the 13 spaces are present?

Also, version numbers would be very useful--both GnuPG on your end and PGP on the vendor's end.

This may very well be a PGP problem as opposed to a GnuPG problem, in which case you may be better served on a PGP list such as PGP-Basics at Yahoo! Groups.

> Is there anything obvious that could be causing something like this?
> Which end is it more likely the problem is at?

Impossible to say without more information. My inclination is to think it's probably on the vendor's end, especially if you're using a recent version of GnuPG. There are a lot of PGP 5.0 and 6.5.8 installations out there, and both of them substantially predate the OpenPGP standard which GnuPG conforms to.
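The test decryption Robert Hansen suggests above is the right check, and it is worth doing byte-for-byte rather than by eye, because trailing spaces are invisible in most viewers. The script below is an added example, not code from the thread or from GnuPG: it scans a plaintext for lines that carry trailing whitespace before the file is handed to gpg, and compares the original with what came back from a round trip, separating a mere line-ending change from actual loss of trailing whitespace. The function `text_mode_canonicalize` is an assumption that models the text-mode handling described in this thread (trailing spaces dropped, line endings rewritten) so that the script runs without invoking gpg; in real use the second argument of `compare_round_trip` would be the decrypted file. The sample data is constructed.

```python
"""Round-trip whitespace check (added example, not from the thread).

Assumptions: `text_mode_canonicalize` is a stand-in model for the text-mode
transformation the thread describes, not gpg's own code. The sample file is
constructed: a header line ending in 13 spaces followed by two records.
"""
from typing import Dict, List, Tuple

# Constructed sample input: header line with 13 trailing spaces, as in the thread.
SAMPLE_ORIGINAL = b"HDR20070906" + b" " * 13 + b"\nREC1,100.00\nREC2,250.50\n"


def lines_with_trailing_whitespace(data: bytes) -> List[Tuple[int, int]]:
    """Pre-flight scan of the plaintext before encryption: returns
    (1-based line number, count of trailing spaces/tabs) for every line
    that a whitespace-stripping transformation would change."""
    hits = []
    for no, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")            # tolerate CRLF input
        trimmed = line.rstrip(b" \t")
        if len(trimmed) != len(line):
            hits.append((no, len(line) - len(trimmed)))
    return hits


def text_mode_canonicalize(data: bytes) -> bytes:
    """ASSUMPTION: a model of text-mode processing used only so this example
    runs offline. Drops trailing spaces/tabs on each line and emits CRLF."""
    return b"\r\n".join(line.rstrip(b" \t\r") for line in data.split(b"\n"))


def compare_round_trip(original: bytes, decrypted: bytes) -> Dict[str, object]:
    """Compare the file as it was before encryption with what the receiver
    got back. Lines are split on any line ending, so a pure CRLF/LF change
    is reported on its own and not confused with lost trailing whitespace."""
    orig_lines = original.splitlines()
    dec_lines = decrypted.splitlines()
    lost = []
    for no, (a, b) in enumerate(zip(orig_lines, dec_lines), start=1):
        # Same content once trailing blanks are ignored, but different bytes:
        # the difference is exactly the trailing whitespace.
        if a != b and a.rstrip(b" \t") == b.rstrip(b" \t"):
            lost.append((no, len(a) - len(b)))
    return {
        "identical": original == decrypted,
        "line_endings_changed": original != decrypted and orig_lines == dec_lines,
        "line_count_differs": len(orig_lines) != len(dec_lines),
        "lost_trailing_ws": lost,   # [(line number, bytes lost), ...]
    }


if __name__ == "__main__":
    print("lines at risk before sending:", lines_with_trailing_whitespace(SAMPLE_ORIGINAL))
    received = text_mode_canonicalize(SAMPLE_ORIGINAL)  # stands in for encrypt + decrypt
    print(compare_round_trip(SAMPLE_ORIGINAL, received))
```

Run on a real file, read both the pre-encryption copy and the decrypted copy in binary mode (`open(path, "rb")`) so that no text-mode translation in Python itself masks what gpg did; a non-empty `lost_trailing_ws` list with `line_count_differs` false is the signature of the behaviour this thread is about.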
From bushfiel at purdue.edu Thu Sep 6 15:53:10 2007
From: bushfiel at purdue.edu (paladino)
Date: Thu, 6 Sep 2007 06:53:10 -0700 (PDT)
Subject: losing meaningful whitespaces in an encrypted file
Message-ID: <12413076.post@talk.nabble.com>

Hi, I'm sorry to jump right in with a dumb question, but I've tried doing some research myself and I have to confess to much of this being way over my head.

I work for a University that uses GnuPG to encrypt files to send out to various vendors. We're having a very odd situation right now with one of our files.

We are sending a file that has a header line that ends with 13 spaces. We are encrypting the file from the command line, on a unix machine, with GnuPG. Here's the actual command our guys are using:

/usr/local/bin/gpg -v -r XXXXXXXX -f &filename

We are then transmitting the file to a vendor who is unencrypting it with the windows version of PGP.

When I look at the file here, immediately before it is encrypted, the 13 white spaces are still there. When I look at the file at the vendor, immediately after decryption, the 13 spaces are gone.

I haven't had any luck with getting more information from the vendor about what kind of options they are using. I do know they are using a windows version, and the guy says he basically just double clicks on it, types in a password, and it unencrypts the file.

Is there anything obvious that could be causing something like this? Which end is it more likely the problem is at?

I've been reading about pgp and gpg all day, and while I've learned a lot about both, I'm no closer to a solution for this one than when I started.

Thanks for any help at all.

--
View this message in context: http://www.nabble.com/losing-meaningful-whitespaces-in-an-encrypted-file-tf4356011.html#a12413076
Sent from the GnuPG - User mailing list archive at Nabble.com.
From vbushfield at purdue.edu Thu Sep 6 17:15:55 2007
From: vbushfield at purdue.edu (Paladino, Vanda K)
Date: Thu, 6 Sep 2007 11:15:55 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <20070906145100.GC601@jabberwocky.com>
References: <12413076.post@talk.nabble.com> <20070906145100.GC601@jabberwocky.com>
Message-ID: <1E3DC2D62305E542B4F9CA6487E8730D0236135A@EXCH04.purdue.lcl>

I'm pretty sure it's the correct command line. I asked them twice, and they sent me a line of copy and paste straight out of the UC4 job.

I had it in my head that the -f indicated the filename, but now that I look, I'm not sure where I read that. I'm checking with our Production Control guys now on that one.

Thanks for all the suggestions and comments so far, any help is good help at this point!

Vanda Paladino

From kulkarni.atul at inbox.com Fri Sep 7 11:41:20 2007
From: kulkarni.atul at inbox.com (atul kulkarni)
Date: Fri, 7 Sep 2007 01:41:20 -0800
Subject: Queries...
Message-ID:

Hi,

I am Atul, I have some queries regarding the gpg encryption algorithm. These are as follows:

1. How to use RSA only for encryption?

2. Is the 'expert' command recommended to switch the encryption algorithm from ElGamal to RSA? If not, how is it possible?

Thanks,
Atul.

From sven at radde.name Sat Sep 8 12:58:18 2007
From: sven at radde.name (Sven Radde)
Date: Sat, 08 Sep 2007 12:58:18 +0200
Subject: RSA or DSA? That's the question
In-Reply-To: <46E19885.2010201@sixdemonbag.org>
References: <87fy1scc9h.fsf@wheatstone.g10code.de> <46DFF1EB.3030301@sixdemonbag.org> <878x7jbxnt.fsf@wheatstone.g10code.de> <46E048D4.3090703@sixdemonbag.org> <46E19885.2010201@sixdemonbag.org>
Message-ID: <46E2804A.2060307@radde.name>

Robert J. Hansen schrieb:
>> One more thing: the key expiry.
>> Do you think that setting the expiry
>> date after a year or two is a good choice? Or is it better not to set an
>> expiry date and revoke the key when necessary?
>
> For most personal/home users, expiration is not necessary.

We might want to qualify that statement somewhat:

Specifying key expiry if you are concerned with *cryptanalytical advances* is usually not necessary/sensible for a personal user, as said user is normally not concerned with cryptanalysis. Even if s/he was, making predictions whether the optimal key expiry period should be a month, six months, one year or longer is hard/impossible.

Key expiry has another valuable function, however, that may serve well for personal users (in fact, IMHO particularly well exactly for those users): It serves as a sort of "automatic revocation" that even works when you have lost access to your secret key / passphrase / revocation certificate. If you have ensured that you can revoke your key under all circumstances, you might go without key expiry.

For this purpose, something from six months to one year seems reasonable to me.

Note in particular that the expiry date may be modified later on by editing the key. This does not invalidate the key or any signatures by third parties. Therefore, if your key reaches expiry, just add another year and re-distribute it to the keyservers. It is not necessary to create a wholly new key.

cu, Sven

From dshaw at jabberwocky.com Tue Sep 11 02:55:12 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 10 Sep 2007 20:55:12 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl>
References: <12413076.post@talk.nabble.com> <46E01190.30704@sixdemonbag.org> <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl>
Message-ID: <20070911005512.GA29467@jabberwocky.com>

Again, this is not a bug, but a documented part of the protocol.
There are ways around it, and the details on this will be changing in the future, but at least for today, if you send files as text, you will lose end-of-line whitespace.

David

On Thu, Sep 06, 2007 at 10:52:18AM -0400, Paladino, Vanda K wrote:
> Thanks for your quick replies. I actually drafted that message last
> week but just managed to get it to go through today, so I do have some
> more information.
>
> I've gotten someone over here to help me a bit, and we've run some
> tests.
>
> Our file is being encrypted with gpg version 1.2.6
>
> We had them send us an encrypted file and we decrypted it using gpg
> version 1.4.5 and the spaces were missing. We decrypted it with PGP as
> well, and the spaces were also missing, not sure what version of PGP
> that was, I can find out.
>
> I did originally go to the PGP people for help, and they, of course,
> sent me over here :)
>
> But it is starting to seem like the problem is on our side, which would
> be the gpg side of the issue.
>
> Vanda
>
>
>
> -----Original Message-----
> From: Robert J. Hansen [mailto:rjh at sixdemonbag.org]
> Sent: Thursday, September 06, 2007 10:41 AM
> To: Paladino, Vanda K
> Cc: gnupg-users at gnupg.org
> Subject: Re: losing meaningful whitespaces in an encrypted file
>
> paladino wrote:
> > When I look at the file here, immediately before it is encrypted, the
> > 13 white spaces are still there. When I look at the file at the
> > vendor, immediately after decryption, the 13 spaces are gone.
>
> Have you tried a test decryption on your end? E.g., encrypt the file
> with your own public key and then decrypt that, and see whether the 13
> spaces are present?
>
> Also, version numbers would be very useful--both GnuPG on your end and
> PGP on the vendor's end.
>
> This may very well be a PGP problem as opposed to a GnuPG problem, in
> which case you may be better served on a PGP list such as PGP-Basics at
> Yahoo! Groups.
>
> > Is there anything obvious that could be causing something like this?
> > Which end is it more likely the problem is at?
>
> Impossible to say without more information. My inclination is to think
> it's probably on the vendor's end, especially if you're using a recent
> version of GnuPG. There are a lot of PGP 5.0 and 6.5.8 installations
> out there, and both of them substantially predate the OpenPGP standard
> which GnuPG conforms to.
>

From eocsor at gmail.com Wed Sep 12 14:07:29 2007
From: eocsor at gmail.com (Roscoe)
Date: Wed, 12 Sep 2007 21:37:29 +0930
Subject: Possible to pass the private key?
In-Reply-To: <12299545.post@talk.nabble.com>
References: <12299545.post@talk.nabble.com>
Message-ID:

If all you're doing is encrypting files you don't need the private key on the server at all. One only needs the private key to decrypt.

The private keys are kept in their own keyring, indeed they are encrypted. Any user who has access to gpg on a host will not have access to all other users' private keys on that host, unless file permissions are set up as such.

You didn't make any mention of automated decryption, but your consultant's quote makes more sense if you replace encrypt with decrypt.

-- Roscoe

On 8/24/07, Greg Motter wrote:
>
> Hello all,
>
> I have a couple of questions about how to handle the private key on a
> server. The company I'm working with, is working with a consultant who said
> the following:
>
> "GNUPG has a keyring just like PGP. The private keys on that keyring need to
> be controlled and not just left in the keyring file. If it's an automated
> process to encrypt the flat files then you should compile the program doing
> it with the private key. If it's a manual process, the private key needs to
> be kept with someone off the server."
>
> First off, from what I've read, it sounds like private keys are not kept in
> the keyring, but rather in their own file that is then encrypted
> symmetrically using the passphrase?
>
> Secondly is it possible to do what he is asking? Is it possible to pass in
> the private key through gpg command?
>
> Next, if I could pass in the private key through the program itself, and
> then secure the source code. Would the private key likely be more at risk in
> the object code since it would not truly be encrypted at that point?
>
> Basically what we are trying to do is encrypt flat text files that will be
> on our server at rest. I'll be creating a subroutine to handle all of the
> gpg goodness in the background. But we're still trying to work out the best
> way that these files would be secure.
>
> Obviously if we leave the private key out there, then any user who had
> access to gpg would have access to the key, although not to the passphrase.
>
> Is there some better way?
>
> Thanks,
>
> Greg Motter
>
> --
> View this message in context: http://www.nabble.com/Possible-to-pass-the-private-key--tf4319226.html#a12299545
> Sent from the GnuPG - User mailing list archive at Nabble.com.
>

From vbushfield at purdue.edu Tue Sep 11 13:20:12 2007
From: vbushfield at purdue.edu (Paladino, Vanda K)
Date: Tue, 11 Sep 2007 07:20:12 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <20070911005512.GA29467@jabberwocky.com>
References: <12413076.post@talk.nabble.com> <46E01190.30704@sixdemonbag.org> <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl> <20070911005512.GA29467@jabberwocky.com>
Message-ID: <1E3DC2D62305E542B4F9CA6487E8730D0236139D@EXCH04.purdue.lcl>

Sorry I don't know why that took so long to get through, and I also apologize for the multiple posts of the same message.
I was using a funky web interface to your mailing list and it seems to not like me very much.

As clarification on the original issue, we weren't sending it as text, we were sending it as a binary file.

However, we did finally at least partially identify our problem.

Version 1.2.6 for Linux strips our end of line white spaces.
Version 1.2 for Unix does not.

We'll be going back to using our Unix machine to do the encrypting until we can upgrade or downgrade as necessary to find a linux version that behaves properly.

Thanks to everyone here who helped me out via private email to narrow down the solution.

Vanda Paladino

-----Original Message-----
From: David Shaw [mailto:dshaw at jabberwocky.com]
Sent: Monday, September 10, 2007 8:55 PM
To: Paladino, Vanda K
Cc: Robert J. Hansen; gnupg-users at gnupg.org
Subject: Re: losing meaningful whitespaces in an encrypted file

Again, this is not a bug, but a documented part of the protocol. There are ways around it, and the details on this will be changing in the future, but at least for today, if you send files as text, you will lose end-of-line whitespace.

David

On Thu, Sep 06, 2007 at 10:52:18AM -0400, Paladino, Vanda K wrote:
> Thanks for your quick replies. I actually drafted that message last
> week but just managed to get it to go through today, so I do have some
> more information.
>
> I've gotten someone over here to help me a bit, and we've run some
> tests.
>
> Our file is being encrypted with gpg version 1.2.6
>
> We had them send us an encrypted file and we decrypted it using gpg
> version 1.4.5 and the spaces were missing. We decrypted it with PGP
> as well, and the spaces were also missing, not sure what version of
> PGP that was, I can find out.
>
> I did originally go to the PGP people for help, and they, of course,
> sent me over here :)
>
> But it is starting to seem like the problem is on our side, which
> would be the gpg side of the issue.
>
> Vanda
>
>
>
> -----Original Message-----
> From: Robert J.
> Hansen [mailto:rjh at sixdemonbag.org]
> Sent: Thursday, September 06, 2007 10:41 AM
> To: Paladino, Vanda K
> Cc: gnupg-users at gnupg.org
> Subject: Re: losing meaningful whitespaces in an encrypted file
>
> paladino wrote:
> > When I look at the file here, immediately before it is encrypted,
> > the
> > 13 white spaces are still there. When I look at the file at the
> > vendor, immediately after decryption, the 13 spaces are gone.
>
> Have you tried a test decryption on your end? E.g., encrypt the file
> with your own public key and then decrypt that, and see whether the 13
> spaces are present?
>
> Also, version numbers would be very useful--both GnuPG on your end and
> PGP on the vendor's end.
>
> This may very well be a PGP problem as opposed to a GnuPG problem, in
> which case you may be better served on a PGP list such as PGP-Basics
> at Yahoo! Groups.
>
> > Is there anything obvious that could be causing something like this?
> > Which end is it more likely the problem is at?
>
> Impossible to say without more information. My inclination is to
> think it's probably on the vendor's end, especially if you're using a
> recent version of GnuPG. There are a lot of PGP 5.0 and 6.5.8
> installations out there, and both of them substantially predate the
> OpenPGP standard which GnuPG conforms to.
>

From wk at gnupg.org Wed Sep 12 18:45:03 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 12 Sep 2007 18:45:03 +0200
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <1E3DC2D62305E542B4F9CA6487E8730D0236139D@EXCH04.purdue.lcl> (Vanda K.
Paladino's message of "Tue, 11 Sep 2007 07:20:12 -0400")
References: <12413076.post@talk.nabble.com> <46E01190.30704@sixdemonbag.org> <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl> <20070911005512.GA29467@jabberwocky.com> <1E3DC2D62305E542B4F9CA6487E8730D0236139D@EXCH04.purdue.lcl>
Message-ID: <87642fal4g.fsf@wheatstone.g10code.de>

On Tue, 11 Sep 2007 13:20, vbushfield at purdue.edu said:

> apologize for the multiple posts of the same message. I was using a
> funky web interface to your mailing list and it seems to not like me
> very much.

If you are not subscribed at this address, moderator approval is required. That may take some time. BTW, thanks to the volunteers who do this moderating for so many years now.

Also make sure that you don't send out HTML mails, or mails with HTML parts or ZIP files etc.

> However, we did finally at least partially identify our problem.
>
> Version 1.2.6 for Linux strips our end of line white spaces.
> Version 1.2 for Unix does not.

Hmmm, Linux is as much a Unix as any other Unix. What do you mean by version 1.2? gnupg 1.2.0? All Unix versions are identical in particular in the parts of the code handling the bulk data and doing white space removal. The only problem I recall are those with large files; that is the usual 2 GB problem on some machines.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From rjh at sixdemonbag.org Wed Sep 12 21:11:31 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 12 Sep 2007 14:11:31 -0500
Subject: personal-*-preferences
In-Reply-To: <46D5668F.8050706@thomas-huehn.de>
References: <46D5668F.8050706@thomas-huehn.de>
Message-ID: <46E839E3.7040904@sixdemonbag.org>

Apologies for the late reply to this--was cleaning out my inbox and found this, and couldn't remember whether I ever saw a follow-up explaining the issue.
Thomas Hühn wrote:
> When I create a new key and enter "pref" at the edit-key menu, I see "S9
> S8 S7 S3 S2 H2 H8 H3 Z2 Z3 Z1 [mdc] [no-ks-modify]", that's exactly the
> result without any personal-*-preferences setting in the config file.

This is because these are two different kinds of preferences.

Personal-*-preferences tells GnuPG what sort of algorithms you prefer to use, and in what order. Preferences on a key tell correspondents what sort of algorithms you prefer to use, and in what order. They are independent things, although you can make a strong argument that they shouldn't be.

From vbushfield at purdue.edu Wed Sep 12 19:12:35 2007
From: vbushfield at purdue.edu (Paladino, Vanda K)
Date: Wed, 12 Sep 2007 13:12:35 -0400
Subject: losing meaningful whitespaces in an encrypted file
In-Reply-To: <87642fal4g.fsf@wheatstone.g10code.de>
References: <12413076.post@talk.nabble.com> <46E01190.30704@sixdemonbag.org> <1E3DC2D62305E542B4F9CA6487E8730D02361356@EXCH04.purdue.lcl> <20070911005512.GA29467@jabberwocky.com> <1E3DC2D62305E542B4F9CA6487E8730D0236139D@EXCH04.purdue.lcl> <87642fal4g.fsf@wheatstone.g10code.de>
Message-ID: <1E3DC2D62305E542B4F9CA6487E8730D023613BB@EXCH04.purdue.lcl>

I only know what my guys tell me :) They say we have 1.2.6 on one machine (the linux machine) and 1.2.0 on the other (the other unix machine). And someone else told me that Unix and Linux had different versions of gpg, I didn't check that out, so apologies if it isn't the case!

-----Original Message-----
From: Werner Koch [mailto:wk at gnupg.org]
Sent: Wednesday, September 12, 2007 12:45 PM
To: Paladino, Vanda K
Cc: David Shaw; gnupg-users at gnupg.org
Subject: Re: losing meaningful whitespaces in an encrypted file

On Tue, 11 Sep 2007 13:20, vbushfield at purdue.edu said:

> apologize for the multiple posts of the same message. I was using a
> funky web interface to your mailing list and it seems to not like me
> very much.
If you are not subscribed at this address, moderator approval is required. That may take some time. BTW, thanks to the volunteers who do this moderating for so many years now.

Also make sure that you don't send out HTML mails, or mails with HTML parts or ZIP files etc.

> However, we did finally at least partially identify our problem.
>
> Version 1.2.6 for Linux strips our end of line white spaces.
> Version 1.2 for Unix does not.

Hmmm, Linux is as much a Unix as any other Unix. What do you mean by version 1.2? gnupg 1.2.0? All Unix versions are identical in particular in the parts of the code handling the bulk data and doing white space removal. The only problem I recall are those with large files; that is the usual 2 GB problem on some machines.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From mailinglists-282114 at thomas-huehn.de Wed Sep 12 23:06:23 2007
From: mailinglists-282114 at thomas-huehn.de (Thomas Hühn)
Date: Wed, 12 Sep 2007 23:06:23 +0200
Subject: personal-*-preferences
In-Reply-To: <46E839E3.7040904@sixdemonbag.org>
References: <46D5668F.8050706@thomas-huehn.de> <46E839E3.7040904@sixdemonbag.org>
Message-ID: <46E854CF.6070102@thomas-huehn.de>

Robert J. Hansen schrieb:
> Apologies for the late reply to this--was cleaning out my inbox and
> found this, and couldn't remember whether I ever saw a follow-up
> explaining the issue.
>
> Thomas Hühn wrote:
>> When I create a new key and enter "pref" at the edit-key menu, I see "S9
>> S8 S7 S3 S2 H2 H8 H3 Z2 Z3 Z1 [mdc] [no-ks-modify]", that's exactly the
>> result without any personal-*-preferences setting in the config file.
>
> This is because these are two different kinds of preferences.
>
> Personal-*-preferences tells GnuPG what sort of algorithms you prefer to
> use, and in what order. Preferences on a key tell correspondents what
> sort of algorithms you prefer to use, and in what order.
> They are
> independent things, although you can make a strong argument that they
> shouldn't be.

Thanks for your explanation.

Thomas

From jam at jamux.com Thu Sep 13 19:39:52 2007
From: jam at jamux.com (John A. Martin)
Date: Thu, 13 Sep 2007 13:39:52 -0400
Subject: Surprising gnupg-agent action with OpenPGP card
Message-ID: <87ir6e31nb.fsf@athene.jamux.com>

On Debian lenny/sid with the following Debian packages installed:

,----[ dlocate -l 'gnupg|gpg'|grep '^i' (lines chopped) ]
ii gnupg 1.4.6-2 GNU privacy guard - a free PGP replacement
ii gnupg-agent 2.0.6-1 GNU privacy guard - password agent
ii gnupg2 2.0.6-1 GNU privacy guard - a free PGP replacement
ii gpgsm 2.0.6-1 GNU privacy guard - S/MIME version
ii gpgv 1.4.6-2 GNU privacy guard - signature verification
ii libgpg-error0 1.4-2 library for common error values
ii libgpgme11 1.1.5-2 GPGME - GnuPG Made Easy
ii python-gnupgin 0.3.2-9 Python interface to GnuPG (GPG)
`----

With 'use-agent' in ~/.gnupg/gpg.conf both 'gpg --card-status' and 'gpg2 --card-status' show the same information from when a card is inserted and thereafter even when the card is removed, replaced by another card, and even after the reader is disconnected.

Is the above the expected behavior?

When 'use-agent' is removed from ~/.gnupg/gpg.conf both commands complain when there is no card reader connected or no card in the reader. Different information is shown by either command when different cards are in the reader.

Should the agent prevent this? Does this look like a Debian bug?

jam

From wk at gnupg.org Fri Sep 14 13:10:41 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Sep 2007 13:10:41 +0200
Subject: Surprising gnupg-agent action with OpenPGP card
In-Reply-To: <87ir6e31nb.fsf@athene.jamux.com> (John A.
Martin's message of "Thu, 13 Sep 2007 13:39:52 -0400") References: <87ir6e31nb.fsf@athene.jamux.com> Message-ID: <871wd11ozy.fsf@wheatstone.g10code.de> On Thu, 13 Sep 2007 19:39, jam at jamux.com said: o > With 'use-agent' in ~/.gnupg/gpg.conf both 'gpg --card-status' and > 'gpg2 --card-status' show the same information from when a card is > inserted and thereafter even when the card is removed, replaced by > another card, and even after the reader is disconnected. > > Is the above the expected behavior? No. I justed tested it with 2.0.7 and can't replicate it. I can't remember tha we fixed such a bug since 2.0.6. However I am using the internal card driver. Are you using pcsclite; i.e. is pcscd running? Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From jam at jamux.com Fri Sep 14 15:03:51 2007 From: jam at jamux.com (John A. Martin) Date: Fri, 14 Sep 2007 09:03:51 -0400 Subject: Surprising gnupg-agent action with OpenPGP card References: <87ir6e31nb.fsf@athene.jamux.com> <871wd11ozy.fsf__45843.9511749477$1189768788$gmane$org@wheatstone.g10code.de> Message-ID: <87ejh1z9e0.fsf@athene.jamux.com> >>>>> "wk" == Werner Koch >>>>> "Re: Surprising gnupg-agent action with OpenPGP card" >>>>> Fri, 14 Sep 2007 13:10:41 +0200 wk> On Thu, 13 Sep 2007 19:39, jam at jamux.com said: o >> With 'use-agent' in ~/.gnupg/gpg.conf both 'gpg --card-status' >> and 'gpg2 --card-status' show the same information from when a >> card is inserted and thereafter even when the card is removed, >> replaced by another card, and even after the reader is >> disconnected. >> >> Is the above the expected behavior? wk> No. I justed tested it with 2.0.7 and can't replicate it. I wk> can't remember tha we fixed such a bug since 2.0.6. However I wk> am using the internal card driver. Are you using pcsclite; wk> i.e. is pcscd running? I'm using the internal driver. No pcsclite. Experimenting with pcsclite (Debian package libpcsclite1) did not help so I purged it. 
Just now, running without 'use-agent' in ~/.gnupg/gpg.conf, I noticed that just after 'gpg --card-status' gives the expected result I see the following:

,----[ gpg --use-agent --card-status ]
| gpg: selecting openpgp failed: unknown command
| gpg: OpenPGP card not available: general error
`----

Then 'gpg --card-status' gives the expected result but then after that I see:

,----[ gpg2 --card-status ]
| gpg: OpenPGP card not available: Unknown IPC command
`----

I get similar but not identical results on a Debian etch box with the following:

    gnupg          1.4.6-2
    gnupg-agent    2.0.0-5.2
    gnupg2         2.0.0-5.2
    gpgsm          2.0.0-5.2
    gpgv           1.4.6-2
    libgpg-error0  1.4-1
    python-gnupgin 8.3.2-9

On the etch box, 'gpg2 --card-status' gives something like:

    gpg: DBG: connection to agent established
    gpg: OpenPGP card not available: Unsupported operation

when the immediately preceding 'gpg --card-status' gave the expected result. Without 'use-agent' in ~/.gnupg/gpg.conf and before doing 'gpg --use-agent --card-status' I did not notice any difference between the two boxen.

What can I do to better isolate or characterize this problem?

jam

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 154 bytes
Desc: not available
Url : /pipermail/attachments/20070914/bf365ace/attachment.pgp

From wk at gnupg.org Fri Sep 14 15:53:35 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 14 Sep 2007 15:53:35 +0200
Subject: Surprising gnupg-agent action with OpenPGP card
In-Reply-To: <87ejh1z9e0.fsf@athene.jamux.com> (John A. Martin's message of "Fri, 14 Sep 2007 09:03:51 -0400")
References: <87ir6e31nb.fsf@athene.jamux.com> <871wd11ozy.fsf__45843.9511749477$1189768788$gmane$org@wheatstone.g10code.de> <87ejh1z9e0.fsf@athene.jamux.com>
Message-ID: <87sl5hxsio.fsf@wheatstone.g10code.de>

On Fri, 14 Sep 2007 15:03, jam at jamux.com said:

> What can I do to better isolate or characterize this problem?
If gpg-agent is installed (which is a requirement for gpg2), the card operations are done by scdaemon. To debug it you should add these lines to ~/.gnupg/scdaemon.conf

    debug-ccid-driver
    debug 1024
    verbose
    log-file /whereeveryouwantit

Then kill scdaemon and make sure that no instances are running. gpg-agent will start one on demand.

Note that --use-agent is a dummy option in gpg2. gpg should better use --use-agent because otherwise you would get a conflict if scdaemon is running at the same time.

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From jam at jamux.com Fri Sep 14 22:47:27 2007
From: jam at jamux.com (John A. Martin)
Date: Fri, 14 Sep 2007 16:47:27 -0400
Subject: Surprising gnupg-agent action with OpenPGP card
References: <87ir6e31nb.fsf@athene.jamux.com> <871wd11ozy.fsf__45843.9511749477$1189768788$gmane$org@wheatstone.g10code.de> <87ejh1z9e0.fsf@athene.jamux.com> <87sl5hxsio.fsf__49852.9328768656$1189778275$gmane$org@wheatstone.g10code.de>
Message-ID: <87d4wl5600.fsf@athene.jamux.com>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 154 bytes
Desc: not available
Url : /pipermail/attachments/20070914/4a6693ae/attachment-0001.pgp

From wk at gnupg.org Sun Sep 16 12:23:35 2007
From: wk at gnupg.org (Werner Koch)
Date: Sun, 16 Sep 2007 12:23:35 +0200
Subject: Surprising gnupg-agent action with OpenPGP card
In-Reply-To: <87d4wl5600.fsf@athene.jamux.com> (John A. Martin's message of "Fri, 14 Sep 2007 16:47:27 -0400")
References: <87ir6e31nb.fsf@athene.jamux.com> <871wd11ozy.fsf__45843.9511749477$1189768788$gmane$org@wheatstone.g10code.de> <87ejh1z9e0.fsf@athene.jamux.com> <87sl5hxsio.fsf__49852.9328768656$1189778275$gmane$org@wheatstone.g10code.de> <87d4wl5600.fsf@athene.jamux.com>
Message-ID: <871wcyx61k.fsf@wheatstone.g10code.de>

On Fri, 14 Sep 2007 22:47, jam at jamux.com said:

> gpg: DBG: connection to agent established
> gpg: OpenPGP card not available: No SmartCard daemon

Either scdaemon is not installed or gpg-agent is not able to start it. Also check that gpg-agent.conf does not have the option --disable-scdaemon active.

> and nothing from 'debug-ccid-driver' while 'gpg --card-status' works

Well, if gpg can't use scdaemon it falls back to its own code. It needs to use scdaemon via gpg-agent because scdaemon would have opened the card reader and it requires exclusive access to it.

> Apparently gnome starts '/usr/bin/gpg-agent --daemon --sh' on login to
> the new user account. On Debian, /usr/bin/scdaemon is installed by
> the gpgsm package which is depended upon by the gnupg-agent package.

Add debugging to gpg-agent; using verbose and log-file in gpg-agent.conf could suffice. You might also want to use the watchgnupg daemon, which is a smarter way of looking at the log files because all log output from the daemons is collected in one stream. I usually have an xterm running with "watchgnupg --force ~/.gnupg/S.log" and a "log-file socket:///home/foo/.gnupg/S.log" in {gpg-agent,gpgsm,scdaemon,dirmngr}.conf. For this, with gpg2 you need to have a separate conf file ("gpg.conf-2") if you want to have this log option so that can still use .

Use gpg-connect-agent for debugging: "gpg-connect-agent -v" gives a prompt.
You may enter there "/help" for some advanced commands, but in general you will use:

    SCD SERIALNO

The "SCD" is a prefix which lets gpg-agent pass the rest of the line verbatim to scdaemon; that is, it is the same as starting "scdaemon --server". For a list of the commands available see the gnupg info page.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From jam at jamux.com Sun Sep 16 16:32:00 2007
From: jam at jamux.com (John A. Martin)
Date: Sun, 16 Sep 2007 10:32:00 -0400
Subject: Surprising gnupg-agent action with OpenPGP card
References: <87ir6e31nb.fsf@athene.jamux.com> <871wd11ozy.fsf__45843.9511749477$1189768788$gmane$org@wheatstone.g10code.de> <87ejh1z9e0.fsf@athene.jamux.com> <87sl5hxsio.fsf__49852.9328768656$1189778275$gmane$org@wheatstone.g10code.de> <87d4wl5600.fsf@athene.jamux.com> <871wcyx61k.fsf__3814.18444817445$1189938568$gmane$org@wheatstone.g10code.de>
Message-ID: <871wcyznof.fsf@athene.jamux.com>

A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 154 bytes
Desc: not available
Url : /pipermail/attachments/20070916/a51ed37a/attachment.pgp

From vedaal at hush.com Sun Sep 16 21:08:12 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Sun, 16 Sep 2007 15:08:12 -0400
Subject:
Message-ID: <20070916190813.1775E2281F@mailserver9.hushmail.com>

>Message: 3
>Date: Wed, 12 Sep 2007 13:12:35 -0400
>From: "Paladino, Vanda K"
>Subject: RE: losing meaningful whitespaces in an encrypted file

>I only know what my guys tell me :) They say we have 1.2.6 on one
>machine (the linux machine) and 1.2.0 on the other (the other unix
>machine). And someone else told me that Unix and Linux had different
>versions of gpg, I didn't check that out, so apologies if it isn't the
>case!
there is a simple workaround that preserves end-of-line whitespace characters: just armor the file (add '-a' before the '-r' of your encryption command, or before '-u' if you are only signing)

i have tested this with an older version of pgp (i don't like or use 9.x) and the blank spaces were preserved

i used gnupg 1.4.7 but i believe the same is probably true for any of the earlier versions i have tried, back to 1.0x

vedaal

From vedaal at hush.com Mon Sep 17 15:57:46 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 17 Sep 2007 09:57:46 -0400
Subject: losing meaningful whitespaces in an encrypted file
Message-ID: <20070917135752.D7397C3823@mailserver10.hushmail.com>

Paladino, Vanda K ( vbushfield at purdue.edu ) wrote on Tue Sep 11 13:20:12 CEST 2007

>As clarification on the original issue, we weren't sending it as text,
>we were sending it as a binary file

>However, we did finally at least partially identify our problem

>Version 1.2.6 for Linux strips our end of line white spaces.
>Version 1.2 for Unix does not

while this may be a possible source of the problem, it sounds unlikely

try this workaround: armor the file (add '-a' before the '-r' if you are encrypting, or before the '-u' if you are just signing)

armoring the file preserves the plaintext and all trailing whitespaces (i don't know why this should be, but in my repeated testing with earlier versions of both gnupg and pgp, have found it to be so; i don't like or use pgp9.x, so i can't vouch for that version, but usually, pgp gets 'more accepting' with every version, not less, so i would expect it to work there too)

if this workaround 'does work' then try it again with the linux and unix versions you used

a simple test would be to use a textfile of one line:

12345 followed by 5 blank spaces

check the size of the original textfile, and then the size of the 'saved form' of the armored signed text once it is verified and saved as plaintext

if the sizes are the same, the blank spaces have been kept

(this can then be confirmed by copying the test line and pasting it into a new textfile consisting of only one character, making sure to paste it 'in front' of the character; the resulting line will have the same number of blank spaces in front of the single character as in the original file)

vedaal

From gnichols at tpg.com.au Wed Sep 19 07:56:42 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Wed, 19 Sep 2007 15:56:42 +1000
Subject: gpgsm and Kmail and X509 certificates
Message-ID: <46F0BA1A.2020705@tpg.com.au>

Hello,

Please bear with me, I am pretty ignorant on this subject. What I am really trying to achieve is to import my X509 certificate into Kmail and be able to sign and encrypt emails in Kmail.
When configuring Kmail I click on Settings --> Configure Kmail then Security and I am presented with 5 tabs, two of which are Crypto Backends and S/MIME Validation. What do I put into these fields? The Crypto Backends --> Configure fields and the S/MIME Validation fields?

The other thing is I have a keypair generated with gpg as well as my X509 certificate. Again, clicking on Settings --> Configure Kmail --> Identities I am presented with only the one identity, mine. Highlighting it and then clicking on 'Modify' I am presented with 5 tabs, one of which is Cryptography. Clicking on Cryptography I am then presented with 4 fields I can enter data into. Two of them are to do with OpenPGP signing and encryption keys. I have my PGP key ID in there. The other two are for S/MIME signing and encrypting certificates. Here is where I run into trouble... I cannot enter my certificates into these fields. If I click on 'change' I get an error 'An error occurred while fetching the keys from the backend: General Error' and 'No backends found for listing keys. Check your installation.'

The backends I have installed and checked are OpenPGP (gpg) and S/MIME (gpgsm). I do not have Chiasmus. (listed by clicking the 'scan' button)

I have successfully imported my X509 certificate into gpgsm and it is listed when executing gpgsm --list-keys.

Could somebody please give me instructions on how to get all this working?

Another error I get if I try and send a signed email from Kmail is: 'Signing failed. Bad passphrase'. I don't really understand this one as it used to work before I upgraded to F7 from F6.

Kmail is 1.9.6
KDE is 3.5.7
gpgsm is 2.0.3 and gpg is 1.4.7

All help appreciated. Ta.

--
----------------------------------------------------------------------
Kind regards, Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
[Wisdom] is a tree of life to those laying hold of her, making happy each one holding her fast. -- Proverbs 3:18, NSV

From wk at gnupg.org Wed Sep 19 13:06:36 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Sep 2007 13:06:36 +0200
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <46F0BA1A.2020705@tpg.com.au> (Graeme Nichols's message of "Wed, 19 Sep 2007 15:56:42 +1000")
References: <46F0BA1A.2020705@tpg.com.au>
Message-ID: <87y7f2hq2r.fsf@wheatstone.g10code.de>

On Wed, 19 Sep 2007 07:56, gnichols at tpg.com.au said:

> When configuring Kmail I click on Settings --> Configure Kmail then
> Security and I am presented with 5 tabs, two of which are Crypto
> Backends and S/MIME Validation. What do I put into these fields? The
> Crypto Backends --> Configure fields and the S/MIME Validation fields?

The defaults should be fine for now.

> trouble... I cannot enter my certificates into these fields. If I click
> on 'change' I get an error 'An error occurred while fetching the keys
> from the backend: General Error' and 'No backends found for listing
> keys. Check your installation.'

On the command line enter

    gpgsm -K

this should show you your own certificates

    gpgsm -k

shows all certificates. Are there any error messages?

> have successfully imported my X509 certificate into gpgsm and it is
> listed when executing gpgsm --list-keys.

-k is an alias for --list-keys. However you need to use -K (or --list-secret-keys)

> Another error I get if I try and send a signed email from Kmail is:
> 'Signing failed. Bad passphrase' I don't really understand this one as
> it used to work before I upgraded to F7 from F6.

Is the gpg-agent running and a pinentry installed?
Check on the command line with

    gpgsm --passwd

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From gnichols at tpg.com.au Thu Sep 20 02:49:36 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Thu, 20 Sep 2007 10:49:36 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87y7f2hq2r.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de>
Message-ID: <46F1C3A0.3070104@tpg.com.au>

Hello Werner,

Werner Koch wrote:
> On Wed, 19 Sep 2007 07:56, gnichols at tpg.com.au said:
>
>> When configuring Kmail I click on Settings --> Configure Kmail then
>> Security and I am presented with 5 tabs, two of which are Crypto
>> Backends and S/MIME Validation. What do I put into these fields? The
>> Crypto Backends --> Configure fields and the S/MIME Validation fields?
>
> The defaults should be fine for now.

OK. Good.

>
>> trouble... I cannot enter my certificates into these fields. If I click
>> on 'change' I get an error 'An error occurred while fetching the keys
>> from the backend: General Error' and 'No backends found for listing
>> keys. Check your installation.'
>
> On the command line enter
>
> gpgsm -K

Output is:

[graeme at barney ~]$ gpgsm -K
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

>
> this should show you your own certificates

It didn't, as you can see.
>
> gpgsm -k

Output follows:

[graeme at barney ~]$ gpgsm -k
/home/graeme/.gnupg/pubring.kbx
-------------------------------
Serial number: 00
Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
Subject: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
validity: 2003-03-30 12:29:49 through 2033-03-29 12:29:49
key type: 4096 bit RSA
chain length: unlimited
fingerprint: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33

Serial number: 32D18D
Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
Subject: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
validity: 2001-02-01 09:52:17 through 2005-06-01 09:52:17
key type: 1024 bit RSA
key usage: certSign crlSign
fingerprint: EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60

Serial number: 2A
Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
Subject: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
validity: 2005-08-03 15:30:36 through 2007-12-31 15:09:23
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD

Serial number: 02
Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24

Serial number: 2D
Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
Subject: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
validity: 2005-08-03 18:09:49 through 2007-12-31 18:04:28
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D

Serial number: 01
Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
Subject: /CN=8R-CA 1:PN/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
validity: 2004-11-25 14:10:37 through 2007-12-31 14:04:03
key type: 1024 bit RSA
key usage: certSign
policies: 1.3.36.8.1.1:N:
chain length: unlimited
fingerprint: 42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5

Serial number: 00C48C8D
Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
Subject: /CN=7R-CA 1:PN/NameDistinguisher=1/O=Regulierungsbehörde für Telekommunikation und Post/C=DE
validity: 2001-10-15 11:15:15 through 2006-02-15 11:15:15
key type: 1024 bit RSA
key usage: certSign crlSign
fingerprint: DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B

Serial number: 00B95F
Issuer: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
Subject: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
aka: info at d-trust.net
aka: (uri http://www.d-trust.net)
validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 1.3.6.1.4.1.4788.2.30.1:N:
chain length: unlimited
fingerprint: E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C

Serial number: 00B960
Issuer: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
Subject: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
aka: info at d-trust.net
aka: (uri http://www.d-trust.net)
validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
key type: 2048 bit RSA
key usage: certSign crlSign
policies: 1.3.6.1.4.1.4788.2.30.1:N:
chain length: unlimited
fingerprint: 98:2A:75:67:0F:F8:28:4A:94:E0:9D:23:D8:E7:62:C8:BD:A4:54:04

Serial number: 00DF749F80AA51F0EDC0CB1FC183E97EE2
Issuer: /CN=S-TRUST Qualified Root CA 2006-001:PN/O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/ST=Baden-Wuerttemberg (BW)/C=DE
Subject: /CN=S-TRUST Qualified Root CA 2006-001:PN/O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/ST=Baden-Wuerttemberg (BW)/C=DE
validity: 2006-01-01 00:00:00 through 2010-12-30 23:59:59
key type: 2048 bit RSA
key usage: certSign crlSign
chain length: 1
fingerprint: 7D:DC:76:1C:FD:AF:4C:E0:3A:B5:3A:DD:C9:FA:13:35:19:A3:DE:C9

Serial number: 03FCBA
Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support at cacert.org
Subject: /CN=CAcert WoT User/EMail=gnichols at tpg.com.au
aka: gnichols at tpg.com.au
validity: 2007-09-02 03:15:25 through 2008-02-29 03:15:25
key type: 2048 bit RSA
ext key usage: emailProtection (suggested), clientAuth (suggested), 1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested), serverGatedCrypto.ns (suggested)
fingerprint: 2D:0D:02:D5:2E:0F:D9:C7:31:48:C8:A2:63:13:6F:AD:C7:21:27:34

secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

>
> shows all certificates. Are there any error messages?

No. My certificate is the last one. All the others were already there.

>
>> have successfully imported my X509 certificate into gpgsm and it is
>> listed when executing gpgsm --list-keys.
>
> -k is an alias for --list-keys. However you need to use -K (or
> --list-secret-keys)
>
>> Another error I get if I try and send a signed email from Kmail is:
>> 'Signing failed. Bad passphrase' I don't really understand this one as
>> it used to work before I upgraded to F7 from F6.
>
> Is the gpg-agent running and a pinentry installed? Check on the command
> line with
>
> gpgsm --passwd

Output follows:

[graeme at barney ~]$ gpgsm --passwd gnichols at tpg.com.au
gpgsm: DBG: connection to agent established
gpgsm: error changing passphrase: No such file or directory
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

Looks like gpg-agent is running but no pinentry. Is that correct? Pinentry-0.7.2-14.fc7 is installed.
I have looked through the pinentry --help output but I don't really know what it is I have to do/set/enter or whatever. I'm pretty ignorant in this area. I have looked at the website http://www.gnupg.org/aegypten/ but I am still confused.

What should I do now?

--
----------------------------------------------------------------------
Kind regards, Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
A would-be disciple came to Nasrudin's hut on the mountain-side. Knowing that every action of such an enlightened one is significant, the seeker watched the teacher closely. "Why do you blow on your hands?" "To warm myself in the cold." Later, Nasrudin poured bowls of hot soup for himself and the newcomer, and blew on his own. "Why are you doing that, Master?" "To cool the soup." Unable to trust a man who uses the same process to arrive at two different results -- hot and cold -- the disciple departed.

From wk at gnupg.org Thu Sep 20 08:31:31 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 20 Sep 2007 08:31:31 +0200
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <46F1C3A0.3070104@tpg.com.au> (Graeme Nichols's message of "Thu, 20 Sep 2007 10:49:36 +1000")
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au>
Message-ID: <87y7f1etks.fsf@wheatstone.g10code.de>

On Thu, 20 Sep 2007 02:49, gnichols at tpg.com.au said:

> [graeme at barney ~]$ gpgsm -K
> /home/graeme/.gnupg/pubring.kbx
> -------------------------------
> gpgsm: DBG: connection to agent established
> secmem usage: 0/16384 bytes in 0 blocks
> [graeme at barney ~]$
>>
>> this should show you your own certificates
>
> It didn't as you can see.

With own certificates I meant your certificate plus your private key.

Did you import the key at all?
> [graeme at barney ~]$ gpgsm --passwd gnichols at tpg.com.au
> gpgsm: DBG: connection to agent established
> gpgsm: error changing passphrase: No such file or directory

That means that your private key does not exist. To manually check this do:

    gpgsm --dump-key 2D:0D:02:D5:2E:0F:D9:C7:31:48:C8:A2:63:13:6F:AD:C7:21:27:34

You will notice a line

    keygrip: <40-hex-digits>

then check whether a file

    ~/.gnupg/private-keys-v1.d/<40-hex-digits>.key

exists. It does not, and this is the reason you see "No such file or directory" (Well, it should better read "No such secret key").

You need to get your private key as a pkcs#12 file and import it into gpgsm

    gpgsm --import foo.p12

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From peter at palfrader.org Fri Sep 21 00:59:00 2007
From: peter at palfrader.org (Peter Palfrader)
Date: Fri, 21 Sep 2007 00:59:00 +0200
Subject: Printing Keys and using OCR (was: Proofreadable base64)
In-Reply-To: <465B04EB.7080904@psmay.com>
References: <464DE297.5020905@caseyljones.net> <4650E370.6000308@caseyljones.net> <465B04EB.7080904@psmay.com>
Message-ID: <20070920225900.GN25351@asteria.noreply.org>

On Mon, 28 May 2007, Peter S. May wrote:

> Not meaning to kick a dead thread

This must be a zombie by now :)

> I've come up with something which I haven't yet tried to implement but
> which I think would be interesting to try. Let's call it "proofreadable
> base64". It's not terribly efficient, but we're going for
> recoverability more than efficiency.
>
> It goes something like this: We can assume that each line of our medium
> is capable of relaying 76 relatively legible characters. The first 32
> are data in normal base64. Then, there is a space and a CRC-24 as
> specified in OpenPGP. Then, there are two spaces. After this, the
> first part of the line is repeated, except it is as if it were filtered
> through the command:
>
> tr 'A-Za-z0-9+/=' '0-9A-Z+/=a-z'

Nice idea.
When trying to find decent backup methods for my new Tor identity key I came across this thread. I played all day with ocr and friends. In the course I wrote a small script that does what you suggest. I tried to keep it small enough to print it along with whatever data you have - I clearly failed there. But other than that it works nicely.

I used the OCR-A font available from a CTAN[0] mirror near you to print the output of my script. Then I used gocr[1][2] (0.41-1 as shipped in debian etch) to turn a scan back into data. That didn't work out so well at first - gocr had real trouble distinguishing zeroes and the letter D like Delta. Fortunately gocr has an option to disable its internal recognition engine and instead use a mode whereby it asks you about characters it doesn't recognize - initially that's all of them - and writes that to a database. In the end it asked me for about 300 chars out of 8000 - most of them at the beginning of the text - but produced the original text with only a few mishaps, which were caught easily using the encoding described above. [maybe I should also try a more recent version of gocr]

If anybody wants to play with this, I uploaded my two scans to http://asteria.noreply.org/~weasel/ocr/

To use gocr with the database learning and its internal recognition engine turned off simply

    mkdir db; gocr -m 256 -m 130 -i 1.ppm -o 1.txt

I guess playing with encodings other than base64 might be the next step. There was a strong point made for simply using base16, maybe with different characters that play nicely with gocr using OCR-A.

Optar[2] is another nice tool which I tried today. While it does not provide the "fallback to typing it all in" option it shows promise. Using the default values I still had several bitflips after scanning in the printout tho. Future tests will probably include changing optar's parameters to larger dots (I don't need 200kb per page), and maybe preprocessing the data with par2.

Cheers,
Peter

0. http://www.ctan.org/
   http://www.ctan.org/cgi-bin/search.py?metadataSearch=ocr-a&metadataSearchSubmit=Search
1. http://packages.debian.org/gocr
   http://packages.debian.org/etch/gocr
   http://jocr.sourceforge.net/
2. http://ronja.twibright.com/optar/
3. http://www.par2.net/

--
| .''`.  ** Debian GNU/Linux **      Peter Palfrader
| : :' :      The  universal     http://www.palfrader.org/
| `. `'      Operating System
|   `-    http://www.debian.org/

-------------- next part --------------
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1 qw(sha1_hex);
use MIME::Base64;

if (@ARGV != 1 || $ARGV[0] !~ /^-[de]$/) {
	die "Usage: $0 -d|-e\n";
};

if ($ARGV[0] eq '-e') {
	# encoding. not needed for decoding
	undef $/;
	my ($bytes, $totallength, $totalhash, $line);
	$bytes = <STDIN>;
	$totallength = length($bytes);
	$totalhash = sha1_hex($bytes);
	$line = 1;
	printf(" 'A-Za-z0-9+/=' '0-9A-Z+/=a-z'>\n");
	printf("-A-B-C-\n");
	while (length($bytes) > 0) {
		my ($this, $encoded, $tred, $hash);
		$this = substr($bytes, 0, 18, '');
		$encoded = encode_base64($this, '');
		($tred = $encoded) =~ tr#A-Za-z0-9+/=#0-9A-Z+/=a-z#;
		$hash = substr( sha1_hex($this), 0, 12);
		printf("%06d %-24s %s %-24s\n", $line++, $encoded, $hash, $tred);
	};
	printf("-A-B-C-\n");
	print("XXXXXX total length: $totallength\n");
	print("XXXXXX SHA1: $totalhash\n");
} else {
	# decoding
	my (@bytes, $line, $found_marker, $exit);
	$exit = 0;
	$line = 0;
	$found_marker = 0;
	while (<STDIN>) {
		chomp;
		if ($_ eq '-A-B-C-') { $found_marker = 1; last; };
	};
	unless ($found_marker) { die ("Did not find start marker '-A-B-C-' in input\n"); };
	$found_marker = 0;
	while (<STDIN>) {
		$line++;
		chomp;
		if ($_ eq '-A-B-C-') { $found_marker = 1; last; };
		my ($l, $d, $h, $t, $t2, $decoded_d, $decoded_t, $hashd, $hasht, $bytes) = split;
		$bytes = '';
		($t2 = $t) =~ tr#0-9A-Z+/=a-z#A-Za-z0-9+/=#;
		$decoded_d = decode_base64($d);
		$decoded_t = decode_base64($t2);
		$hashd = substr( sha1_hex($decoded_d), 0, 12);
		$hasht = substr( sha1_hex($decoded_t), 0, 12);
		if ($l != $line) { warn ("Line $line: wrong index $l\n"); };
		if (length($t2) != length($d)) {
			warn("Line $line: data copies have different length.\n");
		} elsif ($t2 ne $d) {
			warn("Line $line: data copies do not match.\n");
			for (my $i=0; $i

#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
From gnichols at tpg.com.au Fri Sep 21 04:47:17 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Fri, 21 Sep 2007 12:47:17 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87y7f1etks.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de>
Message-ID: <46F330B5.7000907@tpg.com.au>

Hello Werner,

Werner Koch wrote:
> On Thu, 20 Sep 2007 02:49, gnichols at tpg.com.au said:
>
>> [graeme at barney ~]$ gpgsm -K
>> /home/graeme/.gnupg/pubring.kbx
>> -------------------------------
>> gpgsm: DBG: connection to agent established
>> secmem usage: 0/16384 bytes in 0 blocks
>> [graeme at barney ~]$
>>> this should show you your own certificates
>> It didn't as you can see.
>
> With own certificates I meant, your certificate plus your private key.
>
> Did you import the key at all?

Yes, I did. It said that one key was imported, key was good and all that. The key name was gnichols at tpg.com.au.crt.

I have never been able to import my key in *.p12 format. I normally renew my key and install it into Firefox automatically then back it up to floppy in *.p12 format. Trying to then import that backup into gpgsm results in the following:

[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

>
>> [graeme at barney ~]$ gpgsm --passwd gnichols at tpg.com.au
>> gpgsm: DBG: connection to agent established
>> gpgsm: error changing passphrase: No such file or directory
>
> That means that your private key does not exist. To manually check
> this do:
>
> gpgsm --dump-key 2D:0D:02:D5:2E:0F:D9:C7:31:48:C8:A2:63:13:6F:AD:C7:21:27:34
>
> You will notice a line
>
> keygrip: <40-hex-digits>

Yes.
That worked, thank you.

>
> then check whether a file
>
> ~/.gnupg/private-keys-v1.d/<40-hex-digits>.key
>
> exists. It does not and this is the reason you see "No such file or
> directory" (Well, it should better read "No such secret key").

No. There are no files in the ~/.gnupg/private-keys-v1.d/ directory.

>
> You need to get your private key as a pkcs#12 file and import it into
> gpgsm
>
> gpgsm --import foo.p12

Does not work as you can see above. Is the backup of my certificate from Mozilla in *.p12 format the same as getting it from CACert in *.p12 format?

Thank you very much for your patience and help. Please bear with me until I get this fixed if you will.

--
----------------------------------------------------------------------
Kind regards,
Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
Each of us bears his own Hell.
-- Publius Vergilius Maro (Virgil)

From gnichols at tpg.com.au Fri Sep 21 07:19:15 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Fri, 21 Sep 2007 15:19:15 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87y7f1etks.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de>
Message-ID: <46F35453.1030305@tpg.com.au>

Hello again Werner,

This info is in addition to my recent email of today.

I have been reading the HowTo at http://kontact.kde.org/kmail/kmail-pgpmime-howto.php and I am wondering if the F7 package for KDEPIM has been built without all the prerequisites to enable X509 certificate support in Kmail. e.g.

libgpgme is not installed.
libpth or libpth-devel is not installed.
libcrypt and libcrypt-devel are not installed.
libassuan and libassuan-devel are not installed.
kwatchgnupg is not installed

These are all listed as prerequisites in the HowTo to get it all working. Most of the *.conf files in ~/.gnupg are there but have no entries in them.

KDEPIM is kdepim-3.5.6-4.fc7

It seems strange that kdepim is installed *without* all the necessary prerequisites. My system is F7.

What is your advice? BTW. I can list my secret keys using gpg --list-secret-keys (or -K) but not gpgsm --list-secret-keys (or -K). Is it possible that only gpgsm is broken? (missing prerequisites)?

Werner Koch wrote:
> On Thu, 20 Sep 2007 02:49, gnichols at tpg.com.au said:
>
>> [graeme at barney ~]$ gpgsm -K
>> /home/graeme/.gnupg/pubring.kbx
>> -------------------------------
>> gpgsm: DBG: connection to agent established
>> secmem usage: 0/16384 bytes in 0 blocks
>> [graeme at barney ~]$
>>> this should show you your own certificates
>> It didn't as you can see.
>
> With own certificates I meant, your certificate plus your private key.
>
> Did you import the key at all?
>
>> [graeme at barney ~]$ gpgsm --passwd gnichols at tpg.com.au
>> gpgsm: DBG: connection to agent established
>> gpgsm: error changing passphrase: No such file or directory
>
> That means that your private key does not exist. To manually check
> this do:
>
> gpgsm --dump-key 2D:0D:02:D5:2E:0F:D9:C7:31:48:C8:A2:63:13:6F:AD:C7:21:27:34
>
> You will notice a line
>
> keygrip: <40-hex-digits>
>
> then check whether a file
>
> ~/.gnupg/private-keys-v1.d/<40-hex-digits>.key
>
> exists. It does not and this is the reason you see "No such file or
> directory" (Well, it should better read "No such secret key").
>
> You need to get your private key as a pkcs#12 file and import it into
> gpgsm
>
> gpgsm --import foo.p12
>
>
>
> Salam-Shalom,
>
> Werner
>
>

--
----------------------------------------------------------------------
Kind regards,
Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
"There is nothing which cannot be answered by means of my doctrine," said a monk, coming into a teahouse where Nasrudin sat. "And yet just a short time ago, I was challenged by a scholar with an unanswerable question," said Nasrudin. "I could have answered it if I had been there." "Very well. He asked, 'Why are you breaking into my house in the middle of the night?'"

From wk at gnupg.org Fri Sep 21 08:22:08 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 21 Sep 2007 08:22:08 +0200
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <46F330B5.7000907@tpg.com.au> (Graeme Nichols's message of "Fri, 21 Sep 2007 12:47:17 +1000")
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de> <46F330B5.7000907@tpg.com.au>
Message-ID: <87fy18a67j.fsf@wheatstone.g10code.de>

On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:

> [graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
> gpgsm: gpg-protect-tool: canceled by user

Your system is not correctly installed. The QT based pinentry might work even without knowing the tty, but I am not sure about this. The GTK and curses based pinentries definitely need to know the tty. Thus you should put this into your .bashrc or whatever sets up the environment for a session (gpg-agent does not need to know GPG_TTY):

GPG_TTY=`tty`
export GPG_TTY

> No. there are no files in the ~/.gnupg/private-keys-v1.d/ directory.

Obvious if the p12 file import failed and you didn't create a certificate request with gpgsm.

> Does not work as you can see above.
> Is the backup of my certificate from
> Mozilla in *.p12 format the same as getting it from CACert in *.p12 format?

Yes.

PKCS#12 is a weird format and it is possible that GnuPG will not be able to parse it. However, currently I have no open bugs on this so it should work. The error message would be different from the one you got.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Fri Sep 21 08:24:37 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 21 Sep 2007 08:24:37 +0200
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <46F35453.1030305@tpg.com.au> (Graeme Nichols's message of "Fri, 21 Sep 2007 15:19:15 +1000")
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de> <46F35453.1030305@tpg.com.au>
Message-ID: <87bqbwa63e.fsf@wheatstone.g10code.de>

On Fri, 21 Sep 2007 07:19, gnichols at tpg.com.au said:

> My system is F7.

I don't know what the F7 means.

> What is your advice? BTW. I can list my secret keys using gpg
> --list-secret-keys (or -K) but not gpgsm --list-secret-keys (or -K). Is
> it possible that only gpgsm is broken? (missing prerequisites)?

You don't have any secret X.509 (S/MIME) keys, so gpgsm can't show them.

I recently installed a new Debian Etch box with Kmail etc and it worked out of the box.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From brian at briansmith.org Fri Sep 21 08:48:02 2007
From: brian at briansmith.org (Brian Smith)
Date: Fri, 21 Sep 2007 13:48:02 +0700
Subject: Printing Keys and using OCR (was: Proofreadable base64)
In-Reply-To: <20070920225900.GN25351@asteria.noreply.org>
References: <464DE297.5020905@caseyljones.net> <4650E370.6000308@caseyljones.net> <465B04EB.7080904@psmay.com> <20070920225900.GN25351@asteria.noreply.org>
Message-ID: <000601c7fc1b$5c267810$0f00a8c0@Junk>

Peter Palfrader wrote:
> Nice idea.
> When trying to find decent backup methods for my
> new Tor identity key I came across this thread.
>
> I played all day with ocr and friends. In the course I wrote
> a small script that does what you suggest. I tried to keep
> it small enough to print it along with whatever data you have
> - I clearly failed there.
> But other than that it works nicely.
>
> That didn't work out so well at first
> - gocr had real trouble distinguishing zeroes and the
> letter D like Delta.

Why not use a 2D barcode like a QR code? A QR code will hold most typical keys, is easy for machines to read, is small, and has redundancy features that allow it to work even if you hole-punch or black out part of the code.

See http://www.denso-wave.com/qrcode/aboutqr-e.html

- Brian

From peter at palfrader.org Fri Sep 21 11:18:16 2007
From: peter at palfrader.org (Peter Palfrader)
Date: Fri, 21 Sep 2007 11:18:16 +0200
Subject: Printing Keys and using OCR (was: Proofreadable base64)
In-Reply-To: <000601c7fc1b$5c267810$0f00a8c0@Junk>
References: <465B04EB.7080904@psmay.com> <20070920225900.GN25351@asteria.noreply.org> <000601c7fc1b$5c267810$0f00a8c0@Junk>
Message-ID: <20070921091816.GR25351@asteria.noreply.org>

On Fri, 21 Sep 2007, Brian Smith wrote:

> Peter Palfrader wrote:
> > Nice idea. When trying to find decent backup methods for my
> > new Tor identity key I came across this thread.
> >
> > I played all day with ocr and friends. In the course I wrote
> > a small script that does what you suggest. I tried to keep
> > it small enough to print it along with whatever data you have
> > - I clearly failed there.
> > But other than that it works nicely.
> >
> > That didn't work out so well at first
> > - gocr had real trouble distinguishing zeroes and the
> > letter D like Delta.
>
> Why not use a 2D barcode like a QR code?
> A QR code will hold most
> typical keys, is easy for machines to read, is small, and has redundancy
> features that allow it to work even if you hole-punch or black out part
> of the code.

Because I like to have a fallback to entering the data manually. Who knows how easy it will be to get barcode software for a specific version of barcodes 10 years in the future. And will it even compile?

--
 |  .''`.  ** Debian GNU/Linux **      Peter Palfrader
 | : :' :      The  universal     http://www.palfrader.org/
 | `. `'      Operating System
 |   `-    http://www.debian.org/

From alex at bofh.net.pl Fri Sep 21 12:54:22 2007
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Fri, 21 Sep 2007 12:54:22 +0200
Subject: Printing Keys and using OCR (was: Proofreadable base64)
In-Reply-To: <000601c7fc1b$5c267810$0f00a8c0@Junk>
References: <465B04EB.7080904@psmay.com> <20070920225900.GN25351@asteria.noreply.org> <000601c7fc1b$5c267810$0f00a8c0@Junk>
Message-ID: <20070921105422.GA12236@hell.pl>

On Fri, Sep 21, 2007 at 01:48:02PM +0700, Brian Smith wrote:
> Peter Palfrader wrote:
> > Nice idea. When trying to find decent backup methods for my
> > new Tor identity key I came across this thread.
> >
> > I played all day with ocr and friends. In the course I wrote
> > a small script that does what you suggest. I tried to keep
> > it small enough to print it along with whatever data you have
> > - I clearly failed there.
> > But other than that it works nicely.
> >
> > That didn't work out so well at first
> > - gocr had real trouble distinguishing zeroes and the
> > letter D like Delta.
>
> Why not use a 2D barcode like a QR code? A QR code will hold most
> typical keys, is easy for machines to read, is small, and has redundancy
> features that allow it to work even if you hole-punch or black out part
> of the code.
>
> See http://www.denso-wave.com/qrcode/aboutqr-e.html

There is no Free Software to create or read QR code, and it is patented: Otherwise it is an excellent data format.
Alex
--
JID: alex at hell.pl
PGP: 0x46399138
Attention to detail is for doctors, lawyers, programmers and watchmakers. -- Czerski

From dshaw at jabberwocky.com Sat Sep 22 04:36:50 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 21 Sep 2007 22:36:50 -0400
Subject: Printing Keys and using OCR (was: Proofreadable base64)
In-Reply-To: <20070920225900.GN25351@asteria.noreply.org>
References: <464DE297.5020905@caseyljones.net> <4650E370.6000308@caseyljones.net> <465B04EB.7080904@psmay.com> <20070920225900.GN25351@asteria.noreply.org>
Message-ID: <20070922023650.GA24858@jabberwocky.com>

On Fri, Sep 21, 2007 at 12:59:00AM +0200, Peter Palfrader wrote:
> On Mon, 28 May 2007, Peter S. May wrote:
>
> > Not meaning to kick a dead thread
>
> This must be a zombie by now :)

Indeed. I'm very glad the thread woke up again, though, as it reminded me that I had written some code for this back in May, but unfortunately let it get buried under other work. I've tidied things a bit and packaged it at http://www.jabberwocky.com/software/paperkey/

It implements a secrets-only backup via paper (or bar code, or whatever you like), and then allows you to rebuild the original secret key when you like.

README file is attached.

David

-------------- next part --------------
Paperkey - an OpenPGP key archiver
----------------------------------

David Shaw

A reasonable way to achieve a long term backup of OpenPGP (GnuPG, PGP, etc) keys is to print them out on paper. The reasoning behind this is that paper and ink has amazingly long retention qualities - far longer than the magnetic or optical means that are generally used to back up computer data.

Paper? Seriously?
-----------------

The goal with paper is not secure storage. There are countless ways to store something securely. A paper backup also isn't a replacement for the usual machine readable (tape, CD-R, DVD-R, etc) backups, but rather as an if-all-else-fails method of restoring a key.
Most of the storage media in use today do not have particularly good long-term (measured in years to decades) retention of data. If and when the CD-R and/or tape cassette and/or USB key and/or hard drive the secret key is stored on becomes unusable, the paper copy can be used to restore the secret key.

What paperkey does
------------------

Due to metadata and redundancy, OpenPGP secret keys are significantly larger than just the "secret bits". In fact, the secret key contains a complete copy of the public key. Since the public key generally doesn't need to be escrowed (most people have many copies of it on various keyservers, web pages, etc), only extracting the secret parts can be a real advantage.

Paperkey extracts just those secret bytes and prints them. To reconstruct, you re-enter those bytes (whether by hand or via OCR) and paperkey can use them to transform your existing public key into a secret key.

For example, the regular DSA+Elgamal secret key I just tested comes out to 1281 bytes. The secret parts of that (plus some minor packet structure) come to only 149 bytes. It's a lot easier to re-enter 149 bytes correctly.

Aren't CD-Rs supposed to last a long time?
------------------------------------------

They're certainly advertised to (I've seen some pretty incredible claims of 100 years or more), but in practice it doesn't really work out that way. The manufacturing of the media, the burn quality, the burner quality, the storage, etc, all have a significant impact on how long an optical disc will last. Some tests show that you're lucky to get 10 years.

For paper, on the other hand, to claim it will last for 100 years is not even vaguely impressive. High-quality paper with good ink regularly lasts many hundreds of years even under less than optimal conditions.

Another bonus is that ink on paper is readable by humans. Not all backup methods will be readable 50 years later, so even if you have the backup, you can't easily buy a drive to read it.
I doubt this will happen anytime soon with CD-R as there are just so many of them out there, but the storage industry is littered with old now-dead ways of storing data.

Examples
--------

Take the secret key in key.gpg and generate a text file to-be-printed.txt that contains the secret data:

  $ paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt

Take the secret key data in my-key-text-file.txt and combine it with my-public-key.gpg to reconstruct my-secret-key.gpg:

  $ paperkey --pubring my-public-key.gpg --secrets my-key-text-file.txt --output my-secret-key.gpg

If --output is not specified, the output goes to stdout. If --secret-key is not specified, the data is read from stdin.

Some other useful options are:

  --output-type      can be "base16" or "raw". "base16" is human-readable, and "raw" is useful if you want to pass the output to another program like a bar code generator.

  --input-type       same as --output-type, but for the restore side of things. By default the input type is inferred automatically from the input data.

  --output-width     sets the width of base16 output

  --ignore-crc-error allows paperkey to continue when reconstructing even if it detects data corruption in the input.

  --verbose (or -v)  be chatty about what is happening. Repeat this multiple times for more verbosity.

Security
--------

Note that paperkey does not change the security requirements of storing a secret key. If your key has a passphrase on it (i.e. is encrypted), the paper copy is similarly encrypted. If your key has no passphrase, neither does the paper copy. Whatever the passphrase (or lack thereof) was on the original secret key will be the same on the reconstructed key.
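The "What paperkey does" and "Examples" sections above, as an added Python example that is not paperkey's code: it builds a DSA-shaped v4 secret-key packet from constructed values, splits off the secret tail (S2K usage octet, secret MPIs, checksum) behind a fingerprint, and splices it back onto the public-key packet, refusing a record that belongs to another key or whose checksum no longer adds up after re-entry. The "paper record" layout here (fingerprint + secret tail) is this example's own simplification and not paperkey's file format; `toy_int` produces constructed numbers with realistic field sizes, not a real key.

```python
"""What paperkey does, in miniature: a v4 OpenPGP secret-key packet is the
public-key fields followed by the secret fields (RFC 4880 5.5.1.3, 5.5.2,
5.5.3), so only that secret tail needs escrow; the public key, which everyone
has, supplies the rest. Added example, not paperkey's code; the "paper
record" layout (fingerprint + secret tail) is this example's own
simplification and not paperkey's file format."""
import hashlib
import struct

TAG_SECRET_KEY, TAG_PUBLIC_KEY = 5, 6
# (public MPIs, secret MPIs) per public-key algorithm: RSA, Elgamal, DSA.
MPI_COUNTS = {1: (2, 4), 16: (3, 1), 17: (4, 1)}


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-octet bit count, then big-endian octets."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def skip_mpi(buf: bytes, off: int) -> int:
    """Offset just past the MPI that starts at *off*."""
    return off + 2 + (struct.unpack_from(">H", buf, off)[0] + 7) // 8


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a 1- or 2-octet body length."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def parse_old_packet(pkt: bytes):
    """(tag, body) of an old-format packet with a 1- or 2-octet length."""
    ctb = pkt[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("not an old-format packet")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 0:
        return tag, pkt[2:2 + pkt[1]]
    if ltype == 1:
        return tag, pkt[3:3 + struct.unpack_from(">H", pkt, 1)[0]]
    raise ValueError("unsupported length type")


def fingerprint(pub_body: bytes) -> bytes:
    """v4 fingerprint: SHA-1 over 0x99, 2-octet length, public-key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub_body)) + pub_body).digest()


def build_secret_key(created: int, algo: int, pub: list, sec: list) -> bytes:
    """Unencrypted v4 secret-key packet: public fields, S2K usage 0, secret
    MPIs, then a 2-octet checksum (sum of the secret MPI octets mod 65536)."""
    pub_body = b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(map(mpi, pub))
    secret = b"".join(map(mpi, sec))
    return old_packet(TAG_SECRET_KEY,
                      pub_body + b"\x00" + secret + struct.pack(">H", sum(secret) & 0xFFFF))


def split_secret_key(pkt: bytes):
    """Return (public-key packet, paper record): the record is the key's
    fingerprint followed by everything from the S2K usage octet onward."""
    tag, body = parse_old_packet(pkt)
    if tag != TAG_SECRET_KEY or body[0] != 4:
        raise ValueError("expected a v4 secret-key packet")
    off = 6                                # version(1) + created(4) + algo(1)
    for _ in range(MPI_COUNTS[body[5]][0]):
        off = skip_mpi(body, off)
    pub_body, secret_tail = body[:off], body[off:]
    return old_packet(TAG_PUBLIC_KEY, pub_body), fingerprint(pub_body) + secret_tail


def rebuild_secret_key(pub_pkt: bytes, record: bytes) -> bytes:
    """Splice the paper record behind the public key it was taken from."""
    tag, pub_body = parse_old_packet(pub_pkt)
    if tag != TAG_PUBLIC_KEY:
        raise ValueError("expected a public-key packet")
    if record[:20] != fingerprint(pub_body):
        raise ValueError("secret data does not belong to this public key")
    tail = record[20:]
    if tail[0] == 0:                       # unencrypted: checksum is verifiable here
        if sum(tail[1:-2]) & 0xFFFF != struct.unpack(">H", tail[-2:])[0]:
            raise ValueError("secret MPI checksum mismatch (re-entry error?)")
    return old_packet(TAG_SECRET_KEY, pub_body + tail)


def toy_int(seed: bytes, bits: int) -> int:
    """Deterministic constructed integer of exactly *bits* bits. NOT a key value,
    just something with realistic DSA field sizes."""
    raw = b""
    while len(raw) * 8 < bits:
        raw += hashlib.sha512(seed + bytes([len(raw) % 256])).digest()
    return (int.from_bytes(raw, "big") >> (len(raw) * 8 - bits)) | (1 << (bits - 1))


def demo():
    """Sizes of a DSA-shaped secret-key packet versus its paper record."""
    pub = [toy_int(b"p", 1024), toy_int(b"q", 160), toy_int(b"g", 1024), toy_int(b"y", 1024)]
    sk = build_secret_key(1036713600, 17, pub, [toy_int(b"x", 160)])
    pub_pkt, record = split_secret_key(sk)
    assert rebuild_secret_key(pub_pkt, record) == sk
    return len(sk), len(record)


if __name__ == "__main__":
    print("secret-key packet: %d bytes, paper record: %d bytes" % demo())
```

A real exported key also carries user IDs and self-signatures, which is why the README's 1281-byte key shrinks to 149 bytes while this bare packet goes from 446 to 45.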
Universal Binaries on Apple OS X
--------------------------------

You can build a universal ("fat") library that will work on both PPC and Intel Macs with:

  ./configure CFLAGS="-arch ppc -arch i386" --disable-dependency-tracking

Note that if you are doing the build on a OS X 10.4 (Tiger) PPC machine you may need to add the following to those CFLAGS:

  "-isysroot /Developer/SDKs/MacOSX10.4u.sdk"

The additional isysroot is not necessary on Intel Tiger boxes, or any Leopard boxes.

RPM
---

Paperkey ships with a RPM spec file. You can build the RPM with the usual "rpmbuild -ta /path/to/the/paperkey/tarball.tar.gz".

$Id: README 314 2007-09-21 22:52:05Z dshaw $

From dougb at dougbarton.us Sat Sep 22 06:31:21 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 21 Sep 2007 21:31:21 -0700 (PDT)
Subject: OT Need pointers for generic smart card help
Message-ID:

Sorry for the OT post, but I've spent long hours trying to get this to work, and I'm no closer to my goal. I would appreciate it if someone could send me a pointer to some docs that can help me. I've googled myself blind and I've found a lot of stuff that talks about configuring pcsc for serial devices, but ...

I've got built in USB smart card readers on my two dell laptops. One says it's a "TI Ultramedia Gemcore Based SC Interface," and the other says it's a "O2 Micro 0Z776 USB CCID Smart Card Reader." I've also got some smart cards that I'd like to read (or even better, write to) but I can't figure out how to get pcsc to recognize either of my usb readers, so I can't even get out of the gate.

The other thing I was hoping to get suggestions on is a "generic" smart card program that can tell me what's on the card, and allow me to write to certain locations. Failing that, references to "how to read and write to smart cards for dummies" would be very helpful.

Finally, something relatively on topic, is there any way to take a random smart card and turn it into an openpgp card?
I am sure the answer is probably no, but I thought I'd ask anyway.

I speak FreeBSD fluently, I have an Ubuntu box that I can use if that's the best answer, and I'd even take a windows solution at this point.

TIA for any help y'all can provide.

Doug

--
If you're never wrong, you're not trying hard enough

From gnichols at tpg.com.au Sun Sep 23 04:20:21 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Sun, 23 Sep 2007 12:20:21 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87fy18a67j.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de> <46F330B5.7000907@tpg.com.au> <87fy18a67j.fsf@wheatstone.g10code.de>
Message-ID: <46F5CD65.4010607@tpg.com.au>

Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
> Obvious if the p12 file import failed and you didn't create a
> certificate request with gpgsm.

I ran gpgsm-gencert.sh script and selected 2. Existing key thinking that I could use my existing x509 cert. I was then asked for Keygrip. I entered that and then asked for Name (DN) and this is where my ignorance really shows. What is the DN? Is it a Domain Name? The script failed with the wrong info for DN (I tried my email address and name)

Now this is the strange and confusing part, gnichols at tpg.com.au.crt *did* install OK. It is also listed in Kleopatra's key listing. See following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm: unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Certificate imported OK.
[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it. However, currently I have no open bugs on this so it
> should work. The error message would be different from the one you
> got.

[graeme at barney ~]$ GPG_TTY="tty"
[graeme at barney ~]$ export GPG_TTY
[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

I have followed the instructions in the http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still get errors. e.g., the command

echo "test" | gpg -ase -r 0xDD3AAA7D | gpg

which should open a graphical password dialog two times. First for signing (gpg -ase) and then for decryption (| gpg) gives the following error;

[graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored

You need a passphrase to unlock the secret key for
user: "Graeme Nichols (Graeme) "
1024-bit DSA key, ID DD3AAA7D, created 2002-11-08

gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
[graeme at barney .gnupg]$

The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all.

Also, what config files should I have in ~/.gnupg? There is a whole heap of config files most of which I think are not necessary. Left over from earlier versions of gpg.

I am beginning to think that I should remove gpg and kdepim and re-install to ensure that all dependencies are met.
If I do this what gpg packages do I need to re-install for X509 support?

Another problem that I just thought of that could be causing problems is that my earlier versions of gpg were built from a tarball. The Fedora 7 gpg files have been installed from an rpm binary package. Maybe there are old gpg files lying about causing problems. If that could be the case where should I look for old gpg files?

Thanks again for your patience.

--
----------------------------------------------------------------------
Kind regards,
Graeme.

From adam at avertech.net Sun Sep 23 18:52:56 2007
From: adam at avertech.net (Adam Richards)
Date: Sun, 23 Sep 2007 09:52:56 -0700
Subject: pinentry-curses and gpg-agent ipc write error
In-Reply-To: <20070830153027.GK12275@avertech.net>
References: <20070827232424.GA12275@avertech.net> <87bqcsksyk.fsf@wheatstone.g10code.de> <20070828171829.GA20869@avertech.net> <20070830153027.GK12275@avertech.net>
Message-ID: <20070923165256.GB86500@avertech.net>

On Thu, Aug 30, 2007 at 08:30:27AM -0700, Adam Richards wrote:
> > > If this works. the problem is due to gpg. To debug this, I
> > > suggest to use ktrace to trace the system calls done by gpg.
> >
> > Alright, will do. I'll send relevant results of kdump of
> > ktrace.out soon.
>
> Didn't get very exciting output of ktrace:
>
> --------------------------------------------------------------
> ~> ktrace -dit+ /usr/local/bin/gpg -d mail.gpg
> [...]
> ~> kdump -f ktrace.out
> 70994 ktrace RET ktrace 0
> 70994 ktrace CALL execve(0xbfbfe7a9,0xbfbfe678,0xbfbfe688)
> 70994 ktrace NAMI "/usr/local/bin/gpg"
> 70994 ktrace NAMI "/libexec/ld-elf.so.1"
> --------------------------------------------------------------
>
> A ktrace of the same cmdline, but with pinentry->pinentry-gtk,
> renders the exact same output (except pid of course) -- and
> pinentry-gtk works where pinentry->pinentry-curses does not.
>
> Any suggestions for deeper inspection?

I was wondering if anyone had any further ideas? :)

Thanks!
-Adam

From gnichols at tpg.com.au Sat Sep 22 07:32:05 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Sat, 22 Sep 2007 15:32:05 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87fy18a67j.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de> <46F330B5.7000907@tpg.com.au> <87fy18a67j.fsf@wheatstone.g10code.de>
Message-ID: <46F4A8D5.3070209@tpg.com.au>

Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
>
>> [graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
>> gpgsm: gpgsm: GPG_TTY has not been set - using maybe bogus default
>> gpgsm: gpg-protect-tool: canceled by user
>
> Your system is not correctly installed. The QT based pinentry might work
> even without knowing the tty, but I am not sure about this. The GTK and
> curses based pinentries definitely need to know the tty. Thus you
> should put this into your .bashrc or whatever sets up the environment
> for a session (gpg-agent does not need to know GPG_TTY):
>
> GPG_TTY=`tty`
> export GPG_TTY
>
>
>> No. there are no files in the ~/.gnupg/private-keys-v1.d/ directory.
>
> Obvious if the p12 file import failed and you didn't create a
> certificate request with gpgsm.

I ran gpgsm-gencert.sh script and selected 2. Existing key thinking that I could use my existing x509 cert. I was then asked for Keygrip. I entered that and then asked for Name (DN) and this is where my ignorance really shows. What is the DN? Is it a Domain Name? The script failed with the wrong info for DN (I tried my email address and name)

Now this is the strange and confusing part, gnichols at tpg.com.au.crt *did* install OK. It is also listed in Kleopatra's key listing.
See following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm: unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Certificate imported OK.

[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

Kleopatra's key listing is in the attachment.

>
>> Does not work as you can see above. Is the backup of my certificate from
>> Mozilla in *.p12 format the same as getting it from CACert in *.p12 format?
>
> Yes.
>
> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it. However, currently I have no open bugs on this so it
> should work. The error message would be different from the one you
> got.

[graeme at barney ~]$ GPG_TTY="tty"
[graeme at barney ~]$ export GPG_TTY
[graeme at barney ~]$ gpgsm --import My_Certificate120308.p12
gpgsm: gpg-protect-tool: canceled by user
gpgsm: gpg-protect-tool: cancelled
gpgsm: total number processed: 0
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

I have followed the instructions in the http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still get errors. e.g., the command

echo "test" | gpg -ase -r 0xDD3AAA7D | gpg

which should open a graphical password dialog two times.
First for signing (gpg -ase) and then for decryption (| gpg) gives the following error;

[graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored
gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored

You need a passphrase to unlock the secret key for
user: "Graeme Nichols (Graeme) "
1024-bit DSA key, ID DD3AAA7D, created 2002-11-08

gpg: cancelled by user
gpg: no default secret key: bad passphrase
gpg: [stdin]: sign+encrypt failed: bad passphrase
gpg: processing message failed: eof
[graeme at barney .gnupg]$

The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all.

Also, what config files should I have in ~/.gnupg? There is a whole heap of config files most of which I think are not necessary. Left over from earlier versions of gpg.

I am beginning to think that I should remove gpg and kdepim and re-install to ensure that all dependencies are met. If I do this what gpg packages do I need to re-install for X509 support?

Another problem that I just thought of that could be causing problems is that my earlier versions of gpg were built from a tarball. The Fedora 7 gpg files have been installed from an rpm binary package. Maybe there are old gpg files lying about causing problems. If that could be the case where should I look for old gpg files?

Thanks again for your patience.

--
----------------------------------------------------------------------
Kind regards,
Graeme.
----------------------------------------------------------------------
Download my GnuPG public key from:-
http://www.users.tpg.com.au/gnichols/graemenichols.pub
----------------------------------------------------------------------
One monk said to the other, "The fish has flopped out of the net! How will it live?" The other said, "When you have got out of the net, I'll tell you."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Kleopatra-keylisting1.png.gz
Type: application/x-gzip
Size: 40063 bytes
Desc: not available
Url : /pipermail/attachments/20070922/bff07661/attachment-0001.bin

From gnichols at tpg.com.au Sun Sep 23 04:10:26 2007
From: gnichols at tpg.com.au (Graeme Nichols)
Date: Sun, 23 Sep 2007 12:10:26 +1000
Subject: gpgsm and Kmail and X509 certificates
In-Reply-To: <87fy18a67j.fsf@wheatstone.g10code.de>
References: <46F0BA1A.2020705@tpg.com.au> <87y7f2hq2r.fsf@wheatstone.g10code.de> <46F1C3A0.3070104@tpg.com.au> <87y7f1etks.fsf@wheatstone.g10code.de> <46F330B5.7000907@tpg.com.au> <87fy18a67j.fsf@wheatstone.g10code.de>
Message-ID: <46F5CB12.9060909@tpg.com.au>

Werner Koch wrote:
> On Fri, 21 Sep 2007 04:47, gnichols at tpg.com.au said:
> Obvious if the p12 file import failed and you didn't create a
> certificate request with gpgsm.

I ran gpgsm-gencert.sh script and selected 2. Existing key thinking that I could use my existing x509 cert. I was then asked for Keygrip. I entered that and then asked for Name (DN) and this is where my ignorance really shows. What is the DN? Is it a Domain Name? The script failed with the wrong info for DN (I tried my email address and name)

Now this is the strange and confusing part, gnichols at tpg.com.au.crt *did* install OK. It is also listed in Kleopatra's key listing. See following:

[graeme at barney ~]$ gpgsm --import gnichols at tpg.com.au.crt
gpgsm: certificate is good
gpgsm: total number processed: 1
gpgsm: unchanged: 1
secmem usage: 0/16384 bytes in 0 blocks

Certificate imported OK.

[graeme at barney ~]$ gpgsm --list-secret-keys
/home/graeme/.gnupg/pubring.kbx
-------------------------------
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
[graeme at barney ~]$

No certificate listed :-(

Kleopatra's key listing is in the attachment.

> PKCS#12 is a weird format and it is possible that GnuPG will not be able
> to parse it. However, currently I have no open bugs on this so it
> should work.
The error message would be different from what the one you > got. [graeme at barney ~]$ GPG_TTY="tty" [graeme at barney ~]$ export GPG_TTY [graeme at barney ~]$ gpgsm --import My_Certificate120308.p12 gpgsm: gpg-protect-tool: canceled by user gpgsm: gpg-protect-tool: cancelled gpgsm: total number processed: 0 secmem usage: 0/16384 bytes in 0 blocks [graeme at barney ~]$ I have followed the instructions in the http://kontact.kde.org/kmail/kmail-pgpmime-howto.php HowTo and I still get errors. e.g., the command echo "test" | gpg -ase -r 0xDD3AAA7D | gpg which should open a graphical password dialog two times. First for signing (gpg -ase) and then for decryption (| gpg) gives the following error; [graeme at barney .gnupg]$ echo "test" | gpg -ase -r 0xDD3AAA7D | gpg gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored gpg: NOTE: old default options file `/home/graeme/.gnupg/options' ignored You need a passphrase to unlock the secret key for user: "Graeme Nichols (Graeme) " 1024-bit DSA key, ID DD3AAA7D, created 2002-11-08 gpg: cancelled by user gpg: no default secret key: bad passphrase gpg: [stdin]: sign+encrypt failed: bad passphrase gpg: processing message failed: eof [graeme at barney .gnupg]$ The pinentry file is /usr/bin/pinentry. This doesn't seem to work at all. Also, what config files should I have in ~/.gnupg? There is a whole heap of config files most of which I think are not necessary. Left over from earlier versions of gpg. I am beginning to think that I should remove gpg and kdepim and re-install to ensure that all dependencies are met. If I do this what gpg packages do I need to re-install for X509 support? Another problem that I just thought of that could be causing problems is that my earlier versions fo gpg were built from a tarball. The Fedora 7 gpg files have been installed from an rpm binary package. Maybe there are old gpg files lying about causing problems. If that could be the case where should I look for old gpg files? 
Thanks again for your patience. -- ---------------------------------------------------------------------- Kind regards, Graeme. -------------- next part -------------- A non-text attachment was scrubbed... Name: Kleopatra-keylisting1.png.gz Type: application/x-gzip Size: 40063 bytes Desc: not available Url : /pipermail/attachments/20070923/405762ca/attachment-0001.bin From whyregister at spambog.com Mon Sep 24 15:52:38 2007 From: whyregister at spambog.com (ph.gpg) Date: Mon, 24 Sep 2007 06:52:38 -0700 (PDT) Subject: Outlook/gpgol: encrypted mails in Sent folder Message-ID: <12860386.post@talk.nabble.com> Since saving un-crypted mails in my Inbox is easily done, why can't I automatically save my encrypted sent mails? I'm aware of different safety issues, that say keeping encrypted mails is more secure. But on the one hand it is not consistent handling Inbox and SentMails differently. And on the other hand it makes it more difficult to search through my mailbox for various mails. At least this is my mailapplication on my computer - therefore physically access to it is the only matter that I should care about. Or? Bye, ph.gpg! PS: I know that it's is possible to encrypt every mail with my own public key as well. But by default, the mails are encrypted. -- View this message in context: http://www.nabble.com/Outlook-gpgol%3A-encrypted-mails-in-Sent-folder-tf4509339.html#a12860386 Sent from the GnuPG - User mailing list archive at Nabble.com. From noiano at x-privat.org Wed Sep 26 11:02:39 2007 From: noiano at x-privat.org (Noiano) Date: Wed, 26 Sep 2007 11:02:39 +0200 Subject: [Half-OT] Materials for a GnuPg Talk Message-ID: Hello everybody and sorry for this half-ot message. For the linuxday I want to prepare a talk about gnupg. 
I am thinking of starting by talking about privacy in general (communications
in clear and its problems), then talking a little bit about cryptography
(Caesar cipher, symmetric, asymmetric cryptography) and then starting to talk
about gnupg from the user's point of view.

Since I have never given a talk before, I am collecting materials to prepare a
decent presentation using Impress. So I need images, animations and also
documents, because I need to study :-).

Any help will be very much appreciated.

Noiano

From mark.wunderlich at gmail.com Fri Sep 28 16:29:31 2007
From: mark.wunderlich at gmail.com (Mark E. Wunderlich)
Date: Fri, 28 Sep 2007 10:29:31 -0400
Subject: feature request
Message-ID: <46FD0FCB.9040700@gmail.com>

I would like gpg to be able, when using symmetric ciphers, to produce
`anonymous' output -- that is, output such that one cannot be sure that gpg
produced it, or that a given passphrase does not successfully decode it.
(That is, if you enter the wrong passphrase, you get garbage instead of an
error message.)

I would like to be able to do this so that, for example, I could run gpg
repeatedly, and someone who was decoding the data would not know whether he
was on the right track. I also might want to combine gpg with another
approach, e.g., XOR-ing the target file against another file. Again, the
idea would be that `anonymizing' gpg's output would make it more difficult
for someone to untangle such combined approaches; the general idea is that
the ability to produce `anonymous' output would make gpg a more flexible
part of a larger toolkit.
I am very new to gpg, and I have no idea what would be involved in adding
such a feature -- but I was hoping for a command-line switch for `anonymous'
mode (and I take it that when deciphering in `anonymous' mode, one would
have to specify the desired algorithm).

Would this be difficult?

--Mark W.

From rjh at sixdemonbag.org Fri Sep 28 19:26:53 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 28 Sep 2007 12:26:53 -0500
Subject: feature request
In-Reply-To: <46FD0FCB.9040700@gmail.com>
References: <46FD0FCB.9040700@gmail.com>
Message-ID: <46FD395D.4000009@sixdemonbag.org>

I am not a GnuPG developer; they may disagree with me or outright say "hey,
sure, we'll support it". That said, I think that what I'm saying here is in
rough accordance with their vision of the GnuPG project. If I am wrong, I'm
sure they'll correct me. :)

Mark E. Wunderlich wrote:
> I would like gpg to be able, when using symmetric ciphers, to produce
> `anonymous' output -- that is, output such that one cannot be sure
> that gpg produced it, or that a given passphrase does not
> successfully decode it.

This means going beyond the OpenPGP spec. OpenPGP has a very specific format
for symmetrically encrypted documents. If you want something that is not
OpenPGP-conformant, you probably need to go elsewhere.

> I would like to be able to do this so that, for example, I could run
> gpg repeatedly, and someone who was decoding the data would not know
> whether he was on the right track.

Unless you're encrypting large blocks of random noise, I don't see how this
is possible. Even if GnuPG itself doesn't tell me "nope, that key didn't
decrypt the message successfully," I could figure it out myself from how the
output is statistically indistinguishable from random noise. See, e.g.:

http://www.schneier.com/crypto-gram-9812.html#plaintext

> I also might want to combine gpg with another approach, e.g., XOR-ing
> the target file against another file.
Unless you have a graduate degree in mathematics and a background in breaking
ciphers, this is probably a spectacularly bad idea. Cipher design is a
fabulously black art; even the acknowledged geniuses of the field screw it up
more often than not. Anyone can make a cipher they themselves cannot break.
It requires a great deal of study and trial and error and just blind luck to
make a cipher that nobody can break.

> Again, the idea would be that `anonymizing' gpg's output would make
> it more difficult for someone to untangle such combined approaches

Yes, because double ROT-13 is more difficult to read than single ROT-13.

There is a very large corpus of knowledge about cipher composition; which
ways tend to increase the strength of a system, and which only diminish it.
It is far, far, far easier to diminish the strength of a system. The
likelihood of an ad-hoc method improving overall security is vanishingly
small. Almost zero.

> the general idea is that the ability to produce `anonymous' output
> would make gpg a more flexible part of a larger toolkit.

GnuPG is not 'part of a larger toolkit'. GnuPG and its associated libraries
provide an implementation of RFC2440, and is slowly growing to cover a
couple of other RFCs (S/MIME, etc.). That's all, nothing else.

From jmoore3rd at bellsouth.net Fri Sep 28 22:03:08 2007
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Fri, 28 Sep 2007 16:03:08 -0400
Subject: feature request
In-Reply-To: <46FD395D.4000009@sixdemonbag.org>
References: <46FD0FCB.9040700@gmail.com> <46FD395D.4000009@sixdemonbag.org>
Message-ID: <46FD5DFC.2010000@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert J. Hansen wrote:
> I am not a GnuPG developer; they may disagree with me or outright say
> "hey, sure, we'll support it". That said, I think that what I'm saying
> here is in rough accordance with their vision of the GnuPG project. If
> I am wrong, I'm sure they'll correct me.
:)

While I also cannot speak for Werner I anticipate His response being:
Contact g10 and We'll discuss the cost of developing an Application to fit
Your needs. While Werner invests a large part of His 'Heart & Soul' into the
'Free' GnuPG; He also has a successful 'Day Job' that pays the bills. :-D

JOHN ;)
Timestamp: Friday 28 Sep 2007, 16:02 --400 (Eastern Daylight Time)

From dshaw at jabberwocky.com Fri Sep 28 23:12:23 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 28 Sep 2007 17:12:23 -0400
Subject: feature request
In-Reply-To: <46FD0FCB.9040700@gmail.com>
References: <46FD0FCB.9040700@gmail.com>
Message-ID: <20070928211223.GA25230@jabberwocky.com>

On Fri, Sep 28, 2007 at 10:29:31AM -0400, Mark E. Wunderlich wrote:
> I would like gpg to be able, when using symmetric ciphers, to produce
> `anonymous' output -- that is, output such that one cannot be sure that
> gpg produced it, or that a given passphrase does not successfully decode
> it. (That is, if you enter the wrong passphrase, you get garbage
> instead of an error message.)
>
> I would like to be able to do this so that, for example, I could run gpg
> repeatedly, and someone who was decoding the data would not know whether
> he was on the right track.
> I also might want to combine gpg with
> another approach, e.g., XOR-ing the target file against another file.
> Again, the idea would be that `anonymizing' gpg's output would make it
> more difficult for someone to untangle such combined approaches; the
> general idea is that the ability to produce `anonymous' output would
> make gpg a more flexible part of a larger toolkit.

This is a bad, or at least unnecessary feature. If GPG is strong, there is no
benefit in playing games with the file format to make it look like something
else. If GPG is not strong, you shouldn't be using it in the first place.

David
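Hansen's and Shaw's replies above make the same point: a mode that returns garbage on a wrong passphrase hides nothing, because real plaintext is statistically far from random bytes, so the check GnuPG would be withholding is trivial to rebuild from the output alone. The script below is an added illustration of that argument, not code from this thread or from GnuPG; its two samples are constructed in the script, and the 400 threshold on the chi-square statistic is my own choice.

```python
import hashlib
import math
from collections import Counter


def constructed_random_bytes(n, seed=b"constructed-seed"):
    """Deterministic pseudo-random stream (SHA-256 in counter mode), standing in
    for the 'garbage' a wrong passphrase would yield under the proposed mode."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def chi_square_vs_uniform(data):
    """Chi-square statistic of the byte histogram against the uniform
    distribution; for uniform random bytes it sits near 255 (its degrees
    of freedom), for text or any structured data it is far larger."""
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts[b] - expected) ** 2 / expected for b in range(256))


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte distribution, 8.0 for perfectly uniform data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_plaintext(candidate, chi_threshold=400.0):
    """True when the candidate's byte statistics are far from uniform, i.e. it
    is structured data rather than noise. The threshold is an assumption: for
    uniform bytes the statistic is about 255 +/- 23, so 400 is many standard
    deviations out, and the test needs no knowledge of any file format."""
    return chi_square_vs_uniform(candidate) > chi_threshold


# Constructed samples: 4096 bytes of English text and 4096 pseudo-random bytes.
SAMPLE_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
SAMPLE_NOISE = constructed_random_bytes(4096)

if __name__ == "__main__":
    for name, data in (("text", SAMPLE_TEXT), ("noise", SAMPLE_NOISE)):
        print(f"{name:5s} chi2={chi_square_vs_uniform(data):8.1f} "
              f"entropy={entropy_bits_per_byte(data):.2f} bits/byte "
              f"structured={looks_like_plaintext(data)}")
```

The text sample is flagged as structured and the noise sample is not, which is exactly the distinction the requested feature was meant to hide.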