Fwd: [Full-disclosure] Introducing TGP...

[M.B.Jr.]

Hello,
there's this guy, named Timothy Mullen who recently released this TGP
(Thor’s Godly Privacy) encryption utility for the cloud.

Timothy wrote (note that his complete text goes forwarded below):

"... I designed TGP with “encryption for the cloud” in mind.  That
means that not only does TGP do everything your normal PGP-type
applications do, but it does things a bit differently – differently in
a way that can change the way you work with your encrypted data.  At
the simplest level, this is done by encrypting data into byte arrays,
and then converting those byte arrays into Base64 encoded text wrapped
inside XML tags.  In this way, not only do you get your typical
file-based encrypted representation of your data, but you also get
data that you can copy and paste directly into any email, mailing
list, blog-page, or social networking site..."

Have anyone tested it so far? How different can this XML wrapped byte
array encryption be? Is this cloud oriented difference only about its
XML capabilities?

He continues:

"... What I think is interesting about this is that if we choose to,
we no longer have to be the custodians of our encrypted data – we
don’t have to worry about actually housing the files: we can just post
them to the internet and let someone else assume the burden of storing
the files for us... I can do the same with my keys..."

Is this crazy stuff?

Maybe I'm the one who's getting crazy (and old) for not accepting this
so called "cloud" trendy paradigm driven by "megacorporations" but
that seems weird to me even if I think of combining this guy's
proposal with, say, that Diceware methodology.

Comments are really welcome.


Thank you, regards,





---------- Forwarded message ----------
From: Thor (Hammer of God) <Thor at hammerofgod.com>
Date: Sun, Jun 13, 2010 at 6:44 PM
Subject: [Full-disclosure] Introducing TGP...
To: "full-disclosure at lists.grok.org.uk" <full-disclosure at lists.grok.org.uk>


This is what I’ve been talking about... Here is the first part of the
docs I wrote up - make sure you see that I'm not yet supporting huge
files unless you have huge RAM.  **.Net 4.0 Client profile is required
to run this.**



Right now the install bits are only available on the pilot site at:
http://www.owa.hammerofgod.com in the downloads section.   I have to
wait on Raging Haggis to return from Canada before posting on
www.hammerofgod.com .



Here's a bit from the TGP Overview document included with the install
and on the web site.  Please read through it before asking silly
questions. :)



Also, feel free to hack it up as much as you would like.  I know this
is full disclosure, so feel free to zing them at me, or if you prefer,
I can work with you on any issues you might have.



Remember, this is totally free, so my ability to handle custom
requests will be limited.  For those looking to break it, I would look
at fuzzing the XML documents and the "drag and drop public XML"
parsing feature.



If you have questions or challenges about any of the security, I would
ask to keep it on the list so that everyone can get the full benefit
of productive security development.   The read-me should pretty much
lay everything out for you.  If not, we'll take it up from there.



t





TGP – “Thor’s Godly Privacy”

06/13/10 v1.1.06



TGP is a small yet very powerful encryption utility.  With all eyes on
“the cloud,” I decided to write an encryption application better
suited to an environment where portability and security were, at the
least, challenging.   In cloud computing, not only is the use of file
structures becoming more abstract, but the very concept of a “file
server” is becoming more and more ubiquitous.



As such, I designed TGP with “encryption for the cloud” in mind.  That
means that not only does TGP do everything your normal PGP-type
applications do, but it does things a bit differently – differently in
a way that can change the way you work with your encrypted data.  At
the simplest level, this is done by encrypting data into byte arrays,
and then converting those byte arrays into Base64 encoded text wrapped
inside XML tags.  In this way, not only do you get your typical
file-based encrypted representation of your data, but you also get
data that you can copy and paste directly into any email, mailing
list, blog-page, or social networking site.



What I think is interesting about this is that if we choose to, we no
longer have to be the custodians of our encrypted data – we don’t have
to worry about actually housing the files: we can just post them to
the internet and let someone else assume the burden of storing the
files for us.



If I want to share encrypted files with someone or secure my own
files, all I have to do is TGP encrypt the data I want, and post it to
a mailing list somewhere.  In the case of a list like Bugtraq or Full
Disclosure, the data is actually automatically replicated out to any
number of archive sites, thus distributing my data for me.  I can
literally be anywhere in the world and just do a quick search for my
post to retrieve my data.  And since the TGP public key files are also
text representations of encrypted key data, I can do the same with my
keys.



Normally, you want to keep your private keys as safe as possible.
This is still the case with TGP.  However, it is trivial to build as
many private keys as you wish to use for anything you want to use them
for.  TGP Private Key files are password protected and individually
salted, so with a strong passphrase you have very reasonable assurance
that no one is going to get to your key any time soon.  So, you can
create a private key with a strong password, post that, and then, say,
encrypt a scan of your passport and post that.  Then if you are ever
in a pinch while travelling or something like that, you can simply use
Google or Bing to access your data wherever you are.



Of course, that’s just an example, but I think it illustrates the
power of encrypted file structures like this.  You can literally use
Facebook to post encrypted documents that you don’t have to maintain.



That’s really the main different between TGP and an application like
PGP.  That and of course, TGP is free, and personally, I think PGP is
tardware.  It’s bloated, it’s far too expensive, it’s hard to use, and
if you don’t watch your licensing, you can get screwed hard like I did
when I didn’t want to buy the extended support and one day my
encrypted drives stopped working until I paid them.  That doesn’t fly.
 TGP also doesn’t require that you are an admin to install.  However,
the .NET installer for the 4.0 client profile does – that’s not my
doing.  Regardless, here are the file structures TGP uses:



Things that still suck about TGP

Currently TGP uses a memory stream for the destination of the AES
cryptostream.  This sucks because it makes the maximum file one can
encrypt based on available memory.  It’s not a huge deal, but it does
keep you from encrypting a gigabyte file.  I’ll be changing that soon.



Timothy “Thor” Mullen

Hammer of God

thor at hammerofgod.com

www.hammerofgod.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Marcio Barbado, Jr.