Henry Hertz Hobbit
hhhobbit at securemecca.net
Fri May 3 22:43:34 CEST 2013
First, a restriction on who can access folder restricted to
just a group on 'nix should probably be:
drwxrwx--- (chmod 770 dir - all group members can write)
drwxr-x--- (chmod 750 dir - only owner can write)
On OpenVMS you can and the military does just turn off the
world permiesions leaving only SOG (System, Owner, Groupm
originally it was SOGW). But OpenVMS has theirs done via a
DACL. Windows has DACLs but really not for files / folders
in the same way that OpenVMS / Unix / Linux do it. Unix / Linux
file permission flags for the files is hard-wired (done deep
within the bowels of the OS).
Symmetric ciphers via GnuPG:
You can use either a symmetric or public key cipher with
GnuPG, but you really sort of need keys to even do symmetric
ciphers via GnuPG or PGP from Symantec. This script is what
I use if I want to make a file encrypted with a ymmetric
cipher via GnuPG:
(folder - I used decrypt for decrypting encrypted files)
Pros: Can't think of any other than it saves all that typing.
It MAY help you understand it. Maybe it will confuse you.
Cons: Anybody who knows the password can decrypt it.
Some times that is a positive. For top security it
is a negative if the public key used to encipher a
file is not yours (belongs to somebody else and
you don't have the private keys).
Symmetric cipher with AES-128 using 7-Zip:
You don't need keys. Just supply the password and let the other
people know what the password is. on Unix / Linux you just use:
this for a file:
$ 7za a -p filename.7z filename
and this for a directory (folder)
$ 7za a -[ dirname.7z ./dirname
Pros: provides symmetric encryption without keys!
Blissfully dumps the UID:GID so it comes out right
when root unzips it (owned by root in group root)
no matter who it belonged to on the other system..
for 'nix. That is why I like it. Would love to
have ClamAV source code in 7z format.
It is great for sending lists of bad URLs / hosts
to others since email scanner doesn't know what to
do with it.
Cons: Same as for GPG symmetric but no choice of CIPHER
(uses AES-128) which may be unsatisfactory for some
uses. Must build it yourself for 'nix. Do NOT use
7-zip for backups of system stuff or you wull have
a chicken versus egg problem, encrypted or not.
(APOLOGIES TO GNUPG ADVOCATES)
Public / Private key implementation:
In reality there is a symmetric cipher hidden down in there.
GnuPG pseudo-randomly (hopefully closer to randomly than to
pseudo) creates a password for the symmetrically enciphered
file and encrypts the password for the symmetric cipher using
the other person's (people's) public key(s) with the ElGamal
or similar public-key cipher. Each recipient gets their own
copy (in the past the whole thing with Thunderbird plus
Enitmail). But you do NOT encrypt the whole file with the
public key. You use the public key to encipher only
the password used to create the symmetric cipher.
The way public / private key is normally used:
On Windows, GPG4WIN supplies an Outlook look-alike called Claws
Mail that just looks at the recipients when you select encrypt
and magically encrypts a message that the entire list of users
can decrypt as long as you have the public key for each of the
recipients on your key-ring. The enigmail plugin for the mail
client program called Thunderbird does much the same thing.
SEE! Public key encryption doesn't have to be all that
Pros: When encrypted for JoeGoodGuy in Denver with the
encryption being done in Syria (war-torn) nobody but
JoeGoodGuy can decipher it. Be sure to wipe the
original unenciphered file(s). Wikileaks Julian
Assange knew this and encrypted all of those files
with a symmetriic cipher anyway so everybody could
decrypt the zip of all those files some time in the
future no matter how long the password was. But
if the journalist had their own public / private key
pair it could have been encrypted with the journalist's
public key and then only the journalist could have
decrypted it. Pubic key encryption is used successfully
for this purpose by civil rights activists world-wide.
Cons: Initial confusion on how it works. Don't feel bad
because even PhD engineers may need some time to
finally understand how it works (which is why I
recommended that book).
Don't be afraid of using OpenPGP public key encryption. It
really is superior when you have two people that semi-trust
each other. "Spies take time to warm up to each other" said
one of the people that broke the Enigma cipher machine.
"Even if they are British and American spies they are
hesitant to share secrets."
If I encrypt a message to you using your public key, even I
cannpt decipher it any more. Somehow that makes me feel
SAFER. Don't give up on it - you can do it. GnuPG public
key encryption is even used to make backups shipped over
public networks because nobody but the person (hopefully
not PEOPLE but maybe for companies) who has the private key
and knows the pass-phrase can decipher it. public key
encryption is superior for people in more than one geographic
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 553 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users