Re: "--for-your-eyes-only"
On Mon, 27 Jun 2005 23:18:26 -0400, David Shaw said:

> However, GnuPG can call other programs to do other tasks (keyserver
> access programs, JPEG viewers for photo IDs), so it's not impossible
> that GnuPG could call an external secure viewer program. I don't know
> of one offhand though.

Nor do I know. We planned to add such a viewer to the GPA utility and the CVS has carried Markus Kuhn's fonts for a long time - however nobody has yet found time to write a GTK+ widget to make use of this font. If there is someone with GTK+ experience and some spare time I would really appreciate seeing such a feature.

Shalom-Salam,

Werner

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: pinpad cardreader; imported smart-card keys
On Mon, 27 Jun 2005 16:30:15 -0500, Alex Mauer said:

> I purchased an SCM SPR332 card reader, based on the Smartcard Howto's
> statement (about the SPR532) "The pinpad may be used to securely enter
> the PIN". I have found that I cannot use the pinpad, at least not with

As of now the "may be" means with software supporting it but not with GnuPG :-(.

The longer answer is that I have worked on it and added code to the CCID driver to check this out. It works fine but there is one part missing: we need to have a mechanism to tell the upper layers that a pinpad reader is available and that the pinentry shall not be used for entering the PIN but to display a note saying: Please enter the PIN on the reader keypad.

Given the demand for support for the keypad, I will start to work on it soon.

> From what I can google, I should be able to (re)generate the stub keys
> by using 'gpg --card-status'. But, this seems not to work.

I need to see what happens; will get back to you later.

Salam-Shalom,

Werner
Re: "--for-your-eyes-only"
David Shaw wrote the following on 6/27/05 11:18 PM:

[...]

> If I understand your question, no, there is no secure viewer built
> into GnuPG. There are many reasons, but two good ones are that GnuPG
> is a command line application, and you can't really make a secure
> viewer on the command line, and by its nature a secure viewer would
> not be nearly portable enough.

I may not understand what you mean by "portable". I suppose that a secure viewer (software program) could not be nearly ported to GnuPG?

> However, GnuPG can call other programs to do other tasks (keyserver
> access programs, JPEG viewers for photo IDs), so it's not impossible
> that GnuPG could call an external secure viewer program. I don't know
> of one offhand though.

As far as I can remember the evolution of PGP, I think (but I am not sure) that the concept of a secure viewer is a PGP proprietary function built into their software.

I shall not discuss whether TEMPEST attacks, when targeted at CRT or LCD displays, pose a real threat to encryption users (who is the targeting agent? who are the targeted/chosen users?) because I have no expertise or even reasonable knowledge of the technological aspects of that issue. But if it is, in fact, a viable way to breach confidentiality, it is possible that GnuPG could consider including an external secure viewer program in future developments. As a matter of fact, according to Werner's email, some work has already been done, and is included in the CVS.

Thanks,
Charly
Re: "--for-your-eyes-only"
David Shaw wrote:
> On Mon, Jun 27, 2005 at 11:16:47AM +, Charly Avital wrote:
>
>> when a message processed ... is decrypted using GnuPG (e.g. by command
>> line) the verbose gpg output contains a line reading: gpg: NOTE: sender
>> requested "for-your-eyes-only"
>>
>> Is this line intended for the recipient's information only, or is there
>> a way the recipient can actually view the decrypted/verified text in a
>> secure viewer mode? I apologize if this is a repetition of my previous
>> question.
>

I am a newbie at this, but I do not see how it is possible to implement this. While I suppose it might be possible to make an e-mail user agent (such as mutt) decrypt GPG | PGP e-mail and display it on a user's screen, and disable any ability to save the decrypted mail with the mail user agent, I do not see how it would be possible to stop the reader (i.e., the person, not the program) from copying and pasting that decrypted email; e.g., by pressing a save-screen button, or by simply copying and pasting with the mouse.

In other words, even if the software were trustworthy, you are still at the mercy of the wisdom and intelligence and trustworthiness of the person receiving it. So you really must trust, in addition to the GPG programs, the user, and that is pretty difficult, IMAO, except in certain situations.

--
Jean-David Beyer          Registered Linux User 85642.
PGP-Key: 9A2FC99A         Registered Machine 241939.
Shrewsbury, New Jersey    http://counter.li.org
07:20:00 up 13 days, 1:10, 3 users, load average: 4.33, 4.28, 4.13
Re: "--for-your-eyes-only"
David Shaw wrote:

>is a command line application, and you can't really make a secure
>viewer on the command line, and by its nature a secure viewer would
>not be nearly portable enough.

[...]

>However, GnuPG can call other programs to do other tasks (keyserver
>access programs, JPEG viewers for photo IDs), so it's not impossible
>that GnuPG could call an external secure viewer program. I don't know
>of one offhand though.

Which makes me think... outputting the text to a .jpg (or .gif or .png) with secure fonts shown in the picture. The picture could then be looked at in an external viewer. That would be completely portable.

--
ir. J.C.A. Wevers // Physics and science fiction site:
[EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: "--for-your-eyes-only"
Jean-David Beyer wrote:

>I do not see how it would be possible to stop the reader (i.e., the person,
>not the program) from copying and pasting that decrypted email;

It isn't. And if all else fails he can still write it down by hand. It's considered more like a hint, not as a 100% secure thing. And it might prevent decrypted files from being on the computer by accident.

After all, if you mail something secret and the receiver will tell it further, no encryption protocol is going to protect you against that.

--
ir. J.C.A. Wevers // Physics and science fiction site:
[EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
HTTP keyserver creation.
Hi there,

I have installed gnupg-1.4.1 and apache_1.3.3.
How can I configure HTTP keyserver?

Regards,
Victor.
Re: "--for-your-eyes-only"
On Tue, 28 Jun 2005 04:58:52 -0400, Charly Avital said:

> I may not understand what you mean by "portable".
> I suppose that a secure viewer (software program) could not be nearly
> ported to GnuPG?

GnuPG is a command line tool which only manages text input and output and as such it is pretty portable. For a viewer you need a graphical user interface to be able to display custom made fonts. Portability is harder to achieve than with text tools but in general not a real problem. However, it is a well known paradigm on Unix to have small specialized tools and not to put everything into one big application. A secure, or well, better Tempest resistant, viewer should for sure be done as a separate application or as part of a gpg frontend.

> I shall not discuss whether TEMPEST attacks, when targeted to CRT or LCD
> displays pose a real threat to encryption users (who is the targeting
> agent? who are the targeted/chosen users?) because I have no expertise
> or even reasonable knowledge of the technological aspects of that issue.

See http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-577.pdf for the theory and examples of Tempest attacks.

> But if it is, in fact, a viable way to breach confidentiality, it is
> possible that GnuPG could consider to include an external secure viewer
> program in future developments. As a matter of fact, according to
> Werner's email, some work has already been done, and is included in the CVS.

Well, there has not been much work done. It was planned for some later GPA releases but development of GPA more or less stopped so we are not quite where we wanted to be a long time ago. A simple text renderer as an alternative to less(1) on X would be useful for quite some applications. IIRC, GNOME has a gless tool which could be enhanced by using filtered fonts. A new text widget for GTK+ is probably the best way to achieve this.

Salam-Shalom,

Werner
Re: "--for-your-eyes-only"
On Tue, 28 Jun 2005 11:16:00 +0200 (MET DST), Johan Wevers said:

> Which makes me think... outputting the text to a .jpg (or .gif or .png)
> with secure fonts shown in the picture. The picture could then be looked
> at in an external viewer. That would be completely portable.

Actually a neat idea. It could be implemented as a new conversion to netpbm or ImageMagick. There is just one caveat:

| Tempest protection by filtered fonts and related techniques are in the
| process of being patented internationally. This demonstration font can
| be copied and used freely in products for which the source code is
| made freely available (see the GNU General Public License for
| details). Contact the author for further information if you want to
| use this technology in commercial or military products.
|
| This package is available from
|
| http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip

Where this - but only this - shouldn't be a problem even if the EU continues to ignore the will of its citizens and national parliaments in next week's parliament reading on software patents.

Shalom-Salam,

Werner
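Johan's picture idea and Werner's netpbm remark, sketched as an added example that is not GnuPG, GPA or Markus Kuhn's code: a constructed bitmap glyph is expanded into scan lines, each line is smoothed with a horizontal low-pass filter (a binomial kernel is assumed here in place of the tuned filter used by the real Tempest-resistant fonts), and the result is written as a plain netpbm P2 image for an external viewer. The edge-energy figure is a rough proxy for the high-frequency video-signal content such fonts aim to suppress.

```python
"""Added example (not GnuPG, GPA or Markus Kuhn's code): render text into a
netpbm image through a horizontal low-pass filter, the idea behind
Tempest-resistant ('filtered') fonts.  A display's compromising emanation
tracks the video signal, and its strongest components come from sharp
horizontal transitions between glyph and background; smoothing each scan
line removes much of that energy while the text stays readable."""

# Constructed 5x7 bitmap for the letter 'E' (1 = ink, 0 = background).
GLYPH_E = ["11111", "10000", "10000", "11110", "10000", "10000", "11111"]

# Normalised binomial kernel: a crude horizontal low-pass filter (assumption,
# standing in for the tuned frequency-domain filter of the real fonts).
KERNEL = [w / 16.0 for w in (1, 4, 6, 4, 1)]


def render_rows(glyph, scale=4, margin=4, ink=255):
    """Expand a bitmap glyph into greyscale scan lines with a blank margin."""
    rows = []
    for bits in glyph:
        row = [0] * margin
        for b in bits:
            row.extend([ink if b == "1" else 0] * scale)
        row.extend([0] * margin)
        rows.append(row)
    return rows


def lowpass_row(row, kernel=KERNEL):
    """Convolve one scan line with the kernel; zero padding keeps the length."""
    half = len(kernel) // 2
    padded = [0] * half + row + [0] * half
    return [sum(padded[i + k] * kernel[k] for k in range(len(kernel)))
            for i in range(len(row))]


def edge_energy(rows):
    """Proxy for high-frequency content: squared first differences along lines."""
    return sum((row[i] - row[i - 1]) ** 2 for row in rows for i in range(1, len(row)))


def to_pgm(rows):
    """Serialise scan lines as a plain netpbm P2 image for an external viewer."""
    header = ["P2", f"{len(rows[0])} {len(rows)}", "255"]
    body = [" ".join(str(int(round(v))) for v in row) for row in rows]
    return "\n".join(header + body) + "\n"


def compare(glyph=GLYPH_E):
    """Return (raw edge energy, filtered edge energy, filtered PGM text)."""
    raw = render_rows(glyph)
    filtered = [lowpass_row(r) for r in raw]
    return edge_energy(raw), edge_energy(filtered), to_pgm(filtered)


if __name__ == "__main__":
    raw_e, filt_e, pgm = compare()
    print(f"edge energy: raw={raw_e:.0f} filtered={filt_e:.0f}")
    with open("filtered_E.pgm", "w") as fh:
        fh.write(pgm)
```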
Re: pinpad cardreader; imported smart-card keys
Werner Koch wrote:
> As of now the "may be" means with software supporting it but not with
> GnuPG :-(.

As I was afraid of; perhaps the howto could be updated to clarify that.

> The longer answer is that I have worked on it and added code to the
> CCID driver to check this out.

How about the SC daemon?

> We need to have a mechanism to tell the upper layers that a
> pinpad reader is available and that the pinentry shall not be used for
> entering the PIN but to display a note saying: Please enter the PIN on
> the reader keypad.

Would it work to have the PIN entry still display, but if the PIN is entered on the keypad accept that and remove the PIN entry box?

> Given the demand of support for the keypad, I will start to work on it
> soon.

Glad to hear it; thanks!

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net
Re: HTTP keyserver creation.
On Tue, Jun 28, 2005 at 04:00:54PM +0500, Victor Harutyunyan wrote:

> I have installed gnupg-1.4.1 and apache_1.3.3.
> How can I configure HTTP keyserver?

Try SKS: http://www.nongnu.org/sks/

(Victor appears to be using Debian; can someone point him to a/the packaged version?)

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
Re: pinpad cardreader; imported smart-card keys
On Tue, 28 Jun 2005 10:35:58 -0500, Alex Mauer said:

> As I was afraid of; perhaps the howto could be updated to clarify that

We will do this.

>> The longer answer is that I have worked on it and added code to the
>> CCID driver to check this out.

> How about the SC daemon?

It's the same code (source copied).

> Would it work to have the PIN entry still display, but if the PIN is
> entered on the keypad accept that and remove the PIN entry box?

It is not really a problem, we just need to pass the information to the upper layers. Plain and simple software craft.

Salam-Shalom,

Werner
Equivalent to option -f ?
Hi,

my name is Konrad and I am completely new to this list.

I have to adapt a shell script to work with GPG instead of PGP and it contains the -f option for acting like a filter. Actually, the full command is:

pgp -f -ea rvsdata

How do I make gpg behave exactly the same?

Thanks and cheers,
Konrad
Re: "--for-your-eyes-only"
On 2005-06-28 13:44:19 +0200, Johan Wevers wrote:

> Jean-David Beyer wrote:
>
> > I do not see how it would be possible to stop the reader (i.e.,
> > the person, not the program) from copying and pasting that
> > decrypted email;
>
> It isn't. And if all else fails he can still write it down by hand.

If I'm not mistaken, the thing that gpg tries (or will try) to protect against in this case is the cleartext being written to temporary files and such things. That is, protect the user from herself (by making it hard to make mistakes), not protect the cleartext from the user.

--
Karl Hasselström, [EMAIL PROTECTED]
www.treskal.com/kalle
gpg --symmetric with same passphrases
Hello,

is it secure to use the same passphrase for different files to be encrypted using "gpg --symmetric"? Or does this pose a risk of a cryptographic attack which would not exist if different passphrases were used?

Background: There are multiple notebook computers, each of whose root filesystem is encrypted using dm-crypt. The partition encryption key is different for each encrypted filesystem and resides as a file on a different filesystem in encrypted form. It is not feasible to store the different encryption keys in one keyring (in order to avoid multiple files encrypted with the same passphrase), because then copies of that keyring would have to reside on all notebook computers. It is not feasible to use different passphrases, either.

Thank you,
Xuân.
Re: Equivalent to option -f ?
On Thu, 23 Jun 2005 17:40:36 +0200, Konrad Mathieu said:

> I have to adapt a shell script to work with GPG instead of PGP and it
> contains the -f option for acting like a filter. Actually,

There is no need for such an option because gpg, being a good Unix citizen, does this by default.

> the full command is: pgp -f -ea rvsdata
> How do I make gpg behave exactly the same?

Either: gpg -ea
Re: "--for-your-eyes-only"
Werner Koch wrote:

>There is just one caveat:
[...]
>| http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip

>Where this - but only this - shouldn't be a problem even if the EU
>continues to ignore the will of its citizens and national parliaments
>in next week's parliament reading on software patent.

I'm afraid I don't understand what you mean (my English might be lacking). Are you saying that my idea to output a picture with tempest-resistant fonts won't cause a problem, or that even if tempest-resistant fonts are patented only the fonts from the above URL can be used for this purpose?

--
ir. J.C.A. Wevers // Physics and science fiction site:
[EMAIL PROTECTED] // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
Re: "--for-your-eyes-only"
Johan Wevers wrote:
> Jean-David Beyer wrote:
>
>>I do not see how it would be possible to stop the reader (i.e., the person,
>>not the program) from copying and pasting that decrypted email;
>
> It isn't. And if all else fails he can still write it down by hand. It's
> considered more like a hint, not as a 100% secure thing. And it might
> prevent decrypted files from being on the computer by accident.
>
> After all, if you mail something secret and the receiver will tell
> it further, no encryption protocol is going to protect you against
> that.

This may help in IM http://www.cypherpunks.ca/otr/ but the authors put in the caveat that this method may not be feasible for e-mail due to its latency.