Using of subkeys for encryption
Hello,

I have a problem while encrypting a message. I'm using the OpenPGP Card, but I think the problem doesn't depend on it. I've got a decrypted e-mail, and if I try to encrypt the e-mail I get a "gpg: public key decryption failed: wrong secret key used". The ID of the used key is the ID of a subkey. Usually I don't use the subkey for de- and encryption, but I don't know anything about the subkeys. According to the GnuPG Handbook it should work to use the subkey.

Have a nice day and a good morning :),
Patrick

Here is the complete output:

    [EMAIL PROTECTED]:~$ gpg very_secret.gpg
    gpg: encrypted with 2048-bit RSA key, ID , created -XX-XX
          "Another Person <[EMAIL PROTECTED]>"
    gpg: encrypted with 1024-bit RSA key, ID 37BDF910, created 2005-09-21
          "Patrick Plattes (Mr. Parity) <[EMAIL PROTECTED]>"
    gpg: public key decryption failed: wrong secret key used
    gpg: decryption failed: secret key not available

    [EMAIL PROTECTED]:~$ gpg --list-keys 37BDF910
    pub 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20]
    uid Patrick Plattes (Mr. Parity) <[EMAIL PROTECTED]>
    sub 1024R/37BDF910 2005-09-21 [expires: 2008-09-20]
    sub 1024R/8A270C95 2005-09-21 [expires: 2008-09-20]

    [EMAIL PROTECTED]:~$ gpg --list-secret-key
    /home/patrick/.gnupg/secring.gpg
    sec 1024D/CE4CF5A4 2003-04-23
    uid Patrick Plattes (Mr. Parity) <[EMAIL PROTECTED]>
    ssb 4096g/D7173E45 2003-04-23
    sec> 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20]
         Card serial no. = 0001 04FB
    uid Patrick Plattes (Mr. Parity) <[EMAIL PROTECTED]>
    ssb> 1024R/37BDF910 2005-09-21
    ssb> 1024R/8A270C95 2005-09-21

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using of subkeys for encryption
On Wed, 04 Jan 2006 09:39:44 +0100, Patrick Plattes said:

> sec> 1024R/F7E086A6 2005-09-21 [expires: 2008-09-20]
>      Card serial no. = 0001 04FB

The key is on the card. Check whether the card works:

    gpg --card-status

should list the key too.

Salam-Shalom,

Werner
Re: Using of subkeys for encryption
On Wed, 04 Jan 2006 09:39:44 +0100, Patrick Plattes said:

> gpg: encrypted with 1024-bit RSA key, ID 37BDF910, created 2005-09-21
> "Patrick Plattes (Mr. Parity) <[EMAIL PROTECTED]>"
> gpg: public key decryption failed: wrong secret key used

I missed this message in my first reply.

> gpg: decryption failed: secret key not available

With the additional data supplied by Patrick:

    Signature key : F7E0 86A6
          created : xxx
    Encryption key: 8A27 0C95
          created : xxx
    Authentication key: 37BD F910
          created : xxx
    General key info..: pub 1024R/F7E086A6 2005-09-21 Patrick Plattes (Mr.

you can see that the message has been encrypted to the authentication key and not to the encryption key (8a270c95). This is due to the fact that gnupg 1.2.5 does not know about authentication keys and tries to use them as encryption keys. This has been fixed in 1.2.7 (the last one in the old 1.2 branch).

Salam-Shalom,

Werner
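The diagnosis in the reply above turns on the usage flags of the two subkeys. The following is an added example, not part of the original thread: it reads `gpg --with-colons --list-keys` output and checks whether the key a message was encrypted to is flagged for encryption. It assumes a GnuPG version that prints the capability letters in field 12; the listing is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read `gpg --with-colons --list-keys`
# output and report each key's own usage flags from field 12
# (e=encrypt, s=sign, c=certify, a=authenticate). Uppercase letters on the
# pub line summarise the whole key and are deliberately ignored here.

# Constructed listing: the short key IDs are the ones quoted in the thread;
# the zero padding, validity letters and user ID are made up for the demo.
sample_listing() {
cat <<'EOF'
pub:u:1024:1:00000000F7E086A6:2005-09-21:2008-09-20::u:::scESCA:
uid:u::::2005-09-21::::Example User <user@example.invalid>:
sub:u:1024:1:0000000037BDF910:2005-09-21:2008-09-20:::::a:
sub:u:1024:1:000000008A270C95:2005-09-21:2008-09-20:::::e:
EOF
}

# key_caps KEYID < listing: print field 12 of the key whose ID ends in KEYID.
key_caps() {
    awk -F: -v id="$1" '
        ($1 == "pub" || $1 == "sub") &&
        toupper(substr($5, length($5) - length(id) + 1)) == toupper(id) {
            print $12; found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# encryption_keys < listing: IDs of keys whose own flags include "e" and
# whose validity is not revoked (r), expired (e) or invalid (i).
encryption_keys() {
    awk -F: '($1 == "pub" || $1 == "sub") &&
             $12 ~ /e/ && $2 !~ /^[rei]$/ { print $5 }'
}

# check_recipient KEYID < listing: succeed only when the key a message was
# encrypted to is flagged for encryption; otherwise name the mismatch.
check_recipient() {
    caps=$(key_caps "$1") || { echo "$1: not in listing"; return 2; }
    case $caps in
        *e*) echo "$1: encryption key (flags: $caps)" ;;
        *)   echo "$1: flags '$caps', not an encryption key"; return 1 ;;
    esac
}

sample_listing | check_recipient 37BDF910 || true
sample_listing | check_recipient 8A270C95
```

Against a real keyring, pipe `gpg --with-colons --list-keys` into `check_recipient` with the key ID taken from the "encrypted with ..." line.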
Re: updating a key's self-signature
On Tue, Jan 03, 2006 at 07:59:08PM -0800, [EMAIL PROTECTED] wrote:
> >Message: 8
> >Date: Tue, 3 Jan 2006 19:43:01 -0500
> >From: David Shaw <[EMAIL PROTECTED]>
> >Subject: Re: updating a key's self-signature
>
> >Yes, but note that it's still possible for someone to get the old
> >self-sig from a keyserver.
>
> what good would that do anyone once the old signature hash is no
> longer trusted,
> and the key is updated with the new one ?

Remember that keys are merged on the keyservers, so you'll end up with both self-sigs present. To be sure, GPG will use the more recent, stronger, self-sig, but the old one is still there. If an attacker compromises the keyserver or in any way distributes your key himself, he can remove the new self-sig, leaving the old one behind.

It's not much of an attack. I wouldn't lose sleep over it.

> >Despite the recent attacks, I'd use SHA-1.
>
> i'd prefer whirlpool, but settled for sha-256 ;-)

This is fine, but note that the key may not work in older versions of PGP and GPG.

David
lost private key password
hello,

I have found an old pair of private and public keys but unfortunately do not remember the corresponding password. Public key is placed on key servers, thus I would like to have access to its password again.

What would you suggest in this case? A brute force attack with some software if I know part of the password? What tool is suitable for that?

Thanks in anticipation.

Regards,
--
Realos
Re: lost private key password
Realos wrote:

> hello,
>
> I have found an old pair of private and public keys but unfortunately
> do not remember the corresponding password. Public key is placed on key
> servers, thus I would like to have access to its password again.
>
> What would you suggest in this case? A brute force attack with some
> software if I know part of the password? What tool is suitable for that?

Maybe you want to revoke the Key :)

Have a nice day,
Patrick
Re: lost private key password
Patrick Plattes wrote on 05.01.2006 2:13:
> Realos wrote:
>
>> hello,
>>
>> I have found an old pair of private and public keys but unfortunately
>> do not remember the corresponding password. Public key is placed on key
>> servers, thus I would like to have access to its password again.
>>
>> What would you suggest in this case? A brute force attack with some
>> software if I know part of the password? What tool is suitable for that?
>>
>>
> Maybe you want to revoke the Key :)
>

To revoke any key, at first it's needed to generate a revocation certificate:

    gpg --output [file] --gen-revoke [key id]

This operation requires the passphrase for the private key... Thus it's strongly recommended to generate a revocation certificate at once after creating a key and keep it in a safe place.

If you already have an appropriate revocation certificate, simply import it into your keyring:

    gpg --import [rev cert file]

Regards

--
My current OpenPGP key ID: 0x500B8987
Key fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987
Encrypted e-mail preferred.
Re: lost private key password
Realos wrote:

> What would you suggest in this case? A brute force attack with some
> software if I know part of the password? What tool is suitable for that?

There isn't any software that I know of to brute-force a GnuPG password. You could probably whip up something quick and dirty using GnuPG's password checking code, but to be honest and as much as it probably annoys you, I think the best thing to do is just admit that you've got to replace your key.

I did the same thing with my first key. I learned the hard way that one should have produced a revocation certificate. This is something I'd like to see GnuPG offer to generate by default for any new keys.

Another option, so you don't have to hold multiple revocation certificates in a safe place, is to create a key for the sole use of using it as a revoking key. You add that key as a revoker to any new keys you produce, and don't use the revoker key for anything else. You can then store the revoker key without a passphrase, or with a very easy to remember one like your birthday. If someone gets their hands on your revoker key, all the damage they can do to you is to issue revocation certificates, which (for most people) is merely annoying rather than actually dangerous.

Even better is to get yourself a few OpenPGP smartcards. Use one as your primary use key, and another as a backup. The backup is set up as a revoker for the primary one. If you lose your primary, or it is stolen, you can use the backup to revoke the key on your primary, and then use that key as your new primary one. Then you just order a new card to act as a backup and when it comes, set it up as a backup with the ability to revoke your new primary key.

Sorry about your original key - it's a pain, I know.

Kurt.
hard-copy backups
has anyone given any thought to what would be the difference between carefully and carelessly making hard-copy backups of secret keys?

i mean, it would be stupid to print a copy of one's secret key (with a weak passphrase) and leave it lying on a table next to a window. OTOH, a printed copy of a secret key (with a strong passphrase) would probably be "secure" in a 10 ton safe.

so how strong should a passphrase be when printing out a secret key in the first place? what are the pros/cons of hiding versus securing a hard-copy? what other factors should be considered?

bear in mind, these are philosophical questions with philosophical answers... i'm not looking for absolutes.

btw, if anyone prints out their secret key for backup, here's a few lines of shell code that will print a (non-cryptographic) checksum for each line. this way if you have to recover your key from hard-copy, it's *much* easier to find mistakes.

an example of the output looks like this (indented):

    -----BEGIN PGP PUBLIC KEY BLOCK-----	3675205589 37
    	3515105045 1
    mQILBECkOvYBEADJfImYQNznN0PJxkwcGysohePmujLVJTsA30WV9tXrb6+4L5ib	2185591463 65
    Ed9zHilbvXEgmrLJbG949H7yAwbNAaEjfnlqxBO31BmIJjUDmnXxe3FN98fuKIcq	3919870367 65
    bVn8aqPOvGGvsJaWDwLyFSG3UT60htHFuh0I0Nco7AB6WTXBrwV/9JDkiy7p0fK5	1339170163 65

the code works on bsd (zsh) but may have to be slightly modified for other operating systems or shells.

    # read the armored key on stdin; print each line, a tab, then the
    # cksum (CRC and byte count) of that line including its newline
    while IFS= read -r n
    do
        printf '%s\t' "${n}"
        printf '%s\n' "${n}" | cksum
    done

--
...atom

PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

"I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours."
-- Stephen Roberts
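The recovery side of the per-line checksum idea in the message above, as an added example that is not part of the original post: after retyping a hard copy together with its printed checksums, it recomputes each checksum and reports the numbers of the lines that do not match. The function names are hypothetical; the sample lines are the first lines of the sample output quoted in the post.

```shell
#!/bin/sh
# Added example: check a retyped key against the per-line checksums printed
# on the hard copy (record format: <line><TAB><crc> <bytes>).

TAB=$(printf '\t')

# Sample input: the first lines of the key block quoted in the post.
sample_key() {
cat <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQILBECkOvYBEADJfImYQNznN0PJxkwcGysohePmujLVJTsA30WV9tXrb6+4L5ib
EOF
}

# annotate: the loop from the post, reading stdin and writing one record
# per input line.
annotate() {
    while IFS= read -r line; do
        printf '%s\t%s\n' "$line" "$(printf '%s\n' "$line" | cksum)"
    done
}

# verify_annotated: read records on stdin, recompute each checksum and print
# the number of every line that does not match. Returns 1 if any line is
# bad, so a typo is located before gpg ever sees the data.
verify_annotated() {
    n=0 bad=0
    while IFS= read -r rec; do
        n=$((n + 1))
        text=${rec%"$TAB"*}     # everything before the last TAB
        want=${rec##*"$TAB"}    # the printed "<crc> <bytes>"
        have=$(printf '%s\n' "$text" | cksum)
        if [ "$want" != "$have" ]; then
            printf '%s\n' "$n"
            bad=1
        fi
    done
    return "$bad"
}

sample_key | annotate | verify_annotated && echo "all lines match"
```

Once every line verifies, `cut -f1` strips the checksum column again before the key is imported.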
Re: hard-copy backups
Atom Smasher wrote:

> has anyone given any thought to what would be the difference between
> carefully and carelessly making hard-copy backups of secret keys?
>
> i mean, it would be stupid to print a copy of one's secret key (with a
> weak passphrase) and leave it lying on a table next to a window. OTOH, a
> printed copy of a secret key (with a strong passphrase) would probably be
> "secure" in a 10 ton safe.
>
> so how strong should a passphrase be when printing out a secret key in the
> first place? what are the pros/cons of hiding versus securing a hard-copy?
> what other factors should be considered?

i think you are mixing up two different things. on the one hand you have the problem of security of your data, e.g. no one should read your mails, etc. on the other hand you have the problem of data recovery.

for security you are using a very well gnupg setup. for data recovery you really need a copy of your keys. paper is one of the most robust media to back up data (the egyptians knew a more robust medium, but the usual computer user is not able to use a hammer and a chisel ;) ).

i think you should take your paper (or flagstone), put it into a sealed envelope and give it to your local bank.

the german bsi has written a book called it-grundschutzhandbuch. imho there is also an english version available. maybe you want to read this.

> bear in mind, these are philosophical questions with philosophical
> answers... i'm not looking for absolutes.
>
> btw, if anyone prints out their secret key for backup, here's a few lines
> of shell code that will print a (non-cryptographic) checksum for each
> line. this way if you have to recover your key from hard-copy, it's *much*
> easier to find mistakes.
>
> an example of the output looks like this (indented):
>
>     -----BEGIN PGP PUBLIC KEY BLOCK-----	3675205589 37
>     	3515105045 1
>     mQILBECkOvYBEADJfImYQNznN0PJxkwcGysohePmujLVJTsA30WV9tXrb6+4L5ib	2185591463 65
>     Ed9zHilbvXEgmrLJbG949H7yAwbNAaEjfnlqxBO31BmIJjUDmnXxe3FN98fuKIcq	3919870367 65
>     bVn8aqPOvGGvsJaWDwLyFSG3UT60htHFuh0I0Nco7AB6WTXBrwV/9JDkiy7p0fK5	1339170163 65

i know this little trick from the c64. there was a program called mse :)

have a nice day,
patrick