Re: How difficult is it to break the OpenPGP 40 character long fingerprint?
On 1 April 2013 19:46, Daniel Kahn Gillmor wrote:

> On 04/01/2013 12:24 PM, adrelanos wrote:
>
> > gpg uses only(?) 40 chars for the fingerprint.
> > (I mean the output of: gpg --fingerprint --keyid-format long.)
>
> this is a 160-bit SHA-1 digest of the public key material and the
> creation date, with a bit of boilerplate for formatting. This is not
> gpg-specific, it is part of the OpenPGP specification:
>
> https://tools.ietf.org/html/rfc4880#section-12.2
>
> A better place to discuss issues related to OpenPGP in general is the
> IETF's OpenPGP mailing list:
>
> https://www.ietf.org/mailman/listinfo/openpgp
>
> It is a good idea to review their archives for fingerprints and digest
> algorithms before posting, though. Much of what you asked has been
> discussed in some detail on that list already.
>
> > How difficult, i.e. how much computing power and time is required to
> > create a key, which matches the very same fingerprint?
>
> This is called a second-preimage attack. I am not aware of any
> published second-preimage attacks against SHA-1's 160-bit digest that
> bring the computation within tractable limits. A theoretically perfect
> 160-bit-long digest algorithm would require ~2^160 operations to arrive
> at a particular digest. SHA-1 is almost certainly not theoretically
> perfect against this sort of attack, but does not appear to be
> practically broken by anyone who is publishing about it.
>
> > Isn't 40 chars a bit weak?
>
> the underlying material is 160 bits -- it does not need to be
> represented as 40 chars. And if the digest algorithm was known to be
> weak (e.g. if it was a simple CRC), then even fingerprints 10 times as
> long would not be enough.
>
> However, for the purposes of key fingerprints in particular, SHA-1
> appears to be reasonable in the near term.
>
> > Are there plans to provide a longer fingerprint which in theory can't be
> > broken with computing power expected in for example 100(0) years?
>
> For future OpenPGP drafts, there has been some discussion about moving
> to a longer digest (on the IETF list i mentioned above). Those
> decisions have not reached a consensus, from what i can tell.
>
> Predicting computing power or the state of mathematics itself 100 or
> 1000 years into the future seems like a dubious proposition. Consider
> the state of mechanical computation and mathematics 100 or 1000 years
> ago. Do you think that even a skilled mathematician at the time could
> have predicted where we are today?
>
> The longevity of any public key cryptosystem should probably be
> estimated in years or decades at the longest if you want any confidence
> in your answer.

I've been doing a lot of work with bitcoin lately.

Bitcoin is essentially a ledger where you have an array of fingerprints
(160 bit hashes of a public key) and a value (number of coins in wallet).

Transactions involve signing transfers from one key to another, which also
creates new coins in the process, when the distributed ledger syncs up.

Unfortunately bitcoin only supports ECDSA and not RSA. But I wonder if a
fingerprint of your GPG key could be used as the basis of a payment ledger?

> Regards,
>
> --dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
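
The fingerprint construction described in the quoted reply above (RFC 4880 section 12.2), written out as an added example that is not part of the original thread: a SHA-1 digest over 0x99, a two-octet length, and the version 4 public-key packet body, which contains the creation time. The modulus, exponent and timestamps are constructed toy values, and the function names are hypothetical.

```python
import hashlib
import struct

RSA = 1  # public-key algorithm ID for RSA (RFC 4880 section 9.1)


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian octets."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 Public-Key packet body: version, creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)


def hashed_octets(body: bytes) -> bytes:
    """The formatting boilerplate: 0x99, two-octet body length, then the body."""
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> str:
    """160-bit SHA-1 digest, shown as 40 hex characters."""
    return hashlib.sha1(hashed_octets(body)).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-16:]


if __name__ == "__main__":
    # Constructed toy values for illustration, not a usable key.
    n = (2**127 - 1) * (2**89 - 1)
    e = 65537
    fpr_a = v4_fingerprint(rsa_public_key_body(1364838400, n, e))
    fpr_b = v4_fingerprint(rsa_public_key_body(1364838401, n, e))
    print(fpr_a, long_key_id(fpr_a))
    # Same key material, creation time one second later: a different fingerprint.
    print(fpr_b, long_key_id(fpr_b))
```

Because the creation time is hashed along with the key material, the same RSA numbers imported with a different timestamp produce a different fingerprint and key ID.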
Separate OpenPGP cards for master key and sub-keys
Hello all,

I'm looking into setting myself up with some OpenPGP cards, and I'm
looking into some opinions on using separate OpenPGP cards for the
master key and sub-keys vs using a single OpenPGP card.

The idea behind this would be that my master OpenPGP card would be kept
in a safe area (hidden cavern, back home under pillow/mattress and
similar :), while I'd carry my sub-keys OpenPGP card with me at all
times and use it for every-day operations.

In particular, I'm curious to find out if there is any technical
limitation that I should be aware of if I go with this kind of schema?
Mainly in terms of how GnuPG handles the OpenPGP cards?

Does anyone utilise this kind of schema? Or do people go with soft
token for master key instead?

Best regards

P.S.
If somebody knows of a good previous thread about this topic, please do
feel free to point me to it with a link. "Best-practices" links in
terms of key management with OpenPGP smart-cards are welcome as well,
especially in terms of back-up :)

--
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.
Re: Separate OpenPGP cards for master key and sub-keys
On Mon, Jun 3, 2013 at 5:41 AM, Branko Majic wrote:
> Hello all,
>
> I'm looking into setting myself up with some OpenPGP cards, and I'm
> looking into some opinions on using separate OpenPGP card for the
> master key and sub-keys vs using a single OpenPGP card.
>
> The idea behind this would be that my master OpenPGP card would be kept
> in a safe area (hidden cavern, back home under pillow/mattress and
> similar :), while I'd carry my sub-keys OpenPGP card with me at all
> times and use it for every-day operations.
>
> In particular, I'm curious to find out if there is any technical
> limitation that I should be aware of if I go with this kind of schema?
> Mainly in terms of how GnuPG handles the OpenPGP cards?
>
> Does anyone utilise this kind of schema? Or do people go with soft
> token for master key instead?

Using separate smartcards for master and subkeys works perfectly fine
for RSA keys in my experience. I do precisely this with one of my
recent keys.

Here's a general overview of how I did it:

1. Generate primary key on the computer (not directly on the
   smartcard), then make appropriate offline backups (e.g. on CD-R) so
   if the card is damaged I can still use the key.

2. Transfer the primary key to the smartcard, then delete the primary
   key from the computer. I then ran "gpg2 --card-status" to generate
   the private key stub that tells GnuPG that the private key for that
   KeyID is on the smartcard.

3. Generate subkeys (encryption and signing) on the computer, signing
   them with the smartcard-based primary key.

4. Transfer the subkeys to a new smartcard, then delete the subkeys
   from the computer. "gpg2 --card-status" generates the stubs for the
   subkeys, as above.

I keep the backups in a physically secure location, including a locked
box in my house and in a safe deposit box at my bank. I'm not really
worried about physical compromise of my keys (I figure if someone's
breaking into my house to steal my keys, I have more important issues
at hand). My use of smartcards is to help reduce the risk of key
compromise due to malware or some other computer-based attack, so
they're kept in my immediate control but not as physically secure
(e.g. in desk drawer, rather than in a locked box).

Your exact strategy might differ slightly: for example, you might want
to generate the keys on the card and never have private key material
on the computer (this also prevents you from making backups), but the
overall process should be similar.

Since the smartcards don't support DSA or ElGamal keys, you can't use
the cards to protect these types of keys (though you can use RSA
subkeys with a DSA primary key). One of my keys is a DSA primary key,
which I keep offline but have the RSA subkeys on a smartcard (I have
three in total). I only use the DSA key for signing/certifying new
subkeys or other people's public keys, then delete it from the
computer.

Cheers!
-Pete

--
Pete Stephenson
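
A check one might run after the four steps above, to confirm that only card stubs remain on the computer (an added example, not part of the original message). It reads `gpg --list-secret-keys --with-colons` output and assumes the GnuPG 2.1 or later colon format, in which field 15 of a `sec`/`ssb` record holds the card serial number, `+` for a secret key stored on disk, or `#` when the secret key is not available. The sample listing, key IDs, serial numbers and function names are constructed.

```python
# Constructed sample listing: placeholder key IDs and card serial numbers.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1370217600:::u:::scSC:::CARD0001:
uid:u::::1370217600::0000::Example User <user@example.org>:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1370217700::::::e:::CARD0002:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1370217800::::::s:::+:
ssb:u:2048:1:DDDDDDDDDDDDDDDD:1370217900::::::a:::#:
"""


def locate_secret_keys(colon_listing: str) -> dict:
    """Map each key ID to (record type, where its secret part lives)."""
    located = {}
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb") or len(fields) < 5:
            continue
        # Field 15 (index 14) may be missing in output from older versions.
        token = fields[14] if len(fields) > 14 else ""
        if token == "+":
            where = "on-disk"
        elif token == "#":
            where = "absent"
        elif token:
            where = "card:" + token
        else:
            where = "unknown"
        located[fields[4]] = (fields[0], where)
    return located


def still_on_disk(colon_listing: str) -> list:
    """Key IDs whose secret material is still stored on the computer."""
    located = locate_secret_keys(colon_listing)
    return sorted(k for k, (_, where) in located.items() if where == "on-disk")


if __name__ == "__main__":
    for key_id, (record, where) in locate_secret_keys(SAMPLE).items():
        print(record, key_id, where)
    leftovers = still_on_disk(SAMPLE)
    print("secret keys still on disk:", leftovers or "none")
```

In the constructed listing the primary key and the encryption subkey sit on two different cards, while the signing subkey is flagged because its secret part was never removed from the computer.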
Re: How difficult is it to break the OpenPGP 40 character long fingerprint?
On 06/03/2013 08:04 AM, Melvin Carvalho wrote:

> Bitcoin is essentially a ledger where you have an array of fingerprints
> (160 bit hashes of a public key) and a value (number of coins in wallet).

i thought that bitcoin didn't hash the public keys at all, but rather
used the full elliptic curve public key, since it is smaller than
comparably-strong RSA or DSA keys. I don't know much about bitcoin
though so i could be mistaken here.

> Unfortunately bitcoin only supports ECDSA and not RSA. But I wonder if a
> fingerprint of your GPG key could be used as the basis of a payment ledger?

The OpenPGP standard supports elliptic curve keys directly:

https://tools.ietf.org/html/rfc6637

GnuPG will add support for these keys in version 2.1 (now in beta).

If you wanted to make an assertion about your ownership of a given
bitcoin purse it seems like you might be able to do that.

however, the specific curves used seem to differ:

According to https://en.bitcoin.it/wiki/Protocol_specification,

  For ECDSA the secp256k1 curve from
  http://www.secg.org/collateral/sec2_final.pdf is used.

https://tools.ietf.org/html/rfc6637#section-11 refers to NIST curve
P-256, which i think is different :/

Still, it seems like it wouldn't be difficult to use your OpenPGP
identity to make assertions about your possession of any given bitcoin
wallet, they just wouldn't be digested into the global bitcoin
transaction log.

Does this address what you were asking about? if not, what problem are
you trying to solve specifically?

--dkg

PS your MUA seems to think that this list is named "Jay Litwyn on
GnuPG-Users " -- you probably want to update your addressbook :)
Re: Separate OpenPGP cards for master key and sub-keys
I already moved my subkeys to one cryptostick.
When i tried to move the primary key (4096 RSA) to another stick i got:

>gpg> keytocard
>Really move the primary key? (y/N) y
>Signature key : [none]
>Encryption key: [none]
>Authentication key: [none]

>Please select where to store the key:
>Your selection?

Note that there is NO valid choice.

Any ideas ?

I'm using gpg 2.0.20
Re: Separate OpenPGP cards for master key and sub-keys
On Mon, Jun 3, 2013 at 11:10 AM, Mustrum wrote:
> I already moved my subkeys to one cryptostick.
> When i tried to move the primary key (4096 RSA) to another stick i got:
>
>>gpg> keytocard
>>Really move the primary key? (y/N) y
>>Signature key : [none]
>>Encryption key: [none]
>>Authentication key: [none]
>
>>Please select where to store the key:
>>Your selection?
>
> Note that there is NO valid choice.
>
> Any ideas ?
>
> I'm using gpg 2.0.20

What version of the Crypto Stick are you using?

I've successfully moved 4096-bit RSA primary keys to the OpenPGP
smartcard and 2048-bit RSA subkeys to a Crypto Stick v1.2, but I would
expect the Crypto Stick would also support 4096-bit keys. I don't know
if early versions wouldn't support keys of that length.

--
Pete Stephenson