Re: A forgotten patch?

2015-02-28 Thread Werner Koch
On Sat, 28 Feb 2015 03:02, a...@raxys.net said:

> of GnuPG in 2009. According to him, the patch fixes lots of problems
> that might be usable as in attack vectors on GnuPG. It seems however, as
> if this patch was never included into upstream GnuPG. Because of that,

This comes up every once in a while and I try not to spend time on that
silly thing.  At least by private mail I explained it to him years ago,
but he seems not to understand.  Let's look at two examples:

We have this function:

  /* Return a string which is used as a kind of process ID */
  const byte *
  get_session_marker( size_t *rlen )
  {
    static byte marker[SIZEOF_UNSIGNED_LONG*2];
    static int initialized;

    if ( !initialized ) {
        volatile ulong aa, bb; /* we really want the uninitialized value */
        ulong a, b;

        initialized = 1;
        /* also this marker is guessable it is not easy to use this
         * for a faked control packet because an attacker does not
         * have enough control about the time the verification does
         * take place.  Of course, we can add just more random but
         * than we need the random generator even for verification
         * tasks - which does not make sense. */
        a = aa ^ (ulong)getpid();
        b = bb ^ (ulong)time(NULL);
        memcpy( marker, &a, SIZEOF_UNSIGNED_LONG );
        memcpy( marker+SIZEOF_UNSIGNED_LONG, &b, SIZEOF_UNSIGNED_LONG );
    }
    *rlen = sizeof(marker);
    return marker;
  }

Fefe changes it to use /dev/urandom by inserting this code before the
above initialization test:

  int fd;

  if (!initialized) {
      fd=open("/dev/urandom",O_RDONLY);
      if (fd!=-1) {
          if (read(fd,marker,sizeof(marker))==sizeof(marker))
              initialized=1;
          close(fd);
      }
  }

Let's ignore the fact that a failed open falls back to the, in his
book broken, existing scheme.   The real trouble here is that he does
not look for the use of this function.  Now, for what is it used: If a
clearsigned message is received, that message has an indication of which
hash algorithms are used (the "Hash: " line).  We need to convey
this information from the unarmor layer to the actual parsing code. This
is done by inserting a faked packet with information on the hash
algorithms as well as a plaintext packet.  The final message the parser
then sees resembles this valid OpenPGP message

   One-Pass Signed Message :- One-Pass Signature Packet,
   OpenPGP Message, Corresponding Signature Packet.

Now an attacker might be able to insert a bogus control packet into an
arbitrary non-armored message so that it resembles a cleartext
message.  However, the only thing he could do with this is to announce a
different hash algorithm and switch the parser to a different
interpretation of white spaces at line ends.  The first is entirely
harmless because gpg checks that the used hash algorithms match those
in the actual Signature Packet which comes after the signed text.  It is
annoying if that happens but it merely leads to a BAD signature.

The slightly changed interpretation of trailing line spaces (clearsigned
versus text mode signatures) might be useful to insert extra trailing
spaces into a text file.  But that is something which happens to mails
anyway and the whole reason for text mode messages.

Why the session marker packet?  That is simply to help gpg to stop
earlier on bogus input data.  No need for cryptographically strong random.


Second example:

  struct private_membuf_s {
    size_t len;
    size_t size;
    char *buf;
    int out_of_core;
  };
  typedef struct private_membuf_s membuf_t;

  void
  put_membuf (membuf_t *mb, const void *buf, size_t len)
  {
    if (mb->out_of_core)
      return;

    assert(mb->len + len > mb->len);
    if (mb->len + len >= mb->size)
      {
        char *p;

        assert(len + 1024 > len);
        assert(mb->size + len > mb->size);
        mb->size += len + 1024;
        p = xrealloc (mb->buf, mb->size);
        mb->buf = p;
      }
    memcpy (mb->buf + mb->len, buf, len);
    mb->len += len;
  }

The assert calls are inserted by Fefe.  Their intention is to detect
integer overflows.  Given that unsigned integers are used these checks
do work.  Are they required?

Looking at the first one: MB->LEN tracks the used length of a malloced
buffer.  Thus this value is bound at a reasonable value.  LEN gives
the length of BUF which is either a static array or another malloced
region.  Thus this is also bound.  To trigger this assertion it needs
two buffers which together allocate more than 2^32 bytes (or 2^64 on
systems with sizeof(size_t)==8). And before the process comes to
put_membuf it has already allocated other buffers.

Thus the answer from the engineering department is: No.

The QA department would give an unfavorable statement about the use of
assert calls for conditions which are supposed to happen (in Fefe's
short sighted anal
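As an added illustration of the size_t arithmetic discussed in the put_membuf example above (example code written for this page, not GnuPG's own put_membuf; the demo_ names and the growable-buffer type are hypothetical), the following block performs the same three additions the inserted asserts guard, but checks each one without performing it and turns an impossible size into the out_of_core soft failure the original already uses for allocation trouble:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer modelled on the membuf_t quoted in the
 * thread (constructed for this example, not GnuPG's own code). */
typedef struct {
    size_t len;        /* bytes in use */
    size_t size;       /* bytes allocated */
    char *buf;
    int out_of_core;   /* set once an append can no longer be honoured */
} demo_membuf_t;

void demo_membuf_init(demo_membuf_t *mb)
{
    memset(mb, 0, sizeof *mb);
}

void demo_membuf_free(demo_membuf_t *mb)
{
    free(mb->buf);
    memset(mb, 0, sizeof *mb);
}

/* 1 if a + b would wrap around SIZE_MAX, 0 otherwise.  Computed without
 * performing the addition, so the check itself cannot overflow. */
int demo_add_would_wrap(size_t a, size_t b)
{
    return b > SIZE_MAX - a;
}

/* Same growth arithmetic as the quoted put_membuf (len + 1024 slack), but
 * an impossible size flips out_of_core and returns -1 instead of calling
 * assert().  Returns 0 on success. */
int demo_put_membuf(demo_membuf_t *mb, const void *data, size_t len)
{
    if (mb->out_of_core)
        return -1;

    /* The three sums the quoted asserts guard, checked up front. */
    if (demo_add_would_wrap(mb->len, len)
        || demo_add_would_wrap(len, 1024)
        || demo_add_would_wrap(mb->size, len + 1024)) {
        mb->out_of_core = 1;
        return -1;
    }

    if (mb->len + len >= mb->size) {
        size_t newsize = mb->size + len + 1024;
        char *p = realloc(mb->buf, newsize);
        if (!p) {               /* allocation failure: same soft failure */
            mb->out_of_core = 1;
            return -1;
        }
        mb->buf = p;
        mb->size = newsize;
    }
    memcpy(mb->buf + mb->len, data, len);
    mb->len += len;
    return 0;
}

/* Walk through the cases: normal appends succeed, an append whose length
 * cannot fit in size_t arithmetic is refused, and the buffer stays refused
 * afterwards.  Returns 1 when every expectation holds. */
int demo_membuf_scenario(void)
{
    demo_membuf_t mb;
    int ok = 1;
    demo_membuf_init(&mb);

    ok = ok && demo_put_membuf(&mb, "hello ", 6) == 0;
    ok = ok && demo_put_membuf(&mb, "world", 5) == 0;
    ok = ok && mb.len == 11 && memcmp(mb.buf, "hello world", 11) == 0;

    /* Constructed pathological length: no real buffer is this large, which
     * is the point made in the thread, but the check refuses it cleanly. */
    ok = ok && demo_put_membuf(&mb, "x", SIZE_MAX - 2) == -1;
    ok = ok && mb.out_of_core == 1 && mb.len == 11;
    ok = ok && demo_put_membuf(&mb, "y", 1) == -1;

    demo_membuf_free(&mb);
    return ok;
}
```

The point of checking `b > SIZE_MAX - a` rather than `a + b > a` is only that the test reads as a precondition instead of relying on the wrapped result; both are valid for unsigned arithmetic, as the message above notes. Whether the check is worth having at all is the engineering question the thread is about; this block just shows what the cheap, non-aborting form looks like.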

LDAP-based Keyserver

2015-02-28 Thread Neal H. Walfield
Hi,

Nearly a decade ago, Walter Haidinger posted a how to describing how
to setup an OpenLDAP PGP keyserver.

  http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html

In that time, OpenLDAP configuration has gotten a lot more
complicated.  I've modernized and significantly expanded his tutorial.
You can find it here:

  http://wiki.gnupg.org/LDAPKeyserver

I did my best to provide a recipe that requires little prior knowledge
about OpenLDAP while also explaining the reasoning behind the actions
and high-level concepts.

I'd appreciate it if someone could try to reproduce the steps and
report any bugs.  I used Debian.  There are probably differences on
other platforms that are worth noting.

I'd also appreciate any improvements to the text.

Thanks!

Neal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Ralph Seichter
On 28.02.2015 00:48, Hugo Osvaldo Barrera wrote:

> Please, stop spreading the iMessage fallacy, its system offers privacy
> only from *some* parties, but not from everyone.

I invite you to read my message again. I used iMessage as an example for
usability (as did c't editor Jürgen Schmidt), not for impregnable
security. There is a reason why I use PGP, but there are also reasons
why my family does not. Lately I have set up S/MIME when I helped
friends with their smartphones, but while that takes care of transporting
the public keys automatically, establishing trust is still an issue most
people spend too little thought and effort on. Lower that bar, and more
users will likely opt for end-to-end encryption.

-Ralph




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 27-02-2015 16:57, Mark H. Wood wrote:

> It's always good to look for patterns that lead to useful
> simplification.  But there comes a point at which no further
> simplification can be done without making the system less useful.

Well, in making it more beginner friendly, I imagine a system that does
not bother the user with complexities about when to sign someone's key
to which degree, but after install:

1. The beginner friendly installer notices there is no secret key yet ->
create one automatically and upload it to the keyservers. To make the
experience as easy as possible perhaps even offer to use no password on
the key so it does not need to ask for a password when opening mail
(with a warning that this could give problems if losing or confiscating
the computer is part of the threat model).

2. It notices 2 email programs -> offer to integrate a plugin in both
and set the defaults to sign and encrypt when the receiver has a public
key on the servers. I agree that for webmail solutions this might be
difficult but plugins for browser automation do exist (usually aimed at
unit testing of websites).

This approach might lead to issues, like targeted attacks with false
keys and stolen computers, but it would get the number of encrypted
emails up. At least the mails would be safer in transit and at the mail
provider.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 27-02-2015 19:16, Christoph Anton Mitterer wrote:

> This is basically what they want: Anonymous cryptography, whose complete
> security is based on some good luck whether you've communicated with the
> right peer the first time.

In practice the Textsecure protocol works well of course because it
uses the phone number. One usually knows that number already from a
contact. Most people I communicate with often I even recognise by voice
alone - taking over the phone number is not going to work. I don't see
even the NSA breaking that.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
I think a bit of opportunistic encryption without proper identity verification
can be a very good thing. I was just pointing out that you need to know the
limits of that way of working, and make a conscious decision whether you need
proper verification or not.

But I didn't indicate that clearly enough.

HTH,

Peter.

PS: By the way, my ISP and some of its employees are in a perfect position to
do a man in the middle. I sure hope they can't "just hack my system" because of
that position. The one capability certainly does not imply the other.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Hugo Osvaldo Barrera
On 2015-02-28 12:37, Ralph Seichter wrote:
> On 28.02.2015 00:48, Hugo Osvaldo Barrera wrote:
> 
> > Please, stop spreading the iMessage fallacy, its system offers privacy
> > only from *some* parties, but not from everyone.
> 
> I invite you to read my message again. I used iMessage as an example for
> usability (as did c't editor Jürgen Schmidt), not for impregnable
> security. There is a reason why I use PGP, but there are also reasons
> why my family does not. Lately I have set up S/MIME when I helped
> friends with their smartphones, but while that takes care of transporting
> the public keys automatically, establishing trust is still an issue most
> people spend too little thought and effort on. Lower that bar, and more
> users will likely opt for end-to-end encryption.
> 
> -Ralph
>

Of course iMessage is a lot more usable: it's not a challenge to create very
usable and friendly IM UIs. The challenge is about creating easily usable
*secure* communication software.

Sure, lower the bar *on how secure what you're using is*, and it's easier
to use.

S/MIME isn't *really* safe. It requires trusting a bunch of CAs, and
can basically receive the same criticism as TLS applied to the web.

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 13:28, Johan Wevers wrote:
> I don't see even the NSA breaking that.

Heh, famous last words ;).

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Daniel Kahn Gillmor
On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson wrote:
> I think you misunderstood my complaint. I don't mind if the agent is a
> persistence daemon that provides GPG-related services, that's all well
> and good. It's good process separation and I have no problem with that.
>
> My gripe with the agent, is the agent is controlling the UI of
> authentication. This breaks Mailpile, and this is one of the key areas
> where GnuPG crosses the imaginary line between library/utility and
> "application". Fixing this was point 1. in my list of suggestions and
> explaining why it was necessary was the bulk of the post.

The only part of the UI that the agent controls is prompting the user
for use of the key, and passphrase entry upon unlock.

Why does this break mailpile?  I prefer the agent to have separate UI
from the tool that uses the agent, because I don't want tools that
use the agent to be able to mask the agent's UI.

I'm quite happy that enigmail (for example) appears to be dropping plans
for non-agent use of secret key material.  this should be a simplifying
change, and it should make it easier for systems to integrate OS-level
prompting and feedback to the user independent of which application uses
the secret key store.

--dkg



Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Ralph Seichter
It looks like we agree on most aspects, but to get back to the original
question of this thread: From what I have seen since the nineties (I do
remember donating money for Philip Zimmermann), PGP is great for users
with a solid foundation in cryptography, but it is too complicated for
average users -- no disrespect intended. For more than 20 years, PGP has
not made critical mass, and in these years computers and related
services have become ever more accessible to average users who don't
know about cryptography. In its current form, PGP can be used to improve
security in many areas and I am very grateful for the work Werner and
others put into it, but PGP does not work for mass e-mail protection, as
much as I would prefer matters to be different.

-Ralph




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 14:06, Ralph Seichter wrote:
> but PGP does not work for mass e-mail protection

Let me stress again that the proper course might be to replace SMTP (e-mail) and
then work from that. If you have a sieve and wish for something to hold liquids,
you could plug up all the holes or say "Blow this for a lark" and get a pan.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: LDAP-based Keyserver

2015-02-28 Thread Hauke Laging
Am Sa 28.02.2015, 12:27:05 schrieb Neal H. Walfield:

> In that time, OpenLDAP configuration has gotten a lot more
> complicated.  I've modernized and significantly expanded his tutorial.
> You can find it here:
> 
>   http://wiki.gnupg.org/LDAPKeyserver

Doesn't refer to your work but is a general question as I have never 
used LDAP:

Is there any advantage in using LDAP for this? Or is this a "We have the 
LDAP server anyway thus we add the keyserver stuff instead of using a 
separate keyserver" decision?


Hauke
-- 
Crypto für alle: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5




strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

2015-02-28 Thread Daniel Kahn Gillmor
On Sat 2015-02-28 13:28:06 +0100, Johan Wevers wrote:

> In practice the Textsecure protocol works well of course because it
> uses the phone number. One usually knows that number already from a
> contact. Most people I communicate with often I even recognise by
> voice alone - taking over the phone number is not going to work. I
> don't see even the NSA breaking that.

We had this discussion recently over on messag...@moderncrypto.org.
It's far from "trivial", but breaking voice-based authentication
(particularly in the already-noisy realm of mobile phone calls) with
high probability doesn't seem to be beyond serious researchers.

I recommend reading the thread and the referenced papers:

  http://moderncrypto.org/mail-archive/messaging/2015/001307.html

  --dkg



Re: Re: Thoughts on GnuPG and automation

2015-02-28 Thread Bjarni Rúnar Einarsson
Hi Dan,

I dedicated most of the blog post to answering that question (why it
breaks Mailpile), did you not read it or did I fail to communicate?

- Bjarni
On 28 Feb 2015 12:44, "Daniel Kahn Gillmor"  wrote:

> On Fri 2015-02-27 07:19:41 -0500, Bjarni Runar Einarsson wrote:
> > I think you misunderstood my complaint. I don't mind if the agent is a
> > persistence daemon that provides GPG-related services, that's all well
> > and good. It's good process separation and I have no problem with that.
> >
> > My gripe with the agent, is the agent is controlling the UI of
> > authentication. This breaks Mailpile, and this is one of the key areas
> > where GnuPG crosses the imaginary line between library/utility and
> > "application". Fixing this was point 1. in my list of suggestions and
> > explaining why it was necessary was the bulk of the post.
>
> The only part of the UI that the agent controls is prompting the user
> for use of the key, and passphrase entry upon unlock.
>
> Why does this break mailpile?  I prefer the agent to have separate UI
> from the tool that uses the agent, because I don't want tools that
> use the agent to be able to mask the agent's UI.
>
> I'm quite happy that enigmail (for example) appears to be dropping plans
> for non-agent use of secret key material.  this should be a simplifying
> change, and it should make it easier for systems to integrate OS-level
> prompting and feedback to the user independent of which application uses
> the secret key store.
>
> --dkg
>


Re: LDAP-based Keyserver

2015-02-28 Thread Kristian Fiskerstrand

On 02/28/2015 01:23 PM, Hauke Laging wrote:
> Am Sa 28.02.2015, 12:27:05 schrieb Neal H. Walfield:
> 
>> In that time, OpenLDAP configuration has gotten a lot more 
>> complicated.  I've modernized and significantly expanded his
>> tutorial. You can find it here:
>> 
>> http://wiki.gnupg.org/LDAPKeyserver
> 
> Doesn't refer to your work but is a general question as I have
> never used LDAP:
> 
> Is there any advantage in using LDAP for this? Or is this a "We
> have the LDAP server anyway thus we add the keyserver stuff instead
> of using a separate keyserver" decision?

Can't speak as to the motives of the OP, but at least Symantec
Encryption Server can be configured to look for keys on an LDAP server on
keys.[domain] of the recipient to try to establish an OpenPGP channel.
This product does not support the HKP protocol, so I'm actually
experimenting with an HKP<->LDAP gateway using OpenLDAP myself.

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nihil lacrima citius arescit
Nothing dries more quickly than a tear


Re: Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Bjarni Runar Einarsson
Peter Lebbing  wrote:
> On 28/02/15 14:06, Ralph Seichter wrote:
> > but PGP does not work for mass e-mail protection
> 
> Let me stress again that the proper course might be to replace SMTP (e-mail) and
> then work from that. If you have a sieve and wish for something to hold liquids,
> you could plug up all the holes or say "Blow this for a lark" and get a pan.

People keep saying this. I see this as both less realistic and more
harmful than the voices that are now claiming that OpenPGP should die.

E-mail is the *only* surviving decentralized free and open messaging
system with any clout today. Literally everything else in common use is
proprietary and centralized. We should all be deeply worried about this.

Either way, even if this were a reasonable attitude, it doesn't in any
way diminish or excuse the fact that OpenPGP in all its glory is too
complicated for all but a handful of humans on the planet, most of whom
are probably on this mailing list. :-) OpenPGP may be hard to use over
SMTP, but it isn't any easier over XMPP or Facebook messages or carrier
pigeons either.

That said, the DIME proposal is one attempt at "next gen SMTP". From
what I've read it's pretty well thought out. It's really, really
complicated though, so I'm not particularly optimistic about its chances
of success.

Cheers!
 - Bjarni

-- 
Sent using Mailpile, Free Software from www.mailpile.is


Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Peter Lebbing
On 28/02/15 16:25, Bjarni Runar Einarsson wrote:
> E-mail is the *only* surviving decentralized free and open messaging
> system with any clout today. Literally everything else in common use is
> proprietary and centralized. We should all be deeply worried about this.

Well, I think it's a bit grim to think that therefore a successor to replace
SMTP must surely be proprietary and centralized, and we should desperately
clutch to our last straw, SMTP. Plus, half the e-mail is @google.com anyway.
Proprietary, and centralized. It can still communicate with the rest of the
world, but for most contacts, it doesn't need to.

> Either way, even if this were a reasonable attitude, it doesn't in any
> way diminish or excuse the fact that OpenPGP in all its glory is too
> complicated for all but a handful of humans on the planet, most of whom
> are probably on this mailing list.

But a large part of that is due to the fact that SMTP was never built to
accommodate any form of privacy or security.[1]

Hence my comparison of SMTP being a sieve and privacy being a liquid to
transport in that sieve.

I for my part think it's unrealistic to keep using SMTP. As I said, you can keep
the endpoint communication the same, but the core network needs to be designed
with a different goal than SMTP was designed for, to wit, privacy and security.

Peter.

[1] At least where it concerns using OpenPGP for e-mail communication, which is
what we are discussing. I think most users of Debian properly use GnuPG for the
authentication of the package management, as an example.



PS: By the way, I think you don't mean "literally" in the first quoted
paragraph. Because then I need to read your words in a literal fashion, and
verbal communication qualifies, in a literal sense, as a messaging system and is
not proprietary or centralized.

PPS: I like the word "literal". It's the one word in the dictionary that can by
definition not be used in any other than its true sense :). It's comfortingly
solid in that respect.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 13:28 +0100, Johan Wevers wrote: 
> In practice the Textsecure protocol works well of course because it
> uses the phone number.
"In practise"... I guess that's also what most "normal" people believed
about their security before Snowden.

And a phone number is really no secure credential at all to prove one's
identity. o.O


> Most people I communicate with often I even recognise by voice
> alone
Not sure what you refer to,... but if it's authentication schemes like
ZRTP (which TextSecure wouldn't use)... I'm quite sceptical about these.
The idea behind them (authentication via voice and some random string
which the peers say to each other and compare) may sound nice at a first
glance,... but little is known how good (or not) powerful organisations
can real-time fake voices. And even if not, how difficult can it be for
an organisation like the NSA to spy on you for a while and record enough
of your voice and then do a MitM?

> taking over the phone number is not going to work. I don't see
> even the NSA breaking that.
You seem to have missed all the years long discussion about how easy it
is to hack mobile systems? Even for novice criminals, etc.?
And this even assumes that everything in between (network operator,
phone manufacturer, OS manufacturer) is actually not evil, which is
unlikely as well.


Cheers,
Chris.





Re: trust paths

2015-02-28 Thread Johan Wevers
On 27-02-2015 22:30, Christoph Anton Mitterer wrote:

> I meant in the sense that I want to trust e.g. Werner's key but haven't
> met him in person yet,... but I might have an indirect trustpath to him
> via some other persons (which I do trust).
> Obviously I'll need any intermediate keys (and enough of them that I
> personally decide it's trustworthy).

OR, in case a key belongs to a well-known person, you've seen it
mentioned in enough places and seen it used to sign gpg packages to be
rather certain that if it were a forgery someone would have noticed by
now and made noise about it.

After all, if I want to securely communicate with the author of GnuPG I
want to know if this key belongs to someone calling himself "Werner
Koch". If the government knows this person by the same name (that what
is known by an ID check) is less of a concern for me, maybe "Werner
Koch" is only an artist name.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 28-02-2015 13:40, Peter Lebbing wrote:

> On 28/02/15 13:28, Johan Wevers wrote:
>> I don't see even the NSA breaking that.
> 
> Heh, famous last words ;).

OK, not cryptographically. They could always try to bribe/threaten/torture
someone to cooperate. But that model fails if you want to perform
unnoticed mass surveillance.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: strength of voice authentication [was: Re: German ct magazine postulates death of pgp encryption]

2015-02-28 Thread Johan Wevers
On 28-02-2015 15:09, Daniel Kahn Gillmor wrote:

> We had this discussion recently over on messag...@moderncrypto.org.

What is described there is a much more confined problem.

> It's far from "trivial", but breaking voice-based authentication
> (particularly in the already-noisy realm of mobile phone calls) with
> high probability doesn't seem to be beyond serious researchers.

Fooling a computer that a certain voice belongs to someone else, sure,
I'm sure that is or will be possible. Fooling me that a short, fixed
string is spoken by someone I know when in fact it is not, sure, that too.

But fooling me that the person on the other end of the line is someone I
know well by only technically impersonating his voice while having an
actual conversation... I don't believe it very likely to happen in the
near future. Perhaps it could work on someone I barely know, but pick
only once the wrong person and I might become very suspicious. It
requires not only changing the voice but also solving a problem much
harder than the classic Turing test. For once, it requires much
contextual knowledge about what both persons know of each other.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: trust paths

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 18:39 +0100, Johan Wevers wrote: 
> OR, in case a key belongs to a well-known person, you've seen it
> mentioned in enough places and seen it used to sign gpg packages to be
> rather certain that if it were a forgery someone would have noticed by
> now and made noise about it.
I'm not sure but I fear you have some deep misunderstanding of
cryptography... or at least that's how I understand your message (but
maybe I confuse something).

"Well-known", "often seen enough" or "not having heard any noise about
it" are absolutely no ways to prove the validity of a key's named
identity.


If there was only one "Werner Koch" on the keyservers, and that key was
signed by thousands of other famous names (Linus Torvalds, and that
like) you still couldn't be sure of anything.
An attacker that MitMs you could just set up a fake web-of-trust in very
little time and when you ask your favourite keyserver, block any of the
"real answers" and instead deliver you his faked key space with all the
mutual signatures and so on.
And you'd think "Only one Werner Koch, with an @gnupg.org email, even
signed by all these other people - that can't be coincidence, some of
them must have checked his ID, and if it was an impostor, I'd surely have
read on heise.de about it" - while in fact no one else than you ever saw
these faked keys.

If the attacker is powerful enough (and this is still way below what
intelligence agencies can do - rather the level of what your network
provider can do), they can also intercept anything you'd send back to
the web with these forged keys, so they'd truly be never discovered.

Cheers,
Chris.

btw: These kinds of things are just what one can accuse heise of: they
give people an all too easy view of crypto security, so that they'll
believe things are secure by using one's phone number, or by using
pinning techniques like HPKP.




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Johan Wevers
On 28-02-2015 18:21, Christoph Anton Mitterer wrote:

> Not sure what you refer to,... but if it's authentication schemes like
> ZRTP (which TextSecure wouldn't use)...

No it's not, it is much simpler. When I call my wife and am in fact
connected with a computer or agent impersonating her, they are unlikely
to be able to copy her voice so well that I don't hear it. And even if
they are, I think it's very improbable they would be able to fool me due
to them missing context.

Try it out: have 2 people who know each other well speak via a computer
synthesised voice so voice reconnition would not work. Then have a third
person who doesn't have intimate knpowledge about both others try to
fool one of the other two he is the other person. Unluikely to work.

And even if it would be possible, it would require so much manpower to
make it unusable for mass surveilance. It would probably only be used
against very high-priority targets of the caliber Bin Laden.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 18:45 +0100, Johan Wevers wrote: 
> OK, not cryptographically. They could always try to bribe/threat/torture
> someone to cooperate. But that model fails if you want to perform
> unnoticed mass surveillance.

Admittedly, when it comes to "unnoticed mass surveillance" anonymous
cryptography (like TextSecure does for most users, since they aren't
pushed to validate - and even if, one cannot mark who was validated and
who not)... *might* help somewhat against unnoticed mass surveillance,
that is when something like DH is used.

But this assumption is largely based on two things:
- That it's resource-wise too costly for them to MitM everyone
  => and given what we've learned from Snowden (and what "paranoid"
     people already assumed/knew before)... I really doubt that this
     would be any bigger problem for them.
     Apparently they sit at all the bigger internet exchanges,
     transatlantic cables, etc. and all the big US players (FB, Google,
     and Tier-1 content providers are anyway forced to cooperate with
     them)
- That people actually eventually check their keys, so that they'd find
  out whether their anonymous DH was attacked by some MitM.
  This might be done by some "more advanced" people who even know about
  what a fingerprint is, and when their client actually exports it to
  them (which may not be the case when you do something like WhatsApp™
  or any other system used by the masses, which just promises you to be
  "secure").


Cheers,
Chris.




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Christoph Anton Mitterer
On Sat, 2015-02-28 at 19:01 +0100, Johan Wevers wrote: 
> No it's not, it is much simpler. When I call my wife and are in fact
> connected with a computer or agent impersonating her, they are unlikely
> being able to copy her voice so good that I don't hear it.
I guess you've missed some developments in research here (see Daniel's
post) - and this is just the publicly known research.


> And even if
> they are, I think it's very unprobable they would be able to fool me due
> to them missing context.
They don't need to know any content. And they don't need to fake her all
the time.

When "they" MitM you, they just need to wait for the time when you'd
actually do mutual authentication via saying some "code" or whatever the
ZRTP implementation gives you.
Only then they need to mute the real "her" and let the faked "her" say
the code for their (evil) DH connection with you - and vice versa.

I'm not sure what the most recent ZRTP implementations do... but is it
more than numbers, letters or simple words?
Nothing one couldn't fake or perhaps pre-record somewhere in the real
world.

Of course they might still not be able to impersonate her completely - in
the sense that "she" tells you to send all your savings via PayPal to
cales...@scientia.net (which would surely be a good idea ;-) ) - But
it's enough for them to eavesdrop.


> And even if it would be possible, it would require so much manpower to
> make it unusable for mass surveilance. It would probably only be used
> against very high-priority targets of the caliber Bin Laden.
btw: I don't think that GnuPG's only intent is to fight against mass
surveillance.
I mean mass surveillance *is* of course a problem - but at least none
that will usually have any directly measurable negative effect on the
victim (again I'm not talking about the negative effect on his liberties
here).
The NSA has definitely read most of my mails (as they go to public lists
^^) but since I'm no criminal, neither someone like Snowden, Greenwald
or Assange - they simply don't care about me.

But such people or Iranian dissidents and that like ... probably want
some system which not only protects them against mass surveillance but
also gives them at least the best possible safety against dedicated
surveillance of single targets.


Cheers,
Chris.


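The MitM scenario Chris describes above (two separate DH sessions, and the attacker having to substitute what each side hears during the SAS comparison) can be modelled in a few lines. The following is an added example written for this archive, not code from the thread or from any ZRTP implementation; the DH group, the SAS derivation and the four-symbol alphabet are simplified stand-ins constructed for illustration, not ZRTP's actual parameters.

```python
"""Toy model of a ZRTP-style short authentication string (SAS) comparison.

Shows why a man-in-the-middle ends up holding two sessions whose SAS
values differ, so the spoken comparison fails unless the attacker makes
each side hear the other session's value.  Constructed example; the group
and SAS derivation are stand-ins, not ZRTP's real ones.
"""
import hashlib
import secrets

# Toy Diffie-Hellman group (constructed for this demo; a real endpoint uses
# a standard group such as RFC 3526 MODP-2048 or an elliptic curve).
P = 2 ** 127 - 1          # Mersenne prime, convenient for a small example
G = 3
SAS_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, 5 bits each


def dh_keypair(priv=None):
    """Return (private, public); the private value is random unless given."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def derive_sas(shared, caller_pub, callee_pub):
    """Four-symbol SAS bound to the session secret and both public values.
    Both ends must feed the public values in the same (caller, callee) order."""
    material = (b"toy-sas"
                + shared.to_bytes(16, "big")
                + caller_pub.to_bytes(16, "big")
                + callee_pub.to_bytes(16, "big"))
    digest = hashlib.sha256(material).digest()
    return "".join(SAS_ALPHABET[b & 31] for b in digest[:4])


def direct_call(alice_priv=None, bob_priv=None):
    """Alice calls Bob with nobody in between; returns the SAS each computes."""
    a_priv, a_pub = dh_keypair(alice_priv)
    b_priv, b_pub = dh_keypair(bob_priv)
    sas_alice = derive_sas(dh_shared(a_priv, b_pub), a_pub, b_pub)
    sas_bob = derive_sas(dh_shared(b_priv, a_pub), a_pub, b_pub)
    return sas_alice, sas_bob


def mitm_call(alice_priv=None, bob_priv=None, m1_priv=None, m2_priv=None):
    """Mallory intercepts the exchange and runs one DH session with Alice and
    a separate one with Bob.  Returns Alice's SAS, Bob's SAS, and the values
    Mallory can compute from his side of each session."""
    a_priv, a_pub = dh_keypair(alice_priv)
    b_priv, b_pub = dh_keypair(bob_priv)
    m1_priv, m1_pub = dh_keypair(m1_priv)   # Mallory's key towards Alice
    m2_priv, m2_pub = dh_keypair(m2_priv)   # Mallory's key towards Bob
    # Alice believes m1_pub is Bob's public value.
    sas_alice = derive_sas(dh_shared(a_priv, m1_pub), a_pub, m1_pub)
    # Bob believes m2_pub is Alice's public value.
    sas_bob = derive_sas(dh_shared(b_priv, m2_pub), m2_pub, b_pub)
    # Mallory is a party to both sessions, so he knows both SAS values.
    mallory_view = {
        "alice_session": derive_sas(dh_shared(m1_priv, a_pub), a_pub, m1_pub),
        "bob_session": derive_sas(dh_shared(m2_priv, b_pub), m2_pub, b_pub),
    }
    return sas_alice, sas_bob, mallory_view


def sas_check_passes(spoken_by_peer, own_sas):
    """What each user does on the call: compare what the peer reads out
    with the value their own client displays."""
    return spoken_by_peer == own_sas


if __name__ == "__main__":
    a, b = direct_call()
    print("direct call:", a, b, "match" if sas_check_passes(b, a) else "MISMATCH")
    a, b, m = mitm_call()
    print("MitM call:  ", a, b, "match" if sas_check_passes(b, a) else "MISMATCH")
    # For the check to pass, "Bob's voice" would have to read out the value
    # from Mallory's session with Alice, and vice versa:
    print("Mallory would need Bob's voice to say", m["alice_session"],
          "and Alice's voice to say", m["bob_session"])
```

The point the model makes is the one in the thread: the SAS mismatch is detected by the comparison itself, so the residual risk lies entirely in whether the user can tell the peer's real voice from a substituted one during those few seconds.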


Re: trust paths

2015-02-28 Thread Johan Wevers
On 28-02-2015 18:56, Christoph Anton Mitterer wrote:

> I'm not sure but I fear you have some deep misunderstanding of
> cryptography...

I'm not talking about mathematically proving something. After all, a
government agency could make a false key with Werner Koch's name on it
and send someone who looks like him with real ID documents to a
keysigning party. Government-issued ID's are no mathematical proof either.

> "Well-known", "often seen enough" or "not having heard any noise about
> it" are absolutely no ways to prove the validity of a key's named
> identity.

No proof no - but mathematical proof does not exist in this matter.

> If there was only one "Werner Koch" on the keyservers, and that key was
> signed by thousands of other famous names (Linus Torvalds, and that
> like) you still couldn't be sure of anything.

Of course not, anyone can upload a key with any name to the keyservers.
But I doubt anyone can publish a fake key on www.gnupg.org without
anyone noticing for long.

> An attacker that MitMs you could just set up a fake web-of-trust in very
> little time and when you ask your favourite keyserver, block any of the
> "real answers" and instead deliver you his faked key space with all the
> mutual signatures and so on.

I am not talking about keyservers at all, except maybe for obtaining a
key with a given keyID. Nothing more, and no WoT issues. While I
understand the concept I consider the WoT way too complicated and I use
it only as additional evidence a key belongs to someone.

> And you'd think "Only one Werner Koch, with an @gnupg.org email, even
> signed by all these other people - that can't be coincidence, some of
> them must have checked his ID, and if it was an impostor, I'd surely have
> read on heise.de about it" - while in fact no one else than you ever saw
> these faked keys.

If the key was only on the keyservers, sure, then even I could do that
myself easily. But I'm talking about keys in places where it is unlikely
anyone has write access to, like the gnupg website or as a signature in
mailinglist messages. Sure, it could be spoofed - but only a short time
before it gets noticed.

It would not be the first time I read about a spoofed gpg key on a Linux
distro server when the server was hacked. The attack works - but not for
long.

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html




Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Doug Barton

On 2/27/15 3:15 AM, Peter Lebbing wrote:
> So what did this key attract, being on the keyserver for four years now?
>
> 22 Nigerian 419 scams. That's it. Twenty-two! They came in batches; I haven't
> seen anything since March last year.


I've had a similar key out there for longer than four years, and my 
experience is the same. This is simply not an issue.


Doug



Re: Best practice to make one's key known, was Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Doug Barton

On 2/27/15 10:10 PM, Marco Zehe wrote:
> Hi Werner et al,
>
>> On 27.02.2015 at 20:56, Werner Koch wrote:
>>
>> There is no trust in keyservers by design.  As soon as you start
>> changing this you are turning PGP into a centralized system.
>
> OK, then I have a very practical question: Even though this is my
> fourth or fifth attempt at establishing OpenPGP in my daily routine
> since the mid 1990s, I am still confused by what the best way is to
> make my public key known. So if, as you say, key servers are not
> trusted by design, if I want to spread word around my available
> public key, which source should I put in a signature? While reading
> this list, I have seen quite a number of different approaches. Some
> put their key ID along with the finger print and the URL of a key
> server. Others put a link to the key file on a web server, others
> just quote their key ID and finger print, or only either of those.
>
> I have my key uploaded (and kept current) on key servers as well as
> on my web site(s), and my Impressum links to the copy on my web
> site rather than the key server URL.
>
> So: What's the best practice advice? (and yes, I looked in the FAQ,
> but that didn't prove conclusive to me.)


It's overwhelmingly likely that you are overthinking this. :)

If someone wants to correspond with you using PGP, they will ask. If
you sign a message, they will know that you are using PGP, and what
your key Id is. And you've posted it enough places that even a
moderately motivated person will be able to find it.

Relax, and enjoy the ride.

Doug




Re: A forgotten patch?

2015-02-28 Thread Alexander E. Fischer
Well thank you for the explanation. Sadly, I think my knowledge about C
is not sufficient to fully judge the situation. Although I have to say,
that the first example sounds a bit like a hack. I just hope you are
right, a lot depends on it.

> Right he lists Microsoft and a German "newspaper", to which many people
> would never talk, as his clients.
I think the majority of people work for people they don't necessarily
like that much. I suppose it's related to the unfair distribution of
wealth in our world. Being funded by Facebook isn't the most reputable
thing either.

> And why publishing a patch and no bug reports?
Is there anything in the patch you would reconsider to accept, if there
was a bug report for the patch? I would gladly write one if that would
help to improve the quality of GnuPG.

Kind regards

Alexander E. Fischer




Re: Best practice to make one's key known, was Re: German ct magazine postulates death of pgp encryption

2015-02-28 Thread Marco Zehe
Hi Doug,

> On 28.02.2015 at 21:36, Doug Barton wrote:
> 
> It's overwhelmingly likely that you are overthinking this. :)

Yes, I have been known to have that tendency sometimes. :)

Thanks! Will do as you suggest, then.

Marco


