Mailing List Archive

On 1/19/2012 06:00 PM, Neil Bothwick wrote:
> On Fri, 20 Jan 2012 00:42:16 +0200, Alan McKinnon wrote:
>
>> There's no known way to decrypt a mail like that without the single
>> private key needed (this works exactly like https traffic to your
>> bank). I feel very confident saying "no known way" as cracking that
>> puzzle has been the Holy Grail of maths prizes for 40 years and no-one
>> has announced success. Seeing as mathematicians are a vain lot, and the
>> one that accomplishes this feat with be showered with honour and glory
>> for all time (making Einstein look like a child), it's a safe
>> assumption that it hasn't been done yet.
>
> Unless he works for GCHQ/NSA or any other government's security services.
>
> Remember, RSA was invented several years before R, S and A did so, by a
> mathematician working at GCHQ (the UK's communication monitoring
> department).

Possible, but not too likely*. RSA keys are based on two very large prime
numbers and their composite. The two primes are hundreds of digits in length,
and are used to generate the cipher (public) key, and the decipher (secret)
key. After which their composite is found and the two primes are discarded.

This type of public key cryptography is based on the difficulty of factoring
very large composites with only two very large prime factors, and is based in
number theory. It can be done, but it usually takes years using distributed
computer networks. It is possible that the NSA has found a magic formula to do
such factoring, but I find it more likely that the US Navy or the CIA would do
so first. Remember, the NSA exists to monitor communications for "suspicious"
activity and this is what most of their supercomputers are used for (sifting
many emails, web page interactions, telephone conversations, and the like).

While I am sure the NSA has its share of cryptologists, and cryptographers, I
would hazard to say that the Navy has more, and so probably does the CIA/MI5
(or is it MI6 now?).

*DISCLAIMER: With any public key cryptosystem, there is a risk that you will be
using keys that have already been cracked. If so, anyone who knows the crack
could decrypt your messages.

Chris

On Thu, Jan 19, 2012 at 6:20 PM, Dale <rdalek1967@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mud is clearing up a bit.
>

Excellent! Lookin good!


>
> Dale
>
> :-) :-)
>
> - --
> I am only responsible for what I said ... Not for what you understood
> or how you interpreted my words!
>
> Miss the compile output? Hint:
> EMERGE_DEFAULT_OPTS="--quiet-build=n"
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8YpUwACgkQiBoxVpK2GMCz4QCeNBRDf8wmErruB5SVREcra4uu
> 6dQAnRnR8OuS0Mo5jcBnLNRGug0hkhK/
> =XWWa
> -----END PGP SIGNATURE-----
>
>
- Matt

On Thursday 19 Jan 2012 23:20:44 Dale wrote:
> Chris Walters wrote:

> I'm starting to see this now. When I sign a message, it is public but
> people are assured that it came from me. Sort of like having a check
> with a picture ID that matches. :/

Better than that.

Readers (all that have access to this list) can a)see that you have signed it
and b)rest assured that no one has tampered with its content since you signed.
If anyone intercepted the message mid-air and changed its content, your
signature would show as bad in the recipients mail client (assuming they have
a GnuPG/PGP compatible client).

BTW, your signature is not showing in Kmail ... are you using inline or
opengpg/smime format?


> > You could then encrypt a message to me, and you could add yourself
> > to the recipient list so you could read it. Then, when I received
> > the message, I would be prompted for my secret key's passphrase -
> > this would allow decryption of the message. Providing that I
> > replied to you and chose the "encrypt" option, the entire message,
> > including any quotes would be encrypted.
> >
> > Hope this helps, Chris

> So, this is why when I want to sign a message it asks me for the
> password. I thought it was trying to do something wrong. Made me
> scratch my head.

To avoid an easy misunderstanding about what the "password" does:

You are asked for a passphrase not because Chris used that passphrase to
encrypt the message he sent you with (that would have been symmetric
encryption and both of you would need to know in advance the secret
passphrase). Instead, you are asked for a passphrase to decrypt your own
private gpg key which is stored in encrypted format on your hard drive for
security purposes. The private key once decrypted and loaded in memory will
be used by your openpgp application to decrypt the message sent by Chris.

This is asymmetric encryption: a sender can use your public key and their
private key to encrypt a message to you, which only you can decrypt with your
private key and the sender's public key. Look at the picture on the right in
this page:

http://en.wikipedia.org/wiki/Public-key_cryptography

HTH
--
Regards,
Mick

On Thu, 19 Jan 2012 18:28:04 -0500, Chris Walters wrote:

> >> I feel very confident saying "no known way" as cracking that
> >> puzzle has been the Holy Grail of maths prizes for 40 years and
> >> no-one has announced success. Seeing as mathematicians are a vain
> >> lot, and the one that accomplishes this feat with be showered with
> >> honour and glory for all time (making Einstein look like a child),
> >> it's a safe assumption that it hasn't been done yet.
> >
> > Unless he works for GCHQ/NSA or any other government's security
> > services.


> Possible, but not too likely*. RSA keys are based on two very large
> prime numbers and their composite. The two primes are hundreds of
> digits in length, and are used to generate the cipher (public) key, and
> the decipher (secret) key. After which their composite is found and
> the two primes are discarded.

I know it is extremely unlikely that anyone could crack it. My point was
that if someone did crack it, they would not necessarily shout about it.
If they worked for the security services, that would not want others to
know their encryption was insecure. Britain was selling Enigma machines
to their "friends" for decades after it was broken.

> While I am sure the NSA has its share of cryptologists, and
> cryptographers, I would hazard to say that the Navy has more, and so
> probably does the CIA/MI5 (or is it MI6 now?).

GCHQ, as mentioned above :)


--
Neil Bothwick

I am Zaphod of Borg. Now, where's the coolest place to be assimilated...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 1/19/2012 07:27 PM, Neil Bothwick wrote:
> On Thu, 19 Jan 2012 18:28:04 -0500, Chris Walters wrote:
>> Possible, but not too likely*. RSA keys are based on two very large
>> prime numbers and their composite. The two primes are hundreds of
>> digits in length, and are used to generate the cipher (public) key, and
>> the decipher (secret) key. After which their composite is found and
>> the two primes are discarded.
>
> I know it is extremely unlikely that anyone could crack it. My point was
> that if someone did crack it, they would not necessarily shout about it.
> If they worked for the security services, that would not want others to
> know their encryption was insecure. Britain was selling Enigma machines
> to their "friends" for decades after it was broken.

That is very true. In fact, they'd likely do just what you brought up about
Britain selling Enigma machines to their "friends" after it was broken. That
is that would likely promote the cipher(s) they know how to crack and dismiss
the ones they don't as being "not secure".

>> probably does the CIA/MI5 (or is it MI6 now?).
>
> GCHQ, as mentioned above :)

GCHQ, eh? What does that stand for, or is that a State secret? Like the NSA =
"No Such Agency"...

Chris

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJPGLcmAAoJEFHj8CHvnA9YoRYP/R7Ln7rQc59J+By0cXnwgK6i
XeQgXHe3m02XKBqSxZVRihVPMUoUeJbs9ianemWgNq5I5WDD8qjnjFIMJv+3YHan
DHqJxIhnRiirMAsUowCxwFktjhN6kpQgOOZvxrxid+q5GpfEh39VM9+eiqogoHHK
R5aAf0SC6ZSOqmCx5vv/bfWXJPgxXeunyi3xZ7S+ZQZOQhVqu5XyMTHvwzibiMbX
zbbpRUIer8Sx+5C4+Vf317ftOhV7Ix2jIdSmJAUW0AxVuqSC6B3ab+PLTz7IVrui
a1RucF0B8zb5OJnLSSapB9K68U9X2j96RcnxyyrCQzTYEyf0ICIeWBTWeijqP1nd
qt2qWXMKFTK+5p9TOD53QJkATk0ZwOhnVbHmc/zPXHk20YgvwC3ucRkExVJW9sU5
Mre8YE6j7Ds/JegBIkp1TY7lfkNWXhmGVxwzTlIqveHIimtDwTPgxefrP67GHyt6
vjr+lWek+hj0Fix0xW542Oj4434+JNpxyUjqOjEiVQ8oPInsri/qBobLxVu3ZRd6
y6YI/NYD+8HRum/3YfKmkgWi6KuuJ9zqa12tpbwh83nNTsakY8emCEnLIXpfhy+K
CXGgIDxtX3tWuvOPtIt/OgWTIhPjNozlN7v+lSg42SC5cgMkSErsM/LFTYBZ65ti
kzrMYYwxfXUP22eJnbCx
=egVJ
-----END PGP SIGNATURE-----


---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 120119-1, 01/19/2012
Tested on: 1/19/2012 7:36:59 PM
avast! - copyright (c) 1988-2012 AVAST Software.
http://www.avast.com

Mick wrote:
> On Thursday 19 Jan 2012 23:20:44 Dale wrote:
>> Chris Walters wrote:
>
>> I'm starting to see this now. When I sign a message, it is public but
>> people are assured that it came from me. Sort of like having a check
>> with a picture ID that matches. :/
>
> Better than that.
>
> Readers (all that have access to this list) can a)see that you have signed it
> and b)rest assured that no one has tampered with its content since you signed.
> If anyone intercepted the message mid-air and changed its content, your
> signature would show as bad in the recipients mail client (assuming they have
> a GnuPG/PGP compatible client).
>
> BTW, your signature is not showing in Kmail ... are you using inline or
> opengpg/smime format?
>
>

I don't have mine set up to sign them all. I did a couple to see if it
worked or not. Whenever I sign a message, it asks for the password. It
is quite a long password and I don't want to type it in every time I
send something.


>>> You could then encrypt a message to me, and you could add yourself
>>> to the recipient list so you could read it. Then, when I received
>>> the message, I would be prompted for my secret key's passphrase -
>>> this would allow decryption of the message. Providing that I
>>> replied to you and chose the "encrypt" option, the entire message,
>>> including any quotes would be encrypted.
>>>
>>> Hope this helps, Chris
>
>> So, this is why when I want to sign a message it asks me for the
>> password. I thought it was trying to do something wrong. Made me
>> scratch my head.
>
> To avoid an easy misunderstanding about what the "password" does:
>
> You are asked for a passphrase not because Chris used that passphrase to
> encrypt the message he sent you with (that would have been symmetric
> encryption and both of you would need to know in advance the secret
> passphrase). Instead, you are asked for a passphrase to decrypt your own
> private gpg key which is stored in encrypted format on your hard drive for
> security purposes. The private key once decrypted and loaded in memory will
> be used by your openpgp application to decrypt the message sent by Chris.
>
> This is asymmetric encryption: a sender can use your public key and their
> private key to encrypt a message to you, which only you can decrypt with your
> private key and the sender's public key. Look at the picture on the right in
> this page:
>
> http://en.wikipedia.org/wiki/Public-key_cryptography
>
> HTH


The password I was talking about is the one when I send a message. It
does ask for the password when Paul was sending a message. Those were
off list tho. Anyway, when I put the password in, I can read the email.
Otherwise, I can't read anything.

How sure are we that there is no back door the Government has to bypass
this? Are we 99% sure or about 50/50 with our fingers crossed?

Dale

:-) :-)
--
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!

Miss the compile output? Hint:
EMERGE_DEFAULT_OPTS="--quiet-build=n"

On Thu, 19 Jan 2012 19:36:56 -0500, Chris Walters wrote:

> > GCHQ, as mentioned above :)
>
> GCHQ, eh? What does that stand for, or is that a State secret? Like
> the NSA = "No Such Agency"...

Going back to the start of this thread, Wikipedia's back on so you can
look it up :P

It's Government Communications Headquarters. It grew out of Bletchley
Park, where the Enigmas were cracked in WWII.


--
Neil Bothwick

Top Oxymorons Number 5: Twelve-ounce pound cake

On Thursday, January 19, 2012, Dale <rdalek1967@gmail.com> wrote:
> I don't have mine set up to sign them all. I did a couple to see if it
> worked or not. Whenever I sign a message, it asks for the password. It
> is quite a long password and I don't want to type it in every time I
> send something.

If you use gpg-agent (and configure Enigmail to use it), it will remember
that you already entered your passphrase for some amount of time, so you
don't need to keep reentering it over and over during the same session.

On Thu, Jan 19, 2012 at 01:22:50PM -0600, Paul Hartman wrote:
> On 1/19/2012 11:32 AM, Chris Walters wrote:
> > On 1/19/2012 11:57 AM, Frank Steinmetzger wrote:
> >> On Thu, Jan 19, 2012 at 12:53:07AM -0600, Dale wrote:
> >>
> >>> While on this subject, sort of. Who on here as their email set up to
> >>> encrypt and decrypt emails? I want to test some things OFF LIST.
> >>
> >> Well, if you had signed your mail, then I could write you encrypted. :)
> >
> > This is a test. Enigmail has been trying to use a revoked and expired key to
> > sign my messages, lately.
> >
> > Chris
>
> Looks good to me, at least based on what's presently available in the
> keyservers.

Hm... I seem to be too dumb. Mutt tells me that the msg is signed, but doesn't
tell me by whom (I know that I need to have the public key in my keyring to see
a name, but it doesn't even tell me the key ID). Saving the whole mail to a
file and verifying the sig doesn't work either, that too is obvious because 1)
only the text is signed, not the rest of the mail and b) the signed stuff and
the sig need to be two different files for gpg --verify to work. So I saved the
signature.asc and the text separately. Now verification works and I see a key
ID, but using gpg --search <key ID> doesn't find the given key on the server.

GPGing was much easier when KMail still worked. ^^
--
Gruß | Greetings | Qapla'
I forbid any use of my email addresses with Facebook services.

The computer is not a miracle.
It only works so fast because it doesn’t think.

On Friday 20 Jan 2012 07:57:38 Frank Steinmetzger wrote:
> On Thu, Jan 19, 2012 at 01:22:50PM -0600, Paul Hartman wrote:
> > On 1/19/2012 11:32 AM, Chris Walters wrote:
> > > On 1/19/2012 11:57 AM, Frank Steinmetzger wrote:
> > >> On Thu, Jan 19, 2012 at 12:53:07AM -0600, Dale wrote:
> > >>> While on this subject, sort of. Who on here as their email set up to
> > >>> encrypt and decrypt emails? I want to test some things OFF LIST.
> > >>
> > >> Well, if you had signed your mail, then I could write you encrypted.
> > >> :)
> > >
> > > This is a test. Enigmail has been trying to use a revoked and expired
> > > key to sign my messages, lately.
> > >
> > > Chris
> >
> > Looks good to me, at least based on what's presently available in the
> > keyservers.
>
> Hm... I seem to be too dumb. Mutt tells me that the msg is signed, but
> doesn't tell me by whom (I know that I need to have the public key in my
> keyring to see a name, but it doesn't even tell me the key ID). Saving the
> whole mail to a file and verifying the sig doesn't work either, that too
> is obvious because 1) only the text is signed, not the rest of the mail
> and b) the signed stuff and the sig need to be two different files for gpg
> --verify to work. So I saved the signature.asc and the text separately.
> Now verification works and I see a key ID, but using gpg --search <key ID>
> doesn't find the given key on the server.
>
> GPGing was much easier when KMail still worked. ^^

Yes, I dabbled with mutt but I found the gpg and s/mime rather cranky compared
with the super-smooth integration of kmail and kgpg. Unfortunately with
kdepim-4.7 the whole kmail experience has been a rather unpleasant one for me.
:(
--
Regards,
Mick

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 1/20/2012 02:57 AM, Frank Steinmetzger wrote:
> On Thu, Jan 19, 2012 at 01:22:50PM -0600, Paul Hartman wrote:
>> On 1/19/2012 11:32 AM, Chris Walters wrote:
>>>
>>> This is a test. Enigmail has been trying to use a revoked and expired key to
>>> sign my messages, lately.
>>>
>>> Chris
>>
>> Looks good to me, at least based on what's presently available in the
>> keyservers.
>
> Hm... I seem to be too dumb. Mutt tells me that the msg is signed, but doesn't
> tell me by whom (I know that I need to have the public key in my keyring to see
> a name, but it doesn't even tell me the key ID). Saving the whole mail to a
> file and verifying the sig doesn't work either, that too is obvious because 1)
> only the text is signed, not the rest of the mail and b) the signed stuff and
> the sig need to be two different files for gpg --verify to work. So I saved the
> signature.asc and the text separately. Now verification works and I see a key
> ID, but using gpg --search <key ID> doesn't find the given key on the server.
>
> GPGing was much easier when KMail still worked. ^^

Hmmm... Have you tried running 'gpg -k | less' and searching for either
"Christopher Walters" or the keyid: EF9C0F58. If my key is not in your public
keys, that would explain the problem identifying who signed the message. It
sounds like it might be a problem with Mutt not importing the key, though I
could be wrong.

I only dabbled with Mutt a while ago, and now I don't even have an email client
set up on my Gentoo system. This time, I'll include my key with the message,
so it will have the key.

Chris
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJPGSihAAoJEFHj8CHvnA9Yh9YP/jYpE9mnf2iCY3ihJ3JkVFQ9
Z4t89c+lBnPqaPs2aGoSbjOMcoWziU1f8adoKXv4DxPFNArX1Qgk+VKbt0GN91D7
L+WFdA7Tn/qZi9WfvhmpMFrA2e73OwOq+vUPLhh6cspRULwXx505VXlcv9QStuFf
CfP1rA5WCU9zhikTwPgChZbiDwEZtfe7A8ypybdudHCeygPHQGBHuMV8Qt88inH6
dQIpH/5n1qimCtgQ+3qlVjordo9CU0FhklfhWT5n+zZhjlVOco8By68mISZjsLyH
g3LHzWnAeLI6G5tJ/wXVyFKCIaQTDsGMijqJA9ChEfO0M/wbiX4X+3yy8QxYUzsz
NgKDSqyYpdPVOdmwCvWgZ66epmZXOWWGWqZp5IVrvGTc+SXzrl6GBAosUdTeGk46
KKiNA9WQ7jasBYZvw21vYar1UxUG5UApMfSQmvmUPoJLjq8r4Ngh29Ed8MX83dSO
INDBpHQQ1X2QsLmY8PdA2/BxQ74Zu00DuK8W/ng2ujcpVNLcZOfKYdoCTB4dP8mk
jWpyK6D4+ogDrr+OQ7E9+oeIqku6IdNNRU50/86MgsoGwQTzprY+wauFNigh7sjF
ZfLTGxtjnZqend6buRenKz6sgKKqpl9mOxpLkrIxpRp3wwpNSSzT7mVoxLeV5IW9
YTMfanz4zXaoDYC/tAbD
=1iC+
-----END PGP SIGNATURE-----

On 2012-01-19 5:42 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> There's no known way to decrypt a mail like that without the single
> private key needed (this works exactly like https traffic to your
> bank). I feel very confident saying "no known way" as cracking that
> puzzle has been the Holy Grail of maths prizes for 40 years and no-one
> has announced success. Seeing as mathematicians are a vain lot, and the
> one that accomplishes this feat with be showered with honour and glory
> for all time (making Einstein look like a child), it's a safe
> assumption that it hasn't been done yet.

Heh - yeah, *loved* the movie 'Sneakers'...

Setec Astronomy == Too Many Secrets