Mailing List Archive

Again, Signal is touted as better than PGP.Why?Look at this problem
with signal. Looks really serious.
Signal Desktop Leaves Message Decryption Key in Plain Sight
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/

I don't think PGP does THIS !
Elwin
Sent using Hushmail
On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" wrote:I’m
not so sure that it does. I think that’s the point security
researchers like Schneier have been trying to make: it is easy for all
people — from grandparents who still think they need AOL to
chipheads who can install Arch without watching a YouTube tutorial —
to screw up encrypted email in a way that exposes the cleartext.
Encrypted email is fundamentally unsafe as it currently exists.
It’s really hard to screw up some of the new E2E encrypted
messengers. Sure, if your method for secure communications is
dropping stego’d memes with encrypted payloads on imgur, then simple
tools like Signal and WhatsApp won’t do. But if you’re trying to
securely communicate like a normal person who is not pretending to be
Mister Robot, then PGP for email is one of the least adopted, least
safe ways to do so and Signal/iMessage/WhatsApp are decent solutions.

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail
Sent from ProtonMail Mobile

On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users wrote:
On Mon, Jul 22, 2019 at 03:46:18PM +0000, Ryan McGinnis via
Gnupg-users wrote:
>
[1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
>
> 3. Why is anyone using encrypted e-mail anymore, anyway?
Reliably and
> easily encrypting e-mail is an insurmountably hard problem for
reasons
> having nothing to do with today's announcement. If you need to
> communicate securely, use Signal. If having Signal on your phone
will
> arouse suspicion, use WhatsApp.

Depends on your threat model. For mine, reliably and easily
encrypting email is almost absurdly simple:

1) Use PGP
2) Don't send secrets to people I don't trust to keep them.

Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
emails so that (if you care enough to install PGP) you can be highly
assured that they're from me.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

It seems kinda cheeky to find one (fixed) bug in the least secure implementation of the program and act like that disqualifies it.  All programs have bugs.  Most implementations of GPG have had some pretty bad bugs over the years.  No programs are going to be free of security flows - the question is whether the app or platform was built with security as a priority and what happens when those flaws are discovered.  I'd argue Signal was built with security it mind and that they're pretty swift at fixing issues as they arise. 

Also, not that it makes the bug any less impactful, but I know very few people who make regular use of the desktop implementation of Signal; it's mostly meant for mobile devices. 

-Ryan McGinnis
https://bigstormpicture.com
PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
Sent with ProtonMail

??????? Original Message ???????
On Tuesday, July 23, 2019 3:32 AM, <mercuryrising@hush.ai> wrote:

> Again, Signal is touted as better than PGP.
> Why?
> Look at this problem with signal. Looks really serious.
>

> Signal Desktop Leaves Message Decryption Key in Plain Sight
> https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/
>

> I don't think PGP does THIS !
>

> Elwin
>

> Sent using Hushmail
>

> On 7/22/2019 at 7:53 PM, "Ryan McGinnis via Gnupg-users" <gnupg-users@gnupg.org> wrote:
>

> > I’m not so sure that it does.  I think that’s the point security researchers like Schneier have been trying to make: it is easy for all people — from grandparents who still think they need AOL to chipheads who can install Arch without watching a YouTube tutorial — to screw up encrypted email in a way that exposes the cleartext.   Encrypted email is fundamentally unsafe as it currently exists.  It’s really hard to screw up some of the new E2E encrypted messengers.  Sure, if your method for secure communications is dropping stego’d memes with encrypted payloads on imgur, then simple tools like Signal and WhatsApp won’t do.  But if you’re trying to securely communicate like a normal person who is not pretending to be Mister Robot, then PGP for email is one of the least adopted, least safe ways to do so and Signal/iMessage/WhatsApp are decent solutions.  
> >

> > -Ryan McGinnis
> > https://bigstormpicture.com
> > PGP: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
> > Sent with ProtonMail
> >

> > Sent from ProtonMail Mobile
> >

> > On Mon, Jul 22, 2019 at 15:00, Mark H. Wood via Gnupg-users <gnupg-users@gnupg.org> wrote:
> >

> > > On Mon, Jul 22, 2019 at 03:46:18PM +0000, Ryan McGinnis via Gnupg-users wrote:
> > > > [1]https://www.schneier.com/blog/archives/2018/05/details_on_a_ne.html
> > > >
> > > > 3. Why is anyone using encrypted e-mail anymore, anyway? Reliably and
> > > > easily encrypting e-mail is an insurmountably hard problem for reasons
> > > > having nothing to do with today's announcement. If you need to
> > > > communicate securely, use Signal. If having Signal on your phone will
> > > > arouse suspicion, use WhatsApp.
> > >

> > > Depends on your threat model. For mine, reliably and easily
> > > encrypting email is almost absurdly simple:
> > >

> > > 1) Use PGP
> > > 2) Don't send secrets to people I don't trust to keep them.
> > >

> > > Anyway, 99% of my PGP use is for the opposite of secrecy: I sign my
> > > emails so that (if you care enough to install PGP) you can be highly
> > > assured that they're from me.
> > >

> > > --
> > > Mark H. Wood
> > > Lead Technology Analyst
> > >

> > > University Library
> > > Indiana University - Purdue University Indianapolis
> > > 755 W. Michigan Street
> > > Indianapolis, IN 46202
> > > 317-274-0749
> > > www.ulib.iupui.edu
> > > _______________________________________________
> > > Gnupg-users mailing list
> > > Gnupg-users@gnupg.org
> > > http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 7/22/2019 at 7:12 AM, "Robert J. Hansen" <rjh@sixdemonbag.org> wrote:

>Mathematicians have come up with different ways to estimate how
>many
>primes there were under a certain value
...
>The first estimate for ?(x) was "x divided by the natural
>logarithm of x".
...
>If we do that same equation for a 2048-bit key, it turns out there
>are
>10 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
>000 000
>000 000 000 000 000 000 000 different prime numbers that could go
>into it.

=====

not really, for GnuPG keys, but for the default size GnuPG key of 4096, it's actually bigger than the number you quoted above ;-)

For a GnuPG key of 4096, it's only necessary to compute for primes up to 2^2048.

But,

Since GnuPG uses 2 primes only in the 2^2048 size, for a 4096 bit key,
then the amount of primes is actually:

[ (2^2048) / ln(2^2048) ] - [ (2^2047) / ln (2^2047) ] = 1.37 x 10^613


So, not to worry about someone creating a 'database' to crack GnuPG ...


vedaal


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Wednesday 24 July 2019 at 2:36:36 AM, in
<mid:20190724013636.4B681E0792@smtp.hushmail.com>, vedaal via
Gnupg-users wrote:-


> but for the default size GnuPG key of 4096,

The default key size is 2048. That is the size generated if you use
the --quick-generate-key command.

- --
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

Man is not a rational animal, he is a rationalising animal.
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXTlyd18UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+gduAPwI2gnyutM1fWBgNJRZkU/ag0Ni30mH4mlRBG3JxT5ioQEA6qLqt2nJij3N
YiuVpTOj/qNuTeV4E6vosZ2kRHY1RAKJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXTlyd18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/32ID/0bQmEOTJgd34X4zPBNhI639ERs
DcyPxIfdTU6ax+e54Eq9Gt0shaMgyC0IGQGrRom2cBK+g9SB9TgKDa7Vj+ao1JOi
Dzg29insC06OpYa365Suk5Ep5RnqaoyFgYg3x3+v1vqhu7vdQuFYfCGeRY0WaiZW
7QcBGHV5XOicSZVYXDhu5uFDE1DXfukysBjKOoa16xW15oAQi9PX0uKWytShuS28
Q40NTx8Rvhq79XoeO71tKX9WQ+ZO0juXu3nwPeGG/r6kLEKOhTiSaQ2u5GL6oC4o
Obz29/jVwUTPODRjYQ97aRpUtRJ8pGposAX6CPBD3e0UZV5mZlfgsvXwGtv81zMS
tZYvG5L5myf85TvGjSWinetMORL6R0OjWab5oB2hkE7VoCkffRFVoutd2Y6LFknB
NZK4Q9WGvSFkzk7w5o9GABB8b76d0Yz14cWV9egeyzHU7rwoqaw127lfdKL8MUZ+
c3FDQ4B7zO2NCDYESsuUOsSuImd/+NNsZH9QjuwaGzou3TQw4T03uDsemPQ5pBEb
WiZmTOsoXvkmTcwnu7o1HmfmZ/C9Xq8rNLeh7kAxrHnAERDhSCuKz7CQH0h7Tc9i
iSuasPhX1XCX2AXXXdcN3Bw/SokgBRzrn4+mh3IejUv/KaFqwKcg05tJM9MWtoEo
CHnfniEoaNb/C/Llpg==
=GKS4
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users