Mailing List Archive

Which version of GnuPG to use?
Hi all

Some years ago I used GnuPG, but somewhen stopped with it.

Now I want to start again. However there are many rumors that it is
unsecure meanwhile.

I need recommendations:
- Which version of software shall I install?
- Create key via cli-commands or is Windows-Version ok?
- Which keys shall I take (there was an article not to encrypt/sign with
El-Gamal)?

Many thanks and kind regards
Daniel


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which version of GnuPG to use? [ In reply to ]
Hi,

On Mon, Sep 16, 2019 at 11:29:19AM +0200, Daniel Bossert wrote:
>I need recommendations:
>- Which version of software shall I install?

The latest version available for your system, which should in any case
be a version from the 2.2 branch. (If your system is Windows, that would
be Gpg4Win 3.1.10, which provides GnuPG 2.2.17.)

You should *not* use GnuPG 1.4.x unless you have some very specific
needs (such as working on a "exotic" system or having to interoperate
with PGP versions from the mid-1990s), and you should *not* use any
version from the 2.0 or 2.1 branch which are not supported anymore.


>- Create key via cli-commands or is Windows-Version ok?

This doesn't matter, really. You may use gnupg directly on the command
line if you're familiar with it, but you don't have to.


>- Which keys shall I take (there was an article not to encrypt/sign
>with El-Gamal)?

The usual recommandation is to stick to the default setting proposed by
GnuPG (which currently and if I remember correctly is to generate a
RSA-3072 master key for certifying and signing and a RSA-3072 encryption
subkey).

Note that modern versions of GnuPG do not ask you anymore to specify the
type and/or size of key you want unless you explicitly request it.


- Damien
Re: Which version of GnuPG to use? [ In reply to ]
Daniel Bossert wrote:

> Hi all
>
> Some years ago I used GnuPG, but somewhen stopped with it.
>
> Now I want to start again. However there are many rumors that it is
> unsecure meanwhile.

Can you tell us what rumors you have heared? I would say the encryption
in GnuPG is secure, but sadly people tend to use encryption software on
online computers due to many tutorials, MUA plug-ins and their lazyness
and therefore it can never been guaranteed that the communications are
always secure.

P.S. Question for Werner and all the other hackers. Would it be very
difficult to read out the required decryption parameters, like p&q so to
speak, with a specially crafted software, when using an online computer
with a SmardCard? I have read that the secret key can not been copied from
the card, but what about the 'bits and pieces' in memory when decrypting?

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which version of GnuPG to use? [ In reply to ]
On Mon, 16 Sep 2019 23:49, gnupg-users@gnupg.org said:

> speak, with a specially crafted software, when using an online computer
> with a SmardCard? I have read that the secret key can not been copied from
> the card, but what about the 'bits and pieces' in memory when decrypting?

Side-channel attacks on smartcards are an pretty old thing dating back
to the late 80ies. Current smartcards are hardened against most such
attacks. Unless you have physical access to the card the secrets and
their use on the card/token are well protected against any sniffing by
the host.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: Which version of GnuPG to use? [ In reply to ]
Werner Koch wrote:

> On Mon, 16 Sep 2019 23:49, gnupg-users@gnupg.org said:
>
> > speak, with a specially crafted software, when using an online computer
> > with a SmardCard? I have read that the secret key can not been copied from
> > the card, but what about the 'bits and pieces' in memory when decrypting?
>
> Side-channel attacks on smartcards are an pretty old thing dating back
> to the late 80ies. Current smartcards are hardened against most such
> attacks. Unless you have physical access to the card the secrets and
> their use on the card/token are well protected against any sniffing by
> the host.

Unfortunately I am no programmer but I was thinking about the following:

I assume that in order to decrypt a message the secret key data must be
unlocked and loaded for a very short time into the computers RAM, in order
to perform the decryption, or am I wrong with my assumption?

And if I am not wrong, would that be very difficult to get the parameters
from the secret key or does GnuPG somehow (tries to) prevent this?

Sorry for this question but I like to learn more about how this works
and if I should invest in a smardcard in the future, for online usage.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which version of GnuPG to use? [ In reply to ]
On Tue, Sep 17, 2019 at 06:59:34PM +0200, Stefan Claas via Gnupg-users wrote:
>I assume that in order to decrypt a message the secret key data must be
>unlocked and loaded for a very short time into the computers RAM, in order
>to perform the decryption

No. The secret key data remains on the smartcard and is *not* sent to
the host computer. The host computer sends the data to be decrypted to
the smartcard, the smartcard does the decryption itself then sends the
decrypted data back to the host.

(Actually the "data" sent to the card is not an entire OpenPGP message,
just the asymetrically encrypted session key which the hosts then uses
to decrypt the bulk of the message. But this is a detail which does not
change the fact that the host never sees the secret private key.)

- Damien
Re: Which version of GnuPG to use? [ In reply to ]
Damien Goutte-Gattat wrote:

> On Tue, Sep 17, 2019 at 06:59:34PM +0200, Stefan Claas via Gnupg-users wrote:
> >I assume that in order to decrypt a message the secret key data must be
> >unlocked and loaded for a very short time into the computers RAM, in order
> >to perform the decryption
>
> No. The secret key data remains on the smartcard and is *not* sent to
> the host computer. The host computer sends the data to be decrypted to
> the smartcard, the smartcard does the decryption itself then sends the
> decrypted data back to the host.
>
> (Actually the "data" sent to the card is not an entire OpenPGP message,
> just the asymetrically encrypted session key which the hosts then uses
> to decrypt the bulk of the message. But this is a detail which does not
> change the fact that the host never sees the secret private key.)
>
> - Damien

Thank you Damien and Peter, both of your detailed replies are much appreciated!

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which version of GnuPG to use? [ In reply to ]
On 9/17/19 12:59 PM, Stefan Claas via Gnupg-users wrote:
> Unfortunately I am no programmer but I was thinking about the following:
> I assume that in order to decrypt a message the secret key data must be
> unlocked and loaded for a very short time into the computers RAM, in order
> to perform the decryption, or am I wrong with my assumption?


No, the decryption (of the message's session key) is performed entirely
within the smart card, using the smart card's internal processor.  The
session key is then in copied to the computer's main memory to perform
AES or whatever symmetrical encryption the message is encrypted with. 
The smart card is actually as a separate computer that performs basic 
encryption on the user's behalf, while making it as difficult as
possible to access the private keys.
Re: Which version of GnuPG to use? [ In reply to ]
Brian Minton wrote:

> On 9/17/19 12:59 PM, Stefan Claas via Gnupg-users wrote:
> > Unfortunately I am no programmer but I was thinking about the following:
> > I assume that in order to decrypt a message the secret key data must be
> > unlocked and loaded for a very short time into the computers RAM, in order
> > to perform the decryption, or am I wrong with my assumption?
>
>
> No, the decryption (of the message's session key) is performed entirely
> within the smart card, using the smart card's internal processor.? The
> session key is then in copied to the computer's main memory to perform
> AES or whatever symmetrical encryption the message is encrypted with.?
> The smart card is actually as a separate computer that performs basic?
> encryption on the user's behalf, while making it as difficult as
> possible to access the private keys.

Thank you too, much appreciated!

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
certified OpenPGP key blocks available on keybase.io/stefan_claas


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users