Mailing List Archive

Re: Traveling without a secret key [ In reply to ]
On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>
> > The thing is, if you can't remember a string of random words, are you likely to remember a string of 20 random letters, numbers,
> > and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a
> > computer to guess. Diceware is the attempt to make something as easy as possible to remember while still being truly
> > high-entropy. If you're really paranoid you don't use the javascript program to generate your random phrases, you buy an
> > EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.
>
> How do I do that when traveling, because I can't memorize the diceware pass phrase and then roll dice and tell via a
> non-secure channel my now generated pass phrase, or do I make a mistake now in thinking?

You only use the dice suggested by Ryan for creating a new password.
A local program is probably perfectly fine for creating "random"
passwords, though.


If you are traveling, you would do as at home: you bring with you your
password manager. You should probably prepare in advance a list of all
credentials you might need, and then only bring a reduced "travel-size"
version of your stored passwords (you could also take with you a
"simple" one you expect to use and a bigger -not necessarily complete-
one that you expect not to need to unlock).

Note that "bringing" could involve a physical entity, such as a file in
your laptop or a usb key, but also simply the ability to download it
from the internet (after logging into <account>, probably).


You may obviously rotate all those passwords after you are back (as well
as before you depart, if you wish).

You still need to properly protect the master password of that manager,
which should probably involve memorizing it.


If you are only concerned about part of your travel itinerary, such as a
layover at a foreign location with few privacy guarantees, or just until
the time you cross the border (as is the case when crossing the British
or US border, where otherwise constitutional rights are
suspended),[1][2] you could actually deprive yourself of the required
knowledge to decrypt the content.
Let's suppose that you arrive Friday night, and will meet with the
foreign client on Monday, showcasing some company confidential
information to them stored in an encrypted laptop.

You could memorize half of the password, then get told the other half by
phone on Monday morning by your corporate lawyer. You would then a of
being unable to decrypt it while crossing the border, which means you
can't be coerced to provide it. This would make quite sense from the
point of view of the company. The border agents may not be happy with
that, though. And maybe result as well in a not-so-nice experience for
the employee.

On the other hand, if you were targeted by e.g. the MI5, you would
probably be returned bugged hardware, and you had better not travel
with a laptop there to begin with.


Kind regards


1- https://www.schneier.com/blog/archives/2008/05/crossing_border.html
2- https://www.thelawforlawyerstoday.com/2018/10/border-searches-of-your-e-device-encryption-may-be-of-limited-value-in-protecting-client-data/




_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
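
An added example, not part of the original message, of the split-knowledge idea described above: it computes how much entropy is left in a diceware phrase once the memorized half is disclosed. It goes beyond the message by also showing an XOR split of a random key, where the traveler's share alone carries no information; the function names and the 32-byte key size are assumptions.

```python
import math
import secrets

WORDLIST_SIZE = 6 ** 5  # diceware: five dice rolls select one of 7776 words


def entropy_bits(words: int) -> float:
    """Entropy of a phrase of `words` uniformly rolled diceware words."""
    return words * math.log2(WORDLIST_SIZE)


def residual_bits(total_words: int, known_words: int) -> float:
    """Entropy left once an adversary has learned `known_words` of the phrase."""
    if not 0 <= known_words <= total_words:
        raise ValueError("known_words must be between 0 and total_words")
    return entropy_bits(total_words - known_words)


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """XOR-split `key` into two shares; either share alone is uniformly random."""
    pad = secrets.token_bytes(len(key))
    return pad, bytes(k ^ p for k, p in zip(key, pad))


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both must be present and of equal length."""
    if len(share_a) != len(share_b):
        raise ValueError("shares differ in length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    # Halving a 6-word phrase: once the memorized half is disclosed, the
    # half that is phoned in later has to carry the whole load.
    print(f"6 words: {entropy_bits(6):.1f} bits")
    print(f"after disclosing 3 words: {residual_bits(6, 3):.1f} bits")
    # Constructed sample: a random 32-byte key split between the traveler
    # (share_a) and the person who phones on Monday (share_b).
    key = secrets.token_bytes(32)
    share_a, share_b = split_key(key)
    assert join_key(share_a, share_b) == key
    print("shares recombine to the original key")
```

With a plain half-and-half phrase, the half that is withheld should be long enough to stand on its own, since it is all that protects the data once the memorized half is known.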
Re: Traveling without a secret key [ In reply to ]
Ángel wrote:

> On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> > Ryan McGinnis via Gnupg-users wrote:
> >
> > > The thing is, if you can't remember a string of random words, are you likely to remember a string of 20 random letters,
> > > numbers, and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy
> > > for a computer to guess. Diceware is the attempt to make something as easy as possible to remember while still being truly
> > > high-entropy. If you're really paranoid you don't use the javascript program to generate your random phrases, you buy an
> > > EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.
> >
> > How do I do that when traveling, because I can't memorize the diceware pass phrase and then roll dice and tell via a
> > non-secure channel my now generated pass phrase, or do I make a mistake now in thinking?
>
> You only use the dice suggested by Ryan for creating a new password.

This is the problem that I mean ... When I create a diceware pass phrase with dice (prior to traveling)
I can't memorize the words. If I would use the dice after arrival I do not have a way to transfer
the pass phrase securely.

[...]

Thanks for explaining the detailed procedure.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Traveling without a secret key [ In reply to ]
Juergen Bruckner via Gnupg-users wrote:

Hi Juergen

> It's a good question what to do if you lose your SC or token.
> Basically, it has to be said that you should definitely have a backup of
> your key. And you have to be very careful with your SC or tokens.
> In principle it is almost the same as losing your credit card or
> passport etc. while traveling; you have to provide alternatives (e.g.
> multiple smartcards).

Since you and Andrew are using smart cards or tokens I would like to
ask the following, prior to considering purchasing one myself in the near
future.

I use Windows 10 and Android (Samsung A40) and would like to know,
in case this is possible with my smartphone and under Windows 10 to
use a smart card where I can enter a PIN, thus only putting a secret
key without a passphrase on it, for ease of use, because my bank card
also has only a PIN. Is there software for such PIN entering for Win
and Android available and if so what Android email client software
would you or Andrew recommend, which allows to use a secret key without
a passphrase from a smart card?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Traveling without a secret key [ In reply to ]
On 09/07/2020 13:58, Stefan Claas wrote:
> Is there software for such PIN entering for Win
> and Android available

The standard GPG4win package handles smartcards and PINs. I'm not an
Android user though, so can't help you there.

--
Andrew Gallagher
Re: Traveling without a secret key [ In reply to ]
On Thursday 09 July 2020 at 14:58 +0200, Stefan Claas wrote:
> Juergen Bruckner via Gnupg-users wrote:
>
> Hi Juergen
>
> > It's a good question what to do if you lose your SC or token.
> > Basically, it has to be said that you should definitely have a
> > backup of
> > your key. And you have to be very careful with your SC or tokens.
> > In principle it is almost the same as losing your credit card or
> > passport etc. while traveling; you have to provide alternatives
> > (e.g.
> > multiple smartcards).
>
> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior to considering purchasing one myself in the
> near
> future.
>
> I use Windows 10 and Android (Samsung A40) and would like to know,
> in case this is possible with my smartphone and under Windows 10 to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available and if so what Android email client software
> would you or Andrew recommend, which allows to use a secret key
> without
> a passphrase from a smart card?
>
> Regards
> Stefan
>

For Android (actually I use /e/ degoogled OS), I use K9Mail and
OpenKeyChain, together with an NFC Yubikey. I also use PasswordStore for
all sorts of passwords, that I synchronize using git with my other
devices.

Franck


Re: Traveling without a secret key [ In reply to ]
Andrew Gallagher wrote:

> On 09/07/2020 13:58, Stefan Claas wrote:
> > Is there software for such PIN entering for Win
> > and Android available
>
> The standard GPG4win package handles smartcards and PINs. I'm not an
> Android user though, so can't help you there.
>

Ah, good to know that this works with Windows. Thanks!

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Traveling without a secret key [ In reply to ]
Franck Routier (perso) wrote:

> On Thursday 09 July 2020 at 14:58 +0200, Stefan Claas wrote:
> > Juergen Bruckner via Gnupg-users wrote:
> >
> > Hi Juergen
> >
> > > It's a good question what to do if you lose your SC or token.
> > > Basically, it has to be said that you should definitely have a
> > > backup of
> > > your key. And you have to be very careful with your SC or tokens.
> > > In principle it is almost the same as losing your credit card or
> > > passport etc. while traveling; you have to provide alternatives
> > > (e.g.
> > > multiple smartcards).
> >
> > Since you and Andrew are using smart cards or tokens I would like to
> > ask the following, prior to considering purchasing one myself in the
> > near
> > future.
> >
> > I use Windows 10 and Android (Samsung A40) and would like to know,
> > in case this is possible with my smartphone and under Windows 10 to
> > use a smart card where I can enter a PIN, thus only putting a secret
> > key without a passphrase on it, for ease of use, because my bank card
> > also has only a PIN. Is there software for such PIN entering for Win
> > and Android available and if so what Android email client software
> > would you or Andrew recommend, which allows to use a secret key
> > without
> > a passphrase from a smart card?
> >
> > Regards
> > Stefan
> >
>
> For Android (actually I use /e/ degoogled OS), I use K9Mail and
> OpenKeyChain, together with an NFC Yubikey. I also use PasswordStore for
> all sorts of passwords, that I synchronize using git with my other
> devices.

Thanks for the information, much appreciated!

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Traveling without a secret key [ In reply to ]
Hi Stefan

> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior to considering purchasing one myself in the near
> future.
>
Well my first choice - as it is an OpenSource product - is always a
Nitrokey [1], I use both the NK Start as well as the NK Pro.

But also see the following....

> I use Windows 10 and Android (Samsung A40) and would like to know,
> in case this is possible with my smartphone and under Windows 10 to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available and if so what Android email client software
> would you or Andrew recommend, which allows to use a secret key without
> a passphrase from a smart card?
>
Well, Nitrokeys do also work on Android devices, with a USB-Adapter.

In case you want to use your SmartCard/Token on the Android device via
NFC, the best choice would be a Yubikey 5 NFC [2].

The Windows software to enter the PIN-Code is your PGP Software with
SmartCard Support. On Android you should use Openkeychain for that.

As Android e-mail client, most people who use PGP also use K9-Mail;
my personal preference and my strong recommendation is the app called
"FairEmail", as this app supports both PGP (via Openkeychain) and also
S/MIME.

I hope I have been able to help you a bit.

Best regards
Juergen


[1] https://www.nitrokey.com/de
[2] https://www.yubico.com

--
Juergen M. Bruckner
juergen@bruckner.email
