Recent searches

No recent searches

Search options

Not available on mastodon.zunda.ninja.
mastodon.zunda.ninja is one of the many independent Mastodon servers you can use to participate in the fediverse.
Zundon is a single user instance as home of @zundan as well as a test bed for changes of the code.

Administered by:

Server stats:

1
active users

mastodon.zunda.ninja: AboutPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.5.0-alpha.1+e46cdd94-ruby-3.4.5

#openpgp

0 posts0 participants0 posts today
Andreas Grupp :tux: :opensuse:

Neue Version von #GnuPG (v2.5.6) und eine weitere Beta-Version des kommenden #Gpg4Win 5.0 erschienen.

Wer Gpg4Win (noch) nicht kennt: Enthält u.a. das MS Outlook-Plugin GpgOL damit dort #OpenPGP-verschlüsselte Mails funktionieren, GpgEX damit man im Explorer Dateien verschlüsseln kann, oder die Schlüssel-/Zertifikats-Verwaltung Kleopatra. Mit 5.0 dann Post Quanten resistant encryption.

S/MIME gibt es natürlich auch. Das skaliert wegen der Kosten für die zusätzlich zeitlimitierten Zertifikate, in der Bevölkerung aber noch schlechter als OpenPGP. Deshalb plädiere ich für einen Fokus darauf um wenigstens hier eine größere Verbreitung zu schaffen.

Und von mir ein fettes Danke an den Hauptentwickler der Werkzeuge @DD9JN

gpg4win.org/

www.gpg4win.orgGpg4win - Secure email and file encryption with GnuPG for Windows
Replied in thread
*
l

@eff @evacide
GnuPG is not the only way to encrypt email, I use #OpenPGP with Thunderbird and @delta, both don't use GPG.

Also pages
ssd.eff.org/module/how-use-pgp
and
ssd.eff.org/module/how-use-pgp
are outdated, Thunderbird now has built-in OpenPGP implementation and Enigmail does not work with the latest versions.

ssd.eff.orgHow to: Use PGP for LinuxNOTE: This guide is not being actively reviewed or updated, and is currently retired. If you would like to use PGP via GnuPG, or Thunderbird with Enigmail, please refer to those services’ websites and documentation for information on how to install and use them. To use PGP to exchange secure emails you have to bring together three programs: GnuPG, Mozilla Thunderbird and Enigmail. GnuPG is the program that actually encrypts and decrypts the content of your mail, Mozilla Thunderbird is an email client that allows you to read and write emails without using a browser, and Enigmail is an add-on to Mozilla Thunderbird that ties it all together. What this guide teaches is how to use PGP with Mozilla Thunderbird, an email client program that performs a similar function to Outlook. You may have your own favorite email software program (or use a web mail service like Gmail or Outlook.com). This guide won't tell you how to use PGP with these programs. You can choose either to install Thunderbird and experiment with PGP with a new email client, or you can investigate other solutions to use PGP with your customary software. We have still not found a satisfactory solution for these other programs. Using PGP doesn't completely encrypt all aspects of your email: the sender and receiver information is unencrypted. Encrypting the sender and receiver information would break email. For similar reasons, PGP does not encrypt the subject line of your emails so you may want to use a generic subject line when sending encrypted emails. What using Mozilla Thunderbird with the Enigmail add-on gives you is an easy way to encrypt the body of your email. You will first download all the software needed, install it, and then end with configuration and how to use the result.
Replied to GnuPG
*
Theia Institute™

@GnuPG @todd_a_jacobs Using #LTFS to store #encrypteddata outside of hyper scaler environments without the dedicated #KMS components expensive tape libraries use to enable #LTO9 drives' built-in, hardware #AES256GCM support is an area the institute is evaluating, and thinking about how #GPG might fit in has been a facet of our research process.

All recent generations of #LTO drives support strong, on-the-fly, hardware-accelerated encryption on the drives themselves. Sadly, it's essentially useless in the standalone drives sold to individuals, the #SOHO market, or to other non-enterprise customers because of the high cost of the tape library hardware required to activate it.

In some ways, the situation is much like the early Intel 386 computers that shipped with missing or disabled math coprocessors even when it stopped being a cost issue. In part, that was a strategic market segmentation decision, and the institute currently believes the lack of accessible LTFS encryption for all encryption-capable drives is no different.

Even though #GnuPG is usually thought of as primarily an email tool, it's actually an important "Swiss Army knife" for a variety of #infosec use cases. It's also on a tragically short list of #OpenPGP and telatrd #cryptography tools that remains fully #opensource.

We're putting this topic on our agenda for further exploration and discussion. Meanwhile, these community conversations and the viewpoints of respected tool developers is an invaluable resource to everyone.

PGPkeys EU

In recent weeks, a theoretical downgrade attack against the new default encryption mode used by GnuPG 2.5 has been published. This comes two years after a theoretical downgrade attack was announced against GnuPG's new default *signature* format. Both issues have been addressed in the latest update to the official OpenPGP specification, but GnuPG has declared that it will not implement the fixes.

#gnupg #openpgp #librepgp

blog.pgpkeys.eu/security-issue

blog.pgpkeys.euA Summary of Known Security Issues in LibrePGPAn occasional blog about OpenPGP keyservers and related issues
Dr. Todd A. Jacobs

#TIL that @GnuPG appears to use the #ustar tar archive format, likely the version from POSIX.1-1988, for #gpgtar rather than either the #POSIX or Star formats from POSIX.1-2001. Since ustar has serious limitations on filename and pathname lengths, can't store certain file types or metadata, and has a 2GB file size limit, it seems unsuitable for most modern use cases.

If gpgtar is actually using star, pax, or the GNU tar POSIX mode, it's not in the #GnuPG user documentation which explicitly says it uses ustar. I have a lot of respect for the #GPG devs, so I hope this is either just a documentary oversight or something that they can easily fix by linking with newer libraries. In either case, ustar is totally unsuitable for writing large archives to tape, and doesn't even offer the options GNU tar does for creating a separate index file, encrypted or not.

The gnutar command line doesn't offer the option to write a separate index, and requires a separate pass to list out the index. For example if you wanted to encrypt a 20TiB archive with a separate, encrypted index to make finding files easier, you'd either have to pipe tar through gpg (which can cause shoe-shining or buffering issues on #LTFS) and then encrypt GNU/BSD tar's index, or have triple the online HDD/SDD capacity of your archived data so you can tar up your files, run another pass with GnuPG to extract the index, and then encrypt both the tarball and index separately before writing them out to tape.

That seems...unreasonable. #OpenPGP doesn't support the AES-256-GCM mode built into current #LTO drives, so gpgtar needs to keep up with the massive growth of data storage capacity rather than remaining an afterthought utility. Especially for #SOHO LTO drives, the ability to write encrypted gpgtar archives and indexes directly to LTFS could be a real game-changer!

Alexandre Dulaunoy

RFC9580 is finally out. A good refresh to the OpenPGP standard.

#openpgp #pgp #gnupg

datatracker.ietf.org/doc/html/

IETF DatatrackerRFC 9580: OpenPGPThis document specifies the message formats used in OpenPGP. OpenPGP provides encryption with public key or symmetric cryptographic algorithms, digital signatures, compression, and key management. This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. This document obsoletes RFCs 4880 ("OpenPGP Message Format"), 5581 ("The Camellia Cipher in OpenPGP"), and 6637 ("Elliptic Curve Cryptography (ECC) in OpenPGP").
*
Delta Chat

some news regarding rPGP, the minimal #Rust #OpenPGP implementation that stably provides end-to-end encryption for Delta users since many years:

- a new FAQ including questions about IETF specs, Post-Quantum cryptography, Autocrypt, LibrePGP, Seqouia etc. github.com/rpgp/rpgp/blob/mast

- NLNET just granted #OpenPGP V6 work on rPGP: nlnet.nl/project/rPGP-cryptore

rPGP is an independent and stable project which provides good general #OpenPGP interoperability, see "rpgpie" in tests.sequoia-pgp.org/

GitHubrpgp/docs/FAQ.md at main · rpgp/rpgpOpenPGP implemented in pure Rust, permissively licensed - rpgp/rpgp
*
Heiko

Meet oct-git, a new #OpenPGP signing and verification tool for use with the #Git distributed version control system:

crates.io/crates/openpgp-card- 🦀

oct-git focuses exclusively on ergonomic use with OpenPGP card-based signing keys

It is designed to be easy to set up, standalone (no long running processes), and entirely hands-off to use (no repeated PIN entry required, by default). It comes with desktop notifications for touch confirmation (if required)

crates.iocrates.io: Rust Package Registry
#RustLang#PGP#GnuPG
Blue Ghost

Proton Mail automatically encrypts/decrypts messages between Proton Mail accounts via OpenPGP/PGP.

Proton Mail supports automatically encrypting/decrypting messages between Proton Mail accounts and external email accounts that support OpenPGP/PGP or GnuPG/GPG.

Instructions: proton.me/support/how-to-use-p
GnuPG: mastodon.online/@blueghost/111

Website: proton.me
Mastodon: @protonprivacy

#Proton#ProtonMail#ProtonPrivacy
Dr. Todd A. Jacobs

I was recently asked about whether signed commits would have prevented the #xz attack. The tl;dr is "no."

It's very important that the non #infosec community understands what a #digitalsignature does and doen't do. The notion that there's a #silverbullet for every technical, social, or trust problem is part of what makes #cybersecurity so hard to implement well.

#OpenPGP signatures rely on the system clock for setting the timestamp of a signature when signing the metadata and content of a commit. The author and committer dates can both legitimately differ from the timestamp of the signature for a number of reasons, or be made exactly the same rather trivially.

#Git history is a directed acyclic graph, not a cryptographic #blockchain, so a commit is just the delta between objects in the current treeish and the parent treeish in the graph. The signed metadata includes the current parent's SHA hash, but there's nothing stopping you from moving commits around and re-signing the new commits. If you couldn't do this, then you couldn't rebase, squash, do non-fast-forward merges, or cherry-pick.

This doesn't mean you can forge someone else's signature without access to their key material, but the attack wasn't the result of forged metadata or account impersonation. Signing wouldn't prevent commits by someone with commit access to the repository; it would just show that commits associated with Jia Tan were also signed by Jia Tan's private key. That provides no useful security control here. This was not a Git problem.

Replied to GnuPG
Todd A. Jacobs

@GnuPG @todd_a_jacobs@infosec.exchange @letsencrypt I pay for well-written #FOSS software on #iOS all the time. There's nothing that I know of that would prevent #GnuPG itself or their commercial relatives from releasing an #iOS version based on #libgcrypt, other than the scarcity of developer resources of course.

There's definitely a gap in the #OpenPGP ecosystem for trustworthy iOS and #iPadOS apps. Might be something to consider for the future to fund continued development of GnuPG!

Todd A. Jacobs

This is more of a security question, but I currently know way more people on ruby.social than infosec.exchange. I want to use a #Yubikey for #SMIME or #GPG signing on #iOS & #iPadOS, but can't find:

1. Any documentation about how to integrate it with Apple Mail.

2. Anyplace that offers #x509 certificates for S/MIME at zero or minimal cost the way @letsencrypt offers free #SSL certs.

Self-signed S/MIME certs are a non-starter, and there are no full-featured #OpenPGP apps on iOS. Suggestions?

Wiktor Kwapisiewicz

PSA: WKD Checker (https://metacode.biz/openpgp/web-key-directory) will be officially sunsetted on 1.05.2024.

The reasons are two-fold: on one hand the service already succeeded in raising awareness of the protocol on the other I lack the resources to maintain and develop it and leaving unmaintained online services is not the smartest move.

The service was powered by an open-source component so in case someone badly needs it it’s always possible to host your own: https://gitlab.com/wiktor/wkd-checker

Thanks for all your support and kind words! 👋

metacode.bizWeb Key Directory
#gpg#gnupg#pgp
David Runge

We have just issued the first #release of #sshd-openpgp-auth and #ssh-openpgp-auth.

Using this server and client-side tooling it is possible to manage the #authentication of #SSH host keys with the help of an #OpenPGP certificate as trust anchor.

crates.io/crates/sshd-openpgp-

crates.io/crates/ssh-openpgp-a

Many thanks to @wiktor for the great collaboration and #NLnet / #NGIAssure for funding this work!

crates.iocrates.io: Rust Package Registry
#DNS#KeyOxide#KnownHosts
TrendingLive feeds
About