[Full-disclosure] Introducing TGP...

["Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>]

This is what I've been talking about... Here is the first part of the docs I 
wrote up - make sure you see that I'm not yet supporting huge files unless you 
have huge RAM.  **.Net 4.0 Client profile is required to run this.**

Right now the install bits are only available on the pilot site at: 
http://www.owa.hammerofgod.com in the downloads section.   I have to wait on 
Raging Haggis to return from Canada before posting on 
www.hammerofgod.com<http://www.hammerofgod.com> .

Here's a bit from the TGP Overview document included with the install and on 
the web site.  Please read through it before asking silly questions. :)

Also, feel free to hack it up as much as you would like.  I know this is full 
disclosure, so feel free to zing them at me, or if you prefer, I can work with 
you on any issues you might have.

Remember, this is totally free, so my ability to handle custom requests will be 
limited.  For those looking to break it, I would look at fuzzing the XML 
documents and the "drag and drop public XML" parsing feature.

If you have questions or challenges about any of the security, I would ask to 
keep it on the list so that everyone can get the full benefit of productive 
security development.   The read-me should pretty much lay everything out for 
you.  If not, we'll take it up from there.

t


TGP - "Thor's Godly Privacy"
06/13/10 v1.1.06

TGP is a small yet very powerful encryption utility.  With all eyes on "the 
cloud," I decided to write an encryption application better suited to an 
environment where portability and security were, at the least, challenging.   
In cloud computing, not only is the use of file structures becoming more 
abstract, but the very concept of a "file server" is becoming more and more 
ubiquitous.

As such, I designed TGP with "encryption for the cloud" in mind.  That means 
that not only does TGP do everything your normal PGP-type applications do, but 
it does things a bit differently - differently in a way that can change the way 
you work with your encrypted data.  At the simplest level, this is done by 
encrypting data into byte arrays, and then converting those byte arrays into 
Base64 encoded text wrapped inside XML tags.  In this way, not only do you get 
your typical file-based encrypted representation of your data, but you also get 
data that you can copy and paste directly into any email, mailing list, 
blog-page, or social networking site.

What I think is interesting about this is that if we choose to, we no longer 
have to be the custodians of our encrypted data - we don't have to worry about 
actually housing the files: we can just post them to the internet and let 
someone else assume the burden of storing the files for us.

If I want to share encrypted files with someone or secure my own files, all I 
have to do is TGP encrypt the data I want, and post it to a mailing list 
somewhere.  In the case of a list like Bugtraq or Full Disclosure, the data is 
actually automatically replicated out to any number of archive sites, thus 
distributing my data for me.  I can literally be anywhere in the world and just 
do a quick search for my post to retrieve my data.  And since the TGP public 
key files are also text representations of encrypted key data, I can do the 
same with my keys.

Normally, you want to keep your private keys as safe as possible.  This is 
still the case with TGP.  However, it is trivial to build as many private keys 
as you wish to use for anything you want to use them for.  TGP Private Key 
files are password protected and individually salted, so with a strong 
passphrase you have very reasonable assurance that no one is going to get to 
your key any time soon.  So, you can create a private key with a strong 
password, post that, and then, say, encrypt a scan of your passport and post 
that.  Then if you are ever in a pinch while travelling or something like that, 
you can simply use Google or Bing to access your data wherever you are.

Of course, that's just an example, but I think it illustrates the power of 
encrypted file structures like this.  You can literally use Facebook to post 
encrypted documents that you don't have to maintain.

That's really the main different between TGP and an application like PGP.  That 
and of course, TGP is free, and personally, I think PGP is tardware.  It's 
bloated, it's far too expensive, it's hard to use, and if you don't watch your 
licensing, you can get screwed hard like I did when I didn't want to buy the 
extended support and one day my encrypted drives stopped working until I paid 
them.  That doesn't fly.  TGP also doesn't require that you are an admin to 
install.  However, the .NET installer for the 4.0 client profile does - that's 
not my doing.  Regardless, here are the file structures TGP uses:

Things that still suck about TGP
Currently TGP uses a memory stream for the destination of the AES cryptostream. 
 This sucks because it makes the maximum file one can encrypt based on 
available memory.  It's not a huge deal, but it does keep you from encrypting a 
gigabyte file.  I'll be changing that soon.

[Description: Description: Description: TimSig]
Timothy "Thor" Mullen
Hammer of God
thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>
www.hammerofgod.com<http://www.hammerofgod.com>
[cid:image002.png@01CB0B06.EED273B0]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/