
Re: [Full-disclosure] Introducing TGP...



On Mon, 14 Jun 2010 21:40:30 +0000
"Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx> wrote:

> Hey Nid - 
> 
> > -----Original Message-----
> > From: Nid [mailto:nidfulldisc@xxxxxxxxxxxxxx]
> > Sent: Monday, June 14, 2010 11:18 AM
> > To: Thor (Hammer of God)
> > Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> > Subject: Re: [Full-disclosure] Introducing TGP...
> > 
> > Hi Timothy
> > >
> > > TGP - "Thor's Godly Privacy"
> > >
> > > 06/13/10 v1.1.06
> > >
> > First of all you should keep in mind, that base64 raises the size of your 
> > data
> > by 33%.
> 
> Yep.  I'm fine with that.  One can always zip the data. 
> 
> > posting big files especially on mailing lists might offend the other users 
> > of the
> > list. especially if you see the headline of lsi's answer.
> > there your message is marked as spam. Also assuming to have a lot of people
> > behaving like this would result in moderated lists.
> > BTW why not store your data on rented space?
> 
> Of course - all that goes without saying (well, I guess not ;)  - I was just 
> using that as an example.  Mailing list, facebook, blog, whatever.  Of course 
> there will be some places where that won't be appropriate, but that much 
> should be obvious.  We could use Google cache for that matter...  The point 
> was the portability options one has in a public environment; let's not get 
> bogged down into things like "spam" - that takes the focus off the real point.
> 
> 
> > 
> > The next issue is that you can not trust private keys which are published on
> > the internet with respect to signatures. These keys could have been cracked.
> > Using such a key only for yourself to have data on the internet seems also
> > not to make sense. It could be better placed on a private machine where you
> > have controlled access to for example with VPN or ssh.
> 
> Well, that's the whole point.  In TGP, I use AES256 bit encryption based on 
> what should be a strong passphrase in combination with a salt to protect the 
> private key.  To crack that private key, you would have to brute force the 
> entire keyspace, which is currently not technically feasible, or have a 
> custom-made rainbow table which also is not technically feasible for my 20 
> character passphrase and salt.   If you are going to "trust" encryption, then 
> the key's integrity should be acceptable.  But, if you don't want to publish 
> it, then don't.  Problem solved.  Please don't misunderstand my statements - 
> I'm not saying one has to do that.  I'm saying that one *could* do that if 
> you wanted to.  I could post 20 different private keys around the world in 
> different places if I wanted to, but only use the one *I* know is used.  
> There are a million ways of doing it.  However, I think you are missing the 
> logic that if your private key could really be cracked, and thus I could get 
> the key required to asymmetrically decrypt the key used to symmetrically decrypt the 
> CryptoBlob, then I would not bother with the key at all and just crack the 
> crypto blob.   Further, if one could just "crack" the key, then one would 
> just "crack" the VPN encryption or SSL encryption and get your private key 
> that you had controlled access to.  If I have to pick a locked case to get 
> to a key that opens another case, I'd just pick the lock on the other case.  
> Why look at encrypted data as something that has to be further protected 
> -- just make sure the encryption is sound in the first place.
> 
> > 
> > The next point is if you would like to use the key in an internet cafe at a
> > restaurant, you will not be able to trust the machine. most likely there is 
> > a
> > trojan on it or a key grabber.
> 
> I wouldn't say "most likely" but that's a great point.  However, it doesn't 
> matter if the machine is owned - I'm just copying the data off of it. Hell, I 
> could print out my key if I wanted to and type it back into my own system.  
> Even better, if I'm using other people's public keys to encrypt data, it 
> won't matter if the machine has a key logger.  I don't type passwords for 
> people's public keys.   But like I already said - if you don't want to post 
> it, don't.   Easy.  I actually speak to that in the part of my post directly 
> below that you quoted... 
> 
> > 
> > > Normally, you want to keep your private keys as safe as possible. This
> > > is still the case with TGP. However, it is trivial to build as many
> > > private keys as you wish to use for anything you want to use them for.
> > > TGP Private Key files are password protected and individually salted,
> > > so with a strong passphrase you have very reasonable assurance that no
> > > one is going to get to your key any time soon. So, you can create a
> > > private key with a strong password, post that, and then, say, encrypt
> > > a scan of your passport and post that. Then if you are ever in a pinch
> > > while travelling or something like that, you can simply use Google or
> > > Bing to access your data wherever you are.
> 
> Thanks for the comments! 
> 
> t

Boah.....
HEIL HITLER......
CAN YOU NOW SHUT THE FUCK UP ALL PLEASE...
IT'S LIKE a record from talks of FX or so.. just useless shit....

And you should know when to STFU... seriously....
I wonder how FX can read this list for years...


rmb
-- 
rembrandt <rembrandt@xxxxxxxxxxx>
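The quoted TGP discussion above turns on one construction: a private key stored as a blob that is encrypted under AES-256 with a key derived from a passphrase and a per-file salt, so that an attacker who obtains the blob has to search the passphrase keyspace. The Go program below is an added example written for this archive page; it is not TGP's code and not from any participant in the thread. It assumes PBKDF2-HMAC-SHA256 as the passphrase-to-key step and AES-256-GCM as the cipher (TGP's actual choices are not stated in the thread), and it implements PBKDF2 by hand so that only the Go standard library is needed. The sample key bytes and passphrases are constructed, and the 95-symbol alphabet used for the keyspace estimate is an assumption (printable ASCII), not a figure from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

const (
	saltLen    = 16     // per-blob salt: defeats a precomputed (rainbow) table shared across users
	nonceLen   = 12     // AES-GCM nonce
	iterations = 100000 // PBKDF2 work factor (assumed value, chosen for this example)
	keyLen     = 32     // 32 bytes = AES-256
)

// pbkdf2SHA256 is a hand-written PBKDF2-HMAC-SHA256 (RFC 8018), included so the
// example has no dependency outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, passphrase)
		mac.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Write(be[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WrapPrivateKey returns salt || nonce || AES-256-GCM(privateKey). The salt is
// bound as associated data, so altering it also fails authentication.
func WrapPrivateKey(privateKey, passphrase []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	header := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(header, nonce, privateKey, salt), nil
}

// UnwrapPrivateKey reverses WrapPrivateKey. A wrong passphrase yields a
// different AES key, so GCM authentication fails instead of returning garbage.
func UnwrapPrivateKey(blob, passphrase []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	nonce := blob[saltLen : saltLen+nonceLen]
	ct := blob[saltLen+nonceLen:]
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered blob")
	}
	return pt, nil
}

// KeyspaceBits estimates the brute-force search size of a passphrase of the
// given length drawn uniformly from an alphabet of the given size.
func KeyspaceBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	privateKey := []byte("constructed-sample-private-key-bytes") // constructed, stands in for real key material
	passphrase := []byte("a 20+ character passphrase!!")           // constructed
	blob, err := WrapPrivateKey(privateKey, passphrase)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob (%d bytes): %x\n", len(blob), blob)
	if _, err := UnwrapPrivateKey(blob, []byte("wrong passphrase")); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	pt, _ := UnwrapPrivateKey(blob, passphrase)
	fmt.Printf("recovered: %s\n", pt)
	fmt.Printf("20 printable-ASCII characters: about %.1f bits of keyspace\n", KeyspaceBits(95, 20))
}
```

The salt is what answers the rainbow-table point in the thread: a table has to be built per salt, so precomputation amortises over nothing. The GCM tag is what makes a guessed passphrase detectable to the legitimate owner's tooling (decryption fails cleanly) while giving an attacker only a yes/no per guess, each of which costs a full PBKDF2 run.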

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/