pgp and me

[OldSoG]

for some reason pgp is not working too well for me here. always getting an error about a "bad packet" but i've figured out a work about.


when you get a encrypted message,



check the box at the end and then chose download at text file. this opens it up in notepad



then you can go to your pgp icon and open it like normal





this makes pgp workable for me.


peace,

 

[phlegmbae]

How the hell do you get it to actually go to notepad?

 

[mmm420socal]

PGP is worthless against the .GOV anyway... good for casual snoopers, but for absolute security the only way is to not talk on the PC at all...

JMHO.

M

 

[OldSoG]

mine opens with notepad by default... you using mozilla/firefox or IE? you may need to have notepad be your default viewer for .txt files.

with firefox it opens a windows asking if i want to allow it to use notepad to open the message.

peace,

 

[phlegmbae]

I've got'er figured out now OS. Thanks for pointing this stuff out. I hope others find this post.

 

[Underground Man]

PGP is worthless against the .GOV anyway... good for casual snoopers, but for absolute security the only way is to not talk on the PC at all...

JMHO.

M

pgp is not worthless against the gov, sorry to say but that is some uninformed BS. Do some research, we are talking about mathematical certainties here.

If you really were the target of the government most likely they would try to steal your private key and passphrase rather than invest the thousands of years of computation to break the encryption with brute force.

And I think most government survielince is "casual", think about carnivore, echelon, etc. There is no way they can attack all the encrypted data they collect.

Still PGP never claims to be totally secure, just "Pretty Good Privacy" You are right about the only way to achieve absolute security though.

 

[Verite]

I also think you highly underestimate their resources. Thousands of sand turds have been using pgp for years and if you think the govt doesnt have a few machines that break pgp in a matter of seconds you would probably be mistaken.

 

[Underground Man]

I also think you highly underestimate their resources.

I don't think so, I have read many books about the NSA and I think it is safe to assume that they are years (maybe even decades) ahead of the curve when it comes to computer technology. (I feel it is very evil that they hold back these technological advances from the public though)

Theoretically a machine can be built that can crack 1024 bit PGP messages in about a year. I'd bet money that the NSA DOES have such a machine.

But you should realize that 2048 bit encryption isn't twice as secure as 1024, it is many thousands time more secure.

Also It would be much easier for the spooks to hack your computer and steal your public key and passphrase than tie up their billion dollar machine for a year cracking your emails. Maybe they can send an agent to your house to break in and do that if you use good computer security.

My point is that RSA encryption is the strongest link in the chain, storage of the private key is the weaksest. You shouldn't be concerned that the GOVCO will try to attack your messages, rather that they will try to steal your key.

 

[guineapig]

i am down with learning more about PGP....

thanks for helping people remain more secure if they so wish to learn how to do so.....

-kind regards from guineapig

 

[Verite]

Last I heard the NSA was getting one of those new ones with the some odd 65,000 processors in it and I have a hard time thinking it would take a years crunching time on that to crack pgp.

For every pgp key they think they can steal theres got to be more that they cant. Those are more realistic odds.

 

[Underground Man]

All the calculations I've seen say that it will take all the computers in the world something like the age of the universe to crack a 2048 bit key. 65,000 processors ain't much compared to that.

NSA has alot of computing power but not that much.

 

[Verite]

Imo 65,000 processors is a lot compared to such a realistically accurate value as " all the computers in the world something like the age of the universe to crack a 2048 bit key "

And since when is pgp 2048 bits?
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

 

[Underground Man]

since forever. You are able to choose your key size when you generate your keypair.

you could generate a 4096 bit key if you want.

 

[Underground Man]

note: some superscript formatting may have been lost in cut/paste

It is relatively easy to demonstrate that a 128 bit key is secure against brute force attack. In order to merely step through all 2^128 values, one must dissipate 128 bits of entropy at each step. This is a total of 2^128 * 2^7= 2^135 bits.

Using 2^10 ≈ 10^3, this comes to about 10^40 bits of entropy. Multiplying this by the Boltzmann constant (Boltzmann constant: more facts about this subject) (1.38 * 10-23) and by the natural log of 2 (0.69), one arrives at just about 10^17 J/k . At room temperature (let's call it 300K), that's very roughly about 3*10^19 Joules which must be dissipated as heat, simply to flick through the possible 2^128 combinations.

To accomplish this in 100 years - 3*10^9 seconds, one would have to dissipate it at a rate of 10^10 watts.

In other words: to simply flip through the possible values for a 128-bit key (never mind actually doing the computing to check it), one would need a device consuming at an absolute minimum 10 gigawatts running continuously for 100 years. An actual computation - checking each key to see if you have found a solution - would consume many multiples more.

For a 56-bit key, the numbers are a trifle more sane - the total minimum amount of energy comes to about 1/100 Joules.

KeySize MIPS-years required to factor
-----------------------------------------------------------------
512 30,000
768 200,000,000
1024 300,000,000,000
2048 300,000,000,000,000,000,000

The next chart shows some estimates for the equivalences in brute force key searches of symmetric keys and brute force factoring of asymmetric keys, using the NFS.

Symmetric Asymmetric
------------------------------------------------------------------
56-bits 384-bits
64-bits 512-bits
80-bits 768-bits
112-bits 1792-bits
128-bits 2304-bits

some more links
http://en.wikipedia.org/wiki/Key_size#Brute_force_attack
http://www.absoluteastronomy.com/reference/key_size

 

[Verite]

My new iPod can handle that.

 

[Underground Man]

your pocket must get pretty hot with 10 gigawatts being used

 

[Verite]

I buffer it thru a few hids. It was kinda interesting lookin this stuff up as I learned more than I originally knew about pgp. One of the more interesting ones was TM's site. http://www.mccune.cc/PGPpage2.htm

He did a lot of the common and not so common questions. Interesting note was their direction of taking the new pgp [ IDEA ] only to 128 bits since it was going to be more secure than a 15000 bit RSA key. The other was the delay time certain bit keys take on certain systems was also pretty interesting.

 

[GMT]

I clearly misunderstood PGP when I looked at it. I thought PGP was only any use if the computers at both ends of the connection was using it and using the same key. I had no idea that you could browse using it. But what I dont understand is why it is necessary to crack the code rather than the key. Given that a comp could start with a,A,b,B, and work through to Z, aa,aA,ab etc, how long would it really take to get the correct key for computers trying it at several million goes a second? Surely any word or phrase would be found to unlock the encryption within seconds at most.

 

[Underground Man]

Just let me try to lay it out.

IDEA is a symmetric algortihm. You use a key to encrypt some data, you use the same key to decrypt that data. The picture should actually show the arrow going both ways.



RSA is an asymettric public key algorithm. There are two keys involved, a different one for encryption and decryption. You give me your public key. I encrypt a message to you with your public key. That message can then only be decrypted by your private key which you must keep secret.


In order to protect your private key (anyone who has it can decrypt your messages) pgp symetrically encrypts it with a passphrase.

So if someone steals your hard drive they still need the passphrase to reveal your private key.

I dont understand is why it is necessary to crack the code rather than the key

Exactly.... well (substitute "private key" for "code" and "private key encryption passphrase" for "key")

OF course you still have to get your hands on the (encrypted)private key first. THe passphrase is useless without also posessing the private key which the passphrase decrypts.

Since people presumably choose a passphrase that is easy to remember it is waaaaay easier to try to brute force the passphrase (because you can assume its short, contains mostly letters, etc.) than brute force the private key.
So private key storage is the weakest link in the chain and the most likely point of attack for a three-letter-agency seeking to read your data.

RSA like any other encryption algorithm could be used to encrypt data for things other than email, I'm not sure if pgp does things like that or not, i use gnupg actually.

 

[Underground Man]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If anyone wants to test their pgp setup feel free to pm me some cipher text.

My public key is in my user profile.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD7Q6xqVjJBwLQoYsRAn1wAJ90hYKHm5J4dcxqi/ew4qiqj7oEVwCfaiX7
FcEs9VUp41H63WdiFsF3knI=
=8Y65
-----END PGP SIGNATURE-----