Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.security.pgp.discuss > #54 > unrolled thread

Re: GPG Question on Symmetric Key Input

Started byJeffrey Goldberg <nobody@goldmark.org>
First post2011-05-26 00:52 -0500
Last post2011-07-09 02:41 -0500
Articles 13 — 7 participants

Back to article view | Back to comp.security.pgp.discuss

This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.


Contents

  Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-05-26 00:52 -0500
    Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-05-26 05:01 -0700
      Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-23 03:17 -0600
        Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-06-27 20:07 -0700
          Re: GPG Question on Symmetric Key Input "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2011-06-28 03:11 -0400
            Re: GPG Question on Symmetric Key Input Fritz Wuehler <fritz@spamexpire-201106.rodent.frell.theremailer.net> - 2011-06-29 12:47 +0200
              Re: GPG Question on Symmetric Key Input Globemaker <alanfolmsbee@cabanova.com> - 2011-08-19 04:36 -0700
                Re: GPG Question on Symmetric Key Input Otto Sykora <bggbflxben@tzk.pu> - 2011-08-28 13:22 +0200
                Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-08-31 12:48 -0500
                  Re: GPG Question on Symmetric Key Input "Thor Kottelin" <thor@anta.net> - 2011-09-01 00:18 +0300
                    Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-09-01 13:29 -0500
          Re: GPG Question on Symmetric Key Input Bohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca> - 2011-06-30 00:32 -0600
      Re: GPG Question on Symmetric Key Input Jeffrey Goldberg <nobody@goldmark.org> - 2011-07-09 02:41 -0500

#54 — Re: GPG Question on Symmetric Key Input

FromJeffrey Goldberg <nobody@goldmark.org>
Date2011-05-26 00:52 -0500
SubjectRe: GPG Question on Symmetric Key Input
Message-ID<94684jF3lbU1@mid.individual.net>
[follow-up set to comp.security.pgp.discuss]

On 11-05-25 11:55 PM, Globemaker wrote:
> I have searched the documentation but there is no mention of how I can
> set the AES-128 key to be one I choose. I want my key to be hex 0x0000
> 0000 0000 0000 0000 0000 0000 0000
> GPG generates keys, but how can I input a key of all 128 bits of
> zeros?

Last I checked, GPG does not allow this. You give it a passphrase and it
generates the key from that.

> I do not want GPG to make a key for me, I want GPG to accept a key
> that I specify. Is that disallowed?

Seems so.

> Where in the documentation does it explain how to enter a symmetric key of my choice?

It's open source so you can modify it yourself. Or you can find another
tool. But you might have more luck asking in the appropriate place.

comp.security.pgp.discuss would be a far better place to get answers.
I've set followups there.

Cheers,

-j

-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

[toc] | [next] | [standalone]


#55

FromGlobemaker <alanfolmsbee@cabanova.com>
Date2011-05-26 05:01 -0700
Message-ID<8415d78c-6208-463a-826a-a5ed707ebd87@n10g2000yqf.googlegroups.com>
In reply to#54
On May 26, 1:52 am, Jeffrey Goldberg <nob...@goldmark.org> wrote:
> [follow-up set to comp.security.pgp.discuss]
>
> On 11-05-25 11:55 PM, Globemaker wrote:
>
> > I have searched the documentation but there is no mention of how I can
> > set the AES-128 key to be one I choose. I want my key to be hex 0x0000
> > 0000 0000 0000 0000 0000 0000 0000
> > GPG generates keys, but how can I input a key of all 128 bits of
> > zeros?
>
> Last I checked, GPG does not allow this. You give it a passphrase and it
> generates the key from that.
>
> > I do not want GPG to make a key for me, I want GPG to accept a key
> > that I specify. Is that disallowed?
>
> Seems so.
>
> > Where in the documentation does it explain how to enter a symmetric key of my choice?
>
> It's open source so you can modify it yourself. Or you can find another
> tool. But you might have more luck asking in the appropriate place.
>
> comp.security.pgp.discuss would be a far better place to get answers.
> I've set followups there.
>
> Cheers,
>
> -j
>
> --
> Jeffrey Goldberg          http://goldmark.org/jeff/
> I rarely read HTML or poorly quoting posts
> Reply-To address is valid

Thank you Jeffrey.  I also concluded that it is not allowed to input a
symmetric key into GPG. I tried it last year and this year my searches
showed that other people also could not control the key bits. OpenSSL
does provide this capability.

In sci.crypt it is appropriate to discuss THE REASON for designing GPG
with that "feature" which is not mentioned in the documentation.  One
can speculate several altruistic or sinister REASONS that the key is
untouchable. Here is a list:

1 Requiring a password to generate a key helps the goon squads to
guess the key.
2 Keys are too important to let stupid people mishandle them.
3 Symmetric keys are more powerful than asymmetric and goons are
preventing cascading encipherments.
4 It's for the children, the happy ones, to be insulated from tedious
operations, to use short passwords that are easy to remember and easy
to write on little papers to stick on the monitor.
5 Export permission from Commerce for GPG is easy to get if the Gnu
staff compromises on security.

[toc] | [prev] | [next] | [standalone]


#69

FromBohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca>
Date2011-06-23 03:17 -0600
Message-ID<96gel5F70vU1@mid.individual.net>
In reply to#55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
GPG and PGP use a hash on the symmetric key you enter,

because the hash contains more entropy: It is
always 128 bits of enhanced randomness, so the
best reason for hashing your keystrokes is because
people are not always very creative with their
pass-phrases. Phil Zimmerman coined that term,
because even after he did the work of hashing
pass-phrases, he wasn't convinced that people
would always come up with sixteen letterz for
their security, AND it was hard to prove that
hashing a key was effective against short or
sloppy symmetric keys.

I imajin that you want to use a key with all
zeros to test the symmetric encryption method.
Well...your final analysis should include the
effect of hashing your zeros.
_______
http://ecn.ab.ca/~brewhaha/ BrewJay's Babble Bin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQCVAwUBTgMEjR47apzXdID2AQJIBwP+K/z8fgdmspRcvWNvlepNigk8MIbv6GDd
o+GqWs8DTQ2WvjA+4pdh992SfpVqrXOAhyAezQ9KrJ/CmUCX3cri5Rv3LkHUN3Sw
dpR6K1xMbbettoJx9Lo9fCmm2iOgWEQyHd4irG9Xxs+AsOXuIVe2sPOxi5ayrLc+
7YuQrdxgbxg=
=g9wJ
-----END PGP SIGNATURE-----

[toc] | [prev] | [next] | [standalone]


#70

FromGlobemaker <alanfolmsbee@cabanova.com>
Date2011-06-27 20:07 -0700
Message-ID<c4033f9f-f9dc-488b-a216-726e822a2047@q17g2000vby.googlegroups.com>
In reply to#69
On Jun 23, 5:17 am, Bohgosity BumaskiL
<brewh...@freenet.edmonton.ab.ca> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> GPG and PGP use a hash on the symmetric key you enter,
>
> because the hash contains more entropy: It is
> always 128 bits of enhanced randomness, so the
> best reason for hashing your keystrokes is because
> people are not always very creative with their
> pass-phrases. Phil Zimmerman coined that term,
> because even after he did the work of hashing
> pass-phrases, he wasn't convinced that people
> would always come up with sixteen letterz for
> their security, AND it was hard to prove that
> hashing a key was effective against short or
> sloppy symmetric keys.
>
> I imajin that you want to use a key with all
> zeros to test the symmetric encryption method.
> Well...your final analysis should include the
> effect of hashing your zeros.
> _______http://ecn.ab.ca/~brewhaha/BrewJay's Babble Bin
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla -http://enigmail.mozdev.org/
>
> iQCVAwUBTgMEjR47apzXdID2AQJIBwP+K/z8fgdmspRcvWNvlepNigk8MIbv6GDd
> o+GqWs8DTQ2WvjA+4pdh992SfpVqrXOAhyAezQ9KrJ/CmUCX3cri5Rv3LkHUN3Sw
> dpR6K1xMbbettoJx9Lo9fCmm2iOgWEQyHd4irG9Xxs+AsOXuIVe2sPOxi5ayrLc+
> 7YuQrdxgbxg=
> =g9wJ
> -----END PGP SIGNATURE-----

Thank you for mentioning the hash step. My conclusion is that the
hashed password value is not accessible to me or any user from the
menus. If the symmetric key is a hashed password, it is no better than
a password. The hash is easy to duplicate. Bad passwords : 123456,
password, secret, etc. always hash into the same symmetric key. GPG
seems to prevent users from seeing the symmetric key or setting the
key. Only passwords are used to hash to set the key. This is weak
crypto. It is compromised. Correct me if there is a way to input a 128
bit key directly into GPG AES. I believe there is no menu item to
define a 128 bit key for symmetric ciphers. That is bad quality
crypto. It is weak so it can be broken easily by NSA, etc. But it is
strong enough to fool my little sister or script kiddies.

[toc] | [prev] | [next] | [standalone]


#71

From"David W. Hodgins" <dwhodgins@nomail.afraid.org>
Date2011-06-28 03:11 -0400
Message-ID<op.vxrx9znda3w0dxdave@hodgins.homeip.net>
In reply to#70
On Mon, 27 Jun 2011 23:07:39 -0400, Globemaker <alanfolmsbee@cabanova.com> wrote:

>> GPG and PGP use a hash on the symmetric key you enter,
> Thank you for mentioning the hash step. My conclusion is that the
> hashed password value is not accessible to me or any user from the
> menus. If the symmetric key is a hashed password, it is no better than
> a password. The hash is easy to duplicate. Bad passwords : 123456,

How do you figure the hash is easy to duplicate?

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

[toc] | [prev] | [next] | [standalone]


#72

FromFritz Wuehler <fritz@spamexpire-201106.rodent.frell.theremailer.net>
Date2011-06-29 12:47 +0200
Message-ID<6270bd9d83b002c4f9729fb9b88f0a26@msgid.frell.theremailer.net>
In reply to#71
Didn't see the original post so...

> >> GPG and PGP use a hash on the symmetric key you enter,

For what? Not the session key, that's randomly generated for each
message. If you are talking about using pure symmetric crypto with PGP then
that is also wrong, in that case there is no session key saved anywhere, it
has no choice but to use the exact passphrase you use. The hash is on the
message itself so it can be verified when you supply the correct key!

> > Thank you for mentioning the hash step. My conclusion is that the
> > hashed password value is not accessible to me or any user from the
> > menus. If the symmetric key is a hashed password, it is no better than
> > a password. The hash is easy to duplicate. Bad passwords : 123456,

The *passphrase* is an iterated hash of the password. If you have questions
on exactly how it's done you should ask on those mailing lists instead of
posting incorrect information as gospel. The gpg method should protect
against precalculating hashes for common passphrases but even if that didn't
work, the passphrase is useless without the private key. The basis of using
PGP or GPG securely is keeping your private key secure. Then your passphrase
is meaningless. I rarely use passphrases because they're not worth it for my
threat model. If you are worried about people getting your private key then
you have bigger problems than I do.

> How do you figure the hash is easy to duplicate?

Not to speak for the OP but the men in black and other motivated attackers
mmaintain large lists of common words and phrases and their hash values in
all the commonly deployed hashes so they can work backwards much more
quickly. They don't so much duplicate hashes as much as they have all the
possible hash values for given words and phrases ready to look up.

[toc] | [prev] | [next] | [standalone]


#79

FromGlobemaker <alanfolmsbee@cabanova.com>
Date2011-08-19 04:36 -0700
Message-ID<e5c25171-69c0-4cfa-abb8-6bfb1140c7cc@t7g2000vbv.googlegroups.com>
In reply to#72
On Jun 29, 6:47 am, Fritz Wuehler
<fr...@spamexpire-201106.rodent.frell.theremailer.net> wrote:
> Didn't see the original post so...
>
> > >> GPG and PGP use a hash on the symmetric key you enter,
>
> For what? Not the session key, that's randomly generated for each
> message. If you are talking about using pure symmetric crypto with PGP then
> that is also wrong, in that case there is no session key saved anywhere, it
> has no choice but to use the exact passphrase you use. The hash is on the
> message itself so it can be verified when you supply the correct key!
>
> > > Thank you for mentioning the hash step. My conclusion is that the
> > > hashed password value is not accessible to me or any user from the
> > > menus. If the symmetric key is a hashed password, it is no better than
> > > a password. The hash is easy to duplicate. Bad passwords : 123456,
>
> The *passphrase* is an iterated hash of the password. If you have questions
> on exactly how it's done you should ask on those mailing lists instead of
> posting incorrect information as gospel. The gpg method should protect
> against precalculating hashes for common passphrases but even if that didn't
> work, the passphrase is useless without the private key. The basis of using
> PGP or GPG securely is keeping your private key secure. Then your passphrase
> is meaningless. I rarely use passphrases because they're not worth it for my
> threat model. If you are worried about people getting your private key then
> you have bigger problems than I do.
>
> > How do you figure the hash is easy to duplicate?
>
> Not to speak for the OP but the men in black and other motivated attackers
> mmaintain large lists of common words and phrases and their hash values in
> all the commonly deployed hashes so they can work backwards much more
> quickly. They don't so much duplicate hashes as much as they have all the
> possible hash values for given words and phrases ready to look up.

OP Globemaker sender says:

Thank you all for answering. No response gave me a way to enter a 128
bit key for AES encryption in GPG. I conclude that GPG has no menu for
me to specify a specific 128 bit key for AES to use to encrypt a
message. GPG only allows a password to be a seed to create a 128 bit
key that I can never see. I am criticizing GPG for this reason. It is
compromised.

[toc] | [prev] | [next] | [standalone]


#80

FromOtto Sykora <bggbflxben@tzk.pu>
Date2011-08-28 13:22 +0200
Message-ID<fm8k57hqi0lroh1t4dbrk5c0gfg7p7efbp@4ax.com>
In reply to#79
>I can never see. I am criticizing GPG for this reason. It is
compromised.<

hmmm, what do you mean by compromized?
The fact that there is no way to use self made symetric keys does not
mean anything about compromizing.

gpg is not a software meant for such trivial use.

as stated above, symetric keys are one time use items and need not to
be stored, presented or entered in any case. To handle them you need
the asymetric part of gpg to make any use of it.



[toc] | [prev] | [next] | [standalone]


#81

FromJeffrey Goldberg <nobody@goldmark.org>
Date2011-08-31 12:48 -0500
Message-ID<9c7af2F1ktU1@mid.individual.net>
In reply to#79
On 11-08-19 6:36 AM, Globemaker wrote:

> I conclude that GPG has no menu for me to specify a specific 128 bit
> key for AES to use to encrypt a message. GPG only allows a password
> to be a seed to create a 128 bit key that I can never see.

That is correct. PGP/GnuPG are designed for real world secure
communication and encryption, not a tool chest for playing with algorithms.

> I am criticizing GPG for this reason. It is compromised.

It also doesn't make toast. Therefore it is completely broken.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

[toc] | [prev] | [next] | [standalone]


#83

From"Thor Kottelin" <thor@anta.net>
Date2011-09-01 00:18 +0300
Message-ID<3zx7q.72761$mX5.62382@uutiset.elisa.fi>
In reply to#81
"Jeffrey Goldberg" <nobody@goldmark.org> wrote in message 
news:9c7af2F1ktU1@mid.individual.net...
> On 11-08-19 6:36 AM, Globemaker wrote:

>> I am criticizing GPG for this reason. It is compromised.
>
> It also doesn't make toast.

Not even if you place a slice of bread on the keyboard of a ten year old 
laptop, make GPG crunch out a 8192-bit key and close the lid overnight?

-- 
Thor Kottelin
http://www.anta.net/

[toc] | [prev] | [next] | [standalone]


#84

FromJeffrey Goldberg <nobody@goldmark.org>
Date2011-09-01 13:29 -0500
Message-ID<9ca19eFiboU1@mid.individual.net>
In reply to#83
On 11-08-31 4:18 PM, Thor Kottelin wrote:
> "Jeffrey Goldberg" <nobody@goldmark.org> wrote in message
> news:9c7af2F1ktU1@mid.individual.net...
>> On 11-08-19 6:36 AM, Globemaker wrote:
> 
>>> I am criticizing GPG for this reason. It is compromised.
>>
>> It also doesn't make toast.
> 
> Not even if you place a slice of bread on the keyboard of a ten year old
> laptop, make GPG crunch out a 8192-bit key and close the lid overnight?

Fair enough. But it would burn the toast, in which case I have to say
that it doesn't make toast well.  So it is still completely broken.
Broken I say!

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

[toc] | [prev] | [next] | [standalone]


#73

FromBohgosity BumaskiL <brewhaha@freenet.edmonton.ab.ca>
Date2011-06-30 00:32 -0600
Message-ID<972jl9F6hdU1@mid.individual.net>
In reply to#70
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
On 2011-06-27 9:07 PM, Globemaker wrote:
> On Jun 23, 5:17 am, Bohgosity
BumaskiL

> <brewh...@freenet.edmonton.ab.ca> wrote:
> GPG and PGP use a hash on the symmetric key you enter,
>
> because the hash contains more entropy: It is
> always 128 bits of enhanced randomness, so the
> best reason for hashing your keystrokes is because
> people are not always very creative with their
> pass-phrases. Phil Zimmerman coined that term,
> because even after he did the work of hashing
> pass-phrases, he wasn't convinced that people
> would always come up with sixteen letterz for
> their security, AND it was hard to prove that
> hashing a key was effective against short or
> sloppy symmetric keys.
>
> I imajin that you want to use a key with all
> zeros to test the symmetric encryption method.
> Well...your final analysis should include the
> effect of hashing your zeros.
> _______
> http://ecn.ab.ca/~brewhaha/BrewJay's Babble Bin

> Thank you for mentioning the
hash step. My
> conclusion is that the
> hashed password value is not
accessible to
> me or any user from the

> menus.

> If the symmetric key is a
hashed password,
> it is no better than

> a password. The hash is easy to duplicate.
> Bad passwords : 123456,

> password, secret, etc. always hash into the
> same symmetric key.

1. Hash words, in the same manner az PGP, like
   "secret".
2. If your hash matches the symmetric key, then
   you've cracked it.
3. Code is probably out there to apply "crack"
   to PGP.

Symmetric cryptography is never stronger than a
user's pass-phrase. Few people use symmetric
cryptography: gpg -c
That is why it was hard for Zimmerman to prove
that hashing a symmetric key was an improvement.
I see nothing that anyone can do about weak
pass-phrases, other than making a computer
demand a strong one, or at least rate strength.
Symmetric cryptography is never stronger than a
pass-phrase.

OTOH, if we talk about public key crypto, an
attacker haz to get both a private key, and a
pass-phrase. In that case, a symmetric key will
be extremely random, and it will be encrypted
with a public key.

> GPG

> seems to prevent users from seeing the symmetric
> key or setting the key. Only
passwords are used to

> hash to set the key. This is
weak

> crypto. It is compromised. Correct me if there
> is a way to input a 128

> bit key directly into
GPG AES. I believe there
> is no menu item to

> define a 128 bit key for symmetric ciphers. That
> is bad quality

> crypto. It is weak so it can be broken easily
> by NSA, etc. But it is

> strong enough to fool my little sister or script
> kiddies.

(remind me to find something to re-format quoted
text before enigmail signs it)

I do not see how using clear pass-phrases can be
any stronger than hashed pass-phrases. What you are
saying haz nothing to do with weak crypto: More
entropy is in keys being used to encrypt a message.
If you could enter a pass-phrase without a hash,
then you could still apply crack to it. It would
run twice az long, because it would hav to test
against both hashed and unhashed pass-phrases.

In the end, I see no compelling reason to enable
unhashed pass-phrases in symmetric crypto.
_______
A soldier who survived mustard gas and
pepper spray is now a seasoned veteran.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iQCVAwUBTgwYgR47apzXdID2AQIb+AP+MdmSoY0tx/pHHZriUKgKAdXrKZFyQGOH
srnzcu4Xj/1Wqw9ws/m9BWPh80Sxxt0d4+cNVp4DTReGjF6m6dPDB6h3BuYM13Rh
6Khh0RWRVjEZJeGswtYFs2bnVBpgA05HAdyXu4Tr0BlBYRiPU1hftTrXZO0BXyZ1
4OO7n7vsJ8E=
=kX/J
-----END PGP SIGNATURE-----

[toc] | [prev] | [next] | [standalone]


#74

FromJeffrey Goldberg <nobody@goldmark.org>
Date2011-07-09 02:41 -0500
Message-ID<97qf1gFvjmU1@mid.individual.net>
In reply to#55
On 11-05-26 7:01 AM, Globemaker wrote:

> In sci.crypt it is appropriate to discuss THE REASON for designing GPG
> with that "feature" which is not mentioned in the documentation.  One
> can speculate several altruistic or sinister REASONS that the key is
> untouchable. Here is a list:

> 2 Keys are too important to let stupid people mishandle them.

This is one of the reasons that crypto systems use key derivation
functions. They are to go from the kinds of things that can live and
people's heads (and be typed in) to the 128 bit numbers that the actual
encryption uses.

I haven't looked at the source, but a quick bit of googling tells me
that GPG uses PBKDF2 as a key derivation function. The purpose of things
like PBKDF2 is to make the process of going from a pass phrase to the
key computationally expensive (say taking 200ms). 200ms isn't going to
bother a user typing in their pass phrase but it does slow down
automated password crackers.

I describe PBKDF2 (as used in a different tool) fairly vaguely for a
general audience here:

 http://blog.agilebits.com/2011/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/

If you want more details you can read the Wikipedia article on it or
even the relevant RFCs.

 http://en.wikipedia.org/wiki/PBKDF2

GnuPG/PGP is meant as a tool to help you keep things secret. If you want
a toolset for playing with encryption algorithms, they you will need to
look elsewhere.

Cheers,

-j


-- 
Jeffrey Goldberg          http://goldmark.org/jeff/
I rarely read HTML or poorly quoting posts
Reply-To address is valid

[toc] | [prev] | [standalone]


Back to top | Article view | comp.security.pgp.discuss


csiph-web