I know that RSA uses prime numbers, but when I create a new key pair on my computer, how does the program find the prime numbers? Where do they come from?
I want to get rid of the MDC packet in OpenPGP because I view SHA1 as a catastrophic threat. If one can invert SHA1, then all plaintext in OpenPGP is … open. If one tries to go back to RFC 2440 standards, disable the MDC, and encrypt a file, it does not work, but gpg does not tell you immediately:
gpg2 --rfc2440 --symmetric --cipher-algo CAMELLIA256 /home/none/Oak
gpg: WARNING: encrypting without integrity protection is dangerous
gpg: Hint: Do not use option --rfc2440
I wanted to see whether I could actually get gpg to use CAMELLIA256 in the RFC 2440 Standard, and evidently it worked:
gpg2 --list-packets /home/none/Oak.gpg
gpg: CAMELLIA256 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
gpg: decryption forced to fail!
# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 13, s2k 3, hash 2
    salt A1B3FC0972AB559C, count 29360128 (236)
Notice this part above: decryption forced to fail
So I went further and tried to change the cipher-algo too:
gpg2 --rfc2440 --symmetric --s2k-digest-algo SHA512 --s2k-cipher-algo AES256 /home/none/Peach
Which also worked, as shown by the packet analysis. But if one tries to decrypt such a file, this happens:
gpg2 --decrypt /home/none/Oak.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
asdfsadfvvvvvvvasdfsdfsdf
gpg: WARNING: message was not integrity protected
gpg: ***decryption forced to fail!***
So, it looks to me as if gpg does not want anyone to encrypt a file without the MDC packet’s SHA1; they certainly are not intent on updating it, and backwards compatibility could be made optional. How do I kill the “force to fail” command? Or how do I otherwise encrypt with gpg without having the plaintext hashed by SHA1?
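The packet headers the poster inspects with --list-packets can be checked programmatically. The example below is added here and is not the poster's code: it walks OpenPGP packet headers the way --list-packets does and reports whether a message's encrypted-data packet is SEIPD (tag 18, carries an MDC) or the old SED packet (tag 9, no integrity protection). The symkey packet bytes reproduce the ctb=8c, plen=13 header quoted above; the encrypted-data bodies that follow are constructed placeholders, not real ciphertext.

```python
# Added example (not the post's code): parse OpenPGP packet headers (RFC 4880 s4.2) and check for an MDC.
SYMKEY_ENC, SED, SEIPD = 3, 9, 18  # packet tags, RFC 4880 section 4.3

def parse_packets(data: bytes):
    """Yield (tag, header_len, body) per packet; partial lengths unsupported."""
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            raise ValueError(f"invalid CTB 0x{ctb:02x} at offset {off}")
        if ctb & 0x40:  # new format: tag in low 6 bits, length in 1/2/5 octets
            tag, first = ctb & 0x3F, data[off + 1]
            if first < 192:
                hlen, plen = 2, first
            elif first < 224:
                hlen, plen = 3, ((first - 192) << 8) + data[off + 2] + 192
            elif first == 255:
                hlen, plen = 6, int.from_bytes(data[off + 2:off + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 5-2, length-type in bits 1-0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nlen = 1 << ltype  # 1, 2 or 4 length octets
            hlen = 1 + nlen
            plen = int.from_bytes(data[off + 1:off + hlen], "big")
        yield tag, hlen, data[off + hlen:off + hlen + plen]
        off += hlen + plen

def s2k_count(octet: int) -> int:
    """Decode the coded S2K iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)

def integrity_protected(data: bytes) -> bool:
    """True if the encrypted-data packet is SEIPD (tag 18, carries an MDC)."""
    tags = [tag for tag, _, _ in parse_packets(data)]
    if SEIPD in tags:
        return True
    if SED in tags:
        return False
    raise ValueError("no encrypted-data packet found")

# Constructed sample: the symkey packet shown in the post (ctb=8c, plen=13:
# version 4, cipher 13, s2k 3, hash 2, salt A1B3FC0972AB559C, count octet 236)
SYMKEY = bytes.fromhex("8c0d040d0302a1b3fc0972ab559cec")
# ...followed by a placeholder 4-byte body as old-format tag 9 (no MDC) or new-format tag 18 (SEIPD)
NO_MDC = SYMKEY + bytes([0xA4, 4]) + b"\x00" * 4
WITH_MDC = SYMKEY + bytes([0xD2, 4]) + b"\x00" * 4
```

The decoded count for the 236 octet matches the 29360128 that gpg prints, and a message whose data packet parses as tag 9 is exactly the "not integrity protected" case the warning refers to.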
I’ve tried their poldi library with no luck. Local login with the OpenPGP card would be awesome, but Windows doesn’t support it and I’ve had no luck on Linux so far either.
I know PIV and OpenPGP are separate standards and independent applications in the YubiKey, but for newcomers like me they look very similar with their signing, encryption and authentication keys, use cases, etc.
After setting up my YubiKey with OpenPGP keys I’m wondering: is it advisable, useful and/or secure to load the PIV slots with certificates issued for the same keys used for OpenPGP?
I have successfully converted SSH keys to GPG primary keys and then converted them to authentication subkeys using pem2openpgp. Unfortunately only one primary key and only one authentication subkey are allowed on my YubiKey.
Are there hardware tokens that allow multiple OpenPGP identities on a single key, or at least multiple authentication keys?
I am using gpg-agent instead of ssh-agent to allow my current YubiKey authentication subkey to be used for login. As I cannot add additional authentication subkeys to the YubiKey, I attempt to add the standard SSH key to gpg-agent with “ssh-add”. At this point I am prompted for the key password and on success “ssh-add -l” reports that the key has been cached.
When I try to ssh into a box with the standard SSH key I keep getting prompted for the password to the key even though it is in the cache. Entering the password results in it being rejected as invalid.
My 2nd question is how can I get gpg authentication keys and ssh keys to work together with gpg-agent?