Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Introducing TGP...
From: Nid <nidfulldisc () googlemail com>
Date: Mon, 14 Jun 2010 20:17:55 +0200

Hi Timothy

TGP – “Thor’s Godly Privacy”

06/13/10 v1.1.06

it does things a bit differently – differently in a way that can
change the way you work with your encrypted data. At the simplest
level, this is done by encrypting data into byte arrays, and then
converting those byte arrays into Base64 encoded text wrapped inside
XML tags. In this way, not only do you get your typical file-based
encrypted representation of your data, but you also get data that you
can copy and paste directly into any email, mailing list, blog-page,
or social networking site.
First of all you should keep in mind, that base64 raises the size of
your data by 33%.

What I think is interesting about this is that if we choose to, we no
longer have to be the custodians of our encrypted data – we don’t have
to worry about actually housing the files: we can just post them to
the internet and let someone else assume the burden of storing the
files for us.

posting big files especially on mailing lists might offend the other
users of the list. specially if you see the headline of lsi's answer.
there your message is marked as spam. Also assuming to have a lot of
people behaving like this would result in moderated lists.
BTW why not storing your data on rented space?

The next issue is that you can not trust private keys which are
published on the internet with respect to signatures. These keys could
have been cracked.
Using such a key only for yourself to have data on the internet seems
also not to make sense. It could be better placed on a private machine
where you have controled access to for example with VPN or ssh.

The next point is if you would like to use the key in an internet cafe
at a restaurant, you will not be able to trust the machine. most likely
there is a trojan on it or a key grabber.

Normally, you want to keep your private keys as safe as possible. This
is still the case with TGP. However, it is trivial to build as many
private keys as you wish to use for anything you want to use them for.
TGP Private Key files are password protected and individually salted,
so with a strong passphrase you have very reasonable assurance that no
one is going to get to your key any time soon. So, you can create a
private key with a strong password, post that, and then, say, encrypt
a scan of your passport and post that. Then if you are ever in a pinch
while travelling or something like that, you can simply use Google or
Bing to access your data wherever you are.

That’s really the main different between TGP and an application like
PGP. That and of course, TGP is free, and personally, I think PGP is
tardware. It’s bloated, it’s far too expensive, it’s hard to use, and
if you don’t watch your licensing, you can get screwed hard like I did
when I didn’t want to buy the extended support and one day my
encrypted drives stopped working until I paid them. That doesn’t fly.
TGP also doesn’t require that you are an admin to install. However,
the .NET installer for the 4.0 client profile does – that’s not my
doing. Regardless, here are the file structures TGP uses:

there are other possibilities than PGP for example GPG ect. I would
rather trust such a software, since I am somehow sure, that enough
people tried to find bugs in it. Also a lot of scientists and hackers
tried to find a bug in the implementation.

If for example your software uses a weak Pseudo random number generator
this could result in weak key room.

Best regards Norbert

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]