
/tech/ - Technology

 No.1045579>>1046894

So, I've been playing around with PGP, and boy, is it convoluted! All I wanted was to make (and exchange) a keypair, and dance the easy message-crypto dance: encrypting messages from me with my private key to ensure authenticity, then with their public key to ensure privacy, decrypting messages to me with my private key to ensure privacy, then with their public key to ensure authenticity. But, nooo, they had to add a bunch of fluff. And it is fluff (or ought to be separated into the various parts, so that it isn't one convoluted mess). The main thing about keypairs that you can prove is that any message encrypted by the private key of that pair will be decryptable only by the corresponding public key, and vice versa. You cannot prove that a given human is the owner of a given key, nor can you prove that a given key is owned by a given human, that's beyond the scope of the system. Sure, it's maybe possible to establish fairly decent probabilities that they are in such a relation, but that gets convoluted fast, as we see with PGP. The beauty of the idea was that you don't need to prove all that, all you really need to do is treat each public key as a sort of name for some person who you only know by that name (with the benefit that the likelihood of another having the same name is extremely small), thus you essentially treat the public key as the person, and watch the behaviour of that person (which will be trivially provably the behaviour of that person, because it is all signed by their private key, which is verified using their public key, and any behaviour which is not signed thus is treated as not them (and if it's not signed at all, it's treated as a sort of cryptographic 'wild west', where no reasonable person trusts anything, because there is no establishing of trustworthiness)).

I guess what I'm trying to get at is this: is there any cryptographic software system compatible with PGP, but only provides the (sufficient) abilities 'generate keypair', 'encrypt message using key', 'decrypt message using key'?

<inb4 variety of algorithms

I'm all for having a variety of algorithms, but my concern here is what one can do with the algorithms, how easy it is to do those things with those algorithms, and how easy it is to learn how to do those things with those algorithms (respectively: capability / mechanism, usability / elegant interface, learnability / proper documentation), as opposed to which algorithms are best (which is for probabilists and cryptologers to understand and advise us of, and is likely dependent on the circumstance).

 No.1045588

Do you need all 3 of those threads, you dipshit? xD

>encrypting messages from me with my private key

Messages are not encrypted with private keys. You publish your public key and others encrypt messages with your public key thus ensuring only you can decrypt them with your private key. That's why you actually can not decrypt messages to others unless you encrypt them with YOUR public key too.

Likewise, you sign your message with your private key, and people can use your public key to verify the signature.

>I guess what I'm trying to get at is this: is there any cryptographic software system compatible with PGP, but only provides the (sufficient) abilities 'generate keypair', 'encrypt message using key', 'decrypt message using key'?

If you drop the signing/verifying part, you have absolutely no way to verify the identity of a sender. Remember: anyone could be using your public key to send you a message.
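
The key roles described in the reply above, as an added Python example that is not part of the original post. It assumes the third-party `cryptography` package and uses bare RSA-OAEP and RSA-PSS to show which key does what, not the OpenPGP message format; `send`, `receive` and `demo` are names made up for this illustration.

```python
# Added illustration: key roles only, not an OpenPGP implementation.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def send(sender_priv, recipient_pub, message: bytes):
    """Sign with the sender's PRIVATE key, encrypt to the recipient's PUBLIC key."""
    signature = sender_priv.sign(message, PSS, hashes.SHA256())
    ciphertext = recipient_pub.encrypt(message, OAEP)
    return ciphertext, signature


def receive(recipient_priv, sender_pub, ciphertext: bytes, signature: bytes):
    """Decrypt with the recipient's PRIVATE key, verify with the sender's PUBLIC key."""
    message = recipient_priv.decrypt(ciphertext, OAEP)
    try:
        sender_pub.verify(signature, message, PSS, hashes.SHA256())
        return message, True
    except InvalidSignature:
        return message, False


def demo():
    alice, bob, mallory = new_key(), new_key(), new_key()
    msg = b"constructed sample message"
    ct, sig = send(alice, bob.public_key(), msg)
    genuine = receive(bob, alice.public_key(), ct, sig)
    # Anyone can encrypt to Bob's public key; only the signature says who wrote it.
    ct2, sig2 = send(mallory, bob.public_key(), msg)
    impostor = receive(bob, alice.public_key(), ct2, sig2)
    # Alice cannot decrypt her own outgoing ciphertext: it was encrypted to Bob only.
    try:
        alice.decrypt(ct, OAEP)
        sender_can_read = True
    except ValueError:
        sender_can_read = False
    return genuine, impostor, sender_can_read


if __name__ == "__main__":
    print(demo())
```
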


 No.1045735

Mods please contain this faggot


 No.1046825>>1046833 >>1046894

There are a few "GPG made easy" type projects, but they come with the big fat warning any "crypto made easy" type project does. Unfortunately, GnuPG is a colossal piece of shit software that is notoriously hard to integrate to the point where people parse its goddamn output (sometimes with fatal consequences).


 No.1046833>>1046849 >>1046894

>>1046825

But how hard is it to write something like this these days? Don't we have libraries that make this shit relatively easy? Can't any nigger use libressl and python to encrypt shit?


 No.1046849>>1047191

>>1046833

Email encryption has to parse email content. Or, rather, decryption does. With encryption you just encrypt, base64 (PGP should do these two steps by itself) and set an appropriate MIME type IIRC. Though multipart/encrypted is a nasty piece of work.

If we don't consider that, it SHOULDN'T be that hard. Apart from GPG, there is an Enigmail add-on for Thunderbird or whatever, so GPG is not the only free/opensource solution, but using the whole Thunderbird might be an overkill for some purposes.

I dunno why people don't really care about cleaner PGP implementation. I suppose GPG is "gud enuff" and privacy nuts don't rely on PGP to hide their asses: PGP ensures no MitMs can read the communication, but email delivery system itself prevents anybody from creating a system that hides user's email address. Everybody listening in could see who is talking to whom.
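
The `multipart/encrypted` wrapping and the parsing that the decrypting side has to do, as an added Python example that is not part of the original post. It follows the RFC 3156 PGP/MIME layout using only the standard library; the armored block is a constructed placeholder (no real encryption happens here), and `build_pgp_mime` and `extract_ciphertext` are names made up for this illustration.

```python
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholder; a real message carries OpenPGP output here.
ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
           "(constructed placeholder, not real ciphertext)\n"
           "-----END PGP MESSAGE-----\n")


def build_pgp_mime(armored: str, sender: str, rcpt: str) -> bytes:
    """Sending side: wrap already-encrypted, ASCII-armored data."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"] = sender, rcpt   # envelope metadata stays in clear
    outer["Subject"] = "constructed sample"
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(armored.encode("ascii"), "octet-stream",
                                 _encoder=encoders.encode_7or8bit))
    return outer.as_bytes()


def extract_ciphertext(raw: bytes) -> str:
    """Receiving side: accept only the exact two-part structure, else refuse."""
    msg = message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/encrypted":
        raise ValueError("not multipart/encrypted")
    if (msg.get_param("protocol") or "").lower() != "application/pgp-encrypted":
        raise ValueError("unexpected protocol parameter")
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        raise ValueError("expected exactly two body parts")
    control, data = parts
    if control.get_content_type() != "application/pgp-encrypted":
        raise ValueError("first part must be application/pgp-encrypted")
    fields = control.get_payload(decode=True).decode("ascii", "replace").lower()
    if "version: 1" not in fields:
        raise ValueError("missing 'Version: 1' control field")
    if data.get_content_type() != "application/octet-stream":
        raise ValueError("second part must be application/octet-stream")
    return data.get_payload(decode=True).decode("ascii")


if __name__ == "__main__":
    raw = build_pgp_mime(ARMORED, "a@example.invalid", "b@example.invalid")
    print(extract_ciphertext(raw))
```

The returned armored text is what would then be handed to the OpenPGP implementation for decryption; anything that does not match the expected structure is rejected before that point.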


 No.1046894>>1047191

>>1045579 (OP)

I don't know of any such system. UNIXtards are too busy masturbating over nonsense like the WoT, X.509, and other snake oil.

>>1046825

>GnuPG is a colossal piece of shit software that is notoriously hard to integrate to the point where people parse its goddamn output (sometimes with fatal consequences).

serves you right for trying to parse text output of programs period

>>1046833

if you had to ask you won't be able to. there will be a CVE on your project the day after it becomes popular. if you want to implement crypto, learn crypto first. if you want to combine primitives learn to combine primitives first


 No.1046914


 No.1047191

>>1046849

People tend to not care about implementation quality at all. This holds doubly so for free software; the four freedoms may include the freedom to read, but unfortunately not the freedom to understand in a reasonable timeframe, and the GNU folks will accept any garbage as long as it has the GPL slapped onto it. It doesn't help that PGP standards are pretty messy (I wonder (((why)))).

>>1046894

>serves you right for trying to parse text output of programs period

Correct, but just this once they don't do it by choice since GnuPG does not exist in usable library form.



