Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jeffrey Walton (noloadergmail.com)
Date: Sat Jul 10 2010 - 12:36:54 CDT
Will you be leasing source so the implementation can be verified? I'm
interested in the security levels of the components, and its hard to
gather from the sales literature. I don't believe it was listed at
http://www.hammerofgod.com/tgp.html. More from that page....
> Key DropBox
> If you get someone’s private key off the internet or via email,
> or via email, you can just cut and paste it into the Key Dropbox
> field and hit “Create” to validate the data and create a new XML
> public key file.
Hmmm.... someone else's private key? Perhaps you will take the liberty
of signing for some one else, which seems to nullify non-repudiation.
If you're looking to read someone else's confidential data, perhaps
you should use Samir's Secret Sharing scheme. Then, all interested
parties can access the data.
> ... the Dropbox parsing function actually validates the data, checks the hash,
> and creates a new file for you.
One cannot make any integrity or authenticity claims when using an
unkeyed hash. If you can calculate the hash, so can the bad guy.
Perhaps you should use a MAC such as HMAC (HMAC is a keyed hash). Then
you can make a integrity/authenticity claim.
I’ll work up more little functoid like that when I have time.
On Fri, Jul 9, 2010 at 2:55 PM, Thor (Hammer of God)
> After a brief into to full disclosure, I'm have now released a new tool I call "TGP - Thor's Godly Privacy."
> As the name may indicate (other than the tongue-in-cheek egoism), it is an encryption tool that offers a bit more than your standard "for pay" tools and a better implementation (I think) than many free ones. You can find the full skinny at:
> Here is a brief snip from the "About TGP" bookmark for context:
> <Begin snip>
> TGP is a small yet very powerful encryption utility. With all eyes on "the cloud," I decided to write an encryption application better suited to an environment where portability and security were, at the least, challenging. In cloud computing, not only is the use of file structures becoming more abstract, but the very concept of a "file server" is becoming more and more ubiquitous.
> As such, I designed TGP with "encryption for the cloud" in mind. That means that not only does TGP do everything your normal PGP-type applications do, but it does things a bit differently - differently in a way that can change the way you work with your encrypted data. At the simplest level, this is done by encrypting data into byte arrays, and then converting those byte arrays into Base64 encoded text wrapped inside XML tags. In this way, not only do you get your typical file-based encrypted representation of your data, but you also get data that you can copy and paste directly into any email, mailing list, blog-page, or social networking site if you choose to. It also makes processing multiple encrypted files as key management much easier that other implementations as the XML encoding allows you to processes and manage encrypted data files or blobs programmatically.
> What I think is interesting about this is that if we choose to, we no longer have to be the custodians of our encrypted data - we don't have to worry about actually housing the files: we can just post them to the internet and let someone else assume the burden of storing the files for us while still offering security.
> If I want to share encrypted files with someone or secure my own files, all I have to do is TGP encrypt the data I want, and post it to a mailing list somewhere. In the case of a list like Bugtraq or Full Disclosure, the data is actually automatically replicated out to any number of archive sites, thus distributing my data for me. I can literally be anywhere in the world and just do a quick search for keywords in my posts to retrieve my data. And since the TGP public key files are also text representations of encrypted key data, I can do the same with my keys. I think that offers up some very interesting use cases.
> Normally, you want to keep your private keys as safe as possible. This is still the case with TGP. However, it is trivial to build as many private keys as you wish to use for anything you want to use them for. TGP Private Key files are password protected and individually salted, so with a strong passphrase you have very reasonable assurance that no one is going to get to your key any time soon. So, you can create a private key with a strong password, post that, and then, say, encrypt a scan of your passport and post that. Then if you are ever in a pinch while travelling or something like that, you can simply use Google or Bing to access your data wherever you are. My new version 1.2 also fully supports MSFT x509 certificates if you choose.
> Of course, that's just an example, but I think it illustrates the power of encrypted file structures like this. You can literally use Facebook to post encrypted documents that you don't have to maintain and use Facebook as a distribution method for you to securely exchange data without actually have to possess it.
> <End snip>
> Any questions are comments are welcome. TGP is totally free as are all Hammer of God utilities.
> Get Hammered!
> Timothy "Thor" Mullen
> Hammer of God