Mailing List Archive: GnuPG: users

Web-based pinentry



mike at silverorange

Aug 29, 2012, 9:32 AM

Post #1 of 5 (194 views)
Web-based pinentry

Hello,

I'm the maintainer of a PHP package that integrates with GnuPG
(https://github.com/gauthierm/Crypt_GPG)

The package is used on a website to allow decrypting stored messages.
This is accomplished using the --status-fd and --command-fd options of
GnuPG, allowing the passing of passphrases.

As of GnuPGv2, the --command-fd method of passing passphrases no longer
seems to work. Is there an alternative I can use so that the pin entry
interface is still a webpage?

I would continue to use GnuPGv1, but distributions have stopped
including it by default and no longer provide packages.

Please let me know what I can use to handle pin-entry in a web-based system.

Thanks,
Mike

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


yyy at yyy

Aug 30, 2012, 3:48 AM

Post #2 of 5 (182 views)
Re: Web-based pinentry [In reply to]

----- Original Message -----
From: "Michael Gauthier" <mike [at] silverorange>
To: <gnupg-users [at] gnupg>
Cc: "Michael Gauthier" <mike [at] silverorange>
Sent: Wednesday, August 29, 2012 7:32 PM
Subject: Web-based pinentry

> As of GnuPGv2, the --command-fd method of passing passphrases no longer
> seems to work. Is there an alternative I can use so that the pin entry
> interface is still a webpage?
>
> Please let me know what I can use to handle pin-entry in a web-based
> system.
>

If I have understood correctly, in gpg2, in such cases you are supposed to
use no passphrase at all.




mike at silverorange

Aug 30, 2012, 7:28 AM

Post #3 of 5 (182 views)
Re: Web-based pinentry [In reply to]

> yyy yyy at yyy.id.lv
> Thu Aug 30 12:48:45 CEST 2012
>
>> As of GnuPGv2, the --command-fd method of passing passphrases no longer
>> seems to work. Is there an alternative I can use so that the pin entry
>> interface is still a webpage?
>>
>> Please let me know what I can use to handle pin-entry in a web-based
>> system.
>>
>
> If I have understood correctly, in gpg2, in such cases you are
> supposed to use no passphrase at all.

Where can I find documentation that recommends not using a passphrase?
My understanding is a passphrase is important to protect private keys in
the event they are acquired:
http://www.gnupg.org/gph/en/manual/c481.html#AEN506

If I don't use a passphrase, how should I protect my key (other than
making it difficult to physically access)?

Cheers,
Mike



wk at gnupg

Aug 30, 2012, 8:11 AM

Post #4 of 5 (185 views)
Re: Web-based pinentry [In reply to]

On Wed, 29 Aug 2012 18:32, mike [at] silverorange said:

> Please let me know what I can use to handle pin-entry in a web-based system.

For exactly that reason (the original requester was building a student
webmail system), GnuPG has a feature to make this easy. What you need
to do is to provide a script which acts as the pinentry and asks the
user for the passphrase. To control that script you set the environment
variable PINENTRY_USER_DATA to whatever value you need to control it.
The variable is then passed all the way from your application via gpg to
the pinentry.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


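Werner's suggestion above, as an added example that is not from the thread or from Crypt_GPG: a minimal pinentry script speaking the Assuan protocol that gpg-agent uses, which reads a session token from PINENTRY_USER_DATA and looks the passphrase up in an in-memory store the web form filled, so the passphrase never sits in a file. gpg-agent is pointed at it with the pinentry-program option in gpg-agent.conf; the session store layout and the token scheme are assumptions of this example.

```python
"""Web-session pinentry (added example, not Crypt_GPG or thread code): speaks
the Assuan pinentry protocol; session store and token scheme are assumed."""
import os
import sys
# Constructed stand-in for an in-memory server-side session store. The web
# layer fills it from the login form and puts only the token into PINENTRY_USER_DATA.
SESSION_STORE = {"sess-42": "correct horse battery staple"}
# Commands accepted without any action in this minimal implementation.
ACCEPTED = {"OPTION", "SETDESC", "SETPROMPT", "SETTITLE", "SETOK", "SETCANCEL",
            "SETERROR", "SETKEYINFO", "SETREPEAT", "SETQUALITYBAR", "GETINFO"}

def assuan_escape(text):
    """Percent-escape the characters Assuan reserves inside a D line."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

def handle(line, user_data, store=SESSION_STORE):
    """Answer one Assuan command line; returns the response lines."""
    cmd = line.strip().split(" ", 1)[0].upper()
    if cmd == "GETPIN":
        passphrase = store.get(user_data)  # token -> passphrase, never a file
        if passphrase is None:
            # Same reply a GUI pinentry gives when the user presses Cancel.
            return ["ERR 83886179 Operation cancelled <Pinentry>"]
        return ["D " + assuan_escape(passphrase), "OK"]
    if cmd == "BYE":
        return ["OK closing connection"]
    if cmd in ACCEPTED:
        return ["OK"]
    return ["ERR 275 Unknown command <Pinentry>"]  # GPG_ERR_ASS_UNKNOWN_CMD

def run_session(lines, user_data, store=SESSION_STORE):
    """Drive a whole exchange in memory (testable without gpg-agent)."""
    out = ["OK Pleased to meet you"]  # greeting gpg-agent expects first
    for line in lines:
        out.extend(handle(line, user_data, store))
        if line.strip().upper() == "BYE":
            break
    return out

def main():
    """stdin/stdout loop for use as gpg-agent's pinentry-program."""
    user_data = os.environ.get("PINENTRY_USER_DATA", "")
    print("OK Pleased to meet you", flush=True)
    for line in sys.stdin:
        print("\n".join(handle(line, user_data)), flush=True)
        if line.strip().upper() == "BYE":
            break

if __name__ == "__main__":
    main()
```

The store must be reachable only by the pinentry process on the server, and entries should be dropped as soon as the decryption finishes, since whoever can read the store gets the passphrase just as with a passphrase file.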


wk at gnupg

Aug 31, 2012, 12:34 AM

Post #5 of 5 (182 views)
Re: Web-based pinentry [In reply to]

On Thu, 30 Aug 2012 16:28, mike [at] silverorange said:

> Where can I find documentation that recommends not using a passphrase?
> My understanding is a passphrase is important to protect private keys
> in the event they are acquired:

Right. However, most people asking for an easy way to convey the
passphrase to gpg already have the passphrase online in some file. The
usual code is a script like

echo mypassphrase | gpg --passphrase-fd 0 .....

or

cat myfilewiththepassphrase | gpg --passphrase-fd 0 .....

This does not give you any protection at all because an attacker has
immediate access to the passphrase. Thus the suggestion is to use an
empty (i.e. no) passphrase.

However, if the system is an attended one and the user is able to enter
a passphrase, a passphrase is useful. In that case the passphrase is
not stored on the system and a stolen hard disk won't be a problem (as
long as a good passphrase is used).


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

