On Fri, Nov 06, 2009 at 07:27:57PM +0100, Heinz Diehl wrote:
> On 06.11.2009, Si St wrote:
>
> > Are the security problems as to e.g. watermarks also affecting gnuPG?
> > Well, I would think so if the ECB is used
>
> GnuPG uses CFB mode of operation (as defined in the OpenPGP standard),
> it's a streaming version of CBC and is therefore not vulnerable to
> watermarking. Please folks, correct me if I'm wrong.

AFAIK you are not wrong. Watermarking vulnerabilities seem to
mostly affect short, not chained cipher blocks, as in sector
level disk encryption.

> > I am a doctor and transfer daily info of thousands of patients every
> > day on a USB-stick. Before I used to plaintext-copy them all to the
> > stick, but now I always encrypt it as a tar-file with gpg. I transfer
> > the journals from my office machine to home machines....
>
> In my opinion, you're better off using LUKS/dmcrypt on the USB-stick. In
> addition, the whole system should be encrypted as well, to handle leaking
> of the passphrase/key.

As long as you do the encryption on the source machine and the
decryption on the target machine and the stick only ever has
the gpg-encrypted file on it, I see nothing wrong at all with
the procedure. And it is significantly easier to set up
(stick-agnostic, as long as it has a filesystem).

> > The office machine is an old SuSE 7.3 !! with hardware from the year of
> > the Lord 2001. But this machine is NOT configured to internet - it is
> > only a stand alone machine.

This machine is fine, if you do not connect it to the Internet.
Never change a working system. You should however use a current
version of gpg.

Arno

> This machine needs to be updated. A whole lot of things changed since 2001.
>
> > What do you say about this matter, my dear Heinz? Stubbornness and
> > remnant Newbie, maybe.
>
> I would update / replace the old machine with a new one, install some
> recent Linux distribution on it, with encrypted filesystems (incl.
> root/swap), and prepare the USB stick with a LUKS/dmcrypt formatted
> partition. Newer Linux kernels also provide a bunch of modes of operation
> which are not vulnerable to watermarking (XTS...).
>
> Alternatively, you could use an SSH tunnel using authorization via RSA-key
> from/to your home/workingplace machine and drop carrying sensitive data on
> your memory stick.
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
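The ECB versus CFB distinction discussed in this thread, as an added illustration that is not code from the posters or from GnuPG: unchained blocks encrypt identical plaintext to identical ciphertext, while CFB with a fresh IV does not. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher's encrypt direction, and all function names and the sample data are constructed for this example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES

def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's encrypt direction (assumption, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def blocks_of(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Unchained: every block is transformed on its own."""
    return b"".join(prf_block(key, b) for b in blocks_of(plaintext))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for chunk in blocks_of(plaintext):
        prev = bytes(p ^ k for p, k in zip(chunk, prf_block(key, prev)))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption uses the same forward direction of the cipher."""
    out, prev = [], iv
    for chunk in blocks_of(ciphertext):
        out.append(bytes(c ^ k for c, k in zip(chunk, prf_block(key, prev))))
        prev = chunk
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = blocks_of(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample: 64 identical 16-byte plaintext blocks.
SAMPLE = b"PATIENT-RECORD-\n" * 64

if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, SAMPLE)))
    print("CFB repeated blocks:", repeated_blocks(cfb_encrypt(key, iv, SAMPLE)))
```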