Topic: GPG4USB and GPA  (Read 1071 times)

Palloy
GPG4USB and GPA
« on: February 26, 2016, 10:20:43 PM »
I received an email today in reply to one I sent yesterday that I had encrypted with GPG4USB.  Thunderbird recognised it as an OpenPGP message, but didn't put the encrypted text on the screen; instead it said I needed the OpenPGP plugin.  I've been through all that before and didn't want to do it that way.

So I did Thunderbird > View > Message Source, which puts the entire email on the screen including the headers.  The body of the email was empty, but it had an attachment in PGP/MIME format.  I copied the appropriate part, between "-----BEGIN PGP MESSAGE" and "END PGP MESSAGE-----", and pasted it into GPG4USB.  So far so good.

I then did GPG4USB > Decrypt, entered my password, and GPG4USB crashed.  I did it again - crashed. Did it again from a terminal, so I could see what was crashing - "segmentation fault, core dumped".  Very unhelpful.

Then I noticed that the message didn't have the optional 2nd line "Version: xxxxxxxxxx", which normally reads "Version: GnuPG v1".
That shouldn't make any difference, but I put one of those in, and carefully checked everything else looked OK.  Tried again - crashed.

So I tried running it with GPA, which does the same thing as GPG4USB, only with not such an intuitive graphical interface, and not from USB.  I was expecting it to crash too, only perhaps with more explanation as to WHY it crashed.

To my surprise, it worked.

Now both GPG4USB and GPA use the GnuPG libraries, but GPA was built (by me) using the version 2.0.29 libraries, and GPG4USB doesn't say what it was built with, but probably version 1.  In fact neither actually says what version of libraries they are using, which is a poor show all round.

So there is a possibility that encrypted messages produced by AppleMail with PGP plug-in use some PGP options that only v2 can understand.  My correspondent is definitely the kind of person who would make use of the latest encryption algorithms "just for the hell of it", and IF that is what is going on here, GPG4USB has a bit of a problem.

Main differences between GPA and GPG4USB

1.  The most obvious thing is that GPG4USB is designed to be run from a USB stick, as opposed to being held on disk with the main file system.  The secure vault that holds the keys (most importantly your private keys) is therefore in a different place - /USB/gpg4usb/keydb/ as opposed to /home/palloy/.gnupg/.

2.  There are 3 main functions to this task, and GPA has 3 different windows for them, called Clipboard, Key Manager and File Manager.  GPG4USB combines Clipboard and the useful everyday bits of Key Manager and File Manager into one screen called Editor, and the non-everyday things are done under a separate window called Key Management.  GPG4USB's Editor is multi-tabbed, while GPA's Clipboard is not - I have found those tabs useful occasionally.  My preference is for the GPG4USB interface, but GPA is still quite usable.

3.  GPA has a fourth window for Card Manager, which GPG4USB doesn't have at all - you need a mag-stripe reader and a magnetic card to take advantage of Card Manager.

4.  GPG4USB has Linux 32-bit, Linux 64-bit, and Windows 7+ versions in every package, with Mac OS "coming soon", and it contains everything it needs including the GnuPG libraries, instead of sharing them. This greatly simplifies walking up to any computer (like in an internet cafe), sticking your USB stick in, and encrypting/decrypting emails.  But this may not be important to you, and it is easier to lose a USB stick than a whole desktop computer.

5.  Here's the trickiest problem - neither GPG4USB nor GPA update themselves automatically.  Well, GPA would do if you installed your OS's version of it, and the OS updated its version, but if Ubuntu haven't kept their version up to date for years, then probably no other OS has.  gnupg.org are working away fixing bugs and improving the source code of GPA, but unless you keep going to their site and checking for security fixes and newer versions, then you are not going to know about it.  And then gnupg.org don't provide pre-built apps, only source code, so you have to build it yourself.

I can't see a neat solution to this updating problem other than volunteering to do all the work myself, and given that nobody seems to care anyway, I'm not about to do that.

If you want to get an idea of how bad having an out of date encryption system is, look up "Venona" in Wikipedia, and learn about how the US cracked the Russians' encryption system during WW2, and how that led on to the start of the Cold War, the CIA, the McCarthy witch-hunts - all because they reprinted their one time pads (even though they only used them one time).
The State is a body of armed men
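
Added example, not part of the original post: a small Python check for the troubleshooting situation described above. It strips the ASCII armor (skipping the optional "Version:" header), verifies the armor CRC-24 to rule out copy/paste damage, and reads the first packet to report which public-key algorithm the message was encrypted to, all without the private key. The function names and the sample message are constructed for illustration.

```python
import base64

PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}  # OpenPGP IDs

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Remove the armor, skipping optional headers, and verify the CRC-24 if present."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or (lines[0], lines[-1]) != ("-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"):
        raise ValueError("not an armored PGP message")
    body = lines[1:-1]
    while body and (":" in body[0] or not body[0]):   # "Version: ...", "Comment: ...", blank
        body.pop(0)
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if checksum and int.from_bytes(base64.b64decode(checksum), "big") != crc24(data):
        raise ValueError("CRC-24 mismatch: armor was altered or truncated")
    return data

def first_packet(data: bytes) -> dict:
    """Report the first packet's tag and, for a PKESK packet (tag 1), key ID and algorithm."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:    # new-format header: length field is 1, 2 or 5 octets
        tag = data[0] & 0x3F
        off = 3 if 192 <= data[1] < 224 else 6 if data[1] == 255 else 2
    else:                 # old-format header: length field is 1, 2 or 4 octets, or absent
        tag = (data[0] >> 2) & 0x0F
        off = 1 + (0 if (data[0] & 3) == 3 else 1 << (data[0] & 3))
    info = {"tag": tag}
    if tag == 1 and len(data) >= off + 10:   # version, 8-octet key ID, algorithm ID
        algo = PUBKEY_ALGOS.get(data[off + 9], f"unknown({data[off + 9]})")
        info.update(version=data[off], key_id=data[off + 1:off + 9].hex().upper(), pubkey_algo=algo)
    return info

def sample_message(version_header: bool) -> str:
    """Constructed input: armor around a truncated old-format PKESK packet (RSA, made-up key ID)."""
    packet = bytes([0x84, 14, 3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1]) + bytes(4)
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    header = "Version: GnuPG v1\n" if version_header else ""
    return f"-----BEGIN PGP MESSAGE-----\n{header}\n{b64}\n={crc}\n-----END PGP MESSAGE-----\n"
```

The reported algorithm can be compared with the "Supported algorithms" section that `gpg --version` prints for the GnuPG build in use.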

Palloy
Re: GPG4USB and GPA
« Reply #1 on: February 27, 2016, 06:59:38 PM »
Quote
GPG4USB doesn't say what it was built with, but probably version 1.

To be fair, if you dig around on the GPG4USB website, http://gpg4usb.org/development.html has a link to https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html which lists all the libraries used.  It is indeed version 1, specifically:
gnupg-1.4.20
libgpg-error-1.21
libgcrypt-1.6.5
libksba-1.3.3
libassuan-2.4.2
pinentry-0.9.7
gpgme-1.6.0

I have lodged a bug query with GPG4USB. 
The app should NEVER crash, but should report something like "Hashing method MD5 is no longer supported" to give some idea of what went wrong.