I was wondering why the gpg pass-phrase (German trans.: Mantra) is now limited to 22 chars (tested with GTK; for ncurses this may vary slightly) and if there is a workaround available?
As I understand it, pinentry (a helper that passes the password to the gpg-agent) is now mandatory and can no longer be replaced. But if I try to use gpg, I get the error message:
passphrase too long / (Ger: Das Mantra (Passphrase) ist zu lang!)
http://virtualhorde.com/MEDIA/mantraTooLong.jpg
According to the gpg manual, this limitation should not exist (and is also insecure):
"There is no limit on the length of a passphrase, and it should be carefully chosen. From the perspective of security, the passphrase to unlock the private key is one of the weakest points in GnuPG (and other public-key encryption systems as well) since it is the only protection you have if another individual gets your private key. Ideally, the passphrase should not use words from a dictionary and should mix the case of alphabetic characters as well as use non-alphabetic characters. A good passphrase is crucial to the secure use of GnuPG."
The responsible source code (call-pinentry.c) is also not inspiring confidence (no mlock or zeroing):
static gpg_error_t
getpin_cb (void *opaque, const void *buffer, size_t length)
{
  struct entry_parm_s *parm = opaque;

  if (!buffer)
    return 0;

  /* we expect the pin to fit on one line */
  if (parm->lines || length >= parm->size)
    return gpg_error (GPG_ERR_ASS_TOO_MUCH_DATA);

  /* fixme: we should make sure that the assuan buffer is allocated in
     secure memory or read the response byte by byte */
  memcpy (parm->buffer, buffer, length);
  parm->buffer[length] = 0;
  parm->lines++;
  return 0;
}
Without further investigation, I would assume that the (short/insecure) pass-phrase is copied into memory without any precautions.
(Edit: fixed typos )
-- mod edit: read the Forum Etiquette and only post thumbnails http://wiki.archlinux.org/index.php/For … s_and_Code [jwr] --
Last edited by yousry (2014-12-25 13:13:04)
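An added example, not GnuPG's code and not from the poster, that reproduces the shape of the bounds check quoted above in a self-contained stand-in (`pin_parm`, `ERR_TOO_MUCH_DATA`, `pin_fits` and `wipe` are assumed names). It shows why a buffer of N bytes accepts at most N-1 passphrase bytes, and adds the zeroing step the post finds missing.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for GnuPG's entry_parm_s (not GnuPG's own code). */
typedef struct {
    int    lines;   /* lines already received from pinentry */
    size_t size;    /* capacity of buffer, NUL terminator included */
    char  *buffer;  /* destination for the passphrase */
} pin_parm;

#define ERR_TOO_MUCH_DATA 1   /* stands in for GPG_ERR_ASS_TOO_MUCH_DATA */

/* Same shape as the quoted callback: a second line, or a chunk that leaves no
 * room for the NUL, is rejected. Because the test is `length >= size`, a
 * buffer of N bytes holds at most N-1 passphrase bytes (size 100 -> 99). */
static int getpin_cb(void *opaque, const void *data, size_t length)
{
    pin_parm *parm = opaque;
    if (!data)
        return 0;
    if (parm->lines || length >= parm->size)
        return ERR_TOO_MUCH_DATA;
    memcpy(parm->buffer, data, length);
    parm->buffer[length] = 0;
    parm->lines++;
    return 0;
}

/* Zero a buffer after use; the volatile pointer keeps the compiler from
 * optimising the stores away (the wiping the post notes is absent). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Feed one passphrase into a fresh buffer of `capacity` bytes (<= 256).
 * Returns 1 if it was accepted and stored intact, 0 if rejected. */
int pin_fits(const char *pw, size_t capacity)
{
    char buf[256];
    pin_parm parm = { 0, capacity, buf };
    int ok;
    if (capacity > sizeof buf)
        return 0;
    ok = getpin_cb(&parm, pw, strlen(pw)) == 0 && strcmp(buf, pw) == 0;
    wipe(buf, sizeof buf);
    return ok;
}
```

With a 100-byte buffer the 100-character test passphrase from the later post is rejected while a 99-character one is accepted, matching the limit reported in the thread.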
When do you see this warning? My passwords are 23+ characters and I have not encountered such a warning...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
When do you see this warning? My passwords are 23+ characters and I have not encountered such a warning...
I was in a hurry yesterday, so I most likely miscounted the number of asterisks in the password dialog. I think the maximum passphrase length is 99 characters.
To clarify my problem, I would like to explain it with the following example:
Imagine you have created a keyring with application keys, shop keys and server certs several years ago and encrypted it with the following passphrase:
"My pet T-Rex sucked at my bones during the 8 o'clock 0pera performance of my cat which was also a great success."
(A more or less memorable sentence because it is visualizable/unusual)
If you have recently updated gnupg to version 2.1.1 and now try to sign a new version of one of your applications, you will get an error message during keyring unlocking, stating that your passphrase or (Ger.) Mantra is too long.
Is there an alternative to compiling and installing a previous version of GnuPG?
The problem can be reproduced with the following snippet:
# Backup your keyring
$ mv .gnupg gnupg_bak
# create a new (pub/private) key.
$ gpg --full-gen-key
# I'm choosing the default encryption
gpg: directory '/home/yousry/.gnupg' created
gpg: new configuration file '/home/yousry/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/yousry/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/yousry/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
# On modern CPUs you can use the maximum key size
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
# The key should expire after one year
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Dec 26 07:51:28 2015 CET
Is this correct? (y/N) y
# Now you are asked for your personal data
GnuPG needs to construct a user ID to identify your key.
Real name: Max Muster
Email address: MaxMuster@example.com
Comment: Not a real email adress.
# If your input was OK you can create the key:
You selected this USER-ID:
"Max Muster (Not a real email adress.) <MaxMuster@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
# A password dialog appears
# Let's say we use the following passphrase (generated for easy counting purposes):
aaaaaaaaaa1111111111----------bbbbbbbbbb2222222222----------cccccccccc3333333333----------dddddddddd
You will get the error message: "Pass Phrase too long."
I ended up installing and using gpg1. It is nevertheless remarkable that the internal data structures of gnupg2 allow a pass-phrase length of 1002 characters (1000 + CR + LF). I also haven't found a sensible explanation for the gpg-agent/pinentry limitation of 99 characters (see the example in the previous post). I just found a snippy answer that one cannot remember pass-phrases of that length. A counter-example was also given in the previous post.
If you nonetheless want to use gpg2 and also have a "long pass-phrase", here is the workflow to switch to gpg version > 2.1.1:
- Install GPG 1.4
To avoid name clashes, use ./configure with --prefix=dirname and rename the binary from gpg to gpg1
- Change your pass-phrase
gpg1 --edit-key keyID
>passwd
...
>save
Interestingly, my keyring was still unusable with gpg2 at this point. It was also necessary to export (--export-secret-keys) all keys from gpg1 and re-import them into a new keyring.
The question whether pass-phrases with length < 99 characters could be hacked with low-discrepancy sequences and other heuristics in reasonable time (weeks/months) can be discussed elsewhere.