From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/55744 Path: main.gmane.org!not-for-mail From: Simon Josefsson Newsgroups: gmane.emacs.gnus.general Subject: Re: netrc.el now supports encoded files Date: Tue, 06 Jan 2004 21:24:28 +0100 Sender: ding-owner@lists.math.uh.edu Message-ID: References: <4n3caut1yy.fsf@collins.bwh.harvard.edu> <2268.217.208.174.213.1073395735.squirrel@217.208.174.213> <4n8ykkzw59.fsf@collins.bwh.harvard.edu> NNTP-Posting-Host: deer.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: sea.gmane.org 1073420729 6282 80.91.224.253 (6 Jan 2004 20:25:29 GMT) X-Complaints-To: usenet@sea.gmane.org NNTP-Posting-Date: Tue, 6 Jan 2004 20:25:29 +0000 (UTC) Original-X-From: ding-owner+M4284@lists.math.uh.edu Tue Jan 06 21:25:23 2004 Return-path: Original-Received: from malifon.math.uh.edu ([129.7.128.13]) by deer.gmane.org with esmtp (Exim 3.35 #1 (Debian)) id 1AdxlT-0001c5-00 for ; Tue, 06 Jan 2004 21:25:23 +0100 Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu) by malifon.math.uh.edu with smtp (Exim 3.20 #1) id 1Adxkk-0000e8-00; Tue, 06 Jan 2004 14:24:38 -0600 Original-Received: from justine.libertine.org ([66.139.78.221] ident=postfix) by malifon.math.uh.edu with esmtp (Exim 3.20 #1) id 1Adxkg-0000e3-00 for ding@lists.math.uh.edu; Tue, 06 Jan 2004 14:24:34 -0600 Original-Received: from yxa.extundo.com (178.230.13.217.in-addr.dgcsystems.net [217.13.230.178]) by justine.libertine.org (Postfix) with ESMTP id D6BDF3A0026 for ; Tue, 6 Jan 2004 14:24:31 -0600 (CST) Original-Received: from latte.josefsson.org (yxa.extundo.com [217.13.230.178]) (authenticated bits=0) by yxa.extundo.com (8.12.10/8.12.10) with ESMTP id i06KOUAU025722 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Tue, 6 Jan 2004 21:24:30 +0100 Original-To: "Ding Mailing List" X-Hashcash: 0:040106:ding@gnus.org:99a1a309fe49815d In-Reply-To: <4n8ykkzw59.fsf@collins.bwh.harvard.edu> (Ted Zlatanov's message of "Tue, 06 Jan 2004 14:58:58 -0500") User-Agent: Gnus/5.110002 (No Gnus v0.2) Emacs/21.3.50 (gnu/linux) Precedence: bulk Xref: main.gmane.org gmane.emacs.gnus.general:55744 X-Report-Spam: http://spam.gmane.org/gmane.emacs.gnus.general:55744 Ted Zlatanov writes: > On Tue, 6 Jan 2004, jas@extundo.com wrote: > >> IMHO, use GnuPG instead of OpenSSL. I'm trying to remove the last >> OpenSSL dependencies from Gnus (ssl.el and sha1-el.el are done, I'm >> working on starttls.el, smime.el is the next step). Perhaps >> supporting OpenSSL as well is OK, but I think the defaults should be >> to use GNU tools where available. > > Sure. I don't use GnuPG, so if someone who does could give me the > command lines I'll be glad to add the Lisp code to netrc.el. > Actually I may move it all to gnus-encrypt.el or something like that. Or a crypt+++.el. It is a generally useful feature, so perhaps it is worth the effort to separate it from Gnus. >> I wrote an elisp AES implementation some time ago >> () but I'm not sure using it is a good >> idea, password based file encryption is more complicated than the >> block cipher primitive. > > That looks useful in theory, but it's very slow. I was hoping for a > faster cipher. Should I just turn down rijndael-monte-carlo-limit > and rijndael-monte-carlo-loop or would that make the cipher > significantly less secure? I don't know AES so I can't judge that. The monte carlo stuff is only for the self-tests. The self tests are very slow, but encrypting a few kilobytes of a .netrc should not be a problem speed-wise. > The interface is pretty complicated (the string and key lengths are > limited). Can we have a simple encrypt/decrypt function? The AES specification limit the key lengths and block lengths, if you need arbitrary data lengths or password-to-key derivation, you must invent your own -- or preferably, use something prepackaged, like CMS or OpenPGP. I'm not sure the current netrc.el approach should be advertised as secure, there is more to file encryption than using some block cipher in CBC mode, and deriving the key and iv from a password. It is more like obfuscation. OTOH, obfuscation is what people seem to want. If the reason people want obfuscation is that real security is too costly to set up, using GnuPG for .netrc is probably a good idea -- it is as easy to use as the current nerc.el appear to be, and at least it aspires to be secure.