Anonymous Servers - JBN2: How to auto-decrypt attachments?

Author

JBN2: How to auto-decrypt attachments?

Anonymous

2005-01-09, 5:45 pm

JBN2 performs automatic message decryption but not for attachments.
Does anyone know of a way to autodecrypt attachments in JBN2?

Sometimes I get many attachments in one single message,
it is a real pain to enter the passphrase for each one in JBN2.

I realize that the attachments can be saved and
then decrypted in the file manager with pgp
after selecting them as a group. However, most passphrases
that are really strong, because of good random composition,
are quite difficult to remember. This means that a file must be
opened to get the impossible to remember passphrase and then
type it into pgp. (PGP does not allow pasting of passphrases)

Pgp does not allow any automated way -that I know of-
to take a passphrase from a file and pass it to pgp.
JBN2 does do this with messages but strangely not with attachments.

One of the great features of JBN2 is that very strong
-and hence almost impossible to remember- passphrases
can be stored in JBN2, its files can be stored and protected
in a ScramDisk container file.

This is super for using really strong passphrases to protect
pgp messages and attachments but a big pain when it comes
to decrypting attachments.

Maybe Panta-rhei, who has done an excellent job on modifying
JBN2 might put this on the list of future mods?

In the interim, if there is a way to solve this problem with a
utility or otherwise I would appreciate the knowledge of it.
There must be others who suffer from this problem as well.

Thanks in advance to all who make relevant replies. (:> )

-=-
This message was sent via two or more anonymous remailing services.

Thomas J. Boschloo

2005-01-09, 5:45 pm

-----BEGIN PGP SIGNED MESSAGE-----

Anonymous wrote:

| I realize that the attachments can be saved and
| then decrypted in the file manager with pgp
| after selecting them as a group. However, most passphrases
| that are really strong, because of good random composition,
| are quite difficult to remember. This means that a file must be
| opened to get the impossible to remember passphrase and then
| type it into pgp. (PGP does not allow pasting of passphrases)

PGP 2.6.2/2.6.3i:
Environmental Variable for Pass Phrase
- --------------------------------------

Normally, PGP prompts the user to type a pass phrase whenever PGP
needs a pass phrase to unlock a secret key. But it is possible to
store the pass phrase in an environmental variable from your
operating system's command shell. The environmental variable PGPPASS
can be used to hold the pass phrase that PGP will attempt to use
first. If the pass phrase stored in PGPPASS is incorrect, PGP
recovers by prompting the user for the correct pass phrase.

For example, on MSDOS, the shell command:

~ SET PGPPASS=zaphod beeblebrox for president

would eliminate the prompt for the pass phrase if the pass phrase
were indeed "zaphod beeblebrox for president".

This dangerous feature makes your life more convenient if you have to
regularly deal with a large number of incoming messages addressed to
your secret key, by eliminating the need for you to repeatedly type
in your pass phrase every time you run PGP.

I added this feature because of popular demand. However, this is a
somewhat dangerous feature, because it keeps your precious pass
phrase stored somewhere other than just in your brain. Even worse,
if you are particularly reckless, it may even be stored on a disk on
the same computer as your secret key. It would be particularly
dangerous and stupid if you were to install this command in a batch
or script file, such as the MSDOS AUTOEXEC.BAT file. Someone could
come along on your lunch hour and steal both your secret key ring and
the file containing your pass phrase.

I can't emphasize the importance of this risk enough. If you are
contemplating using this feature, be sure to read the sections
"Exposure on Multi-user Systems" and "How to Protect Secret Keys from
Disclosure" in this volume and in the Essential Topics volume of the
PGP User's Guide.

If you must use this feature, the safest way to do it would be to
just manually type in the shell command to set PGPPASS every time you
boot your machine to start using PGP, and then erase it or turn off
your machine when you are done. And you should definitely never do
it in an environment where someone else may have access to your
machine. Someone could come along and simply ask your computer to
display the contents of PGPPASS.

Sometimes you want to pass the pass phrase into PGP from another
application, such as an E-mail package. In some cases, it may not
always be desirable to use the PGPPASS variable for that purpose.
There is another way to pass your pass phrase into PGP from another
application. Use the "-z" command line option. This option is
designed primarily for invoking PGP from inside an E-mail package.
The pass phrase follows the -z option on the command line. There are
risks associated with using this approach, similar to those risks
described above for using the PGPPASS variable.

GnuPG 1.4.0a:
- --passphrase-fd n
Read the passphrase from file descriptor n. If you use 0 for
n, the passphrase will be read from stdin. This can
only be used if only one passphrase is supplied. Don't use
this option if you can avoid it.

So you can use these tools to decrypt using all your passphrases using a
batchfile. You might also want to specify +batchmode and +force in pgp
2.x or --batch and --yes in GnuPG 1.4.0a.

HTH,
Thomas
- --
The Thraddash: "So, what's this? SNORT! An unknown alien species?"
"How wonderful! Someone new to fight!"
Full Game Win/Mac/Linux: <http://sc2.sourceforge.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQB5AwUBQeGOCwEP2l8iXKAJAQHxlgMgotD1moFp
zHfZes6nTZvomp3z2qdoYzLX
NpWFBvFX/ KV7pEkpwmkJHWdCxKHCKxB9acw0OVovxZrctwg2f
xkcTgswRKVkeaoC
O9SY1nFMwLZjtTb+lBEMw+eBhUhQJ6vb9v8ydA==

=VBFh
-----END PGP SIGNATURE-----