getting rid of blowfishes (was Re: Windoze PGP Compatability)
Tue, 25 Apr 2000 13:15:36 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 25 Apr 2000, Andreas Schamanek wrote:
> How can I move from the default BLOWFISH to some other cipher? Since my
> key is encrypted with BLOWFISH I can't just disable it, can I?
> I thought the trick is to remove the password, export the keys and
> import them again with BLOWFISH disabled. But when I try to reprotect my
> secret key GnuPG says
> gpg: protect_secret_key failed: unknown cipher algorithm
> Probably, I misunderstood some basics. Any clarification appreciated.
I *think*, that if you delete your self sigs, set --s2k-cipher-algo to be
a differenyt cipher, --disable-cipher-algo BLOWFISH, re-self-sign the
keys, export with no password, import, assign a password, you should be
While you are at it, --disable-pubkey-algo ELG-S is another good
> Last question: If we should avoid BLOWFISH what cipher should we use?
> I know that this question cannot be dealt with in detail here. But maybe
> somebody can write a short note about her or his preferences (without
> being flamed by others ;) from an average user's point of view.
3DES is slow, but it is the most extensively reviewed, and it required to
be in all OpenPGP products. IDEA and CAST5 are pretty well respected, are
"SHOULDs" in the OpenPGP spec, and are faster than 3DES. IDEA has patent
issues, and not all GnuPG users will have it enabled. So I would nix
that. CAST5 is a good choice; fairly fast, fairly well respected (more so
than Blowfish, not as trusted as 3DES).
Twofish is the fastest of all of these, and also the newest. PGP 6.x and
before does not support it.
All versions of PGP greater than 1 support IDEA.
PGP 5.x and up, as well as GnuPG, support CAST5 and 3DES.
Take your pick...
> The alternatives so far are: 3DES, CAST5 and TWOFISH.
> -- Andreas
System Administrator |
Technology Consultant | [This space for rent]
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi |
-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----