please change the default hashing algorithm

Ben McGinnes ben at adversary.org
Tue Jul 14 23:49:25 CEST 2015


On 15/07/2015 6:20 am, Robert J. Hansen wrote:
>>> Speaking of, what *are* the current default preference lists, as
>>> of GnuPG 2.1.6?  It's been quite some time since I've looked at
>>> them, and I suspect they may have changed.
>>
>> Good question ...
>>
>> I checked, they're still pretty lame with the default RSA key type:
> 
> No, I meant the personal-digest-preferences,
> personal-cipher-preferences, etc.

Yeah, but that's what gets generated when you override the homedir to
an empty directory that doesn't have a gpg.conf file at all.  Hence
that is the default.

My regular gpg.conf file has this:

default-preference-list TWOFISH CAMELLIA256 AES256 CAMELLIA192 AES192 CAMELLIA128 AES BLOWFISH IDEA 3DES CAST5 SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences TWOFISH CAMELLIA256 AES256 CAMELLIA192 AES192 CAMELLIA128 AES BLOWFISH IDEA 3DES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed

> With respect to the key preference defaults, I don't know about you
> but it looks pretty solid to me.  AES is still the best thing going,
> and 256-bit hash algorithms are recommended for use with 3072-bit
> keys.

Really?  I distinctly recall you recommending TWOFISH to me on
gnupg-users some time ago (following which I did a good deal of
reading on the AES selection process before moving TWOFISH ahead of
Rijndael).  Though after reading all that I'd've probably used Serpent
if it had been included with GPG, but it isn't and we don't need to go
through that debate again.  Although it is included with gpgsm, but
anyway.

What else?  Oh yeah, ignore the Camellia bits (as most of you do
anyway), that's more because over here in the antipodes and APAC,
there's a greater likelihood of running across correspondents who do
use it and putting it ahead of AES makes it easier to get that
selection through.


Regards,
Ben
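
An added example, not part of the original message and not GnuPG code: it splits the mixed default-preference-list from gpg.conf text into cipher, digest and compression names, then reports a digest of 160 bits or less that is listed without, or ahead of, SHA-2, and any disagreement with personal-digest-preferences. The function names, the WEAK policy set and the sample text (constructed from the options quoted in the message) are assumptions of this example, and only algorithm names are recognised.

```python
CIPHERS = {"IDEA", "3DES", "CAST5", "BLOWFISH", "AES", "AES192", "AES256",
           "TWOFISH", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256"}
DIGESTS = {"MD5", "SHA1", "RIPEMD160", "SHA224", "SHA256", "SHA384", "SHA512"}
COMPRESS = {"UNCOMPRESSED", "ZIP", "ZLIB", "BZIP2"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}  # assumption: this example's own policy
OPTIONS = ("default-preference-list", "personal-cipher-preferences",
           "personal-digest-preferences", "personal-compress-preferences")

# Constructed sample: options quoted in the message, one option per line.
SAMPLE_CONF = """\
default-preference-list TWOFISH CAMELLIA256 AES256 CAMELLIA192 AES192 \
CAMELLIA128 AES BLOWFISH IDEA 3DES CAST5 SHA512 SHA384 SHA256 SHA224 \
RIPEMD160 SHA1 ZLIB BZIP2 ZIP Uncompressed
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1
"""

def parse_prefs(conf_text):
    """Return {option: [ALGO, ...]} for the preference options present."""
    prefs = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] in OPTIONS:  # '#' comment lines never match
            prefs[parts[0]] = [p.upper() for p in parts[1:]]
    return prefs

def split_by_class(algos):
    """Split the mixed default-preference-list by algorithm class."""
    out = {"cipher": [], "digest": [], "compress": [], "unknown": []}
    for a in algos:
        kind = ("cipher" if a in CIPHERS else "digest" if a in DIGESTS
                else "compress" if a in COMPRESS else "unknown")
        out[kind].append(a)
    return out

def audit(conf_text):
    """Return findings on digest ordering and on disagreement between lists."""
    prefs = parse_prefs(conf_text)
    classes = split_by_class(prefs.get("default-preference-list", []))
    findings = ["unknown name: " + a for a in classes["unknown"]]
    personal = prefs.get("personal-digest-preferences", [])
    for name, digests in (("default-preference-list", classes["digest"]),
                          ("personal-digest-preferences", personal)):
        weak = [i for i, d in enumerate(digests) if d in WEAK]
        strong = [i for i, d in enumerate(digests) if d in DIGESTS - WEAK]
        if weak and (not strong or min(weak) < max(strong)):
            findings.append(f"{name}: {digests[min(weak)]} is listed without, or ahead of, SHA-2")
    if personal and classes["digest"] and personal != classes["digest"]:
        findings.append("digest order differs between the two lists")
    return findings
```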

