getting rid of blowfishes (was Re: Windoze PGP Compatability)

L. Sassaman
Tue, 25 Apr 2000 13:15:36 -0700 (PDT)

On Tue, 25 Apr 2000, Andreas Schamanek wrote:

> How can I move from the default BLOWFISH to some other cipher? Since my
> key is encrypted with BLOWFISH I can't just disable it, can I?
> I thought the trick is to remove the password, export the keys and
> import them again with BLOWFISH disabled. But when I try to reprotect my
> secret key GnuPG says
> gpg: protect_secret_key failed: unknown cipher algorithm
> Probably, I misunderstood some basics. Any clarification appreciated.

I *think* that if you delete your self sigs, set --s2k-cipher-algo to be a different cipher, --disable-cipher-algo BLOWFISH, re-self-sign the keys, export with no password, import, assign a password, you should be fine. While you are at it, --disable-pubkey-algo ELG-S is another good precaution.

> Last question: If we should avoid BLOWFISH what cipher should we use?
> I know that this question cannot be dealt with in detail here. But maybe
> somebody can write a short note about her or his preferences (without
> being flamed by others ;) from an average user's point of view.

3DES is slow, but it is the most extensively reviewed, and it is required to be in all OpenPGP products. IDEA and CAST5 are pretty well respected, are "SHOULDs" in the OpenPGP spec, and are faster than 3DES. IDEA has patent issues, and not all GnuPG users will have it enabled. So I would nix that. CAST5 is a good choice; fairly fast, fairly well respected (more so than Blowfish, not as trusted as 3DES). Twofish is the fastest of all of these, and also the newest. PGP 6.x and before does not support it. All versions of PGP greater than 1 support IDEA. PGP 5.x and up, as well as GnuPG, support CAST5 and 3DES. Take your pick...

> The alternatives so far are: 3DES, CAST5 and TWOFISH.
> Regards,
> -- Andreas

__ L. Sassaman System Administrator | Technology Consultant | [This space for rent] icq.. 10735603 | pgp.. finger:// |