Making it simple

David Shaw dshaw@jabberwocky.com
Sat May 11 00:07:01 2002


On Fri, May 10, 2002 at 02:35:58PM -0700, Steve Butler wrote:
> Finally looked at the preferences on all the public keys from the folks with
> whom we exchange data.  Most of them did not have any preference for HASH
> and COMPRESS methods.  What will gpg use?

No preference for hash means "SHA1".  No preference for compress means
"ZIP, Uncompressed".

Hash doesn't matter much, since nobody uses the hash preference yet.

> And, those two folks having RSA keys have no preferences whatsoever!  What
> is the default for this case?

It depends if they have v3 (PGP2-style) or v4 self-sigs.  If the
self-sig is v4, they have the same default preferences as any v4 key:
3DES for cipher, SHA1 for hash, and ZIP+Uncompressed for compression.
If they have a v3 self-sig, they have no preferences at all, but
generally this is interpreted as IDEA for cipher, MD5 for hash and ZIP
for compression.

At least this is GnuPG's behavior.  PGP seems to ignore the compress
preference completely and uses ZIP for everything.

> I've set our preferences to be:
>      Cipher: CAST5, AES, AES192, AES256, 3DES
>      Hash: SHA1, RIPEMD160, MD5
>      Compression: ZLIB, ZIP
> 
> PGP 7.0.1 on a Unix box had problems when our preference list was empty.  As
> an interim measure I had set our preferences at CAST5, 3DES, SHA1,
> RIPEMD160, ZIP, ZLIB until earlier today when it was expanded since one
> client was sending to us using AES (even though it wasn't in our list).

This client is violating the standard.  Ah well.  It doesn't actually
hurt you since you can decrypt AES (though GnuPG will warn you that
someone is using a cipher that isn't in your preferences).

> Is there a utility that I can use to quickly cycle down through all the
> encrypted files we have received and report back the Cipher, Hash, and
> Compression actually used?

You might be able to script something with gpg --list-packets, but the
problem is that the data you need is usually inside the encrypted
block.  You have to decrypt the message to see them.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
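
Added example, not part of the original message: one way to script the report asked about above and flag senders who use an algorithm outside your preference list. It assumes the listing comes from a current GnuPG run as `gpg --status-fd 1 --list-packets FILE` with the secret key available; the sample listing and key IDs are constructed, and the function names are hypothetical.

```python
import re

# OpenPGP algorithm numbers (RFC 4880, section 9) mapped to GnuPG's names.
CIPHER = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
          7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
COMPRESS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}

# Constructed sample of a decrypted listing (assumed output shape; check it
# against your gpg version). DECRYPTION_INFO carries "<mdc_method> <sym_algo>".
SAMPLE = """\
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
\tdata: [2048 bits]
[GNUPG:] DECRYPTION_INFO 2 7
:encrypted data packet:
\tlength: unknown
:compressed packet: algo=1
:onepass_sig packet: keyid FEDCBA9876543210
\tversion 3, sigclass 0x00, digest algo 2, pubkey algo 17, last=1
:literal data packet:
\tmode b (62), created 1021075621, name="data.txt",
"""

# The two preference lists quoted in the message above.
INTERIM_PREFS = {"cipher": ["CAST5", "3DES"], "hash": ["SHA1", "RIPEMD160"],
                 "compress": ["ZIP", "ZLIB"]}
EXPANDED_PREFS = {"cipher": ["CAST5", "AES", "AES192", "AES256", "3DES"],
                  "hash": ["SHA1", "RIPEMD160", "MD5"], "compress": ["ZLIB", "ZIP"]}
# Assumption taken from RFC 4880: 3DES and uncompressed data are always acceptable.
ALWAYS_OK = {"3DES", "Uncompressed"}

def algorithms_used(listing):
    """Return the cipher, hash and compression names found in one listing."""
    def first(pattern, table, default=None):
        m = re.search(pattern, listing, re.M)
        if not m:
            return default  # e.g. not decrypted, or message not signed
        return table.get(int(m.group(1)), "unknown(%s)" % m.group(1))
    return {
        "cipher": first(r"^\[GNUPG:\] DECRYPTION_INFO \d+ (\d+)", CIPHER),
        "hash": first(r"digest algo (\d+)", HASH),
        "compress": first(r"^:compressed packet: algo=(\d+)", COMPRESS, "Uncompressed"),
    }

def outside_preferences(used, prefs):
    """Return the categories where the sender ignored the preference list."""
    return sorted(kind for kind, name in used.items()
                  if name and name not in ALWAYS_OK and name not in prefs[kind])
```

A cipher of `None` in the result means the message could not be decrypted, which is the limitation described above: the inner packets are only visible with the secret key.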