dshaw at jabberwocky.com
Tue Feb 10 12:28:39 CET 2004
On Tue, Feb 10, 2004 at 12:00:01PM -0500, Adam Pavelec wrote:
> Personally, I didn't do or see anything. My organization has a key
> that was created with GPG version 1.2.3 using the default options.
> The party who is attempting to encrypt data to this key "has
> determined that the version of PGP that is being used (PGP 7.0.1)
> contains a bug that prevents it from generating a ciphertext file as
> output when the AES256, AES192, and AES128 symmetric algorithms are
> defined as the preferred symmetric Algorithms in an imported PGP
> key. The exact nature of the bug is unknown at this time."
> Their report goes on to state that they "have demonstrated that the
> bug affects keys generated with PGP v8.0.2 and all GnuPG versions
> due to the default options... Specifically, these products
> apparently default to generating keys that specify the AES symmetric
> algorithms as the first three preferred algorithms."
Interesting. I've heard what I thought was every possible variation
on the "this product won't handle files from that product because of
suchandsuch preference" problem, and it's always turned out to be a
misunderstanding of the problem. This might just be the first time
That they cannot use GnuPG *or* PGP 8 generated keys is interesting.
PGP 7.0.1 does support AES (it was the first version to do so). I
wonder if there is something else going on (are they using PGP 7.0.1
straight or via the SDK, etc).
> Again, I am uncertain to the validity of this claim, but I have
> since created a new key that I have set (and updated) the
> preferences to exclude any AES algorithms. If you are
> interested, I will let you know if this new key is interoperable
> with their current PGP install.
Please do. I'd be very interested to see what happens.
More information about the Gnupg-users