Question about Algorithm Validations

Werner Koch wk at
Tue Sep 22 11:09:36 CEST 2009

On Mon, 21 Sep 2009 22:36, tschaible at said:

> 1. I'm working under the assumption that libgcrypt is a library that
> encapsulates the cryptographic algorithms and that libgcrypt is used
> only by gpg 2.x or greater.  gpg 1.4.x does not use libgcrypt and
> updates to libgcrypt are not necessarily being patched back into the
> gpg 1.4 codebase.  Is this correct?

Right.  However we have added support for newer algorithms also to gpg
1.4 (e.g. Camellia).

> 2. I've read some forum posts that state that libgcrypt is tested
> against the NIST CAVS test suite and that 1.4.4 has passed and all
> tests and is validated by NIST?  Is this correct?  If so, does anyone
> know which algorithms/validation #'s libgcrypt was validated under?  I
> can't seem to find them in the NIST database.

It is still under evaluation; on the NIST site you find a list of such
modules.  However before a final evaluation is done the testlabs do
internal testings and it happens that I know that Libgcrypt passed them.

> 3. Assuming gpg 1.4.x doesn't use libgcrypt directly, what are the
> procedures for validating its algorithms (NIST or otherwise)?

If you want to do that a lot of work is waiting for you and you have to
spend quite some money on that.

BTW, it seems that a evaluation of GnuPG-2 is going on in Japan.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list