Verifying Encryption Algorithms

zerious M8R-6mgbf6 at sogetthis.com
Tue Sep 20 05:15:09 CEST 2011 

Hi. I am relatively new to gpg and i have a few questions about it. I'm using
1.4.11 on Ubuntu and 2.0.17 on windows(gpg4win).

My main question is: how can i get a warm fuzzy that a file has
[i]really[/i] been encrypted 
using the cipher and digest that i specify and not something else? I was
thinking there might be some kind of -vv decrypt mode that would show in
detail what it's using to decrypt a file or some file metadata or something.

So far, based on some reading and experimentation, ive found that i can use
--list-packets to get some of this information. For symmetric files, it will
show the cipher-algo, the s2k mode, the s2k-digest-algo, the s2k-count, and
compression-algo. This is very helpful, but it doesn't confirm the
digest-algo that is being used. This is important to me because I want to
make sure it isn't somehow using SHA1 or MD5 behind my back.

With asymmetric, i get even less information: just the type of key used(RSA
2048) and maybe the compression algorithm. 

As you probably know, gpg does 2 layers of encryption: it symmetrically
encrypts your data, then asymmetrically encrypts the symmetric keys(the
session keys).

Right now, --list-packets shows me that the session keys are encrypted using
the correct asymmetric algorithm, but I want to see that the symmetric
portion of the output used the correct cipher-algo, digest-algo,
s2k-digest-algo, s2k-mode, s2k-count. I'm not sure that the s2k stuff is
applicable because the session keys are randomly generated on the spot, is
that right?

I think i've found a good way to verify the cipher-algo using
--show-session-key. the first digit of the output indicates the symmetric
algorithm being used:
	10:123456789ABCDEFFFFFFFFFFFFFFFFFFFFFF
	would indicate that it's a TWOFISH key. Also, the length of the key is a
good hint.

Basically, I just want some way to look at my encrypted data and see that it
actually uses the algorithms that I specified before I send it out somewhere
that it could be intercepted and compromised. I have a few methods for
checking, but they a few leave key pieces of information out. If anybody has
a good method for verification or even knows of some 3rd party tool that can
analyze encrypted data, I would really appreciate your input.
-- 
View this message in context: http://old.nabble.com/Verifying-Encryption-Algorithms-tp32500003p32500003.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

More information about the Gnupg-users mailing list