choice of encryption algorithms

David Shaw dshaw at jabberwocky.com
Wed Jun 20 20:30:20 CEST 2012


On Jun 20, 2012, at 1:18 PM, Robert J. Hansen wrote:

> On 6/20/12 1:10 PM, John wrote:
>> When someone uses my public key to encrypt a message to me, what
>> prevents them from trying to use an encryption algorithm of his choice.
> 
> Nothing.  They can use --cipher-algo to force whatever symmetric algorithm they wish.  This may wind up with a message that you're unable to read -- for instance, if your recipient forces AES256 and you're using PGP 7.0, you'll be unable to read it.  (This is why most of us advise against using --cipher-algo.)
> 
> The certificate does list what algorithms you're capable of reading, and most well-behaved OpenPGP applications will interpret that as ranked preferences ("I most prefer this, then that, then the other").  However, this is purely advisory and the sender can easily ignore it.

Note that just the ranking of preferences is advisory.  The use of algorithms that are on the list, however, is required by the spec:

   An implementation MUST NOT use a symmetric algorithm that is not in
   the recipient's preference list.

and later

   If an implementation can decrypt a message that a keyholder doesn't
   have in their preferences, the implementation SHOULD decrypt the
   message anyway, but MUST warn the keyholder that the protocol has
   been violated.

So if you ever get a warning message like:

  gpg: WARNING: cipher algorithm AES256 not found in recipient preferences

That means the sender violated the spec (perhaps most likely by having an old copy of your key with a pref that you removed at some point, but you never know).

David
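The two rules David quotes (the sender MUST NOT pick a symmetric algorithm outside the recipient's preference list; the receiver SHOULD still decrypt but MUST warn) map onto a small piece of selection logic. The following is an added example, not GnuPG's own code or anything from the thread: it models a recipient's symmetric-algorithm preferences from the key (RFC 4880 section 9.2 IDs, with 3DES implicitly appended per section 13.2), chooses a cipher for one or more recipients, treats a `forced` argument the way `--cipher-algo` would behave if it respected the MUST NOT, and on the decrypting side reproduces the warning condition. The preference lists and supported-algorithm sets in the demo are constructed for illustration.

```python
"""Added example: OpenPGP symmetric cipher selection against recipient
preferences (RFC 4880 sections 9.2 and 13.2). Not GnuPG code."""
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# RFC 4880 section 9.2 symmetric algorithm IDs; 11-13 are Camellia (RFC 5581).
# Names follow gpg's spelling so the warning text matches what gpg prints.
SYMMETRIC_ALGOS: Dict[int, str] = {
    1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
    7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH",
    11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256",
}
TRIPLE_DES = 2  # RFC 4880 13.2: implicitly the last entry of every preference list


def effective_prefs(prefs: Iterable[int]) -> List[int]:
    """Normalise a key's preference subpacket: keep order, drop duplicates and
    unknown IDs, and append 3DES if the keyholder did not list it."""
    ordered: List[int] = []
    for algo in prefs:
        if algo in SYMMETRIC_ALGOS and algo not in ordered:
            ordered.append(algo)
    if TRIPLE_DES not in ordered:
        ordered.append(TRIPLE_DES)
    return ordered


def choose_cipher(recipients: Sequence[Iterable[int]],
                  sender_supported: Iterable[int],
                  forced: Optional[int] = None) -> int:
    """Sender side. Walk the first recipient's ranking (the advisory part) and
    take the first algorithm every recipient lists and the sender implements
    (the mandatory part). `forced` models --cipher-algo, but here it is
    refused when it would violate the MUST NOT rule."""
    pref_lists = [effective_prefs(p) for p in recipients]
    supported = set(sender_supported) | {TRIPLE_DES}  # 3DES is mandatory to implement
    if forced is not None:
        name = SYMMETRIC_ALGOS.get(forced, f"unknown({forced})")
        if forced not in supported:
            raise ValueError(f"cipher {name} is not implemented by the sender")
        for prefs in pref_lists:
            if forced not in prefs:
                raise ValueError(
                    f"cipher {name} is not in a recipient's preference list "
                    "(RFC 4880: implementation MUST NOT use it)")
        return forced
    for algo in pref_lists[0]:
        if algo in supported and all(algo in p for p in pref_lists[1:]):
            return algo
    raise RuntimeError("unreachable: 3DES is in every list and always supported")


def check_received(algo: int, keyholder_prefs: Iterable[int],
                   receiver_supported: Iterable[int]) -> Tuple[bool, Optional[str]]:
    """Receiver side. Returns (can_decrypt, message). If the sender used an
    algorithm outside our preferences we still decrypt (SHOULD) but emit the
    warning (MUST); if we cannot decrypt at all, report that instead."""
    name = SYMMETRIC_ALGOS.get(algo, f"unknown({algo})")
    if algo not in set(receiver_supported) | {TRIPLE_DES}:
        return False, f"cipher algorithm {name} is not supported; cannot decrypt"
    if algo not in effective_prefs(keyholder_prefs):
        return True, f"WARNING: cipher algorithm {name} not found in recipient preferences"
    return True, None


if __name__ == "__main__":
    # Constructed data: a modern key preferring AES256, an older key that
    # only lists IDEA and CAST5, and a sender that implements AES and CAST5.
    modern_key = [9, 8, 7, 3]
    old_key = [1, 3]
    sender = {7, 8, 9, 3}
    print("one modern recipient ->", SYMMETRIC_ALGOS[choose_cipher([modern_key], sender)])
    print("modern + old recipient ->", SYMMETRIC_ALGOS[choose_cipher([modern_key, old_key], sender)])
    try:
        choose_cipher([old_key], sender, forced=9)  # like --cipher-algo AES256 to an old key
    except ValueError as exc:
        print("refused:", exc)
    # A sender with a stale copy of the key still sends AES256; we decrypt but warn.
    print(check_received(9, keyholder_prefs=[7, 3], receiver_supported={7, 8, 9, 3}))
```

The multi-recipient path is a generalisation beyond the single-recipient case in the message: the usable set is the intersection of every recipient's (3DES-augmented) list, which is why a message to a mixed group tends to fall back to whatever the oldest key lists. The warning string is deliberately the one quoted in the thread, so the decrypt-side check reproduces the exact condition under which gpg emits it.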



