choice of encryption algorithms

Laurent Jumet laurent.jumet at skynet.be
Thu Jun 21 06:03:37 CEST 2012


Hello John !

"John" <jw722531.1.5izon.net> wrote:

> When someone uses my public key to encrypt a message to me, what prevents
> them from trying to use an encryption algorithm of his choice. In other
> words, does the public key itself limit the options available to the person
> sending the message? Thanks.

    First of all, you can list all the allowed protocols on your system using:
GPG --version --verbose
    It looks like this:

+------------------+------------------+------------------+
| Cipher-Algos:    | Digest-Algos:    | Compress-Algos:  |
+------------------+------------------+------------------+
|                  |                  | Z0  Uncompressed |
| S1  IDEA         | H1  MD5          | Z1  ZIP          |
| S2  3DES         | H2  SHA1         | Z2  ZLIB         |
| S3  CAST5        | H3  RIPEMD160    | Z3  BZIP2        |
| S4  BLOWFISH     |                  |                  |
|                  |                  |                  |
|                  |                  |                  |
| S7  AES          |                  |                  |
| S8  AES192       | H8  SHA256       |                  |
| S9  AES256       | H9  SHA384       |                  |
| S10 TWOFISH      | H10 SHA512       |                  |
| S11 CAMELLIA128  | H11 SHA224       |                  |
| S12 CAMELLIA192  |                  |                  |
| S13 CAMELLIA256  |                  |                  |
+------------------+------------------+------------------+

    Using the EditKey command with "pref" and "showpref" on your own key shows you what the actual settings are.
    Using the list above, you can choose the order in which you want those algorithms to be used. You can establish your own list that means "I'd like that one first if possible, and if not the 2nd; and if not the 3rd; and so on". GPG compares your wishes to the recipient's ones, and chooses the first that matches.

    So, using the table above, you can set GPG.CONF with something like this:

default-preference-list S7 S11 S12 S13 S1 S10 S3 S4 S2 S9 S8 H3 H8 H9 H10 H11 H2 H1 Z1 Z2 Z3 Z0
personal-cipher-preferences S7 S11 S12 S13 S1 S10 S3 S4 S2 S9 S8
personal-digest-preferences H3 H8 H9 H10 H11 H2 H1
personal-compress-preferences Z1 Z2 Z3 Z0

    If you set an unsupported preference, GPG complains.

    When you have made all your choices, you can brand your public key with them, using the EditKey menu and "setpref default-preference-list"; after that, you can send your public key to the servers in order to update them.

    From that moment, anybody who wants to send you a message knows which algorithms you prefer, and he will take the first of your choices that matches his choices.
    That works, as I experienced it: a previous version of GPG didn't accept algorithm Z3 (BZIP2), and as I had it branded into my public key on the servers, I couldn't decrypt messages any more... Changing my "setpref" without Z3 and uploading my key to the servers restored the functionality, as no more messages came in Z3.

-- 
Laurent Jumet
      KeyID: 0xCFAF704C
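
The negotiation Laurent describes (the recipient's key advertises a preference list, the sender's own personal-*-preferences pick among what the recipient accepts) and the BZIP2 incident at the end of the post can both be modelled in a few lines. The following is an added example, not code from the original message or from GnuPG: it maps GnuPG's S/H/Z notation to the RFC 4880 algorithm IDs, works out which algorithm a sender ends up using, and checks a key's advertised preferences against the "Supported algorithms" block printed by `gpg --version`, which is how Laurent's Z3 problem could have been caught before uploading the key. The preference strings and the `gpg --version` transcript are constructed for the example, and the fallback when nothing on the sender's personal list is acceptable is an assumption of the model, not a statement about GnuPG's source.

```python
"""Model of the OpenPGP preference negotiation described in the post.

IDs follow RFC 4880 section 9 (Camellia IDs from RFC 5581); S/H/Z is
GnuPG's notation for default-preference-list, personal-*-preferences and
setpref.  All preference strings and the gpg --version transcript below
are constructed for this example.
"""

CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
           8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
           12: "CAMELLIA192", 13: "CAMELLIA256"}
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
           10: "SHA512", 11: "SHA224"}
COMPRESS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}
NAMES = {"S": CIPHERS, "H": DIGESTS, "Z": COMPRESS}
# Headers of the `gpg --version` lines that list each algorithm class.
VERSION_HEADERS = {"Cipher:": "S", "Hash:": "H", "Compression:": "Z"}
# RFC 4880 section 13.2: these MUST be supported, so they are implicitly
# the last entry of every preference list even when not advertised.
IMPLICIT = {"S": 2, "H": 2, "Z": 0}


def parse_prefs(pref_string):
    """'S7 S9 H8 Z2 Z0' -> {'S': [7, 9], 'H': [8], 'Z': [2, 0]}.

    Unknown IDs raise ValueError, like gpg complaining about an
    unsupported preference; duplicates keep their first position.
    """
    prefs = {"S": [], "H": [], "Z": []}
    for token in pref_string.split():
        kind, num = token[:1].upper(), token[1:]
        if kind not in NAMES or not num.isdigit() or int(num) not in NAMES[kind]:
            raise ValueError(f"unknown preference {token!r}")
        if int(num) not in prefs[kind]:
            prefs[kind].append(int(num))
    return prefs


def negotiate(kind, sender_personal, *recipients):
    """Algorithm ID the sender uses for one class ('S', 'H' or 'Z').

    RFC 4880 section 13.2: the choice must be acceptable to every recipient
    (advertised list plus the implicit default), so the recipient's key does
    limit the sender.  The sender's personal list only sets the order in
    which acceptable algorithms are tried.  Fallback (model assumption): the
    first recipient's top choice that everyone accepts.
    """
    acceptable = None
    for prefs in recipients:
        theirs = list(prefs.get(kind, [])) + [IMPLICIT[kind]]
        acceptable = theirs if acceptable is None else [a for a in acceptable if a in theirs]
    if not acceptable:
        return IMPLICIT[kind]
    for alg in sender_personal.get(kind, []):
        if alg in acceptable:
            return alg
    return acceptable[0]


def parse_version_output(text):
    """Read the 'Supported algorithms' block of `gpg --version` into IDs.

    Long lists wrap onto indented continuation lines, which belong to the
    class opened by the previous header.
    """
    supported = {"S": set(), "H": set(), "Z": set()}
    current = None
    for line in text.splitlines():
        header = next((h for h in VERSION_HEADERS if line.startswith(h)), None)
        if header:
            current, line = VERSION_HEADERS[header], line[len(header):]
        elif not (current and line[:1].isspace()):
            current = None
            continue
        by_name = {name.upper(): alg for alg, name in NAMES[current].items()}
        for name in line.replace(",", " ").split():
            if name.upper() in by_name:
                supported[current].add(by_name[name.upper()])
    return supported


def unsupported_advertised(advertised, gpg_version_output):
    """Advertised preferences the local gpg cannot handle (the Z3 failure
    in the post: senders may pick them, the key owner cannot decrypt)."""
    supported = parse_version_output(gpg_version_output)
    return [f"{kind}{alg} ({NAMES[kind][alg]})"
            for kind, ids in advertised.items()
            for alg in ids if alg not in supported[kind]]


# Constructed data: the poster's default-preference-list as the recipient
# key, a sender with its own personal-*-preferences, and a gpg --version
# transcript (format as gpg prints it) from a build without BZIP2.
RECIPIENT_KEY = parse_prefs("S7 S11 S12 S13 S1 S10 S3 S4 S2 S9 S8 "
                            "H3 H8 H9 H10 H11 H2 H1 Z1 Z2 Z3 Z0")
SENDER_PERSONAL = parse_prefs("S9 S8 S7 H10 H8 Z2 Z1 Z0")
OLD_GPG_VERSION = """\
gpg (GnuPG) 1.4 (constructed sample)

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
"""


def summary():
    """Name of the algorithm the sender will use, per class."""
    return {kind: NAMES[kind][negotiate(kind, SENDER_PERSONAL, RECIPIENT_KEY)]
            for kind in "SHZ"}


if __name__ == "__main__":
    print("sender -> recipient:", summary())
    print("advertised but unsupported locally:",
          unsupported_advertised(RECIPIENT_KEY, OLD_GPG_VERSION))
```

Run against the constructed data, the sender lands on AES256, SHA512 and ZLIB (its first choices that also appear on the recipient's key), while a recipient key advertising only "S3 S2" forces the same sender down to CAST5, which answers John's question: the key does limit the sender. The `unsupported_advertised` check flags `Z3 (BZIP2)` for the old build, exactly the mismatch that made Laurent's inbound mail undecryptable until the setpref was changed and the key re-uploaded.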


