Symmetric encryption - options?

Robert J. Hansen rjh at
Tue Mar 13 14:50:48 CET 2012

On 3/13/2012 8:36 AM, Hauke Laging wrote:
> Would you explain that? Do symmetric algorithms never have an MDC or does just 
> CAST5 not (why is it the default then)?

Back when PGP5 was first released, PRZ needed a symmetric cipher to
replace the patent-encumbered IDEA.  He could've used 3DES but didn't,
apparently because there were still some (now-addressed) concerns about
the NSA's involvement in DES.  He could've chosen Blowfish but didn't,
for reasons unknown to me.  He fell in love with CAST5, an algorithm
which is conceptually quite similar to Blowfish, and figured to use that
instead.  PGP 5+ all used CAST5 for symmetric encryption, although they
could also read 3DES traffic.  Twofish was introduced in PGP 7.0, and
AES was introduced in 7.1, I think.

When GnuPG came along, Werner decided to mimic PGP's behavior in the
interests of interoperability.

Many years later, the MDC was introduced.  It was generally not possible
to retrofit this to older versions of PGP and/or GnuPG; it required some
changes in how messages were created and processed.  As a result, GnuPG
will only use the MDC if you're using Twofish, AES, or another one of
the newer ciphers.  At that point GnuPG essentially says, "ah, I see
you're using Twofish.  Clearly this message isn't meant for a PGP5
recipient, so I'll put an MDC on that, then...".

For further details, see RFC4880, section 5.14.

More information about the Gnupg-users mailing list