Order of keys attempted to decrypt

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jun 18 15:43:57 CEST 2014


On 06/18/2014 04:46 AM, Richard Ulrich wrote:
> $ gpg -d test.txt.gpg 
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 0AE275A9 …
> gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.91
> gpg: Anonymer Empfänger; Versuch mit geheimem Schlüssel 8760DB3E …
> gpg: Alles klar, wir sind der ungenannte Empfänger.
> gpg: verschlüsselt mit RSA Schlüssel, ID 00000000
> 
> It first tries to decrypt using the primary key. And since the card with
> the primary key is not plugged in, it outputs an error before it tries
> the subkey that succeeds.

> I tried using the -r option to specify the key to use, but it was
> seemingly ignored.
> 
> Is there a way to specify which key to try first?

see the --try-secret-key option or the --default-key option as described
in gpg(1).

> PS: out of curiosity: What does the "ID 00000000" mean in the output
> from gpg:
> gpg: verschlüsselt mit RSA Schlüssel, ID 00000000

This is a "hidden recipient" in the public key encrypted session key packet.

from https://tools.ietf.org/html/rfc4880#section-5.1 :

   An implementation MAY accept or use a Key ID of zero as a "wild card"
   or "speculative" Key ID.  In this case, the receiving implementation
   would try all available private keys, checking for a valid decrypted
   session key.  This format helps reduce traffic analysis of messages.

hth,

	--dkg
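As an added illustration (not part of this thread or of GnuPG's code), the following Python parses the fixed fields of a v3 Public-Key Encrypted Session Key packet (RFC 4880 section 5.1) and shows where the wild card Key ID lives: the 8 octets after the version byte are all zero, and the last 4 of them are what gpg prints as "ID 00000000". gpg writes such packets when a recipient is given with --hidden-recipient or when --throw-keyids is set; the sample packets here are constructed inline, and the Key ID 0102030405060708 is made up.

```python
import struct

def encode_mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")

def build_pkesk(key_id: bytes, pubkey_algo: int, encrypted_session_key: int) -> bytes:
    """Build a v3 PKESK packet (tag 1) with an old-format header. Constructed test data."""
    if len(key_id) != 8:
        raise ValueError("OpenPGP Key IDs are 8 octets")
    body = bytes([3]) + key_id + bytes([pubkey_algo]) + encode_mpi(encrypted_session_key)
    # Old-format header: bit 7 set, bit 6 clear, tag in bits 5..2, length type 1 = two octets.
    header = bytes([0x80 | (1 << 2) | 0x01]) + struct.pack(">H", len(body))
    return header + body

def parse_pkesk(packet: bytes) -> dict:
    """Parse a tag-1 packet and flag the wild card Key ID that gpg reports as 'ID 00000000'."""
    tag_byte = packet[0]
    if not (tag_byte & 0x80) or (tag_byte & 0x40):
        raise ValueError("only old-format packet headers are handled here")
    tag = (tag_byte >> 2) & 0x0F
    if tag != 1:
        raise ValueError(f"not a PKESK packet (tag {tag})")
    length_type = tag_byte & 0x03
    if length_type == 0:
        length, offset = packet[1], 2
    elif length_type == 1:
        length, offset = struct.unpack(">H", packet[1:3])[0], 3
    elif length_type == 2:
        length, offset = struct.unpack(">I", packet[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packets are not handled here")
    body = packet[offset:offset + length]
    if len(body) != length or body[0] != 3:
        raise ValueError("truncated packet or unsupported PKESK version")
    key_id = body[1:9]
    return {
        "version": body[0],
        "key_id": key_id.hex().upper(),
        "short_key_id": key_id[-4:].hex().upper(),  # the part gpg prints after "ID"
        "pubkey_algo": body[9],                     # 1 = RSA (encrypt or sign)
        "hidden_recipient": key_id == bytes(8),     # all-zero = wild card, RFC 4880 5.1
    }

# Constructed sample packets: one addressed to a (made-up) key, one to a hidden recipient.
NORMAL = build_pkesk(bytes.fromhex("0102030405060708"), 1, 0x0123456789ABCDEF)
HIDDEN = build_pkesk(bytes(8), 1, 0x0123456789ABCDEF)
```

Calling parse_pkesk(HIDDEN) returns hidden_recipient=True and short_key_id "00000000", which is exactly the situation in which gpg has to try each available secret key in turn rather than go straight to the right one.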
