I figured out how to change the algorithms,

Robert J. Hansen rjh at sixdemonbag.org
Mon Mar 20 06:29:30 CET 2017


No, you didn't figure out how to change the algorithms.

Key preferences are the capabilities you advertise to the world.  What
you've done is told the world, "I only understand AES256, 3DES, SHA512,
and SHA1."  Which is great if the entire world understands AES256 and
SHA512 -- but the moment you have a correspondent who doesn't (or who
refuses to use it) you'll silently degrade to 3DES or SHA1.

Imagine you're corresponding with someone who doesn't trust AES256,
thinking it's tainted by association with NIST.  (This is crazy talk,
but unfortunately common.)  They've configured GnuPG to never use
AES256, but to prefer TWOFISH and CAMELLIA256 instead.  Despite the fact
your GnuPG is plenty capable of CAMELLIA256 and TWOFISH, since you're
not advertising that capability your correspondent's GnuPG will silently
drop to 3DES.

Notably, GnuPG never looks at your own key preferences.  That's what you
advertise to the world as your capabilities.  GnuPG looks to
personal-cipher-preferences, et al, to determine which algos to use when
creating traffic, which is why you were advised to set
personal-cipher-preferences, etc., in your gpg.conf.

If you want to generate 256-bit traffic, put AES256, TWOFISH, and
CAMELLIA256 in your personal-cipher-preferences.  Which is exactly what
you were advised to do earlier.
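
The selection behaviour described in the message above, as an added example that is not part of the original post or of GnuPG's code. It is a simplified model: it assumes the RFC 4880 rule that 3DES is implicitly supported by every key, the function name and the `refused` parameter are hypothetical, and the preference lists are constructed.

```python
IMPLICIT = "3DES"  # assumption: RFC 4880 must-implement cipher, always allowed

def select_cipher(personal_prefs, recipient_key_prefs, refused=()):
    """Return the cipher a sender uses for one message (simplified model).

    personal_prefs:      sender's personal-cipher-preferences, in order
    recipient_key_prefs: one advertised preference list per recipient key
    refused:             ciphers the sender will not use (hypothetical knob)
    """
    common = None
    for prefs in recipient_key_prefs:
        advertised = set(prefs) | {IMPLICIT}
        common = advertised if common is None else common & advertised
    usable = (common or {IMPLICIT}) - set(refused)
    if not usable:
        raise ValueError("no cipher acceptable to both sides")
    # The sender's own ordering wins among what the recipients advertise.
    for algo in personal_prefs:
        if algo in usable:
            return algo
    # Nothing the sender prefers is advertised: fall back to the
    # recipients' ordering (lowest summed position wins).
    def rank(algo):
        return sum(p.index(algo) if algo in p else len(p)
                   for p in recipient_key_prefs)
    return min(sorted(usable), key=rank)

# Constructed sample data matching the scenario in the message.
NARROW_KEY = ["AES256", "3DES"]                        # what the key advertises
WIDE_KEY = ["AES256", "TWOFISH", "CAMELLIA256", "3DES"]
CORRESPONDENT_PERSONAL = ["TWOFISH", "CAMELLIA256"]    # refuses AES256
CORRESPONDENT_KEY = ["TWOFISH", "CAMELLIA256", "3DES"]
MY_PERSONAL = ["AES256", "TWOFISH", "CAMELLIA256"]

def scenarios():
    return {
        # Incoming mail: the narrow key leaves only 3DES in common.
        "to_narrow_key": select_cipher(CORRESPONDENT_PERSONAL, [NARROW_KEY],
                                       refused={"AES256"}),
        # Incoming mail: advertising more capabilities avoids the downgrade.
        "to_wide_key": select_cipher(CORRESPONDENT_PERSONAL, [WIDE_KEY],
                                     refused={"AES256"}),
        # Outgoing mail: only personal prefs and the recipient's key matter.
        "outgoing": select_cipher(MY_PERSONAL, [CORRESPONDENT_KEY]),
    }

if __name__ == "__main__":
    for name, algo in scenarios().items():
        print(f"{name}: {algo}")
```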



