Weak encryption keys

jsmith9810 at gmx.com jsmith9810 at gmx.com
Wed Mar 24 17:03:00 CET 2021

> Sent: Tuesday, March 23, 2021 at 9:44 AM
> From: "Ingo Klöcker" <kloecker at kde.org>
> It's defined in the separate libgpg-error library. It corresponds to the 
> symbol GPG_ERR_WEAK_KEY. This symbol occurs in libgcrypt (the low-level crypto 
> library of GnuPG), e.g. in blowfish.c, and in gnupg.

Okay, I think I have figured out the reason for this behavior.
The libgcrypt library that's used by GnuPG had completely
disabled the use of weak keys for symmetric ciphers. I believe
it previously just issued a warning, but still allowed the use
of the weak keys. This is causing the setkey operation to fail
in GnuPG.
I also noticed that libgcrypt gas now introduced a mechanism
to allow the use of weak keys through a recent commit:
2020-02-02: 5beadf201312d0c649971b0c1d4c3827b434a0b5
So it's now possible to leverage this feature and support
importing of existing PGP keys protected with a weak symmetric
key, that were generated with the older version of GnuPG. If 
there is an appetite to address this issue, I can create a task
in the tracker.


More information about the Gnupg-users mailing list