Wiktor Kwapisiewicz wrote: > Hello, > > > On Wed, Jan 02, 2019 at 04:02:03PM +1100, gn...@raf.org wrote: > >> For some dumb reason I think I was hoping that the RSA > >> algorithm wasn't really used to encrypt all the data. I > >> thought it was probably used to encrypt a per-file > >> randomly-generated symmetric key which was then used to > >> encrypt the file (and was encrypted along with the > >> file) because it could be faster. But I think I'm > >> confusing it with network protocols like TLS. > >> > >> Is that what happens with RSA in gpg? [Probably not] > > > > Actually yes, that’s exactly what happens. The data (in your > > case, the contents of your file) is symmetrically encrypted using > > a randomly generated “session key”, and *that* key is > > asymmetrically encrypted using the RSA public key. > > Yep, to see this behind-the-scenes thing in action check out > "--show-session-key" and "--override-session-key" options. Described here: > > https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html > > Kind regards, > Wiktor
Thanks for that. Unfortunately, it's still not NIST 800-57 compliant because the session key is encrypted using an asymmetric key. But I guess I'll just have to choose not to worry about that. Another question: I was googling the default symmetric algorithm and https://security.stackexchange.com/questions/86305/what-is-the-default-cipher-algorithm-for-gnupg says: For GnuPG 1.0 and 2.0, default is Cast5, for GnuPG 2.1 it is AES-128 But when I use gpg --list-packets --show-session-key -v on files encrypted via RSA keys with gpg-1.4.23 (macOS/macports) and gpg-2.1.18 (debian9), they both say: gpg: AES256 encrypted data Which is great but why is that? I haven't done anything in gpg.conf to override any defaults. Is the symmetric algorithm used with RSA keys unrelated to the default symmetric algorithm used by gpg when the --symmetric option is used? Hmm, when I encrypt a file with gpg -c and then --list-packets -v, the one encrypted with gpg-1.4.23 says: gpg: AES encrypted data and the one encrypted with gpg-2.1.18 says: gpg: AES256 encrypted data I guess that stackexchange page is wrong or out of date. The manpage for gpg on both systems says that the default symmetric algorithm is AES128 which seems correct for gpg-1.4.23 but incorrect for gpg-2.1.18. cheers, raf _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users