jsmith9810--- via Gnupg-users wrote:
> Hello all,
> I have a private key protected by the Blowfish cipher that, despite a random salt and several rounds of
> RIPEMD160 iterations, is still considered "weak" by GnuPG, and it refuses to do anything
> with it. When I try to import this key manually (--import), gpg throws a "weak encryption
> key" error and refuses to import it ... which I find ironic, because it has no problem
> importing unprotected plain-text keys. Also, it's worth pointing out that GnuPG applies its default
> protection scheme to the private keys imported this way regardless of what encryption these keys
> used earlier, which means that the issue it's complaining about would actually be resolved
> simply by importing this key.
> I still managed to force this key into GnuPG's private key store through the
> secring.gpg migration route, which preserves the key in its OpenPGP-native
> format, but now gpg refuses any operation involving this private key: sign,
> encrypt, etc. It won't even let me change the password, which would actually
> make this issue go away. I tested with GnuPG 1.4.23 as well and it does not
> have a problem either importing or using this key.
> I am not looking for a solution, as I can easily work around this problem by changing the
> password using GnuPG 1.x prior to importing this key into GnuPG 2.x, but should this be
> logged as a product defect? This doesn't look like a reasonable way to deal with these
> so-called "weak" encryption keys when importing them would actually
> address the issue at hand.
> Thanks!
The problem is that a private key protected by a weak cipher is still
potentially compromised if an attacker can get any copy of the key prior
to migrating it to a stronger cipher. In other words, if an attacker is
able to obtain your current key blob, the attacker can still compromise
your key by cracking that copy, even after you have migrated your copy
to a stronger wrapping.
If an attacker were interested in you, your key is lost and the best path
forward is to revoke it and generate a new key. You could sign the new
key with the old one before revoking the old key.
-- Jacob
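The thread describes the protection scheme on the key (Blowfish, a random salt, iterated RIPEMD-160) without showing how to tell, from the key file itself, which wrapping a secret key carries. The following script is an added example, not code from the thread or from GnuPG: it parses the string-to-key (S2K) fields of an OpenPGP v4 secret-key packet as laid out in RFC 4880 section 5.5.3 and reports the cipher, S2K mode, hash and iteration count, flagging Blowfish-wrapped keys so they can be found and re-wrapped (for instance with GnuPG 1.4, as the poster does) before any 2.x import. The set of ciphers treated as "weak" is an assumption taken from the thread, not GnuPG's actual list, and the sample packets are constructed by hand with dummy key material. As Jacob points out, finding such a key says nothing about whether an old copy has already leaked; this only locates keys that still need attention.

```python
"""Inspect the S2K protection on an OpenPGP v4 secret-key packet (RFC 4880 5.5.3).

Added example; the "weak" cipher set is an assumption based on the thread,
and the sample packets below are constructed, not real keys.
"""
import struct

# Algorithm identifiers from RFC 4880 section 9.
CIPHERS = {0: "plaintext", 1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
          9: "SHA-384", 10: "SHA-512"}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}
CIPHER_BLOCK = {1: 8, 2: 8, 3: 8, 4: 8, 7: 16, 8: 16, 9: 16, 10: 16}
# Assumption for this example: Blowfish is what the thread reports GnuPG 2.x
# rejecting.  The authoritative list is whatever the installed gpg enforces.
WEAK_CIPHERS = {4}


def decode_s2k_count(coded):
    """RFC 4880 3.7.1.3: one coded byte -> number of bytes hashed."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_packet_header(data):
    """Return (tag, body_offset, body_len) for old- or new-format headers."""
    b0 = data[0]
    if not b0 & 0x80:
        raise ValueError("not an OpenPGP packet")
    if b0 & 0x40:                      # new-format header
        tag, b1 = b0 & 0x3F, data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 3   # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def skip_mpis(body, off, count):
    """Advance past `count` MPIs (2-byte bit length followed by the value)."""
    for _ in range(count):
        bits = struct.unpack(">H", body[off:off + 2])[0]
        off += 2 + (bits + 7) // 8
    return off


def inspect_secret_key(data):
    """Describe how the secret material in a tag 5/7 packet is protected."""
    tag, off, length = parse_packet_header(data)
    if tag not in (5, 7):
        raise ValueError("not a secret-key packet (tag %d)" % tag)
    body = data[off:off + length]
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    algo = body[5]                                  # after version + 4-byte ctime
    n_pub = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}.get(algo)  # RSA, ElGamal, DSA
    if n_pub is None:
        raise ValueError("unknown public-key algorithm %d" % algo)
    p = skip_mpis(body, 6, n_pub)
    usage = body[p]
    p += 1
    if usage == 0:                                  # unprotected key
        return {"protected": False, "cipher": "plaintext", "weak": False}
    salt = count = None
    if usage in (254, 255):                         # explicit cipher + S2K specifier
        cipher, s2k_type, hash_id = body[p], body[p + 1], body[p + 2]
        p += 3
        if s2k_type in (1, 3):
            salt, p = body[p:p + 8], p + 8
        if s2k_type == 3:
            count, p = decode_s2k_count(body[p]), p + 1
    else:                                           # legacy: usage byte is the cipher, simple MD5 S2K
        cipher, s2k_type, hash_id = usage, 0, 1
    iv = body[p:p + CIPHER_BLOCK[cipher]]
    return {"protected": True, "cipher": CIPHERS.get(cipher, str(cipher)),
            "cipher_id": cipher, "s2k": S2K_TYPES.get(s2k_type, str(s2k_type)),
            "hash": HASHES.get(hash_id, str(hash_id)), "salt": salt,
            "count": count, "iv": iv,
            "checksum": "SHA-1" if usage == 254 else "sum16",
            "weak": cipher in WEAK_CIPHERS}


def build_sample_packet(cipher_id, hash_id=3, s2k_type=3, count_byte=0x60):
    """Constructed tag-5 packet with dummy key material (not a usable key)."""
    pub = bytes([4]) + struct.pack(">I", 1500000000) + bytes([1])   # v4, ctime, RSA
    pub += struct.pack(">H", 16) + b"\xc0\x01"                        # MPI n (dummy)
    pub += struct.pack(">H", 5) + b"\x11"                             # MPI e = 17
    s2k = bytes([s2k_type, hash_id])
    if s2k_type in (1, 3):
        s2k += bytes(range(8))                 # fixed salt, for reproducibility
    if s2k_type == 3:
        s2k += bytes([count_byte])
    iv = b"\x00" * CIPHER_BLOCK[cipher_id]
    secret = b"\xaa" * 20                      # stands in for encrypted MPIs + checksum
    body = pub + bytes([254, cipher_id]) + s2k + iv + secret
    return bytes([0x80 | (5 << 2), len(body)]) + body   # old-format header, 1-byte length


if __name__ == "__main__":
    for cid in (4, 9):
        print(inspect_secret_key(build_sample_packet(cid)))
```

Running it reports the Blowfish sample as weak with an iterated+salted RIPEMD-160 S2K and a count of 65536, and the AES-256 sample as not weak. On a real key, export the secret key as a binary (non-armored) file and pass the bytes of its first packet to inspect_secret_key.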
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users