Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
On Tue, 17 Nov 2020 02:28, Gao Xiaohui said: > conf.conf". At present, the "--s2k-count" option can be used in both > gpg.exe and gpg-agent.exe.Thank you. In gpg.conf this is used for deriving a passphrase for symmetric encryption. In gpg-agent.conf it is used to override the calibrated iteration code for protecting keys in gpg-agent. There is no need to change the algorithms. For interoperability and maintenance reasons we try to limit the number of user modifiable parameters. Eventually there will be change to an AEAD algorithm, howver interoperability is the main concern and not theoretical attacks. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
Thank you for your reply to my question. In "https://dev.gnupg.org/T1800;, Werner responded: "It is an open question whether gpg should be allowed to change the s2k options because the keys are a property of the agent and not of gpg. For export it might hwoever make sense to be able to change that (think export for use on a slower box)."Excuse me, why not use "--s2k-digest-algo" and "--s2k-cipher-algo" and other options for gpg-agent.exe, so you can also write these options in "gpg- conf.conf". At present, the "--s2k-count" option can be used in both gpg.exe and gpg-agent.exe.Thank you. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
On Thu, 12 Nov 2020 09:27, A NiceBoy said: > 1. The solution is also in this report. Just install gpg version 2.0.x, Don't! 2.0 reached end-of-life 3 years ago - there are no security fixes etc. You shall not use that version anymore. > Then you can see the algo changed to AES256 and digest changed to SHA512. If you want to convey secret keys do not rely on the passphrase protection of OpenPGP but use a secure transport channel. Which may be just a gpg encrypted file. The problem with the passphrase is that you need to transport a secure passphrase via another secured medium and in this case you can also a transport the secret key with a "weaker" passphrase. Whether you use SHA256 or SHA512 does not matter. The iteration count matters more but in any case you can't create better security from a weak passphrase - the iteration count is a failstop thing but not a proper cryptographic replacement for a weak passphrase. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
Hello Gao, Your question could be stated more clearly as in this bug report: https://dev.gnupg.org/T1800 1. The solution is also in this report. Just install gpg version 2.0.x, which prior to version 2.1, then run the following command to generate the key: > gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 > --s2k-count 6500 --gen-key Then export, using the s2k options in case they're needed here instead: > gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 > --s2k-count 6500 --export-secret-keys | gpg2 --list-packets Then you can see the algo changed to AES256 and digest changed to SHA512. 2. To modify the existing key, you still have to install gpg version 2.0.x first, which prior to version 2.1, then add the following options into your gpg.conf: > #- > # algorithm and ciphers > #- > # Limits the algorithms used > personal-cipher-preferences AES256 > personal-digest-preferences SHA512 > default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH > BLOWFISH ZLIB BZIP2 ZIP Uncompressed > cipher-algo AES256 > digest-algo SHA512 > cert-digest-algo SHA512 > compress-algo ZLIB > disable-cipher-algo 3DES > #weak-digest SHA1 > s2k-cipher-algo AES256 > s2k-digest-algo SHA512 > s2k-mode 3 > s2k-count 65011712 Then reset the passphrase of the private key, using the above settings, then export the private key to file. Here is the output of command of --list-packets : > iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024 > protect count: 65011712 (255) This idea comes from the links: https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1 , https://security.stackexchange.com/a/90617 3. There is a small tool along with the command of --list-packets, called pgpdump which is available at http://www.mew.org/~kazu/proj/pgpdump/en/ , to provide more details of the private key file. Best regards On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users wrote: > > Hello, > Excuse me,When using "gpg --list-packets [private secret key file]",it print > "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ", > how to change "algo:7" and "hash:2"? > I searched on Google, it use the "gpg --gen-key" or "gpg --edit-key" command > with "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512" options could > change them, but I tested,It could not change them. Tell me the correct way > please.Thank you very much. > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?
Hello Gao, Your question could be stated more clearly as in this bug report: https://dev.gnupg.org/T1800 1. The solution is also in this report. Just install gpg version 2.0.x, which prior to version 2.1, then run the following command to generate the key: > gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 6500 --gen-key Then export, using the s2k options in case they're needed here instead: > gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 6500 --export-secret-keys | gpg2 --list-packets Then you can see the algo changed to AES256 and digest changed to SHA512. 2. To modify the existing key, you still have to install gpg version 2.0.x first, which prior to version 2.1, then add the following options into your gpg.conf: > #- > # algorithm and ciphers > #- > # Limits the algorithms used > personal-cipher-preferences AES256 > personal-digest-preferences SHA512 > default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed > cipher-algo AES256 > digest-algo SHA512 > cert-digest-algo SHA512 > compress-algo ZLIB > disable-cipher-algo 3DES > #weak-digest SHA1 > s2k-cipher-algo AES256 > s2k-digest-algo SHA512 > s2k-mode 3 > s2k-count 65011712 Then reset the passphrase of the private key, using the above settings, then export the private key to file. Here is the output of command of --list-packets : > iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024 > protect count: 65011712 (255) This idea comes from the links: https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1 , https://security.stackexchange.com/a/90617 3. There is a small tool along with the command of --list-packets, called pgpdump which is available at https://www.mew.org/~kazu/proj/pgpdump/en/ , to provide more details of the private key file. Best regards On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users < gnupg-users@gnupg.org> wrote: > Hello, > Excuse me,When using "gpg --list-packets [private secret key file]",it > print "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: > ", how to change "algo:7" and "hash:2"? > I searched on Google, it use the "gpg --gen-key" or "gpg --edit-key" > command with "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512" > options could change them, but I tested,It could not change them. Tell me > the correct way please.Thank you very much. > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users