Re: Default hash
I believe that within the next five years someone will discover an academic attack against Rijndael. I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic. So while I have serious academic reservations about Rijndael, I do not have any engineering reservations about Rijndael.
-- Bruce Schneier, Cryptogram Newsletter, October, 2000.

From Schneier/Ferguson's 2003 book, "Practical Cryptography":

We don't quite trust the security...No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES.

However, even though he has reservations about Rijndael, he has said publicly numerous times that he prefers everyone to use AES instead of the other finalists, no doubt because it has had undeniably more analysis thrown its way.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Default hash
On 02/26/2011 04:37 PM, Faramir wrote:
> Because its author says you should move to Twofish?

Dammit! I meant Twofish, not Blowfish. I knew what I meant, but I didn't type it.
Re: Default hash
On 26-02-2011 20:07, Aaron Toponce wrote:
...
> Thoughts?
>
> http://eprint.iacr.org/2010/023.pdf

In this section, the attack assumptions are described.

- Correct and faulty ciphertexts calculated from the same plaintext are known.
- One pair of correct plaintext and ciphertext is known.

But GnuPG uses a randomly generated session key each time it encrypts something, so if an attacker has plaintext and ciphertext, he already has what he wants, and retrieving the key is useless, since it won't be used again.

Best Regards
Re: Default hash
On 26-02-2011 19:44, Aaron Toponce wrote:
...
> Fortunately for me, these are my personal GnuPG preferences, and not those
> of my employer. Blowfish is good crypto, and I still haven't found a
> good reason not to use it. AES is the federal standard. Great. I'm not

Because its author says you should move to Twofish?

Best Regards
Re: Default hash
On 02/26/2011 02:27 PM, Faramir wrote:
> Here he says Twofish has speed comparable to AES, without some
> vulnerabilities (but Serpent is considered even more secure). However,
> he says if AES fails, you won't be blamed for using it (so it is the safest
> for your career). If you chose Twofish, and it is broken, you will be
> blamed for choosing it.

Thoughts?

http://eprint.iacr.org/2010/023.pdf
Re: Default hash
On 02/26/2011 02:27 PM, Faramir wrote:
> Here he says Twofish has speed comparable to AES, without some
> vulnerabilities (but Serpent is considered even more secure). However,
> he says if AES fails, you won't be blamed for using it (so it is the safest
> for your career). If you chose Twofish, and it is broken, you will be
> blamed for choosing it.

Fortunately for me, these are my personal GnuPG preferences, and not those of my employer. Blowfish is good crypto, and I still haven't found a good reason not to use it. AES is the federal standard. Great. I'm not the feds. :)
Re: Default hash
On 26-02-2011 15:59, Simon Ward wrote:
> On Sat, Feb 26, 2011 at 07:49:41AM -0300, Faramir wrote:
...
>> There is an interview somewhere (I was looking for it to provide
>> citation, but I was unable to find it. I think it used to be in his blog).
>
> This one[1]? It doesn’t mention AES though… The topic was discussed on
> this list a couple of years ago (and probably many other times)[2].
>
> [1]: http://www.schneier.com/news-048.html

Right, my fault, as always I mixed things. But the following link is the one:

> [2]: http://lists.gnupg.org/pipermail/gnupg-users/2008-September/034622.html

Here he says Twofish has speed comparable to AES, without some vulnerabilities (but Serpent is considered even more secure). However, he says if AES fails, you won't be blamed for using it (so it is the safest for your career). If you chose Twofish, and it is broken, you will be blamed for choosing it.

Best Regards
Re: Default hash
On Sat, Feb 26, 2011 at 07:49:41AM -0300, Faramir wrote:
> On 26-02-2011 0:27, Aaron Toponce wrote:
> > On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
> >> Bruce himself recommends AES over TWOFISH.
> >
> > [citation needed]
> >
> > I know that he's recommended AES-128 over AES-256, but I've not read
> > where he's recommended AES over TWOFISH.
>
> There is an interview somewhere (I was looking for it to provide
> citation, but I was unable to find it. I think it used to be in his blog).

This one[1]? It doesn’t mention AES though… The topic was discussed on this list a couple of years ago (and probably many other times)[2].

[1]: http://www.schneier.com/news-048.html
[2]: http://lists.gnupg.org/pipermail/gnupg-users/2008-September/034622.html

Simon
--
A complex system that works is invariably found to have evolved from a simple system that works.—John Gall
Re: Default hash
On Feb 26, 2011, at 9:10 AM, Aaron Toponce wrote:
>> 3DES's history is instructive. NIST has declared it "dead in 20 years"
>> more often than Netcraft has declared BSD to be dying.[*] At this
>> point, I'm unaware of anyone who seriously believes 3DES will be gone in
>> 20 years. Most people seem to be of the belief that in about fifteen
>> years NIST will say, "and 3DES is believed strong through 2050."
>
> Great! If it has that sort of security, then maybe I'll give it a second
> thought. I was always under the impression that due to DES being cracked
> by the EFF in what, 9 months?, that 3DES, just using 3 of the same
> 56-bit key, wasn't long before we had the hardware to break it in 9
> months also. I'll give reconsideration.

Not nine months - 4.5 days on average. At least that was the performance of the DES cracker in 1998. If it were done today, it would probably do better (or at least do it cheaper).

3DES doesn't use 3 of the same 56-bit key. 3DES (at least the 3DES used in OpenPGP) uses three different 56-bit keys.

3DES is still quite secure. Its main problem is that it's *slow*.

David
Re: Default hash
On Feb 25, 2011, at 6:05 PM, Aaron Toponce wrote:
> Also, my understanding on how the preferences are chosen by GnuPG is the
> following:
>
> 1. User wishes to encrypt mail to me, so my cipher preferences in my
> public key are pulled.
> 2. My first preference, Twofish, is used, only if the sender supports
> the Twofish algorithm.
> 3. If not, the next cipher in my preference list, Camellia256, is then
> chosen, so long as the sender also supports Camellia256.
> 4. Proceed inductively, until a matching cipher that can be agreed on
> between the two parties is chosen.
> 5. Message is encrypted using the agreed algorithm.
> 6. The same is used for signatures and compression.
>
> Is this accurate?

No. It works like this (not literally in this order, but conceptually):

1. User wishes to encrypt mail to you, so your cipher preferences in your public key are pulled.

2. The cipher preferences for all other recipients to that mail are also pulled (very frequently, the sender is also encrypting to himself or herself, so that is another recipient).

3. If not already present, 3DES is added to the end of all lists.

4. All the cipher preferences are grouped together into a set. The sender then compares the list of ciphers that exist in their version of OpenPGP with the list of ciphers in this set. Any cipher that is not in both groups is discarded. This is because we don't know if all recipients can handle it.

5. Now we rank the ciphers that haven't been thrown out yet by using the scores given to them by the users. The first cipher in the list gets 1 point, the second cipher in the list gets 2, etc.

6. Pick the lowest numbered cipher.

This gives us three things:

A) A guarantee that no cipher will be used that cannot be handled by all recipients. This is crucial, as if we used a cipher that wasn't available for everyone, we'd cut off communication.

B) A guarantee that all users can communicate. Since every user can handle 3DES, by definition, it is not possible that the above algorithm will finish without picking a cipher.

C) We will pick the cipher that recipients like the most, overall.

A) & B) are vital, and required by the OpenPGP standard. C) is optional, but nice to have.

So the bottom line here is to set your preferences to the list of ciphers that you are willing to use, in the order in which you like them. You will only get messages encrypted to one of these ciphers, and, at least if your correspondents are using GnuPG, will tend to favor the ciphers that you rank higher.

David
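The selection procedure David describes above, written out as an added Python example (this is not GnuPG's own code) and run over the cipher preference lists actually posted in this thread. The numbers are the RFC 4880 symmetric-algorithm IDs that the "S9 S10 ..." notation in gpg.conf and in `setpref` refers to. Two things the message leaves open are filled in as labelled assumptions: how ties are broken, and which ciphers the sender's own build supports.

```python
"""
Added example (not GnuPG's code): the cipher selection described in the
message above, applied to the preference lists posted in this thread.
"""

# RFC 4880 section 9.2 symmetric algorithm IDs ("S<n>" in gpg preference strings).
CIPHER_NAMES = {
    1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
    7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH",
    11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256",
}
CIPHER_IDS = {name: cid for cid, name in CIPHER_NAMES.items()}
TRIPLE_DES = CIPHER_IDS["3DES"]   # implicitly at the end of every list (RFC 4880 13.2)

# Assumption: the sender's build has every cipher above except IDEA.
SENDER_SUPPORTS = set(CIPHER_NAMES) - {CIPHER_IDS["IDEA"]}


def parse_pref_string(spec):
    """'S9 S10 S13 ...' (gpg.conf / setpref syntax) -> list of cipher IDs.
    H<n> and Z<n> tokens belong to the digest and compression lists and are skipped."""
    return [int(tok[1:]) for tok in spec.split()
            if tok[0].upper() == "S" and tok[1:].isdigit()]


def parse_names(names):
    """'TWOFISH, CAMELLIA256, ...' (as --edit-key's showpref prints it) -> IDs."""
    return [CIPHER_IDS[n.strip().upper()] for n in names.split(",")]


def choose_cipher(pref_lists, supported):
    """Steps 3 to 6 of the message above.

    pref_lists: one ranked list of IDs per voter (each recipient; GnuPG also
    lets the sender's personal-cipher-preferences vote the same way).
    supported:  IDs the sender's implementation can use.
    Returns (chosen ID, {ID: score}) where score is the sum of 1-based ranks.
    Tie-breaking is not described in the message; this example (an assumption)
    prefers the tied cipher ranked higher by the first voter."""
    lists = [l if TRIPLE_DES in l else l + [TRIPLE_DES] for l in pref_lists]  # step 3
    mutual = set(supported)
    for l in lists:                                                            # step 4
        mutual &= set(l)
    if not mutual:
        raise ValueError("no mutually supported cipher (only possible without 3DES)")
    scores = {cid: sum(l.index(cid) + 1 for l in lists) for cid in mutual}   # step 5
    best = min(mutual, key=lambda cid: (scores[cid], lists[0].index(cid)))    # step 6
    return best, scores


def negotiate(*recipient_prefs):
    cid, _ = choose_cipher(list(recipient_prefs), SENDER_SUPPORTS)
    return CIPHER_NAMES[cid]


# Lists posted in the thread: Aaron's (showpref form) and Ben's (gpg.conf form).
AARON = parse_names("TWOFISH, CAMELLIA256, AES256, CAMELLIA192, AES192, "
                    "CAMELLIA128, AES, BLOWFISH, CAST5, 3DES")
BEN = parse_pref_string("S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1")
# Constructed recipients: one advertising only the AES family, CAST5 and 3DES;
# one advertising only IDEA (3DES is appended for it in step 3).
AES_ONLY = parse_names("AES256, AES192, AES, CAST5, 3DES")
IDEA_ONLY = parse_names("IDEA")

if __name__ == "__main__":
    print(negotiate(AARON, BEN))             # TWOFISH: 1+2 = 3 points beats AES256's 3+1 = 4
    print(negotiate(AARON, BEN, AES_ONLY))   # AES256: Twofish and Camellia are no longer mutual
    print(negotiate(AARON, BEN, IDEA_ONLY))  # 3DES: the only cipher every list shares
```

The third case is guarantee B) in action: a key that advertises nothing usable still gets 3DES appended, so the intersection is never empty as long as the sender can do 3DES. The second case is why Aaron's Twofish-first list does not guarantee Twofish: one extra recipient without it moves the whole message to AES256.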
Re: Default hash
On 02/25/2011 08:46 PM, Robert J. Hansen wrote:
> On 2/25/11 10:27 PM, Aaron Toponce wrote:
>> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>>> Bruce himself recommends AES over TWOFISH.
>>
>> [citation needed]
>
> _Practical Cryptography_. Read it. Other people on this list can
> provide a page ref: I'm at a funeral in the middle of nowhere and don't
> have my books handy.
>
>> I know that he's recommended AES-128 over AES-256, but I've not read
>> where he's recommended AES over TWOFISH.
>
> Many times. It's not hard to find these recommendations: Google is your
> friend.

I'm using Google. I'm not seeing it. I'll keep digging. Best I can find is in 2008, he recommends Twofish over Blowfish: http://goo.gl/D3Diq

> Regardless, you really need to pay attention to the fine print. First,
> the numbers you cite are for *two*-key 3DES, and OpenPGP specifies
> *three*-key 3DES be used. 3DES's meet-in-the-middle is at 112 bits of
> security -- plenty enough for almost any purpose.
>
> Second, that meet-in-the-middle on 3DES requires 2**32 known plaintexts,
> 2**113 operations, 2**90 encryptions and 2**88 memory. This is so
> unrealistic it deserves to be called fantasy. Miss any of those and
> you're up to a work factor of 2**168.
>
> So, yeah. 3DES's effective security is 168 bits, unless you're up
> against the space aliens from Zarbnulax, in which case you're SOL no
> matter what algorithm you use.

Heh. I don't believe in aliens. So, good luck with that.

I'm not saying 3DES isn't practical, I just said I'm not interested in using it, and I stated why. I'm also not interested in using SHA1 for my signing hash, but for all _practical_ purposes, it fits the bill just fine. Did you know OpenSSH uses SHA1 by default for their hash, and for the MAC it's MD5 or SHA1! Then again, what's the _practicality_ of your OpenSSH connection being broken by the baddies?

The fact of the matter is, GnuPG supports these stronger algorithms, so why not use them? If you have the hardware that can do the math in trivial time, I don't see why you shouldn't use 256-bit or 512-bit crypto. I understand just looking at key length for security is retarded, but GnuPG ships solid, well researched, highly available, strong crypto.

> 3DES's history is instructive. NIST has declared it "dead in 20 years"
> more often than Netcraft has declared BSD to be dying.[*] At this
> point, I'm unaware of anyone who seriously believes 3DES will be gone in
> 20 years. Most people seem to be of the belief that in about fifteen
> years NIST will say, "and 3DES is believed strong through 2050."

Great! If it has that sort of security, then maybe I'll give it a second thought. I was always under the impression that due to DES being cracked by the EFF in what, 9 months?, that 3DES, just using 3 of the same 56-bit key, wasn't long before we had the hardware to break it in 9 months also. I'll give reconsideration.
Re: Default hash
On 26-02-2011 0:27, Aaron Toponce wrote:
> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>> Bruce himself recommends AES over TWOFISH.
>
> [citation needed]
>
> I know that he's recommended AES-128 over AES-256, but I've not read
> where he's recommended AES over TWOFISH.

There is an interview somewhere (I was looking for it to provide citation, but I was unable to find it. I think it used to be in his blog). He said something like "use AES, that is the standard, and no one is fired for using AES", but that doesn't mean AES is better, it just means it is safer (for you) to be able to say "I used the standard, it was not my fault...". But he also said something suggesting that for personal stuff, maybe you should consider using other things (but again, he didn't say explicitly "for personal stuff I recommend Twofish"). But that was before vulnerabilities were discovered in AES-256 and AES-192. I have no idea what he would recommend now.

If you find the interview, please post the link, I was unable to find it.

Best Regards
Re: Default hash
On 2/26/11 12:41 AM, John Clizbe wrote:
> pg 64. Sect 4.5.7 - Which Block Cipher Should I Use?

And, I forgot: I have my Kindle with me. _Practical Cryptography_ isn't available on Kindle, but _Cryptography Engineering_ is (also by Schneier). Quoting from 3.5.6, "Which Block Cipher Should I Choose?"

"The recent cryptanalytic advances against AES make these a tough choice. Despite these cryptanalytic advances, AES is still what we recommend. It is fast. All known attacks are theoretical, not practical. Even though AES is now broken academically, these breaks do not imply a significant security degradation of real systems in practice.

...

There are probably circumstances in which 3DES still is the best solution. If you have to be backward-compatible, or are locked into a 64-bit block size by other parts of the system, then 3DES is still your best choice.

..."

So, yeah. There's Schneier himself, saying "use AES if at all possible: and if you have to have a 64-bit block size cipher, use 3DES even over Blowfish, CAST5, IDEA, or any other 64-bit block cipher I mentioned in _Applied Cryptography_."

Hopefully this puts the nail in the coffin, and we can end this thread.
Re: Default hash
Robert J. Hansen wrote:
> On 2/25/11 10:27 PM, Aaron Toponce wrote:
>> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>>> Bruce himself recommends AES over TWOFISH.
>>
>> [citation needed]
>
> _Practical Cryptography_. Read it. Other people on this list can
> provide a page ref: I'm at a funeral in the middle of nowhere and don't
> have my books handy.

pg 64. Sect 4.5.7 - Which Block Cipher Should I Use?

-John

PS: Rob, peer with my new SKS box, sks.keyservers.net when you get home. I'll look for you on the IM networks later.

--
John P. Clizbe                      Inet: John (a) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
Re: Default hash
On 2/25/11 10:27 PM, Aaron Toponce wrote:
> On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
>> Bruce himself recommends AES over TWOFISH.
>
> [citation needed]

_Practical Cryptography_. Read it. Other people on this list can provide a page ref: I'm at a funeral in the middle of nowhere and don't have my books handy.

> I know that he's recommended AES-128 over AES-256, but I've not read
> where he's recommended AES over TWOFISH.

Many times. It's not hard to find these recommendations: Google is your friend.

> Again, [citation needed]. 3DES has an effective security of only 80 bits
> due to the meet-in-the-middle attack and known- or chosen-plaintext
> attacks

I don't have the exact quote from sci.crypt handy (as mentioned, I'm in the middle of nowhere). I'll look for it once I'm back on the East Coast. I'm sure there are many people here who could provide it for you, though.

Regardless, you really need to pay attention to the fine print. First, the numbers you cite are for *two*-key 3DES, and OpenPGP specifies *three*-key 3DES be used. 3DES's meet-in-the-middle is at 112 bits of security -- plenty enough for almost any purpose.

Second, that meet-in-the-middle on 3DES requires 2**32 known plaintexts, 2**113 operations, 2**90 encryptions and 2**88 memory. This is so unrealistic it deserves to be called fantasy. Miss any of those and you're up to a work factor of 2**168.

So, yeah. 3DES's effective security is 168 bits, unless you're up against the space aliens from Zarbnulax, in which case you're SOL no matter what algorithm you use.

> and NIST is only willing to back the algo through 2030.

3DES's history is instructive. NIST has declared it "dead in 20 years" more often than Netcraft has declared BSD to be dying.[*] At this point, I'm unaware of anyone who seriously believes 3DES will be gone in 20 years. Most people seem to be of the belief that in about fifteen years NIST will say, "and 3DES is believed strong through 2050."

[*] A humorous reference to a Slashdot meme. BSD partisans, relax, I'm not seriously suggesting this...
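The meet-in-the-middle argument behind the numbers in this exchange, shown as an added Python example (it is not from the thread and the cipher is not DES). Chaining two encryptions with independent n-bit keys does not give 2n bits of security: with a few known plaintext/ciphertext pairs the attacker tabulates the first stage under every key, inverts the second stage under every key, and looks for a meeting point, paying about 2^(n+1) cipher operations and 2^n memory instead of 2^(2n). Making the same split after the first stage of three-key 3DES is what leaves the 2^112 figure quoted above. The 16-bit toy block cipher, its key schedule, the secret keys and the known plaintexts below are all constructed for the demonstration.

```python
"""
Added example (constructed toy cipher, not DES, not from the thread):
meet-in-the-middle against double encryption.
"""
import math

# Nibble S-box (a permutation of 0..15) and its inverse.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(i) for i in range(16)]
MASK = 0xFFFF
KEY_BITS = 16   # toy key size; the argument is the same for DES's 56
ROUNDS = 4


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def rotr16(x, n):
    return ((x >> n) | (x << (16 - n))) & MASK


def sub_nibbles(x, box):
    return sum(box[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def round_keys(key):
    # Constructed key schedule: rotated key xor a round constant.
    return [rotl16(key, (5 * i) % 16) ^ ((0x9E37 * (i + 1)) & MASK) for i in range(ROUNDS + 1)]


def toy_encrypt(key, block):
    rk = round_keys(key)
    x = block
    for i in range(ROUNDS):
        x = rotl16(sub_nibbles(x ^ rk[i], SBOX), 5)
    return x ^ rk[ROUNDS]


def toy_decrypt(key, block):
    rk = round_keys(key)
    x = block ^ rk[ROUNDS]
    for i in reversed(range(ROUNDS)):
        x = sub_nibbles(rotr16(x, 5), INV_SBOX) ^ rk[i]
    return x


def double_encrypt(k1, k2, block):
    """Two independent 16-bit keys: a naive 32-bit key space."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Cost: 2^KEY_BITS encryptions to fill the table plus 2^KEY_BITS decryptions
    to probe it, with a 2^KEY_BITS-entry table, instead of the 2^(2*KEY_BITS)
    trials brute force needs.  Returns (candidate key pairs, cipher operations)."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):          # forward half: middle value -> keys
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    work = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):          # backward half: meet in the table
        work += 1
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # With a 16-bit block about 2^16 (k1, k2) pairs match the first
            # pair by chance; the remaining known pairs weed them out.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, work


# Constructed secret keys and known plaintexts for the demonstration.
K1, K2 = 0x3A7F, 0xD1C2
KNOWN_PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x0000, 0x1234, 0xBEEF, 0xC0DE)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(KNOWN_PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("cipher ops: 2^%.0f (brute force would be 2^%d)" % (math.log2(ops), 2 * KEY_BITS))
```

Scaled to real parameters the table is the expensive part: for two-key cascades it is the 2^56 entries, for three-key 3DES the 2^112 remaining trials, which is exactly the gap between "112 bits on paper" and "fantasy" that the message above draws.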
Re: Default hash
On 02/25/2011 07:39 PM, Robert J. Hansen wrote:
> Bruce himself recommends AES over TWOFISH.

[citation needed]

I know that he's recommended AES-128 over AES-256, but I've not read where he's recommended AES over TWOFISH.

>> I don't trust 3DES
>
> Why? Bruce himself has said that if speed isn't a concern, nothing else
> comes close to the trust level of 3DES.

Again, [citation needed]. 3DES has an effective security of only 80 bits due to the meet-in-the-middle attack and known- or chosen-plaintext attacks, and NIST is only willing to back the algo through 2030. The cryptanalysis seems pretty strong, and it is a slow algo. To each their own, but I'll pass.

> FWIW, I don't much care for the Cult of Schneier. He's a good cryppie,
> a good writer, a top-notch communicator -- but the idea of "supporting"
> him is, IMO, a little crazy.

Okay, "support" might have been the wrong word. Twofish performance is fast, and his new Skein algorithm, based off Threefish, is crazy fast. That said, AES is comparable. Twofish is implemented in a crazy amount of crypto software as well. Cryptanalysis is minimal, and the open license of the algorithm is commendable.

> A modified Borda count is used.

Ah. Okay. That works.

> With respect to your prefs, my standard advice applies: unless you know
> what you're doing and why, stick with the defaults.

Well, I wanted the defaults, but then I couldn't use the SHA2 signing algorithms, now could I? :)
Re: Default hash
On 2/25/11 6:05 PM, Aaron Toponce wrote:
> I chose Twofish as my first 256-bit cipher, as I support Bruce Schneier
> and it's shown to be a very robust and capable cipher, both in terms of
> speed and memory usage.

Bruce himself recommends AES over TWOFISH.

> I don't trust 3DES

Why? Bruce himself has said that if speed isn't a concern, nothing else comes close to the trust level of 3DES.

FWIW, I don't much care for the Cult of Schneier. He's a good cryppie, a good writer, a top-notch communicator -- but the idea of "supporting" him is, IMO, a little crazy.

> 1. User wishes to encrypt mail to me, so my cipher preferences in my
> public key are pulled.
> 2. My first preference, Twofish, is used, only if the sender supports
> the Twofish algorithm.

No. A modified Borda count is used.

With respect to your prefs, my standard advice applies: unless you know what you're doing and why, stick with the defaults.
Re: Default hash
On 02/25/2011 03:22 PM, Ben McGinnes wrote:
> You shouldn't need to worry about changing the preferred order. GPG
> will determine the most compatible combination of ciphers and hashes
> based on the keys used to encrypt messages. For example, my preferred
> symmetric cipher is AES-256, but on a certain mailing list I'm on
> encrypted messages sent there use Triple-DES because of the
> preferences/limitations of other recipients' keys. That's all the
> settings I listed were, an order of preference and not forcing one
> particular algorithm to the exclusion of all else.

Yeah. I'm not one that tends to break from default much, so if GnuPG has a good sane default set of cipher, signing and compression preferences, then who am I to argue? However, I did generate an RSA subkey, so I could get those SHA2 signing algos, and I want to use them. So, with that said, here's what I came up with for my own personal preference:

Cipher: TWOFISH, CAMELLIA256, AES256, CAMELLIA192, AES192, CAMELLIA128, AES, BLOWFISH, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, RIPEMD160, SHA1, MD5
Compression: BZIP2, ZLIB, ZIP, Uncompressed

I chose Twofish as my first 256-bit cipher, as I support Bruce Schneier and it's shown to be a very robust and capable cipher, both in terms of speed and memory usage. I then put Camellia over AES due to the low power consumption. I don't trust 3DES, and I don't know much about CAST5 other than what Wikipedia has.

Also, my understanding on how the preferences are chosen by GnuPG is the following:

1. User wishes to encrypt mail to me, so my cipher preferences in my public key are pulled.
2. My first preference, Twofish, is used, only if the sender supports the Twofish algorithm.
3. If not, the next cipher in my preference list, Camellia256, is then chosen, so long as the sender also supports Camellia256.
4. Proceed inductively, until a matching cipher that can be agreed on between the two parties is chosen.
5. Message is encrypted using the agreed algorithm.
6. The same is used for signatures and compression.

Is this accurate? Thoughts on the order of my prefs?
Re: Default hash
On 25/02/11 12:48 AM, Aaron Toponce wrote:
>
> I wanted to avoid breaking from default, which was the main reason
> for my post, but it appears that it's not possible if I want to use
> the stronger hashes, which is fine. As long as I know the
> limitations of my keys, and don't force preferences when sending
> encrypted/signed mail to others, I'm good.

You shouldn't need to worry about changing the preferred order. GPG will determine the most compatible combination of ciphers and hashes based on the keys used to encrypt messages. For example, my preferred symmetric cipher is AES-256, but on a certain mailing list I'm on encrypted messages sent there use Triple-DES because of the preferences/limitations of other recipients' keys. That's all the settings I listed were, an order of preference and not forcing one particular algorithm to the exclusion of all else.

Regards,
Ben
Re: Default hash
On 2/24/11 4:31 PM, Aaron Toponce wrote:
> If I run 'setpref S9 S10 S13 ...' when editing my key, then is adding
> all this to the gpg.conf file really necessary?

Yes. "setpref" is, IMO, a badly misnamed command. The preferences you attach to your certificate are more like a ranked set of capabilities: they are what you advertise to the world as what you're capable of accepting, and (to an extent) in which order you prefer them.[*]

The default-*-pref in your gpg.conf file is how you tell GnuPG what algorithms you wish to use, and in which order. E.g., if you encrypt a message to someone, the setprefs on your certificate are never even looked at: after all, you're only using your *recipient's* certificate. But if you have a default-*-pref, then GnuPG will (almost) always read and respect that.

[*] The OpenPGP spec does not require it be treated as a preference list, but only as a capability set. GnuPG does a modified Borda count, IIRC, to determine which algorithm to use -- basically, the union of sender and recipient capabilities is considered, and each of sender and recipient get to cast a "vote" on which algorithm is used. This is GnuPG-specific behavior: don't expect other OpenPGP implementations to do likewise.
Re: Default hash
On Thu, Feb 24, 2011 at 08:37:50PM +1100, Ben McGinnes wrote:
> Cipher: AES256, TWOFISH, CAMELLIA256, AES192, CAMELLIA192, AES,
> CAMELLIA128, 3DES, CAST5, BLOWFISH, IDEA
> Digest: SHA512, SHA384, SHA256, SHA224, RIPEMD160, SHA1, MD5
> Compression: BZIP2, ZLIB, ZIP, Uncompressed
> Features: MDC, Keyserver no-modify
>
> Then added this to gpg.conf:
>
> enable-dsa2
> default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8
> H11 H3 H2 H1 Z3 Z2 Z1 Z0
> personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
> personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
> personal-compress-preferences Z3 Z2 Z1 Z0

If I run 'setpref S9 S10 S13 ...' when editing my key, then is adding all this to the gpg.conf file really necessary? I would think that adding all this to the config would be only if you didn't want to change the preferences in your key. Then again, now that I think about it, if you don't set the preferences, then how is a sender supposed to know what you support?
Re: Default hash
On Thu, Feb 24, 2011 at 10:32:11AM -0500, Daniel Kahn Gillmor wrote:
> On 02/24/2011 04:03 AM, Doug Barton wrote:
> > You're using a 1024 bit DSA key, which won't allow for 256 bit hashes.
> > RIPEMD-160 is the largest you can use, and works well for that kind of key.
>
> This isn't actually the case. Aaron's primary key (0x8086060F) is
> indeed 1024-bit DSA, but his mail is signed with a 2048-bit RSA subkey
> (0xFC04088F), which is perfectly capable of using the stronger digests.

I just ran 'setpref' without any arguments, and it told me that SHA256 would be the default signing algorithm. So, when attempting to do the signatures, I found SHA1 was coming out. In the past (and now future), I signed all my mail with SHA512, just because I can. The message that started this thread, however, is signed with SHA1, as I wanted to show what was happening (run 'gpg -v --list-packets' on the sig). I didn't want to break from the defaults that GnuPG provided.

Due to my 1024-bit DSA key, it appears that RIPEMD-160, SHA1 and MD5 are my only options for signatures. So, with my 2048-bit RSA subkey, I can use all the SHA2 hashes. I had just thought that with the recent update of GnuPG, the SHA2 hashes were available to my DSA key as well. No worries. I'll stick with the non-default prefs in my ~/.gnupg/gpg.conf.
Re: Default hash
On 02/24/2011 04:03 AM, Doug Barton wrote:
> On 02/23/2011 22:26, Aaron Toponce wrote:
>> Given the release of v1.4.10, the SHA256 hashing algorithm is preferred
>> over SHA1. Yet, after updating my default preferences with 'setpref' and
>> signing some text, SHA1 is still used as the default hashing algorithm.
>> Is there something else I need to do to ensure that I'm using SHA256 by
>> default for the hash?
>
> You're using a 1024 bit DSA key, which won't allow for 256 bit hashes.
> RIPEMD-160 is the largest you can use, and works well for that kind of key.

This isn't actually the case. Aaron's primary key (0x8086060F) is indeed 1024-bit DSA, but his mail is signed with a 2048-bit RSA subkey (0xFC04088F), which is perfectly capable of using the stronger digests.

--dkg
Re: Default hash
On Thu, Feb 24, 2011 at 08:37:50PM +1100, Ben McGinnes wrote:
> On 24/02/11 8:03 PM, Doug Barton wrote:
> > You're using a 1024 bit DSA key, which won't allow for 256 bit
> > hashes. RIPEMD-160 is the largest you can use, and works well for
> > that kind of key.

Okay. That's understandable. That was why I generated a 2048-bit RSA subkey, so I could take advantage of the SHA2 algorithms. For some reason, I was thinking that with the update of GPG, my 1024-bit DSA key now had access to them.

> Well, he can use SHA256 or SHA512, but like mine it will be truncated
> to 160 bits, as was explained to me on this list a couple of months ago.
>
> As I recall, I edited the key with setpref to this:
>
> Cipher: AES256, TWOFISH, CAMELLIA256, AES192, CAMELLIA192, AES,
> CAMELLIA128, 3DES, CAST5, BLOWFISH, IDEA
> Digest: SHA512, SHA384, SHA256, SHA224, RIPEMD160, SHA1, MD5
> Compression: BZIP2, ZLIB, ZIP, Uncompressed
> Features: MDC, Keyserver no-modify
>
> Then added this to gpg.conf:
>
> enable-dsa2
> default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8
> H11 H3 H2 H1 Z3 Z2 Z1 Z0
> personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
> personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
> personal-compress-preferences Z3 Z2 Z1 Z0

I wanted to avoid breaking from default, which was the main reason for my post, but it appears that it's not possible if I want to use the stronger hashes, which is fine. As long as I know the limitations of my keys, and don't force preferences when sending encrypted/signed mail to others, I'm good.

> IDEA is only included because of one or two freaks I know who still
> use it. Oh and some ancient stuff I encrypted around fifteen years
> ago, but have yet to convert.

Yeah, no interest in IDEA here. :)

Thanks for your help.
Re: Default hash
> Given the release of v1.4.10, the SHA256 hashing algorithm is preferred
> over SHA1. Yet, after updating my default preferences with 'setpref' and
> signing some text, SHA1 is still used as the default hashing algorithm.
> Is there something else I need to do to ensure that I'm using SHA256 by
> default for the hash?

Add these two lines to your gpg.conf file:

enable-dsa2
personal-digest-preferences SHA256

(enable-dsa2 may no longer be necessary as of recent GnuPG versions, but it will certainly not harm anything.)
Re: Default hash
On 24/02/11 8:03 PM, Doug Barton wrote:
> On 02/23/2011 22:26, Aaron Toponce wrote:
>>
>> Given the release of v1.4.10, the SHA256 hashing algorithm is
>> preferred over SHA1. Yet, after updating my default preferences
>> with 'setpref' and signing some text, SHA1 is still used as the
>> default hashing algorithm. Is there something else I need to do to
>> ensure that I'm using SHA256 by default for the hash?
>
> You're using a 1024 bit DSA key, which won't allow for 256 bit
> hashes. RIPEMD-160 is the largest you can use, and works well for
> that kind of key.

Well, he can use SHA256 or SHA512, but like mine it will be truncated to 160 bits, as was explained to me on this list a couple of months ago.

As I recall, I edited the key with setpref to this:

Cipher: AES256, TWOFISH, CAMELLIA256, AES192, CAMELLIA192, AES, CAMELLIA128, 3DES, CAST5, BLOWFISH, IDEA
Digest: SHA512, SHA384, SHA256, SHA224, RIPEMD160, SHA1, MD5
Compression: BZIP2, ZLIB, ZIP, Uncompressed
Features: MDC, Keyserver no-modify

Then added this to gpg.conf:

enable-dsa2
default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8 H11 H3 H2 H1 Z3 Z2 Z1 Z0
personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
personal-compress-preferences Z3 Z2 Z1 Z0

IDEA is only included because of one or two freaks I know who still use it. Oh and some ancient stuff I encrypted around fifteen years ago, but have yet to convert.

Regards,
Ben
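The thread turns on three things a reader may want to check for themselves: what the numeric `default-preference-list` / `personal-*-preferences` strings in the gpg.conf snippets above actually name, why a SHA-256 or SHA-512 signature made with a 1024-bit DSA key is "truncated to 160 bits" as Ben says, and how to read which digest a signature really used from `gpg -v --list-packets` output as Aaron suggests. The script below is an added example written for this page; it is not code from the thread or from GnuPG. It assumes the algorithm ID numbers from RFC 4880 (sections 9.1 to 9.4), which are what GnuPG's S/H/Z preference tokens refer to, and the gpg.conf text and the `--list-packets` listing it parses are constructed samples with placeholder key IDs, not output captured from the list members' keys. It generalises slightly beyond the thread by flagging MD5 and SHA-1 signatures as weak, which is the check a reviewer would run over a batch of signatures today.

```python
import re

# Algorithm ID tables from RFC 4880 (sections 9.1 to 9.4) in the form GnuPG's
# preference strings use them: S = symmetric cipher, H = hash, Z = compression.
CIPHER_IDS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
              8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
              12: "CAMELLIA192", 13: "CAMELLIA256"}
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
            10: "SHA512", 11: "SHA224"}
COMPRESS_IDS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}
PUBKEY_IDS = {1: "RSA", 17: "DSA"}
HASH_BITS = {"MD5": 128, "SHA1": 160, "RIPEMD160": 160, "SHA224": 224,
             "SHA256": 256, "SHA384": 384, "SHA512": 512}
WEAK_HASHES = {"MD5", "SHA1"}   # digests a signature audit would flag today


def expand_prefs(pref_string):
    """Turn a numeric GnuPG preference list ("S9 H10 Z3 ...") into algorithm names."""
    tables = {"S": CIPHER_IDS, "H": HASH_IDS, "Z": COMPRESS_IDS}
    names = []
    for token in pref_string.split():
        kind, num = token[0].upper(), int(token[1:])
        if kind not in tables or num not in tables[kind]:
            raise ValueError("unknown preference token: " + token)
        names.append(tables[kind][num])
    return names


def parse_gpg_conf(text):
    """Read gpg.conf-style lines into {option: value}; flag-only options map to ''."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return options


def effective_digest_bits(hash_name, pubkey_algo, q_bits=None):
    """Bits of the digest that actually enter the signature.

    DSA signs only the leftmost min(|q|, |hash|) bits of the digest (RFC 4880
    5.2.2, FIPS 186-3), so a 1024-bit DSA key with a 160-bit q gets 160 bits
    even from SHA-512. RSA (PKCS#1 v1.5 in OpenPGP) signs the whole digest.
    """
    bits = HASH_BITS[hash_name]
    if pubkey_algo == "DSA":
        if q_bits is None:
            raise ValueError("q size is required for a DSA key")
        return min(bits, q_bits)
    return bits


SIG_HEADER = re.compile(r":signature packet: algo (\d+), keyid ([0-9A-Fa-f]+)")
DIGEST_LINE = re.compile(r"digest algo (\d+)")


def audit_signature_packets(listing):
    """Walk 'gpg -v --list-packets' output and report the digest each signature used."""
    results = []
    current = None
    for line in listing.splitlines():
        m = SIG_HEADER.search(line)
        if m:
            current = {"pubkey": PUBKEY_IDS.get(int(m.group(1)), "algo" + m.group(1)),
                       "keyid": m.group(2), "digest": None, "weak": None}
            results.append(current)
            continue
        m = DIGEST_LINE.search(line)
        if m and current is not None and current["digest"] is None:
            name = HASH_IDS.get(int(m.group(1)), "hash" + m.group(1))
            current["digest"] = name
            current["weak"] = name in WEAK_HASHES
    return results


# Constructed sample gpg.conf, shaped like the snippets quoted in the thread.
SAMPLE_CONF = """\
enable-dsa2
default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8 H11 H3 H2 H1 Z3 Z2 Z1 Z0
personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
personal-compress-preferences Z3 Z2 Z1 Z0
"""

# Constructed --list-packets output with placeholder key IDs: one DSA signature
# made with SHA-1 (digest algo 2) and one RSA signature made with SHA-512 (algo 10).
SAMPLE_LISTING = """\
:signature packet: algo 17, keyid DEADBEEF00000001
\tversion 4, created 1298531000, md5len 0, sigclass 0x01
\tdigest algo 2, begin of digest 3a 7f
:signature packet: algo 1, keyid DEADBEEF00000002
\tversion 4, created 1298531000, md5len 0, sigclass 0x01
\tdigest algo 10, begin of digest b1 c2
"""

if __name__ == "__main__":
    conf = parse_gpg_conf(SAMPLE_CONF)
    for opt in ("personal-cipher-preferences", "personal-digest-preferences",
                "personal-compress-preferences"):
        print(opt + ":", ", ".join(expand_prefs(conf[opt])))
    for h in ("SHA256", "SHA512"):
        print(h, "with 1024-bit DSA (q=160):", effective_digest_bits(h, "DSA", 160), "bits;",
              "with RSA:", effective_digest_bits(h, "RSA"), "bits")
    for sig in audit_signature_packets(SAMPLE_LISTING):
        print(sig["pubkey"], sig["keyid"], sig["digest"], "WEAK" if sig["weak"] else "ok")
```

Running it expands Ben's `personal-cipher-preferences` to exactly the cipher order his `setpref` output lists, shows SHA-256 and SHA-512 both collapsing to 160 bits under a DSA key whose q is 160 bits while RSA keeps the full digest, and marks the SHA-1 signature in the sample listing as weak. To audit real signatures, pipe `gpg -v --list-packets sig.asc` into `audit_signature_packets`.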
Re: Default hash
On 02/23/2011 22:26, Aaron Toponce wrote:
> Given the release of v1.4.10, the SHA256 hashing algorithm is preferred
> over SHA1. Yet, after updating my default preferences with 'setpref' and
> signing some text, SHA1 is still used as the default hashing algorithm.
> Is there something else I need to do to ensure that I'm using SHA256 by
> default for the hash?

You're using a 1024 bit DSA key, which won't allow for 256 bit hashes. RIPEMD-160 is the largest you can use, and works well for that kind of key.

hth,

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Default hash
Given the release of v1.4.10, the SHA256 hashing algorithm is preferred over SHA1. Yet, after updating my default preferences with 'setpref' and signing some text, SHA1 is still used as the default hashing algorithm. Is there something else I need to do to ensure that I'm using SHA256 by default for the hash?

Thanks,