Re: Selecting cipher to generate a key pair

2009-09-09 Thread vedaal
From:   Smith, Cathy cathy.smith () pnl ! gov
Date:   2009-04-30 21:54:15
Message-ID: 255999BBAD1AEE4EA6AA193F66611642AEAA0A () EMAIL03 ! pnl 
! 


Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair?

yes,

(temporarily) put the following options into your gpg.conf file;

s2k-cipher-algo Blowfish
expert  

(you can comment it out with a # in front of it after you generate 
the key, if you plan to use this often or change ciphers)

caveats:

[1] if you do this, then if you encrypt anything symmetrically
(i.e. not to a public key), it will use the same cipher unless you 
specifically mention which cipher to use when you encrypt 
symmetrically

[2] might not need the option of 'expert', am not sure
(but if you want to do custom stuff, just leave it there anyway,
and more choices will show up at the gpg prompt ;-)  )


vedaal 


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


RE: Selecting cipher to generate a key pair

2009-05-07 Thread Smith, Cathy
I wanted to provide closure on this thread.  The customer was able to
accept the public key that I generated using this method.

I learned from the customer yesterday that they are using Bouncy Castle,
bcpg v. 1.33.

Thanks very much for your help.


Regards,


Cathy
---
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone:  509.375.2687
Fax:  509.375.2330
Email:  cathy.sm...@pnl.gov


-Original Message-
From: Robert J. Hansen [mailto:r...@sixdemonbag.org] 
Sent: Friday, May 01, 2009 4:39 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
 The customer said they have a proprietary implementation that only 
 supports Blowfish or 3DES for the key.  I'm still trying to find out 
 exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file.  This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal.  Then encrypt a message using their public key and send it on
to them.  If they can read it, great.  If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures.  Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.




Re: Selecting cipher to generate a key pair

2009-05-02 Thread David Bernier

Dear Robert J. Hansen,


Robert J. Hansen wrote:
 Smith, Cathy wrote:
 Is there a brief explanation available as to how the cipher is used in
 generating the private/public keys?  It seems this is separate from the
 cipher that is chosen to encrypt my data.

 r...@chronicles:~$ gpg --enable-dsa2 --gen-key
 Please select what kind of key you want:
    (1) DSA and Elgamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)

 If you choose #1, you will be using, by default, DSA as a signature
 algorithm, AES256 as a general-purpose message encryption algorithm,
 Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.

 None of these algorithms are actually used to generate the
 private/public keys, though.  The private and public keys are just
 numbers.  GnuPG generates those numbers from a cryptographically secure
 pseudorandom number generator, then subjects the numbers to a battery of
 mathematical tests to make sure the keys are safe to use.

 Is it possible for you to tell us what algorithms your correspondent
 expects you to use?  Knowing that might help us out quite a bit.


I'd like to know more about the process by which unsigned packages become
signed packages. This matters, I think, when using SELinux, which is what
I do.

Some packages are unsigned, e.g. Xcas, a computer algebra system by
Bernard Parisse at a university in France:

 http://www-fourier.ujf-grenoble.fr/~parisse/english.html 

I had to tell the SELinux motor that she must trust two modules loaded
dynamically when Xcas is launched. I succeeded after many hours.

It would be easier, I think, if Xcas (the application) had an electronic
signature by someone that Fedora 10 trusts ...

Thanks a lot,

David Bernier





Re: Selecting cipher to generate a key pair

2009-05-02 Thread Robert J. Hansen
David Bernier wrote:
 I'd like to know more about the process by which unsigned packages become
 signed packages. This matters, I think, when using SELinux, which is what
 I do.

This process will vary from operating system to operating system.  What
works for Fedora isn't the same as what works for Ubuntu isn't the same
as what works for FreeBSD isn't the same as what works for Windows.

I don't know how Fedora works, so I'm not able to answer this question.
 I would suggest asking on a Fedora mailing list.





RE: Selecting cipher to generate a key pair

2009-05-01 Thread Smith, Cathy
My apologies to the group.  I meant to say  
gpg --gen-key

I have a customer who can not accept our pgp public key.  They are
asking for a specific cipher to be used in generating the public key.
After some reading yesterday, it seemed that gpg might be the solution. 

I don't have any experience with gpg, and limited pgp experience.  


Regards,


Cathy


-Original Message-
From: Smith, Cathy 
Sent: Thursday, April 30, 2009 2:54 PM
To: 'gnupg-users@gnupg.org'
Subject: Selecting cipher to generate a key pair

Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair?

I've read email posted in the archives, and FAQ that indicates this is
possible.  I don't see an option to do that just running
pgp --gen-key

Thanks.


Cathy





RE: Selecting cipher to generate a key pair

2009-05-01 Thread vedaal
Smith, Cathy cathy.smith () pnl ! gov wrote on
Date: 2009-05-01 16:08:44 :

I have a customer who can not accept our pgp public key.  
They are asking for a specific cipher to be used in generating the 
public key.


this sounds like there might be a 'problem' ...

there are people who 'can' use 'any' cipher, but prefer a 
particular one,
or have a company policy to use a specific one, e.g. AES-256 or 
3DES

and there are people whose programs can use only 'one' cipher, and 
no others

at the risk of taking 'wild guesses' ;-)
the only situations i can think of where a person 'cannot' accept 
anything other than one cipher are:

[1] a die-hard pgp 2.x user who needs a v3 key using IDEA
(yes, they still exist, but probably won't survive the move to 64 
bit systems)

[2] a company that is bound by some standard to use AES or 3DES
(i can't imagine any company really insisting on 'only Blowfish' 
and nothing else ;-) )
[ anyway, it was 'cracked on 24' and shown on network tv to have a 
'backdoor' ;-) ]

{please excuse the 'semi-off' geek humor, 
blowfish has 'no' backdoor and is still quite secure, 
no matter what hollywood writers say ;-)) }

if you have situation [1], you are out of luck using any current 
gnupg or pgp,
(there was a post on how to do this with an older gnupg version, 
but it would be much simpler to just use pgp2.x to generate it)

if you have situation [2],
it is much easier,

temporarily put the following 2 lines in your gpg.conf

expert
s2k-cipher-algo name ('name' is the name of the cipher your client 
wants)

then save your gpg.conf
and run

gpg --gen-key

the key will be generated with the cipher your client wants


if this still doesn't help,
then please post 'exactly' what you need done


vedaal



RE: Selecting cipher to generate a key pair

2009-05-01 Thread Smith, Cathy
Is there a brief explanation available as to how the cipher is used in
generating the private/public keys?  It seems this is separate from the
cipher that is chosen to encrypt my data.


Thanks.


Cathy




-Original Message-
From: gnupg-users-boun...@gnupg.org
[mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Robert J. Hansen
Sent: Thursday, April 30, 2009 9:14 PM
To: Allen Schultz
Cc: gnupg-users
Subject: Re: Selecting cipher to generate a key pair

Allen Schultz wrote:
 What's the default to encrypting/hashing the secret key? And how good
 is it?

CAST5-128.

It's hard to talk about how good it is.  Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details.

Ultimately, it would be like arguing whether King Kong or Godzilla is
better at urban destruction.  Biologists can argue until the cows come
home which one would be better and why, but from the perspective of your
average inhabitant of Tokyo or New York City the answer is, Who cares?
 Get out of town _right now_!

From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine.  The only instances I'm aware of in
which CAST5-128 doesn't do the job well are ones where bureaucratic
rules require specific algorithms, and CAST5-128 isn't on that
checklist.  That's a bureaucratic failing, though, not a failing of
CAST5-128.



Re: Selecting cipher to generate a key pair

2009-05-01 Thread Robert J. Hansen
Smith, Cathy wrote:
 Is there a brief explanation available as to how the cipher is used in
 generating the private/public keys?  It seems this is separate from the
 cipher that is chosen to encrypt my data.


r...@chronicles:~$ gpg --enable-dsa2 --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)


If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.

None of these algorithms are actually used to generate the
private/public keys, though.  The private and public keys are just
numbers.  GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery of
mathematical tests to make sure the keys are safe to use.

Is it possible for you to tell us what algorithms your correspondent
expects you to use?  Knowing that might help us out quite a bit.






RE: Selecting cipher to generate a key pair

2009-05-01 Thread Smith, Cathy
The customer stated that he can accept a public key generated with
either Blowfish or Triple-DES.  I wasn't sure what he needed because all
I've dealt with in generating a key pair before is selecting the DSA or
RSA option.  Our PGP version doesn't offer the DSA and Elgamal option. 

I've sent him a GnuPG-generated key, and asked him to find out if they
are using GnuPG.  I haven't heard from him today.  



Cathy


-Original Message-
From: Robert J. Hansen [mailto:r...@sixdemonbag.org] 
Sent: Friday, May 01, 2009 3:58 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
 Is there a brief explanation available as to how the cipher is used in
 generating the private/public keys?  It seems this is separate from 
 the cipher that is chosen to encrypt my data.


r...@chronicles:~$ gpg --enable-dsa2 --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)


If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash
algorithm.

None of these algorithms are actually used to generate the
private/public keys, though.  The private and public keys are just
numbers.  GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery of
mathematical tests to make sure the keys are safe to use.

Is it possible for you to tell us what algorithms your correspondent
expects you to use?  Knowing that might help us out quite a bit.






Re: Selecting cipher to generate a key pair

2009-05-01 Thread Robert J. Hansen
Smith, Cathy wrote:
 The customer stated that he can accept a public key generated with
 either Blowfish or Triple-DES.  I wasn't sure what he needed because all
 I've dealt with in generating a key pair before is selecting the DSA or
 RSA option.  Our PGP version doesn't offer the DSA and Elgamal option. 

It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS.  (Long story, but yes, they're the exact same thing.)

That said, your customer does not appear to understand how GnuPG or PGP
work.  _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.





RE: Selecting cipher to generate a key pair

2009-05-01 Thread Smith, Cathy
I agree about the lack of understanding.  It's been difficult to get
specific information from the customer.  I don't have the option of
saying it's their problem.  The GnuPG was a guess after I read something
about specifying the cipher algorithm.  

The customer said they have a proprietary implementation that only
supports Blowfish or 3DES for the key.  I'm still trying to find out
exactly what that means.  I've talked to the folks here at work who
understand these things better than I, and all have shaken their heads.  

I appreciate your assistance.



Cathy


-Original Message-
From: Robert J. Hansen [mailto:r...@sixdemonbag.org] 
Sent: Friday, May 01, 2009 4:22 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
 The customer stated that he can accept a public key generated with 
 either Blowfish or Triple-DES.  I wasn't sure what he needed because 
 all I've dealt with in generating a key pair before is selecting the 
 DSA or RSA option.  Our PGP version doesn't offer the DSA and Elgamal
 option.

It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS.  (Long story, but yes, they're the exact same
thing.)

That said, your customer does not appear to understand how GnuPG or PGP
work.  _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.





RE: Selecting cipher to generate a key pair

2009-05-01 Thread Smith, Cathy
Thanks.  I'll try that.


Cathy 




-Original Message-
From: Robert J. Hansen [mailto:r...@sixdemonbag.org] 
Sent: Friday, May 01, 2009 4:39 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
 The customer said they have a proprietary implementation that only 
 supports Blowfish or 3DES for the key.  I'm still trying to find out 
 exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file.  This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal.  Then encrypt a message using their public key and send it on
to them.  If they can read it, great.  If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures.  Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.




Re: Selecting cipher to generate a key pair

2009-05-01 Thread John W. Moore III

Robert J. Hansen wrote:
 Smith, Cathy wrote:
 The customer said they have a proprietary implementation that only
 supports Blowfish or 3DES for the key.  I'm still trying to find out
 exactly what that means.
 
 Okay, that much makes sense now.
 
 I would suggest adding:
 
 cipher-algo 3DES
 
 ... to your .gnupg/gpg.conf file.  This is a sledgehammer solution, and
 not one I'd generally recommend; however, the downsides are pretty
 minimal.  Then encrypt a message using their public key and send it on
 to them.  If they can read it, great.  If they can't, then the problem
 is their proprietary implementation of OpenPGP is shoddy.

Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES
must be used [and they are associating it with their Key] then wouldn't
this mean that the *only* preference broadcast by their Key is 3DES?  If
this is the case then wouldn't GPG automatically select this cipher
algorithm by default as the only compatible one between the two parties?
 :-\

JOHN ;)
Timestamp: Friday 01 May 2009, 19:49  --400 (Eastern Daylight Time)


Re: Selecting cipher to generate a key pair

2009-05-01 Thread Robert J. Hansen
John W. Moore III wrote:
 Riddle Me this, Robert; _if_ The Customer has a requirement that
 3DES must be used [and they are associating it with their Key] then
 wouldn't this mean that the *only* preference broadcast by their Key
 is 3DES?

You're assuming the customer's key is correctly advertising their
preferences.  If their proprietary implementation is a shoddy one, then
maybe it advertises capabilities they don't really have.

 If this is the case then wouldn't GPG automatically select this
 cipher algorithm by default as the only compatible one between the
 two parties?

You'd hope so, yes -- but I think we might want to consider the
possibility the customer's implementation is terribly broken.
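
The preference question raised by John W. Moore III and answered by Robert J. Hansen above, as an added example that is not part of the original thread and is not GnuPG's code: a simplified Python model of the RFC 4880 rule that the sender picks a cipher from the recipient key's preferred-symmetric-algorithms subpacket (3DES tacitly last), and of how a cipher-algo style override sidesteps a key that advertises ciphers its owner cannot handle. The subpacket bytes, the SENDER list and the summed-rank selection are assumptions made for the illustration.

```python
# Added example, not GnuPG source: a simplified model of OpenPGP cipher choice.
# IDs are the RFC 4880 section 9.2 symmetric-key algorithm numbers.
SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
TRIPLE_DES = 2
PREF_SYM = 11  # signature subpacket type: preferred symmetric algorithms


def parse_subpackets(area):
    """Split a hashed-subpacket area (RFC 4880 5.2.3.1) into {type: body}."""
    out, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 1 >= len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        # The length counts the type octet; the type's top bit is the critical flag.
        out[area[i] & 0x7F] = area[i + 1:i + length]
        i += length
    return out


def advertised_ciphers(area):
    """Ciphers a key claims to accept, in order; 3DES is tacitly last (RFC 4880 13.2)."""
    prefs = list(parse_subpackets(area).get(PREF_SYM, b""))
    if TRIPLE_DES not in prefs:
        prefs.append(TRIPLE_DES)
    return prefs


def choose_cipher(recipient_areas, sender_supports, forced=None):
    """Return (cipher_id, violates_prefs). `forced` models a cipher-algo override."""
    pref_lists = [advertised_ciphers(a) for a in recipient_areas]
    allowed = set(sender_supports) | {TRIPLE_DES}   # 3DES is must-implement
    for prefs in pref_lists:
        allowed &= set(prefs)
    if forced is not None:
        return forced, forced not in allowed
    # Simplification (assumption): lowest summed rank across all recipients wins.
    best = min(allowed, key=lambda a: (sum(p.index(a) for p in pref_lists), a))
    return best, False


def name(result):
    cipher, violates = result
    return SYM_ALGOS[cipher] + (" (violates recipient preferences)" if violates else "")


# Constructed hashed-subpacket areas, not taken from any real key.
HONEST = bytes([2, 27, 0x0C, 3, PREF_SYM, 4, 2])            # lists Blowfish, 3DES
SHODDY = bytes([2, 27, 0x0C, 6, PREF_SYM, 9, 7, 3, 4, 2])   # claims AES256 first
NO_PREFS = bytes([2, 27, 0x0C])                             # no preference subpacket
SENDER = [9, 8, 7, 3, 2, 4, 10]                             # assumed sender build

if __name__ == "__main__":
    print("honest key          :", name(choose_cipher([HONEST], SENDER)))
    print("over-advertising key:", name(choose_cipher([SHODDY], SENDER)))
    print("same key, forced 3DES:", name(choose_cipher([SHODDY], SENDER, forced=2)))
    print("honest key, forced AES256:", name(choose_cipher([HONEST], SENDER, forced=9)))
    print("key without prefs   :", name(choose_cipher([NO_PREFS], SENDER)))
```

With the constructed SHODDY key the model picks AES256, which a recipient limited to Blowfish or 3DES could not decrypt; forcing 3DES stays inside the advertised list. Forcing AES256 against the HONEST key is reported as a preference violation.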




Re: Selecting cipher to generate a key pair

2009-05-01 Thread Faramir

John W. Moore III wrote:
...
 Riddle Me this, Robert; _if_ The Customer has a requirement that 3DES
 must be used [and they are associating it with their Key] then wouldn't
 this mean that the *only* preference broadcast by their Key is 3DES?  If
 this is the case then wouldn't GPG automatically select this cipher
 algorithm by default as the only compatible one between the two parties?

  Yes, I was thinking the same thing... But don't forget the customer
can handle Blowfish too (but GPG can handle it too, so the question
remains the same).

  Best Regards


Re: Selecting cipher to generate a key pair

2009-05-01 Thread Faramir

Robert J. Hansen wrote:
 Smith, Cathy wrote:
 The customer said they have a proprietary implementation that only
 supports Blowfish or 3DES for the key.  I'm still trying to find out
 exactly what that means.
 
 Okay, that much makes sense now.
 
 I would suggest adding:
 
 cipher-algo 3DES

  But... isn't GPG expected to recognise the preferences (or
capabilities) in the customer's key and use the right algo automatically?

  Best Regards


Re: Selecting cipher to generate a key pair

2009-05-01 Thread Faramir

Robert J. Hansen wrote:
 John W. Moore III wrote:
 Riddle Me this, Robert; _if_ The Customer has a requirement that
 3DES must be used [and they are associating it with their Key] then
 wouldn't this mean that the *only* preference broadcast by their Key
 is 3DES?
 
 You're assuming the customer's key is correctly advertising their
 preferences.  If their proprietary implementation is a shoddy one, then
 maybe it advertises capabilities they don't really have.

  Ahh... Ok, that explains it. Is it possible to change the preferences
(edit the public key) without having the private key? Or maybe to set a
rule somewhere to force gpg to use Blowfish or 3DES, but just for that
specific customer?

  Best Regards


re: Selecting cipher to generate a key pair

2009-04-30 Thread vedaal
Is it possible to select a specific cipher, such as Triple-DES or 
Blowfish, to use to generate a key pair?

if, by selection, you mean to choose that cipher as the one 
protecting your secret key, then yes

use the following options:

--expert
--s2k-cipher-algo name
(either Blowfish or 3DES, or any other one you wish)

n.b.

[1] a key generated this way will still be able to use any cipher 
while decrypting or encrypting a pgp message

[2] do not add '--s2k-cipher-algo name' to your gpg.conf,
unless you want all symmetric messages (not encrypted to a Public 
Key) to be the same as the cipher of your secret key


vedaal



Re: Selecting cipher to generate a key pair

2009-04-30 Thread Allen Schultz

ved...@hush.com wrote:
 (either Blowfish or 3DES, or any other one you wish)

What's the default to encrypting/hashing the secret key? And how good is it?

Allen


Re: Selecting cipher to generate a key pair

2009-04-30 Thread Robert J. Hansen
Allen Schultz wrote:
 What's the default to encrypting/hashing the secret key? And how good is it?

CAST5-128.

It's hard to talk about how good it is.  Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details.

Ultimately, it would be like arguing whether King Kong or Godzilla is
better at urban destruction.  Biologists can argue until the cows come
home which one would be better and why, but from the perspective of your
average inhabitant of Tokyo or New York City the answer is, Who cares?
 Get out of town _right now_!

From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine.  The only instances I'm aware of in
which CAST5-128 doesn't do the job well are ones where bureaucratic
rules require specific algorithms, and CAST5-128 isn't on that
checklist.  That's a bureaucratic failing, though, not a failing of
CAST5-128.
