Mailing List Archive: GnuPG: users

Selecting cipher to generate a key pair

Index | Next | Previous | View Threaded

cathy.smith at pnl

Apr 30, 2009, 2:54 PM

Post #1 of 22 (2613 views)
Permalink

Selecting cipher to generate a key pair

Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair?

I've read email posted in the archives, and FAQ that indicates this is
possible. I don't see an option to do that just running
pgp --gen-key

Thanks.

Cathy

---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

vedaal at hush

Apr 30, 2009, 5:01 PM

Post #2 of 22 (2530 views)
Permalink

re: Selecting cipher to generate a key pair [In reply to]

>Is it possible to select a specific cipher, such as >Triple-DES or
Blowfish, to use to generate a key pair?

if, by selection, you mean to choose that cipher as the one
protecting your secret key, then yes

use the following options:

--expert
--s2k-cipher-algo name
(either Blowfish or 3DES, or any other one you wish)

n.b.

[1] a key generated this way will still be able to use any cipher
while decrypting or encrypting a pgp message

[2] do not add '--s2k-cipher-algo name' to your gpg.conf,
unless you want all symmetric messages (not encrypted to a Public
Key) to be the same as the cipher of your secret key

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

--
Save big on Stock Trading Fees. Click Now!
http://tagline.hushmail.com/fc/BLSrjkqa2gbQZjvQvfwfqPj2p6No8bU1TUERhp1RsUquoWLdpYh4lrVcPGA/

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

allen.schultz at gmail

Apr 30, 2009, 8:08 PM

Post #3 of 22 (2534 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

vedaal [at] hush wrote:
> (either Blowfish or 3DES, or any other one you wish)

What's the default to encrypting/hashing the secret key? And how good is it?

Allen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkn6Z7kACgkQV5r3Eu55xjanrACfVimubOHp5KgXJGEg1elOoTml
jisAn1OYTpLp8Dz9V6Ld/ppp9gL4OpXS
=o0AU
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

Apr 30, 2009, 9:13 PM

Post #4 of 22 (2533 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

Allen Schultz wrote:
> What's the default to encrypting/hashing the secret key? And how good is it?

CAST5-128.

It's hard to talk about how good it is. Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details.

Ultimately, it would be like arguing whether King Kong or Godzilla is
better at urban destruction. Biologists can argue until the cows come
home which one would be better and why, but from the perspective of your
average inhabitant of Tokyo or New York City the answer is, "Who cares?
Get out of town _right now_!"

>From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine. The only instances I'm aware of in
which CAST5-128 doesn't do the job well are ones where bureaucratic
rules require specific algorithms, and CAST5-128 isn't on that
checklist. That's a bureaucratic failing, though, not a failing of
CAST5-128.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 1, 2009, 9:08 AM

Post #5 of 22 (2516 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

My apologies to the group. I meant to say
gpg --gen-key

I have a customer who can not accept our pgp public key. They are
asking for a specific cipher to be used in generating the public key.
After some reading yesterday, it seemed that gpg might be the solution.

I don't have any experience with gpg, and limited pgp experience.

Regards,

Cathy
---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: Smith, Cathy
Sent: Thursday, April 30, 2009 2:54 PM
To: 'gnupg-users [at] gnupg'
Subject: Selecting cipher to generate a key pair

Is it possible to select a specific cipher, such as Triple-DES or
Blowfish, to use to generate a key pair?

I've read email posted in the archives, and FAQ that indicates this is
possible. I don't see an option to do that just running
pgp --gen-key

Thanks.

Cathy

---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

vedaal at hush

May 1, 2009, 11:41 AM

Post #6 of 22 (2520 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

"Smith, Cathy" <cathy.smith () pnl ! gov> wrote on
Date: 2009-05-01 16:08:44 :

>I have a customer who can not accept our pgp public key.
>They are asking for a specific cipher to be used in generating the
public key.

this sounds like there might be a 'problem' ...

there are people who 'can' use 'any' cipher, but prefer a
particular one,
or have a company policy to use a specific one, e.g . AES-256 or
3DES

and there are people whose programs can use only 'one' cipher, and
no others

at the risk of taking 'wild guesses' ;-)
the only situations i can think of where a person 'cannot' accept
anything other than one cipher are:

[1] a die-hard pgp 2.x user who needs a v3 key using IDEA
(yes, they still exist, but probably won't survive the move to 64
bit systems)

[2] a company that is bound by some standard to use AES or 3DES
(i can't imagine any company really insisting on 'only Blowfish'
and nothing else ;-) )
[. anyway, it was 'cracked on 24' and shown on network tv to have a
'backdoor' ;-) ]

{please excuse the 'semi-off' geek humor,
blowfish has 'no' backdoor and is still quite secure,
no matter what hollywood writers say ;-)) }

if you have situation [1], you are out of luck using any current
gnupg or pgp,
(there was a post on how to do this with an older gnupg version,
but it would be much simpler to just use pgp2.x to generate it)

if you have situation [2],
it is much easier,

temporarily put the following 2 lines in your gpg.conf

expert
s2k-cipher-algo name ('name' is the name of the cipher your client
wants)

then save your gpg.conf
and run

gpg --gen-key

the key will be generated with the cipher your client wants

if this still doesn't help,
then please post 'exactly' what you need done

vedaal

any ads or links below this message are added by hushmail without
my endorsement or awareness of the nature of the link

--
Click to learn about options trading and get the latest information.
http://tagline.hushmail.com/fc/BLSrjkqecvgtaqxBQoBwCwuiy1xiCJDJ0xgdXq4JeQ5VIifkutIcKtAkaYI/

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 1, 2009, 2:42 PM

Post #7 of 22 (2513 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

Is there a brief explanation available as to how the cipher is used in
generating the private/public keys? It seems this is separate from the
cipher that is chosen to encrypt my data.

Thanks.

Cathy

---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: gnupg-users-bounces [at] gnupg
[mailto:gnupg-users-bounces [at] gnupg] On Behalf Of Robert J. Hansen
Sent: Thursday, April 30, 2009 9:14 PM
To: Allen Schultz
Cc: gnupg-users
Subject: Re: Selecting cipher to generate a key pair

Allen Schultz wrote:
> What's the default to encrypting/hashing the secret key? And how good
is it?

CAST5-128.

It's hard to talk about how good it is. Cryptography is an intensively
mathematical discipline, and most people are not very well-equipped to
discuss those details.

Ultimately, it would be like arguing whether King Kong or Godzilla is
better at urban destruction. Biologists can argue until the cows come
home which one would be better and why, but from the perspective of your
average inhabitant of Tokyo or New York City the answer is, "Who cares?
Get out of town _right now_!"

>From the perspective of the overwhelming majority of OpenPGP users,
CAST5-128 does the job just fine. The only instances I'm aware of in
which CAST5-128 doesn't do the job well are ones where bureaucratic
rules require specific algorithms, and CAST5-128 isn't on that
checklist. That's a bureaucratic failing, though, not a failing of
CAST5-128.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 1, 2009, 3:57 PM

Post #8 of 22 (2514 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

Smith, Cathy wrote:
> Is there a brief explanation available as to how the cipher is used in
> generating the private/public keys? It seems this is separate from the
> cipher that is chosen to encrypt my data.

rjh [at] chronicle:~$ gpg --enable-dsa2 --gen-key
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.

None of these algorithms are actually used to generate the
private/public keys, though. The private and public keys are just
numbers. GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery of
mathematical tests to make sure the keys are safe to use.

Is it possible for you to tell us what algorithms your correspondent
expects you to use? Knowing that might help us out quite a bit.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 1, 2009, 4:04 PM

Post #9 of 22 (2514 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

The customer stated that he can accept a public key generated with
either Blowfish or Triple-DES. I wasn't sure what he needed because all
I've dealt with in generating a key pair before is selecting the DSA or
RSA option. Our PGP version doesn't offer the DSA and Elgamal option.

I've sent him a GnuPG-generated key, and asked him to find out if they
are using GnuPG. I haven't heard from him today.

Cathy
---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: Robert J. Hansen [mailto:rjh [at] sixdemonbag]
Sent: Friday, May 01, 2009 3:58 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
> Is there a brief explanation available as to how the cipher is used in

> generating the private/public keys? It seems this is separate from
> the cipher that is chosen to encrypt my data.

rjh [at] chronicle:~$ gpg --enable-dsa2 --gen-key Please select what kind of
key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)

If you choose #1, you will be using, by default, DSA as a signature
algorithm, AES256 as a general-purpose message encryption algorithm,
Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash
algorithm.

None of these algorithms are actually used to generate the
private/public keys, though. The private and public keys are just
numbers. GnuPG generates those numbers from a cryptographically secure
pseudorandom number generator, then subjects the numbers to a battery of
mathematical tests to make sure the keys are safe to use.

Is it possible for you to tell us what algorithms your correspondent
expects you to use? Knowing that might help us out quite a bit.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 1, 2009, 4:21 PM

Post #10 of 22 (2519 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

Smith, Cathy wrote:
> The customer stated that he can accept a public key generated with
> either Blowfish or Triple-DES. I wasn't sure what he needed because all
> I've dealt with in generating a key pair before is selecting the DSA or
> RSA option. Our PGP version doesn't offer the DSA and Elgamal option.

It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS. (Long story, but yes, they're the exact same thing.)

That said, your customer does not appear to understand how GnuPG or PGP
work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 1, 2009, 4:31 PM

Post #11 of 22 (2516 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

I agree that with the lack of understanding. It's been difficult to get
specific information from the customer. I don't have the option of
saying it's their problem. The GnuPG was a guess after I read something
about specifying the cipher algorithm.

The customer said they have a proprietary implementation that only
supports Blowfish or 3DES for the key. I'm still trying to find out
exactly what that means. I've talked to the folks here at work who
understand these things better than I, and all have shook their head.

I appreciate your assistance.

Cathy
---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: Robert J. Hansen [mailto:rjh [at] sixdemonbag]
Sent: Friday, May 01, 2009 4:22 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
> The customer stated that he can accept a public key generated with
> either Blowfish or Triple-DES. I wasn't sure what he needed because
> all I've dealt with in generating a key pair before is selecting the
> DSA or RSA option. Our PGP version doesn't offer the DSA and Elgamal
option.

It probably does, actually; PGP just, for marketing reasons, calls it
Diffie-Hellman/DSS. (Long story, but yes, they're the exact same
thing.)

That said, your customer does not appear to understand how GnuPG or PGP
work. _All_ OpenPGP-conformant applications (GnuPG, PGP, and others)
can handle 3DES; and 3DES has absolutely nothing to do with how you
generate your public key.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 1, 2009, 4:39 PM

Post #12 of 22 (2513 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures. Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 1, 2009, 4:41 PM

Post #13 of 22 (2508 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

Thanks. I'll try that.

Cathy

---
Cathy L. Smith
Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: Robert J. Hansen [mailto:rjh [at] sixdemonbag]
Sent: Friday, May 01, 2009 4:39 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures. Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

jmoore3rd at bellsouth

May 1, 2009, 4:49 PM

Post #14 of 22 (2506 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert J. Hansen wrote:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES
>
> ... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
> not one I'd generally recommend; however, the downsides are pretty
> minimal. Then encrypt a message using their public key and send it on
> to them. If they can read it, great. If they can't, then the problem
> is their proprietary implementation of OpenPGP is shoddy.

Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
must be used [and they are associating it with their Key] then wouldn't
this mean that the *only* preference broadcast by their Key is 3DES? If
this is the case then wouldn't GPG automatically select this cipher
algorithm by default as the only compatible one between the two parties?
:-\

JOHN ;)
Timestamp: Friday 01 May 2009, 19:49 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4987: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

iQEcBAEBCgAGBQJJ+4qAAAoJEBCGy9eAtCsP3o8H/ja6jCWz1bYjjTNXbhLzd5OE
BIgvdlCCsR0Nrm4VY5jGXiOPbk9NYse/43F/DZyQQyyowuRBj3whtpUx6Ueacy+o
u5R6skOdk5AG+HKPVwQ4Zgb4LZhl1Fu4VxOOxWXSW01MnJoxVdtwpj5ylZU5vC7C
EtytAK4HOh1DuQLQYLICupYXhK4TvnbeDRR9s2n6s9n+q1JXFpOEIk5w5d1iJfOk
vn2p8TQ9PrTkMFxweA9gbNoTesH9U5tqmXockb1Mp6JoUz1n56pPWLCyWMxub6f2
GyQNc17RZ/J5qwiY+qK+Mf1L1ONJO3y2zCJfJQxqL0MpODaZFYiOyr3Ws9tVafU=
=A7I6
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 1, 2009, 4:59 PM

Post #15 of 22 (2522 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

John W. Moore III wrote:
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
> 3DES must be used [and they are associating it with their Key] then
> wouldn't this mean that the *only* preference broadcast by their Key
> is 3DES?

You're assuming the customer's key is correctly advertising their
preferences. If their proprietary implemention is a shoddy one, then
maybe it advertises capabilities they don't really have.

> If this is the case then wouldn't GPG automatically select this
> cipher algorithm by default as the only compatible one between the
> two parties?

You'd hope so, yes -- but I think we might want to consider the
possibility the customer's implementation is terribly broken.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

faramir.cl at gmail

May 1, 2009, 5:31 PM

Post #16 of 22 (2506 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen escribió:
> Smith, Cathy wrote:
>> The customer said they have a proprietary implementation that only
>> supports Blowfish or 3DES for the key. I'm still trying to find out
>> exactly what that means.
>
> Okay, that much makes sense now.
>
> I would suggest adding:
>
> cipher-algo 3DES

But... isn't GPG expected to recognise the preferences (or
capabilities) in the customer's key and use the right algo automatically?

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJJ+5RfAAoJEMV4f6PvczxAWw8IAJ5sC1DHLeG+AujAPlCw2OUV
LhsgMuPpA/fc5A4UpA4fuZMAWdKYS/xhFiJ8c/aLTJrK3CToCXaR9NVdJLMzNNaq
cRISV2Qfe8HVxVttVyk2pDIUHFxt6yIvAn8BomC6MDu2Mo/VUwm9WcUfdR4nsspI
jetzKZmxKLpckpoOCTW7IHNpD83LGsyksPI5hJq5AMHfcHIWGelTYGeyeFnUdQaN
o9c42ibDx/GjInzRWxt+9JtY9wqGzLfHopdDvxTPGpm9r+PnZ/qxJeIdGB7UJjcj
JvC/c7QSLQ8CvAbuPGYl6c7ZaM6/IsZKeBifxkZwaxfr/epkWqDBvcK3KUZLe38=
=XEB/
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

faramir.cl at gmail

May 1, 2009, 5:34 PM

Post #17 of 22 (2509 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John W. Moore III escribió:
...
> Riddle Me this, Robert; _if_ "The Customer" has a requirement that 3DES
> must be used [and they are associating it with their Key] then wouldn't
> this mean that the *only* preference broadcast by their Key is 3DES? If
> this is the case then wouldn't GPG automatically select this cipher
> algorithm by default as the only compatible one between the two parties?

Yes, I was thinking the same thing... But don't forget the customer
can handle Blowfish too (but GPG can handle it too, so the question
remains the same).

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJJ+5UqAAoJEMV4f6PvczxAjCsH/RhAjA+2N62EnIetXz2PXQoS
dOxLLIVmOB0eDKdm/E2lP2rb5Wtn2T6AESyDjlgNS+YviUeiMdmmN7uwaiEkmr0d
RFBlqnTrs3OwlGzgR4mP9hx6MHQZo7+7rb1/9BwxWv9oOrD6Zelts5MbKHvn1DnW
JPFi+lLP8CenkvDsB6XThv5tCavNXaVGFnE6gC2tUqmhQsCNqo5MB0LAPiNjpmPw
hSybaPXEOboD3zZrVX1Wyl0+oZ8r1Q/DHrn6mSfoo14KmxVujoKcPxwyw1i0cNEN
+59G0RlRmDsyNtDRy0Z8k29sgDNyRZGgqOKoI7mJ2HKkWQcOsvW4RPsLpnCj5T4=
=ekv7
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

faramir.cl at gmail

May 1, 2009, 5:36 PM

Post #18 of 22 (2514 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen escribió:
> John W. Moore III wrote:
>> Riddle Me this, Robert; _if_ "The Customer" has a requirement that
>> 3DES must be used [and they are associating it with their Key] then
>> wouldn't this mean that the *only* preference broadcast by their Key
>> is 3DES?
>
> You're assuming the customer's key is correctly advertising their
> preferences. If their proprietary implemention is a shoddy one, then
> maybe it advertises capabilities they don't really have.

Ahh... Ok, that explains it. Is it possible to change the preferences
(edit the public key) without having the private key? Or maybe to set a
rule somewhere to force gpg to use Blowfish or 3DES, but just for that
specific customer?

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJJ+5WmAAoJEMV4f6PvczxAuskH/iM7aDpvm5ijLT/HPKpdQheO
lJdXl5LOe20uWQDYg3enkFGtOBsaAq9z2kvvmQfV2aSpll90M3QBTjk7hPk1iQfp
FqkZe/G6L2ato7QbO+hb4yrQXhjJrgUI52CH5LAr1BjaOauVJO7TTLwHzxIg37c9
R6ojXoZitwjLo5kKvWHewg+WGaBCjZIfx6oPaLLSG2Ehw2cyGtl2NwPX5t7mlakW
A6CYL5mZ4XtyDw5D/jbFpddQl3Y8LDeliw9li52C5E1K1hOgjdtwUL/UXDJ6CiKS
8iVbwqXmp384tVTqZHsWpgpx56/dsovErmUVkd9jZbfeOjLnlBsdkDG79E/YUzg=
=7mDX
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

david250 at videotron

May 2, 2009, 3:01 AM

Post #19 of 22 (2503 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

Dear Robert J. Hansen,

Robert J. Hansen wrote:
> Smith, Cathy wrote:
>
>> Is there a brief explanation available as to how the cipher is used in
>> generating the private/public keys? It seems this is separate from the
>> cipher that is chosen to encrypt my data.
>>
>
>
> rjh [at] chronicle:~$ gpg --enable-dsa2 --gen-key
> Please select what kind of key you want:
> (1) DSA and Elgamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>
>
> If you choose #1, you will be using, by default, DSA as a signature
> algorithm, AES256 as a general-purpose message encryption algorithm,
> Elgamal as an asymmetric encryption algorithm, and SHA1 as a hash algorithm.
>
> None of these algorithms are actually used to generate the
> private/public keys, though. The private and public keys are just
> numbers. GnuPG generates those numbers from a cryptographically secure
> pseudorandom number generator, then subjects the numbers to a battery of
> mathematical tests to make sure the keys are safe to use.
>
> Is it possible for you to tell us what algorithms your correspondent
> expects you to use? Knowing that might help us out quite a bit.
>

I'd like to know more about the process by which unsigned packages become
signed packages. This matters, I think, when using SELinux, which is what
I do.

Some packages are unsigned, e.g. Xcas, a computer algebra system by
Bernard Parisse at a university in France:

< http://www-fourier.ujf-grenoble.fr/~parisse/english.html >

I had to tell the SELinux motor that she must trust two modules loaded
dynamically
when Xcas is launched. I succeeded after many hours.

It would be easier, I think, if Xcas (the application) had a electronic
signature by someone that Fedora 10 trusts ...

Thanks a lot,

David Bernier

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

May 2, 2009, 8:42 AM

Post #20 of 22 (2470 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

David Bernier wrote:
> I'd like to know more about the process by which unsigned packages become
> signed packages. This matters, I think, when using SELinux, which is what
> I do.

This process will vary from operating system to operating system. What
works for Fedora isn't the same as what works for Ubuntu isn't the same
as what works for FreeBSD isn't the same as what works for Windows.

I don't know how Fedora works, so I'm not able to answer this question.
I would suggest asking on a Fedora mailing list.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cathy.smith at pnl

May 7, 2009, 11:27 AM

Post #21 of 22 (2268 views)
Permalink

RE: Selecting cipher to generate a key pair [In reply to]

I wanted to provide closure on this thread. The customer was able to
accept the public key that I generated using this method.

I learned from the customer yesterday that they are using Bouncy Castle,
bcpg v. 1.33.

Thanks vey much for your help.

Regards,

Cathy
---
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith [at] pnl

-----Original Message-----
From: Robert J. Hansen [mailto:rjh [at] sixdemonbag]
Sent: Friday, May 01, 2009 4:39 PM
To: Smith, Cathy
Cc: Allen Schultz; gnupg-users; Hallquist, Roy S Jr
Subject: Re: Selecting cipher to generate a key pair

Smith, Cathy wrote:
> The customer said they have a proprietary implementation that only
> supports Blowfish or 3DES for the key. I'm still trying to find out
> exactly what that means.

Okay, that much makes sense now.

I would suggest adding:

cipher-algo 3DES

... to your .gnupg/gpg.conf file. This is a sledgehammer solution, and
not one I'd generally recommend; however, the downsides are pretty
minimal. Then encrypt a message using their public key and send it on
to them. If they can read it, great. If they can't, then the problem
is their proprietary implementation of OpenPGP is shoddy.

Incidentally, if your customer is a telecommunications firm, I think I
may know the implementation they're using and some of its more egregious
misfeatures. Other than that one and PGP Corporation's offering,
though, I have no experience with proprietary OpenPGP offerings.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

vedaal at hush

Sep 9, 2009, 11:20 AM

Post #22 of 22 (1559 views)
Permalink

Re: Selecting cipher to generate a key pair [In reply to]

From: "Smith, Cathy" <cathy.smith () pnl ! gov>
Date: 2009-04-30 21:54:15
Message-ID: 255999BBAD1AEE4EA6AA193F66611642AEAA0A () EMAIL03 ! pnl
!

>Is it possible to select a specific cipher, such as Triple-DES or
>Blowfish, to use to generate a key pair?

yes,

(temporarily) put the following options into your gpg.conf file;

s2k-cipher-algo Blowfish
expert

(you can comment it out with a # in front of it after you generate
the key, if you plan to use this often or change ciphers)

caveats:

[1] if you do this, then if you encrypt anything symmetrically
(i.e. not to a public key), it will use the same cipher unless you
specifically mention which cipher to use when you encrypt
symmetrically

[2] might not need the option of 'expert', am not sure
(but if you want to do custom stuff, just leave it there anyway,
and more choices will show up at the gpg prompt ;-) )

vedaal

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads