Thread: Moving away from SHA1 in GnuPG using existing PGP8 key pairs

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 00:16:06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"John W. Moore III" wrote on 24/10/2006 at 06:32:39 +1100
subject "Moving away from SHA1 in GnuPG using existing PGP8 key pairs":

> Hendrik Oesterlin wrote:

>> Thank you for pointing out the edit-key menu. Unfortunately, if I
>> select setpref and click OK nothing happens....
>>

> setpref must be followed with the preferred Preference string.

> Cipher-Algos:     Digest-Algos:     Compress-Algos:
> --------------    --------------    ---------------
>                                     Z0 Uncompressed
> S1  IDEA          H1  MD5           Z1 ZIP
> S2  3DES          H2  SHA1          Z2 ZLIB
> S3  CAST5         H3  RIPEMD160     Z3 BZIP2
> S4  BLOWFISH
>
>                   H6  TIGER192
> S7  AES
> S8  AES192        H8  SHA256
> S9  AES256        H9  SHA384
> S10 TWOFISH       H10 SHA512
>                   H11 SHA224

> Just use a space between each entry and then click Enter/OK.

> Remember to type 'save' prior to 'quitting' the procedure. Also
> remember that TIGER192 & IDEA are *not* native to GnuPG.

Thank you for this table!

But do you talk about some graphic front-end (I have WinPT and GPG
installed) or do you talk about the command line from within the

c:\Program Files\GNU\GnuPG

and then typing

gpg --edit-key 0x4FA2B379

--
Sincerely
Hendrik Oesterlin - email hendrikmail2002@yahoo.de
Jabber-IM: hendrik-jabber@amessage.info
ICQ 215599852 - MSN moimeme666fr@yahoo.fr - YIM moimeme666fr - AIM moimeme666fr
TheBat! 3.86.03 ALPHA (beta) on Windows 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFPVtUxn3Vrk+is3kRAgoEAJ9/0iDz6qMRDLiXCHxDTVjGKOKeqQCeMThd
K64YNvx78gsUc1sdIv89dvw=
=uiJO
-----END PGP SIGNATURE-----


Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 00:39:10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hendrik Oesterlin wrote:

> gpg --edit-key 0x4FA2B379

Correct; from here is where you'll be able to 'setpref' on your Key.
You might first try using 'showpref' just to see what your current
preferences are in verbose English. Just using the command 'pref' will
also show the Preferences, but will display them in 'Preference String'
format. (Good for visualizing how your 'setpref' string should appear)

JOHN ;)
Timestamp: Monday 23 Oct 2006, 20:38 -0400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6-svn4315: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCgAGBQJFPWCsAAoJEBCGy9eAtCsPb70H/A4I6j/sdz5QgjvsnP5lo2b/
sa/mU1yOOZsvAT7lB/6xUgS2if4nqVZTaXaEoMXg1p6nJqY00UIcrn2Jvw2/T6zd
ZBFvn1WczTCnuqRywbfUFLgCewlqSNugR+xK8C9RTXXBVwlI+X+VvgF4382Hu68P
kAog9tjCcEz93nTAVRTp7ojN45VFYZhIA60mTynKhubgDh8NzC/HHnYOfijdPv8T
VmITIGaG+y61LT87n/kB6zga7YYN+ufnfDdJq+jg8YAfoZmV1ghf5ze740PDWkSU
70RSTLOzaSuwnMdqj/2jFfHyAlMcZ1Y0tAab1IUEgqHdNpubf+VeofM2Wjd+tjQ=
=4Y3s
-----END PGP SIGNATURE-----

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 01:03:25

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"John W. Moore III" wrote on 24/10/2006 at 11:39:10 +1100
subject "Moving away from SHA1 in GnuPG using existing PGP8 key pairs":

> Hendrik Oesterlin wrote:

>> gpg --edit-key 0x4FA2B379

> Correct; from here is where you'll be able to 'setpref' on your Key.
> You might first try using 'showpref' just to see what your current
> preferences are in verbose English. Just using the command 'pref' will
> also show the Preferences, but will display them in 'Preference String'
> format. (Good for visualizing how your 'setpref' string should appear)

I obtain the following output from the command line:

> Secret key is available.
>
> pub  1024D/4FA2B379  created: 2004-03-26  expires: never       usage: SCA
>                      trust: ultimate      validity: ultimate
> sub  4096g/31F4297E  created: 2004-03-26  expires: never       usage: E
> [ultimate] (1). Hendrik Oesterlin <hendrikmail2002@yahoo.de>
>
> Command> showpref
> [ultimate] (1). Hendrik Oesterlin <hendrikmail2002@yahoo.de>
>      Cipher: 3DES
>      Digest: SHA512, SHA1
>      Compression: ZIP, Uncompressed
>      Features: MDC, Keyserver no-modify
>
> Command>

But the produced Sig still uses SHA1. No matter if I sign using the
WinPT clipboard or the GnuPG/PGP-Support in TheBat!

Why this?

--
Sincerely
Hendrik Oesterlin - email hendrikmail2002@yahoo.de
Jabber-IM: hendrik-jabber@amessage.info
ICQ 215599852 - MSN moimeme666fr@yahoo.fr - YIM moimeme666fr - AIM moimeme666fr
TheBat! 3.86.03 ALPHA (beta) on Windows 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFPWZmxn3Vrk+is3kRAlKSAKCf77mle5jutxVwJbiKIMCg/zv6WwCeNgB7
NZbW0woT2qd+kqVm8QPLEzQ=
=tcDK
-----END PGP SIGNATURE-----


Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 01:44:17

Hendrik Oesterlin wrote:
> Why this?

Because this is the most confusing thing in all of GnuPG.

First, your key preferences are hints _to other people_ about what
algorithms to use. For instance, when I do 'showpref' on my own key, I get:

[ultimate] (2) Robert J. Hansen
Cipher: BLOWFISH, 3DES, AES256, AES192, AES, CAST5, IDEA
Digest: SHA256, SHA512, SHA384, RIPEMD160, SHA1, MD5
Compression: BZIP2, ZLIB, ZIP, Uncompressed
Features: MDC, Keyserver no-modify

... The idea of cipher preferences is misnamed. The list shows both
what you're capable of doing, algorithm-wise, _and_ what order you
prefer your recipients to use them in. As you can see from the
preferences above, I can handle Blowfish, 3DES, the AESen, CAST5 and
IDEA for encryption algorithms; and I _most_ prefer people to send me
Blowfish-encrypted traffic, followed by 3DES, followed by... etc., all
the way to IDEA.

Likewise with the digests. All the digest algorithms I can read are
given here, in the order which I prefer people to use them. I most
prefer SHA256, then on down to MD5.

Likewise with the compression. I most prefer BZIP2, then ZLIB, then
ZIP, then no compression.

Etcetera, etcetera.

The point here is that my key advertises my capabilities. It tells my
recipients what I can do and in what order I prefer them to be used.

For that reason, I'd like to ask a question: why are you telling your
recipients that you can only understand 3DES as an algorithm and SHA512
as a digest algorithm? You're not advertising your capabilities, which
is the entire point of the preference list.

It's possible you have an excellent reason for this. It's possible it's
just a braino. Doesn't matter. Just think about it some. It's
usually a good idea to advertise all your capabilities, not just some of
them.

=====

But now that you've read all of that... all of that's irrelevant.
(Sorry.) You may have noticed this, if you read it very closely: "it
tells _my recipients_ what I can do..."

GnuPG doesn't actually use it for stuff you generate yourself.

For that, you need to tell GnuPG what algorithms you prefer it to use.
And this goes in your gpg.conf file. For instance, in my file I have
the lines:

personal-cipher-preferences S4 S2 S9 S8 S7 S3
personal-digest-preferences H8 H10 H9 H3 H2 H1

... So when I send someone encrypted traffic, I _most_ prefer to send
Blowfish-encrypted messages ("S4"), followed by 3DES ("S2"), followed by
the AESen ("S9 S8 S7") and CAST5 ("S3"). I don't have IDEA listed here.
I don't need to--I'm only listing the algorithms I _want_ to use, not
the algorithms I _can_ use. If someone who only understands IDEA wants
to communicate with me, GnuPG is smart enough to shrug and say "well, it
doesn't really matter if Rob likes IDEA or not, it's the only thing this
other guy understands, so IDEA it is."

On the other hand, let's say the other person has 3DES and IDEA as
capabilities. GnuPG is now smart enough to say "hey, 3DES is Rob's
number two choice, and this other guy's number one choice. That sounds
like a good plan to me."

The mathematical process by which different preferences are matched up
with each other is called the "stable marriage problem". You can learn
a lot more about it on Wikipedia:

http://en.wikipedia.org/wiki/Stable_marriage_problem

... Anyway. To make a long story short: you might want to fix your key
preferences, and you might want to add two lines to your gpg.conf file.
That's all.
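The negotiation Rob describes above, written out as an added Python model. This is example code for the thread, not GnuPG's own implementation. The algorithm IDs and the sample preference lists are the ones quoted in the thread; the RFC 4880 rule that 3DES and SHA1 sit implicitly at the end of every preference list (so a recipient advertising only IDEA still ends up with 3DES here), and the rank-sum used when no personal preferences are configured, are assumptions added for the example.

```python
"""Model of the OpenPGP algorithm negotiation the thread describes.

Added example, not GnuPG source.  A key's preference list advertises what
its owner can read, best first; personal-*-preferences in gpg.conf say
what the sender itself wants to emit.  RFC 4880 additionally puts 3DES
and SHA1 implicitly at the end of every list, so a recipient advertising
only IDEA still ends up with 3DES here.  The rank-sum used when no
personal preferences are set, and its tie-break, are assumptions.
"""

# Algorithm IDs as used in the preference strings quoted in the thread.
CIPHERS = {"S1": "IDEA", "S2": "3DES", "S3": "CAST5", "S4": "BLOWFISH",
           "S7": "AES", "S8": "AES192", "S9": "AES256", "S10": "TWOFISH"}
DIGESTS = {"H1": "MD5", "H2": "SHA1", "H3": "RIPEMD160", "H6": "TIGER192",
           "H8": "SHA256", "H9": "SHA384", "H10": "SHA512", "H11": "SHA224"}

# Mandatory-to-implement algorithms (RFC 4880): every recipient can read
# these, so they count as the last entry of any list that omits them.
MANDATORY = {"cipher": "S2", "digest": "H2"}


def with_implicit_fallback(prefs, kind):
    """Copy of PREFS with the mandatory algorithm appended if it is missing."""
    prefs = list(prefs)
    if MANDATORY[kind] not in prefs:
        prefs.append(MANDATORY[kind])
    return prefs


def select_algorithm(personal_prefs, recipient_prefs, kind):
    """Choose the cipher or digest ID for a message to RECIPIENT_PREFS.

    personal_prefs:  the sender's personal-*-preferences (ordered) or None.
    recipient_prefs: one ordered preference list per recipient key.
    kind:            "cipher" or "digest".
    """
    if not recipient_prefs:
        # Nobody to negotiate with (e.g. a detached signature): the sender's
        # first choice applies, or the mandatory algorithm if none is set.
        return (personal_prefs or [MANDATORY[kind]])[0]

    lists = [with_implicit_fallback(p, kind) for p in recipient_prefs]
    # Only algorithms that *every* recipient advertises are candidates.
    common = set(lists[0])
    for other in lists[1:]:
        common &= set(other)

    if personal_prefs:
        # gpg.conf order decides: the first algorithm the sender wants that
        # all recipients can read.  A key advertising only 3DES therefore
        # forces 3DES even when the sender's first choice is Blowfish.
        for alg in with_implicit_fallback(personal_prefs, kind):
            if alg in common:
                return alg

    # No personal preferences: rank candidates by how early the recipients
    # list them (sum of positions, lower is better; assumed tie-break is
    # the first recipient's own order).
    return min(common, key=lambda alg: (sum(l.index(alg) for l in lists),
                                        lists[0].index(alg)))


# Preference lists quoted in the thread.
ROB_PERSONAL_CIPHER = ["S4", "S2", "S9", "S8", "S7", "S3"]
ROB_PERSONAL_DIGEST = ["H8", "H10", "H9", "H3", "H2", "H1"]
HENDRIK_OLD_KEY = {"cipher": ["S2"], "digest": ["H10", "H2"]}
HENDRIK_NEW_KEY = {"cipher": ["S4", "S2", "S9", "S8", "S7", "S3"],
                   "digest": ["H8", "H10", "H9", "H3", "H2", "H1"]}


def negotiate_with(key, personal_cipher=ROB_PERSONAL_CIPHER,
                   personal_digest=ROB_PERSONAL_DIGEST):
    """Human-readable result of Rob's gpg.conf meeting one recipient key."""
    cipher = select_algorithm(personal_cipher, [key["cipher"]], "cipher")
    digest = select_algorithm(personal_digest, [key["digest"]], "digest")
    return CIPHERS[cipher], DIGESTS[digest]


if __name__ == "__main__":
    print("old key:", negotiate_with(HENDRIK_OLD_KEY))   # ('3DES', 'SHA512')
    print("new key:", negotiate_with(HENDRIK_NEW_KEY))   # ('BLOWFISH', 'SHA256')
```

Run against Hendrik's original key (Cipher: 3DES; Digest: SHA512, SHA1) the model picks 3DES and SHA512, exactly the "number two choice for Rob, number one for the other guy" case; against his widened key it picks Rob's first choices.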

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 20:40:08
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

"Robert J. Hansen" wrote on 24/10/2006 at 12:44:17 +1100
subject "Moving away from SHA1 in GnuPG using existing PGP8 key pairs":

> Hendrik Oesterlin wrote:
>> Why this?

> Because this is the most confusing thing in all of GnuPG.

I am glad that it is confusing for others too, not only for me...

> First, your key preferences are hints _to other people_ about what
> algorithms to use.  For instance, when I do 'showpref' on my own key, I get:

> [ultimate] (2)  Robert J. Hansen
>      Cipher: BLOWFISH, 3DES, AES256, AES192, AES, CAST5, IDEA
>      Digest: SHA256, SHA512, SHA384, RIPEMD160, SHA1, MD5
>      Compression: BZIP2, ZLIB, ZIP, Uncompressed
>      Features: MDC, Keyserver no-modify

I have now applied the same settings as you. IDEA is not available
in my installation, but I think it will not be free.

Command> showpref
[ultimate] (1). Hendrik Oesterlin <hendrikmail2002@yahoo.de>
     Cipher: BLOWFISH, 3DES, AES256, AES192, AES, CAST5
     Digest: SHA256, SHA512, SHA384, RIPEMD160, SHA1, MD5
     Compression: BZIP2, ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

For which reason do you prefer SHA256 to SHA512? Bigger should be
better?

> For that reason, I'd like to ask a question: why are you telling your
> recipients that you can only understand 3DES as an algorithm and SHA512
> as a digest algorithm?  You're not advertising your capabilities, which
> is the entire point of the preference list.

> It's possible you have an excellent reason for this.  It's possible it's
> just a braino.  Doesn't matter.  Just think about it some.  It's
> usually a good idea to advertise all your capabilities, not just some of
> them.

I was not aware of this. THANKS for pointing that out!! I have modified
the preference settings (see above).

> For that, you need to tell GnuPG what algorithms you prefer it to use.
> And this goes in your gpg.conf file.  For instance, in my file I have
> the lines:

> personal-cipher-preferences S4 S2 S9 S8 S7 S3
> personal-digest-preferences H8 H10 H9 H3 H2 H1

I added these lines to my gpg.conf file.

> ... So when I send someone encrypted traffic, I _most_ prefer to send
> Blowfish-encrypted messages ("S4"), followed by 3DES ("S2"), followed by
> the AESen ("S9 S8 S7") and CAST5 ("S3").  I don't have IDEA listed here.
> I don't need to--I'm only listing the algorithms I _want_ to use, not
> the algorithms I _can_ use.  If someone who only understands IDEA wants
> to communicate with me, GnuPG is smart enough to shrug and say "well, it
> doesn't really matter if Rob likes IDEA or not, it's the only thing this
> other guy understands, so IDEA it is."

But normally all of these choices should be usable by (up to date,
version 8 or 9) PGP, not only by GnuPG?

> ... Anyway.  To make a long story short: you might want to fix your key
> preferences, and you might want to add two lines to your gpg.conf file.
> That's all.

It appears that with my 1024 bit DSA key GnuPG now uses RIPEMD160.
With a 4096 bit RSA key it uses SHA256, as it is the number one in the
gpg.conf file.

If I remember well, the reason for this is that SHA256/512 is not
standards-conformant with DSA keys?

--
Sincerely
Hendrik Oesterlin - email hendrikmail2002@yahoo.de
Jabber-IM: hendrik-jabber@amessage.info
ICQ 215599852 - MSN moimeme666fr@yahoo.fr - YIM moimeme666fr - AIM moimeme666fr
TheBat! 3.86.03 ALPHA (beta) on Windows 2000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFPno2xn3Vrk+is3kRA0pYAKCDkDxibbzEwQ2si8Hrn6k6yfQXzACgxm5U
TWXRBh5Ai36bDpMHMBYOfO8=
=VICo
-----END PGP SIGNATURE-----


	

	
		

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-24 21:07:06

Hendrik Oesterlin wrote:
> I am glad that it is confusing for others too, not only for me...

While I'm very fond of GnuPG on UNIX (including OS X, which is where I'm
writing this now), GnuPG suffers from the near-universal failing of
open-source software:

Lousy human interface.

> I have now applied the same setting as you. The IDEA is not available
> at my installation, but I think it will not be free.

Keep in mind there's nothing magical about that order--just because I
use it is no real reason for you to use it, too. Unless you're doing it
because you think I have a clue, in which case I'll just tell you to be
careful with all self-styled experts.

> For which reason why you prefer SHA256 to SHA512 ? Bigger should be
> better?

Not really. There are two ideas in amateur cryptography which I think
are harmful:

1. All parts of a system need to be 'in balance'. Since a 2048-bit key
is about equal to a 112-bit key in difficulty, there's no sense in using
AES256 with a 2048-bit key.

2. Bigger is better. RSA/4096 is more secure than RSA/2048, and SHA512
is better than SHA256.

Both of these are, if you'll forgive the language, utter crocks.

Your goal in crypto is to make sure you meet or exceed a threshold of
security. But once you hit that point, who cares about going further?

A strong 160-bit hash meets my security threshold. Unfortunately,
there's a dearth of really good 160-bit hashes in the world. That means
the next-generation SHAs are the best bet.

Now, why do I prefer SHA256 over SHA512? Two reasons: it's a shorter
hash, which often means a shorter signature; and I'd prefer people
started using SHA256 as opposed to SHA384 or SHA512, since PGP 8.1 can
verify SHA256. It can't verify the others.

> But normally all of this choices should be usable by (up do date
> version 8 or 9) PGP, not only by GnuPG ?

By PGP and GnuPG, yes. But there are _lots_ of OpenPGP applications out
there--PGP and GnuPG are just the two most visible ones.

The only cipher you have to support to be OpenPGP-compliant is 3DES.
The only hash algorithm you have to support is SHA1. And it's a
certainty that there's at least one brain-damaged mutant funny-looking
Son of Frankenstein OpenPGP implementation out there that supports only
those algorithms--I know, because I wrote it.

Moral of the story: the OpenPGP world is a lot bigger than just GnuPG
and PGP.

(In 1999, McLeodUSA needed an OpenPGP implementation but didn't want to
use GPLed code and didn't want to pay Network Associates for a site
license. I and one other programmer were given the job of implementing
it. Its in-house development name was The Thing of Evil. If you've
never tried to write OpenPGP entirely in PHP3, I suggest you do your
sanity a big favor and not even think about it.)

> If I remember well, the reason for this is that SHA256/512 is not
> standard conform with DSA keys?

The original DSA requires the use of a 160-bit hash. DSA2 allows for
larger keys, but it is not enabled by default in GnuPG. Add
"enable-dsa2" to your gpg.conf and you may be able to use SHA256
truncated down to 160 bits--I know there was some talk about this on
gnupg-devel, but I don't know if it was actually done.

However, DSA2 signatures cannot be verified with anything prior to PGP
9.x, if memory serves.
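The DSA hash-size rule discussed above, and the RIPEMD160-versus-SHA256 behaviour Hendrik reported for his DSA and RSA keys, as an added Python example. It is not GnuPG code. That a 1024-bit DSA key has a 160-bit q, and that DSA2 uses the leftmost q bits of a wider hash, come from FIPS 186 and RFC 4880; treating enable-dsa2 as a plain "exactly q" versus "at least q" switch applied while walking personal-digest-preferences in order is an assumption about GnuPG's behaviour made for this example.

```python
"""Why a 1024-bit DSA key signs with RIPEMD160 while an RSA key honours
personal-digest-preferences.

Added example, not GnuPG code.  Original DSA (FIPS 186-2) needs a hash
exactly as wide as the subgroup order q, which is 160 bits for a 1024-bit
key; DSA2 (FIPS 186-3, RFC 4880 section 13.6) accepts any hash at least q
bits wide and uses only its leftmost q bits.  Treating gpg.conf's
enable-dsa2 as the switch between the two rules, and walking
personal-digest-preferences in order, is an assumption about GnuPG's
behaviour modelled on the reply above.
"""
import hashlib

# Output width in bits of the digest IDs used in the thread.
HASH_BITS = {"H1": 128, "H2": 160, "H3": 160, "H6": 192,
             "H8": 256, "H9": 384, "H10": 512, "H11": 224}
# hashlib names for the digests this example can compute portably.
HASHLIB_NAME = {"H2": "sha1", "H8": "sha256", "H9": "sha384",
                "H10": "sha512", "H11": "sha224"}


def select_signing_digest(personal_digest_prefs, key_algo,
                          q_bits=None, enable_dsa2=False):
    """First digest in gpg.conf order that KEY_ALGO may legally sign with.

    RSA: any digest, so the first personal preference wins.
    DSA, enable_dsa2=False: the hash must be exactly q_bits wide.
    DSA, enable_dsa2=True:  the hash must be at least q_bits wide.
    Returns None when no listed digest qualifies.
    """
    if key_algo == "RSA":
        return personal_digest_prefs[0]
    if key_algo != "DSA":
        raise ValueError("unsupported key algorithm: %s" % key_algo)
    if q_bits is None:
        raise ValueError("DSA needs the subgroup size q_bits")
    for digest in personal_digest_prefs:
        width = HASH_BITS[digest]
        if width == q_bits or (enable_dsa2 and width > q_bits):
            return digest
    return None


def dsa_hash_input(message, digest, q_bits):
    """Bytes DSA actually signs: the leftmost q_bits bits of the digest.

    For a 160-bit q and SHA256 this is the first 20 of the 32 output bytes,
    i.e. the "SHA256 truncated down to 160 bits" mentioned above.
    """
    if HASH_BITS[digest] < q_bits:
        raise ValueError("%s is narrower than q; not usable with this key"
                         % digest)
    full = hashlib.new(HASHLIB_NAME[digest], message).digest()
    return full[: q_bits // 8]


# Hendrik's gpg.conf line from the thread:
# personal-digest-preferences H8 H10 H9 H3 H2 H1
HENDRIK_DIGEST_PREFS = ["H8", "H10", "H9", "H3", "H2", "H1"]


def thread_outcomes():
    """Reproduce the behaviour Hendrik observed for his two keys."""
    return {
        "dsa1024": select_signing_digest(
            HENDRIK_DIGEST_PREFS, "DSA", q_bits=160),
        "dsa1024_dsa2": select_signing_digest(
            HENDRIK_DIGEST_PREFS, "DSA", q_bits=160, enable_dsa2=True),
        "rsa4096": select_signing_digest(HENDRIK_DIGEST_PREFS, "RSA"),
    }


if __name__ == "__main__":
    # {'dsa1024': 'H3', 'dsa1024_dsa2': 'H8', 'rsa4096': 'H8'}
    print(thread_outcomes())
```

With the thread's preference line the 1024-bit DSA key skips SHA256, SHA512 and SHA384 and lands on RIPEMD160 (H3), the first 160-bit digest listed; the RSA key takes SHA256 straight away; and with the DSA2 rule the same DSA key would sign SHA256 truncated to 20 bytes. A preference list that contains no 160-bit digest at all leaves original DSA with nothing usable, which is the practical reason to keep SHA1 or RIPEMD160 somewhere in the list while such keys are in use.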

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-26 06:01:03

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Robert J. Hansen wrote:

> First, your key preferences are hints _to other people_ about what
> algorithms to use. For instance, when I do 'showpref' on my own key, I get:
>
> [ultimate] (2) Robert J. Hansen
> Cipher: BLOWFISH, 3DES, AES256, AES192, AES, CAST5, IDEA
> Digest: SHA256, SHA512, SHA384, RIPEMD160, SHA1, MD5
> Compression: BZIP2, ZLIB, ZIP, Uncompressed
> Features: MDC, Keyserver no-modify
>
> ... The idea of cipher preferences is misnamed. The list shows both
> what you're capable of doing, algorithm-wise, _and_ what order you
> prefer your recipients to use them in. As you can see from the
> preferences above, I can handle Blowfish, 3DES, the AESen, CAST5 and
> IDEA for encryption algorithms; and I _most_ prefer people to send me
> Blowfish-encrypted traffic, followed by 3DES, followed by... etc., all
> the way to IDEA.
>
> Likewise with the digests. All the digest algorithms I can read are
> given here, in the order which I prefer people to use them. I most
> prefer SHA256, then on down to MD5.
>
> Likewise with the compression. I most prefer BZIP2, then ZLIB, then
> ZIP, then no compression.

Sorry for the long quote but it's been a while since that was posted and
I have a question. I'm a long time user of PGP/GnuPG but tend to use it
sporadically.

You've pretty much explained your Hash choice in later messages but I'm
curious as to why you chose the encryption algorithms you did. I'm not
judging them I'm just curious.

Thanks!

- --
Jim
OpenPGP KeyID: 0x006921e
Keyserver: ldap://keyserver.pgp.com

-----BEGIN PGP SIGNATURE-----

iD8DBQFFQE8fygKI8gBpGS4RAw8cAKDasASeBNAO7BE7MGYHIzA3230lkQCcCnpQ
Prl3NSsNg+RuiWv27khll8I=
=O2YU
-----END PGP SIGNATURE-----

Moving away from SHA1 in GnuPG using existing PGP8 key pairs
user name
2006-10-26 06:14:53

Jim Dever wrote:
> You've pretty much explained your Hash choice in later messages but I'm
> curious as to why you chose the encryption algorithms you did. I'm not
> judging them I'm just curious.

Personal preference. All the ciphers in GnuPG provide equivalent
real-world security. You could reorder them randomly and things would
still be just fine.

I'm fond of Blowfish for a few reasons. First, the algorithm is dead
simple, so much so that I can carry it in my head and implement it in
just about any language out there. I've written it for everything from
IEEE Scheme to PowerPC Assembler, SML/NJ to Erlang. The benefit of a
very simple algorithm is ... well ... its simplicity: there are fewer
places for a bug to hide. It also has well over a decade of
cryptanalysis, none resulting in any attacks of significance.

3DES is my follow-up choice. All OpenPGP systems are guaranteed to
support it. It's the common fallback for a reason: after 30 years of
intensive cryptanalysis, it's _still_ turning brilliant young graduate
students into burned-out alcoholic wrecks.

The other algorithms are just "I can support this, too". If you're
using GnuPG, then your traffic to me will probably be
Blowfish-encrypted. If you're not, it'll probably be 3DES-encrypted.
Either way, I'm happy as a clam.

Let me emphasize: these are just personal preferences. _There is not a
shred of empirical data suggesting it matters in the slightest._
(Unless, of course, you're doing bulk data encryption, in which case
3DES should be avoided just because it's dog-slow.)
