Hello List I'm new to this list and joined because I have some security doubts regarding encryption preferences (setpref/showpref).
According to the gpg2 man page, 3DES is added always as kind of least common denominator: 8<--- When setting preferences, you should list the algorithms in the order which you'd like to see them used by someone else when encrypting a message to your key. If you don't include 3DES, it will be automatically added at the end. Note that there are many factors that go into choosing an algorithm (for example, your key may not be the only recipient), and so the remote OpenPGP application being used to send to you may or may not follow your exact chosen order for a given message. It will, however, only choose an algorithm that is present on the preference list of every recipient key. See also the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below. --->8 In my opinion this design decision can lead to serious security troubles. If someone, knowingly or not, removed all his/her symmetric encryption algorithms in his/her public key, our conversation would only be 3DES encrypted. In a situation in which there are several recipients, e.g. a encrypted mailing list, one participating public key/person can downgrade the whole encrypted conversation to every recipient to 3DES instead of lets say AES256. I think the same goes for the hashing algorithm SHA1. Is my understanding correct or do I miss an important fact? What are your thoughts about this behaviour? Wouldn't it be great to raise the minimum encryption and hashing level to a more secure cipher? Thanks in advance and best regards Pascal _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
