subject:"cipher used when both \-\-encrypt and \-\-symmetric is specified"

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread vedaal

On 2/29/2016 at 5:51 AM, "Martin Ilchev"  wrote:

>There is one thing I would like to understand - the man page says:
>   --s2k-cipher-algo name
>  Use  name as the cipher algorithm used to protect 
>secret
>keys.  The default cipher is CAST5. This cipher is also used for
>conventional encryption if --personal-cipher-pref‐
>  erences and --cipher-algo is not given.
>
>So CAST5 is the preferred cipher for secret keys and is also the 
>default
>for symmetric. On the other hand using --personal-cipher-
>preferences does
>not seem to apply to symmetric + public encryption. Is this by 
>design?

=

Sort-of, yes ...

The user's most important part of GnuPG, is the user's private key.

So it seems reasonable, that the symmetric algorithm the user picked to protect 
the private key,  (--s2k-algo ciphername),
is the symmetric algorithm that the user would prefer for symmetric encryption, 
as long as the receiver can decrypt it.

In practice, (standard, not hacked, non-customized ) GnupG, can decrypt ANY of 
the symmetric algorithms any GnuPG user can use.

Since the original user, the sender, is encrypting the message, 
it is again reasonable that the sender be able to choose the algorithm with 
which the sender feels most comfortable.

vedaal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread Martin Ilchev

Hi Peter,

Thanks for the advice. I will have a look at the mailing list. For now I am
happy that I have a working solution.

Thank you and Vedaal for the help.

Regards,
Martin

On Mon, 29 Feb 2016 at 11:12 Peter Lebbing  wrote:

> On 29/02/16 11:51, Martin Ilchev wrote:
> > So CAST5 is the preferred cipher for secret keys and is also the default
> > for symmetric. On the other hand using --personal-cipher-preferences
> > does not seem to apply to symmetric + public encryption. Is this by
> design?
>
> For me, GnuPG 1.4 behaves as you indicate, which is counterintuitive,
> especially given the text in the man page. But GnuPG 2.1 correctly gives
> me the preferred algo from the intersection of
> --personal-cipher-preferences and key prefs. It's a bit difficult for me
> to test GnuPG 2.0 at the moment. I should do something about that.
>
> I faintly recall some discussion about this, but that's it, I don't
> remember more than that. You could try a search on this mailing list.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread Peter Lebbing

On 29/02/16 11:51, Martin Ilchev wrote:
> So CAST5 is the preferred cipher for secret keys and is also the default
> for symmetric. On the other hand using --personal-cipher-preferences
> does not seem to apply to symmetric + public encryption. Is this by design?

For me, GnuPG 1.4 behaves as you indicate, which is counterintuitive,
especially given the text in the man page. But GnuPG 2.1 correctly gives
me the preferred algo from the intersection of
--personal-cipher-preferences and key prefs. It's a bit difficult for me
to test GnuPG 2.0 at the moment. I should do something about that.

I faintly recall some discussion about this, but that's it, I don't
remember more than that. You could try a search on this mailing list.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-29 Thread Martin Ilchev

Hi Vedaal,

You are correct that is not my real key ID.

Funny enough the key was generated in Nov-2015. However you are absolutely
correct about the --s2k-cipher-algo option. I added that to my gpg.conf and
after that symmetric + public works exactly as I expected. I get AES256
every time.

There is one thing I would like to understand - the man page says:
   --s2k-cipher-algo name
  Use  name as the cipher algorithm used to protect secret
keys.  The default cipher is CAST5. This cipher is also used for
conventional encryption if --personal-cipher-pref‐
  erences and --cipher-algo is not given.

So CAST5 is the preferred cipher for secret keys and is also the default
for symmetric. On the other hand using --personal-cipher-preferences does
not seem to apply to symmetric + public encryption. Is this by design?

Regards,
Martin

On Fri, 26 Feb 2016 at 14:52  wrote:

>
> On 2/26/2016 at 5:48 AM, "Martin Ilchev"  wrote:
>
> >I did set my key preferences a few months ago and made sure the
> >key had
> >them as well. Here is the output of showperf:
> >
> > Cipher: AES256, AES192, AES, CAST5, 3DES
> .
>
> >> > 2. Symmetrically encrypt and also encrypt for my own public
> >key:
> >> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF
>
> >> > decrypting the file shows that the cipher used is CAST5
>
> =
>
> 0x1234567890ABCDEF is obviously not your real key id.
>
> I suspect the key was generated some time ago, when the default cipher to
> protect one's secret key, was CAST5
>
> GnuPG's default choice for the encryption algorithm for a symmetric cipher
> will be what the s2k-cipher-algo is.
>
> In your case for that key, it is CAST 5
>
>
> Try This:
>
> gpg2  --s2k-cipher-algo AES256 --symmetric --encrypt --sign -r
> 0x1234567890ABCDEF  filename
>
> The encryptions should now be with AES256 for both the symmetric part and
> the part encrypted to your key.
>
>
> vedaal
>
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-26 Thread vedaal

On 2/26/2016 at 5:48 AM, "Martin Ilchev"  wrote:

>I did set my key preferences a few months ago and made sure the 
>key had
>them as well. Here is the output of showperf:
>
> Cipher: AES256, AES192, AES, CAST5, 3DES
.

>> > 2. Symmetrically encrypt and also encrypt for my own public 
>key:
>> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF 

>> > decrypting the file shows that the cipher used is CAST5

=

0x1234567890ABCDEF is obviously not your real key id.

I suspect the key was generated some time ago, when the default cipher to 
protect one's secret key, was CAST5

GnuPG's default choice for the encryption algorithm for a symmetric cipher will 
be what the s2k-cipher-algo is.

In your case for that key, it is CAST 5

Try This:

gpg2  --s2k-cipher-algo AES256 --symmetric --encrypt --sign -r 
0x1234567890ABCDEF  filename

The encryptions should now be with AES256 for both the symmetric part and the 
part encrypted to your key.

vedaal

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-26 Thread Martin Ilchev

Hi Peter,

Thanks for the reply.

I did browse the man pages quite a bit (I am a bit afraid I browsed too
much and touched stuff I should leave well alone :))

I did set my key preferences a few months ago and made sure the key had
them as well. Here is the output of showperf:

 Cipher: AES256, AES192, AES, CAST5, 3DES


 Digest: SHA512, SHA384, SHA256, SHA224, SHA1


 Compression: ZLIB, BZIP2, ZIP, Uncompressed
 Features: MDC, Keyserver no-modify

Also here is all the stuff I have in my gpg.conf:
```
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192
CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 AES256 AES192
AES CAST5 ZLIB BZIP2 ZIP Uncompressed
s2k-digest-algo SHA512
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options
ca-cert-file=/home/martin/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyid-format 0xlong
with-fingerprint
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
CAST5 ZLIB BZIP2 ZIP Uncompressed
use-agent
```

Let me know if you need more info.

Regards,
Martin

On Fri, 26 Feb 2016 at 09:55 Peter Lebbing  wrote:

> On 25/02/16 15:42, Martin Ilchev wrote:
> > I am looking for some help to figure out what cipher is used for
> > symmetric encryption when both pass phrase and public keys are used. I
> > have configured my gpg.conf with my preferred cipher algorithms as
> follows:
> > personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192
> > CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES
>
> Those preferences are not what is used when encrypting to your own key.
> To see those do:
>
> $ gpg2 --edit-key {KEYID}
> > showpref
>
> To change them do:
>
> > setpref 
>
> Note that this refers to all types of preferences, not just ciphers.
>
> To set a default preference list for setpref, include in your gpg.conf:
>
> default-preference-list 
>
> I'd suggest a bit of browsing through the man page with a search term of
> "preference" :). Note that these key preferences are part of your public
> key, and if you want others to respect them as well, they need to
> refresh your public key with the new preferences if you change them.
>
> > 2. Symmetrically encrypt and also encrypt for my own public key:
> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile
> > decrypting the file shows that the cipher used is CAST5
>
> It would be helpful to know what your key preferences are, since it
> might just be the most preferred algorithm from the intersection of
> personal preferences and key preferences.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at 
>
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

2016-02-26 Thread Peter Lebbing

On 25/02/16 15:42, Martin Ilchev wrote:
> I am looking for some help to figure out what cipher is used for
> symmetric encryption when both pass phrase and public keys are used. I
> have configured my gpg.conf with my preferred cipher algorithms as follows:
> personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192
> CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES

Those preferences are not what is used when encrypting to your own key.
To see those do:

$ gpg2 --edit-key {KEYID}
> showpref

To change them do:

> setpref 

Note that this refers to all types of preferences, not just ciphers.

To set a default preference list for setpref, include in your gpg.conf:

default-preference-list 

I'd suggest a bit of browsing through the man page with a search term of
"preference" :). Note that these key preferences are part of your public
key, and if you want others to respect them as well, they need to
refresh your public key with the new preferences if you change them.

> 2. Symmetrically encrypt and also encrypt for my own public key:
> gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile
> decrypting the file shows that the cipher used is CAST5

It would be helpful to know what your key preferences are, since it
might just be the most preferred algorithm from the intersection of
personal preferences and key preferences.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

cipher used when both --encrypt and --symmetric is specified

2016-02-25 Thread Martin Ilchev

I am looking for some help to figure out what cipher is used for symmetric
encryption when both pass phrase and public keys are used. I have
configured my gpg.conf with my preferred cipher algorithms as follows:
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192
AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES

I have ran the following tests:
1. Symmetrically encrypt a file:
$gpg2 --symmetric somefile
decrypting that file shows the correct cipher being used (I am looking at
symkey enc packet field cipher 9 - aes256):
$ gpg2 -vvv --decrypt somefile.gpg
gpg: using character set `utf-8'
:symkey enc packet: version 4, cipher 9, s2k 3, hash 10
salt 7ff4f273bd71e14e, count 24117248 (231)
gpg: AES256 encrypted data
:encrypted data packet:
length: 360
mdc_method: 2
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
mode b (62), created 1456410134, name="somefile",
raw data: 1551 bytes
gpg: original file name='somefile'

2. Symmetrically encrypt and also encrypt for my own public key:
gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile
decrypting the file shows that the cipher used is CAST5 (again looking at
the same symkey enc packet field cipher 3 - CAST5):
$ gpg2 -vvv --decrypt somefile.gpg
gpg: using character set `utf-8'
:pubkey enc packet: version 3, algo 1, keyid 1234567890ABCDEF
data: [4096 bits]
gpg: public key is 0x1234567890ABCDEF
gpg: using subkey 0x1234567890ABCDEF instead of primary key
0x1234567890ABCDEF
gpg: selecting openpgp failed: Card not present
:symkey enc packet: version 4, cipher 3, s2k 3, hash 10, seskey 256 bits
salt 7fa903ae28975d77, count 24117248 (231)
gpg: CAST5 encrypted session key
:encrypted data packet:
length: unknown
mdc_method: 2
gpg: encrypted with 1 passphrase
gpg: using subkey 1234567890ABCDEF instead of primary key 1234567890ABCDEF
gpg: encrypted with 4096-bit RSA key, ID 1234567890ABCDEF, created
2018-13-34
  "Martin"
gpg: public key decryption failed: Operation cancelled
gpg: AES256 encrypted data
:compressed packet: algo=2
:onepass_sig packet: keyid 1234567890ABCDEF
version 3, sigclass 0x00, digest 10, pubkey 1, last=1
:literal data packet:
mode b (62), created 1456410193, name="somefile",
raw data: 1551 bytes
gpg: original file name='somefile'

To get the cipher name from the cipher numbers I check RFC4880 (
https://tools.ietf.org/html/rfc4880#section-9.2).

My expectation is that symmetric encryption should use the same cipher
(AES256) in both cases.

Can someone please explain if the above is the expected behaviour or if my
expectations are wrong?

I am running Debin 8.3 with gnupg2 2.0.26-6. I use gpg2 because my 4096b
public/private keys are on a smart card.

I also apologies for the really long e-mail.

Kind Regards,
Martin
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

Re: cipher used when both --encrypt and --symmetric is specified

cipher used when both --encrypt and --symmetric is specified

8 matches

Site Navigation

Mail list logo

Footer information