> On 01/05/2011 01:37 PM, freej...@is-not-my.name wrote:
> > Hi, it appears --digest-algo is ignored for symmetric encryption using
> > gpg 1.4.9.
>
> Using --digest-algo is pretty dangerous. It's easy to create messages
> your recipients can't parse. --personal-digest-preferences is what you
> want to use instead.

I was playing around with --digest-algo after seeing something odd when I
looked at a symmetrically encrypted file I was experimenting with. In the
case I encrypt to somebody else then I do use --personal-digest-preferences.
I understand the difference because I read the postings from Werner, David,
and you. :-)

> Anyway, I can't recreate this bug:
>
> [...@localhost]$ gpg --list-packets test.asc
> :symkey enc packet: version 4, cipher 2, s2k 3, hash 2
>     salt 6cbb4c1e2c0fbae1, count 65536 (96)
> gpg: 3DES encrypted data
> :encrypted data packet:
>     length: unknown
> gpg: encrypted with 1 passphrase
> :compressed packet: algo=1
> :literal data packet:
>     mode b (62), created 1294253512, name="test.txt",
>     raw data: 2385 bytes
> gpg: WARNING: message was not integrity protected
>
> SHA-1 is used in the symmetric packet, as is expected. See RFC4880,
> section 5.13: "Symmetrically Encrypted Integrity Protected Data Packet":
> SHA-1 is the only option for digest algorithms for this particular packet.

Then something is very odd. Here's my output, only I used IDEA instead of
3DES for my test:

user:~$ gpg --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
user:~$
user:~$ gpg -c -ao test.asc --digest-algo sha1 --cipher-algo idea test.txt
Enter passphrase: 12345
Repeat passphrase: 12345
user:~$ gpg --list-packets test.asc
:symkey enc packet: version 4, cipher 1, s2k 3, hash 3
    salt 349d4381bb80d1f7, count 65536 (96)
gpg: IDEA encrypted data
Enter passphrase: 12345
:encrypted data packet:
    length: 33
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
    mode b (62), created 1294256753, name="test.txt",
    raw data: 5 bytes
gpg: WARNING: message was not integrity protected
user:~$ pgpdump test.asc
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
    New version(4)
    Sym alg - IDEA(sym 1)
    Iterated and salted string-to-key(s2k 3):
        Hash alg - RIPEMD160(hash 3)
        Salt - 34 9d 43 81 bb 80 d1 f7
        Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(33 bytes)
    Encrypted data [sym alg is specified in sym-key encrypted session key]

> --digest-algo will let you determine which algorithm to use, whenever
> there is a choice of which algorithm to use. There is no choice here.

Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES
instead of IDEA and got the same thing. RIPEMD160 is being used, not SHA1.

Thanks for looking at this.
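
Added example, not part of the original message and not GnuPG or pgpdump code: a small Python decoder for the tag 3 packet in the dumps above. The "hash" number on the ":symkey enc packet:" line is the hash algorithm id stored in that packet's S2K specifier (RFC 4880 sections 3.7 and 5.3). The sample bytes are constructed from the values printed in the output above, and the function names are this example's own.

```python
# Added example: decode an OpenPGP Symmetric-Key Encrypted Session Key packet
# (tag 3) as laid out in RFC 4880 sections 4.2, 5.3 and 3.7.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
CIPHER_NAMES = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
                7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}

# Constructed sample: old-format header (tag 3, one-byte length 13) followed
# by the field values printed in the message's own packet dump.
SAMPLE = bytes.fromhex("8c0d" "04" "01" "03" "03" "349d4381bb80d1f7" "60")


def decode_count(coded):
    """Expand the one-byte coded iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_skesk(packet):
    """Parse an old-format, one-byte-length tag 3 packet into a dict."""
    if len(packet) < 2 or packet[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    if (packet[0] >> 2) & 0x0F != 3 or packet[0] & 0x03 != 0:
        raise ValueError("expected tag 3 with a one-byte length")
    body = packet[2:2 + packet[1]]
    if len(body) != packet[1] or len(body) < 4:
        raise ValueError("truncated packet")
    version, cipher, s2k_type, hash_id = body[:4]
    if version != 4:
        raise ValueError("only version 4 packets are defined")
    if s2k_type not in (0, 1, 3):
        raise ValueError("unknown S2K type %d" % s2k_type)
    info = {"cipher": CIPHER_NAMES.get(cipher, cipher), "s2k": s2k_type,
            "s2k_hash": HASH_NAMES.get(hash_id, hash_id)}
    rest = body[4:]
    if s2k_type in (1, 3):                      # salted variants carry 8 bytes
        if len(rest) < 8:
            raise ValueError("missing salt")
        info["salt"], rest = rest[:8].hex(), rest[8:]
    if s2k_type == 3:                           # iterated and salted
        if not rest:
            raise ValueError("missing coded count")
        info["count"] = decode_count(rest[0])
    return info


if __name__ == "__main__":
    print(parse_skesk(SAMPLE))
```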