Robert J. Hansen said something like this:

> On 1/5/2011 4:00 PM, freej...@is-not-my.name wrote:
> > Then something is very odd. Here's my output, only I used IDEA instead
> > of 3DES for my test:
>
> You might want to reconsider using IDEA: although it was the bee's knees
> for the early 1990s, the past twenty years (good /grief/ it's so strange
> to say that!) have not been kind to it. Don't misunderstand me: I am
> not saying "IDEA is broken, move away from it." IDEA's margin of safety
> is presently razor-thin, but it still holds up. It's just that nobody
> likes a razor-thin safety margin. :)

Ok, thanks for the insight on cipher choice, but let's not get distracted ;-)

The issue is gnupg 1.4.9 doesn't seem to honor --digest-algo. I take your point maybe it shouldn't in some/all cases but it accepts a specification and verifies it and gives you a message if you specify an invalid choice. Then it silently ignores what you specified. Best case it's a usability error, worst case it's a bug. Has anybody tried this using 1.4.9?

> > gpg: WARNING: message was not integrity protected
>
> Notice that? That's present in your packet list, but not in mine.
> You're not using integrity-protected symmetric encryption, so the bit of
> the RFC I quoted at you doesn't apply. :)

Well according to what you posted, you did get this message. So I'm not sure what one of us is smoking ;) Please check your post

Message-ID: <4d24bff6.3030905__43652.2631127902$1294254146$gmane$...@sixdemonbag.org>

> > Sounds reasonable but then why is it using RIPEMD160? I tested with 3DES
> > instead of IDEA and got the same thing. RIPEMD160 is being used, not
> > SHA1. Thanks for looking at this.
>
> Try sharing your gpg.conf file. The answer is probably found in there
> somewhere.

I'll do better than that. Here's a test with no .gnupg folder at all, starting from scratch.

user:~$ gpg -c -ao test.asc --digest-algo sha512 --cipher-algo 3des test.txt
gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Enter passphrase: 12345
Repeat passphrase: 12345
user:~$ gpg --list-packets test.asc
gpg: keyring `/home/user/.gnupg/secring.gpg' created
:symkey enc packet: version 4, cipher 2, s2k 3, hash 2
        salt b3a9a45872132be3, count 65536 (96)
gpg: 3DES encrypted data
Enter passphrase: 12345
:encrypted data packet:
        length: 33
gpg: encrypted with 1 passphrase
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1294337333, name="test.txt",
        raw data: 5 bytes
gpg: WARNING: message was not integrity protected
user:~$ gpg -v --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
user:~$ pgpdump test.asc
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
        New version(4)
        Sym alg - Triple-DES(sym 2)
        Iterated and salted string-to-key(s2k 3):
                Hash alg - SHA1(hash 2)
                Salt - b3 a9 a4 58 72 13 2b e3
                Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(33 bytes)
        Encrypted data [sym alg is specified in sym-key encrypted session key]
user:~$

From this it's pretty clear --digest-algo isn't being honored by 1.4.9.
And it's clear it has nothing to do with IDEA, this example uses 3DES just like your example and anyway since I didn't load it (no conf) IDEA is completely out of the picture. I had said earlier it fails the same way when I used 3DES but here it is in black and white just to reinforce that.

What do you say to me now, Mr. Robert J. Hansen? I demand to talk to the management! Where's Werner and David, still out on holiday vacation? ;-)

Now to answer 2 posts in one:

vedaal wrote:

> There sort-of is, but in an out of the way place,
> and it's not apparent that the digests and ciphers for symmetric
> encryption are determined from there.
>
> It's in the s2k preferences:
> (the default is CAST5 and SHA1)
>
> vedaal

Thanks for your example, it may help if somebody had a gpg.conf, but given my test was run with no .gnupg folder or gpg.conf and used all the defaults, looks to me like there is some problem.

Thanks guys!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
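
As an added example (not part of the original post, and not GnuPG code), this Python parses the tag 3 packet shown in the pgpdump output above and reports which hash its S2K specifier carries, so the value can be checked after encrypting. The packet bytes are reconstructed from the fields printed in the post, and the function names are hypothetical.

```python
# Added example: parse an OpenPGP Symmetric-Key Encrypted Session Key packet
# (tag 3, RFC 4880 section 5.3) and report its S2K parameters.
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
CIPHERS = {2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
           8: "AES192", 9: "AES256", 10: "TWOFISH"}

# Reconstructed from the pgpdump output in the post: old-format header
# (tag 3, one-byte length 13), then version, cipher, S2K type, hash, salt, count.
SAMPLE = bytes.fromhex("8c0d" "04020302" "b3a9a45872132be3" "60")


def decode_count(c):
    """Expand the one-byte coded iteration count (RFC 4880 section 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def parse_skesk(data):
    """Return the fields of a version 4 tag 3 packet with an old-format header."""
    if len(data) < 2 or not data[0] & 0x80 or data[0] & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag, length_type = (data[0] >> 2) & 0x0F, data[0] & 0x03
    if tag != 3 or length_type != 0:
        raise ValueError("expected tag 3 with a one-byte length")
    body = data[2:2 + data[1]]
    if len(body) != data[1] or len(body) < 4:
        raise ValueError("truncated packet")
    version, cipher, s2k_type, hash_id = body[:4]
    if version != 4:
        raise ValueError("unsupported packet version")
    out = {"cipher": CIPHERS.get(cipher, cipher), "s2k_type": s2k_type,
           "s2k_hash": HASHES.get(hash_id, hash_id), "salt": None, "count": None}
    if s2k_type in (1, 3):            # salted, or iterated and salted
        if len(body) < 12:
            raise ValueError("truncated salt")
        out["salt"] = body[4:12].hex()
    if s2k_type == 3:
        if len(body) < 13:
            raise ValueError("truncated count")
        out["count"] = decode_count(body[12])
    elif s2k_type not in (0, 1):
        raise ValueError("unknown S2K type")
    return out


def check_s2k_hash(data, wanted):
    """True if the packet's S2K hash is the one the operator asked for."""
    return parse_skesk(data)["s2k_hash"] == wanted.upper()


if __name__ == "__main__":
    print(parse_skesk(SAMPLE))
    print("S2K hash is SHA512:", check_s2k_hash(SAMPLE, "sha512"))
```

The hash field in this packet is the S2K digest used to derive the key from the passphrase, which GnuPG sets with --s2k-digest-algo (the "s2k preferences" vedaal refers to).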