> Which algorithm is most secure/is there more non-college-math info
> on the web somewhere (no wikipedia please)? IDEA, 3DES, CAST5,
> BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192,
> CAMELLIA256

It's kind of like asking whether King Kong or Godzilla is the best at urban demolition. There are no clear answers here, and all rankings will be hotly contentious. Just discussing the different facets of the problem requires college-level math: one might be slightly superior in its resistance to differential cryptanalysis, another in impossible-differentials, and so on.

The good news: all the ciphers in GnuPG are believed strong even in the face of well-funded and highly-skilled adversaries.

> How sensitive is an email to assumption based deciphering?

These are called "known-plaintext attacks." All the ciphers in GnuPG are believed to provide strong protection against known-plaintext attacks.

> So, how hard is it, knowing some of the message, to discover the
> whole thing and/or the private key of the user?

Really, really hard. Like, "it would make the earth uninhabitable."

http://www.gnupg.org/faq/gnupg-faq.html#brute_force

> Is it polite to post saying that you want to sign keys with somebody
> on a random mailing list?

Depends a lot on the mailing list. I wish I could give clearer advice than that.

> Is there a way to tell gpg2 to encrypt the body of a message with
> something other than AES? (I've read that it uses AES for the body
> and I've read that AES is a fast, but not very good method of
> encryption.)

Sure. --personal-cipher-preferences will do this. That said, you read wrong: AES is considered one of the gold standards of strong cryptography. It's fast and believed highly resistant against cryptanalysis.

> If my key expires, is using the same passphrase on another key a
> safe/ok thing to do?

So long as you're confident your passphrase is still a secret, yes.

> Is there a limit practical or imposed on the length of a passphrase?
>
> I'm thinking of a 740 char passphrase that, though containing
> sentences and, therefore, making sense, (though perhaps only to some
> sick people like me,) and also containing repetitions of words 4+
> chars long, is really easy for me to remember. Do you think that it
> would be a good passphrase?

No. English has about 1.5 bits of entropy per glyph. Past about 384 letters you're not making things any harder to guess. Long passphrases also silently encourage users to do risky things like cut-and-paste them. (It's very easy for malware to look at the contents of your clipboard buffer.)

> Is exporting a public key a great way to announce that you can't
> wait to be spammed? (Your email is included in the output, as is
> your name.)

No. That's a 1995-2000 model of how spammers work. Email address harvesting got replaced by Markov models about 15 years ago.

> If multiple people sign a cert and return it to me how do I merge
> all the signatures back into my key on my computer?

GnuPG will do it automatically. Just import the certs.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users