Bug#1001956: popcon: gpg: 5B1A07804DD558242CF5538215A07BA5233E3E85: skipped: unusable public key

Sun, 19 Dec 2021 13:51:17 -0800 

Bill Allombert dixit:

>What about the underlying hash functions ?

They’re not used with the keys themselves, merely stated as preferences.

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The public key to encrypt to specifies its ordered preferences.
The ones from the OpenPGP standard are always added at the end
of the list if not manually stated, and they’re pretty low, so
it makes sense to pick ones from this list.

I once found someone arguing (with data) why AES256 might be,
on average, worse than AES192 on GNU/Linux. I unfortunately did
not note any link, just the result. You probably can get good
results with:

personal-digest-preferences SHA384 SHA512 SHA256
personal-cipher-preferences AES192 AES256 AES
personal-compress-preferences ZLIB Uncompressed
(or just Uncompressed, but the relevant attack won’t work here)
# H9 H10 S8 Z2 Z0 H8 S9 S7
default-preference-list SHA384 SHA512 AES192 ZLIB Uncompressed SHA256 AES256 AES

YMMV, of course.

stretch has the same list:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

gpg2 on bullseye has:
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The difference is addition of ECC variants and removal of MD5.

Implied preferences are 3DES SHA1 Uncompressed.

HTH & HAND,
//mirabilos
-- 
„Cool, /usr/share/doc/mksh/examples/uhr.gz ist ja ein Grund,
mksh auf jedem System zu installieren.“
        -- XTaran auf der OpenRheinRuhr, ganz begeistert
(EN: “[…]uhr.gz is a reason to install mksh on every system.”)

Reply via email to