Thursday, August 30, 2007


There are several posts and publications on the net about why not to use IDEA with gpg, and how to install the idea.dll plugin if you do it anyway. Yet we did not find any information about what to do if a certain private/public key pair wants to use IDEA only, possibly because it was created with pgp2 compatibility. There are, however, some easy steps to change the preferred ciphers of a key, and thus to avoid IDEA when the key is used for encryption (especially when encrypting to self, and thus for all gpg mails that the person sends).

gpg --edit-key 0x12345678
pub  1024D/######## created: 2007-02-03  expires: never     usage: SC
                     trust: unknown      validity: unknown
sub  2048g/########  created: 2007-02-03 expires: never     usage: E
[ unknown] (1). user <mail>

Command> showpref
[ unknown] (1). user <mail>
     Cipher: [1], CAST5, AES256, AES192, AES, 3DES, TWOFISH
     Digest: SHA1
     Compression: ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
The [1] stands for IDEA as the (first) preferred cipher. It is shown as a number because the current gpg installation does not know this cipher; otherwise, IDEA would be shown there. So, just set the prefs. Unfortunately, all of them have to be set in one command, as a single string:
Command> setpref AES256 AES192 AES CAST5 3DES SHA1 SHA256 RIPEMD160 ZLIB BZIP2 ZIP Uncompressed MDC
You can do this only with your own key, of course, and you need to enter your passphrase (1). Test it, and publish the key anew to the usual key servers. As the preferences are set per user ID, and one key may contain a bunch of them, you might have to set the prefs for all user IDs separately ... I haven't tried that yet. If anything breaks, use setpref without any parameters to reset to the default values:
Command> setpref
Maybe this helps you as well if no one else can decrypt the mails you wrote with Thunderbird, Enigmail and gpg ...

(1) If you are running on Windows and use German umlauts or other diacritical characters, don't be surprised if your passphrase is not accepted in a shell while Enigmail or some other GUI accepts it ... Windows cmd.exe uses a different character set/code page than the Windows system usually uses!
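To check a key before and after the change, the following Python script (an added example, not part of the original post and not GnuPG code) parses pasted showpref output, maps the numeric [1] placeholder back to IDEA using the cipher IDs from RFC 4880, and proposes a setpref line that drops IDEA and keeps the remaining order. The function names and the sample text are constructed for illustration; user IDs without preferences (PGP 2.x style) are only marked, not changed.

```python
import re

# OpenPGP cipher IDs (RFC 4880, 9.2); showpref prints "[n]" for IDs the local gpg lacks.
CIPHER_IDS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
              7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
UID_RE = re.compile(r"^\[[^\]]*\]\s+\((\d+)\)\.\s+(.*)$")
PREF_RE = re.compile(r"^\s*(Cipher|Digest|Compression|Features):\s*(.*)$")

def parse_showpref(text):
    """Return one dict per user ID found in pasted 'showpref' output."""
    uids = []
    for line in text.splitlines():
        m = UID_RE.match(line.strip())
        if m:
            uids.append({"index": int(m.group(1)), "uid": m.group(2),
                         "has_prefs": True, "prefs": {}})
        elif uids and "no preferences on a PGP 2.x-style" in line:
            uids[-1]["has_prefs"] = False
        elif uids and (m := PREF_RE.match(line)):
            uids[-1]["prefs"][m.group(1)] = [t.strip() for t in m.group(2).split(",")]
    return uids

def cipher_name(token):
    """Map a '[n]' placeholder back to its algorithm name where known."""
    m = re.fullmatch(r"\[(\d+)\]", token)
    return CIPHER_IDS.get(int(m.group(1)), token) if m else token

def audit(text):
    """Flag user IDs that list IDEA and propose a setpref line without it."""
    findings = []
    for u in parse_showpref(text):
        ciphers = [cipher_name(t) for t in u["prefs"].get("Cipher", [])]
        if "IDEA" not in ciphers:
            continue
        keep = [c for c in ciphers if c != "IDEA"]
        keep += u["prefs"].get("Digest", []) + u["prefs"].get("Compression", [])
        keep += ["MDC"] if "MDC" in u["prefs"].get("Features", []) else []
        findings.append((u["index"], "setpref " + " ".join(keep)))
    return findings

# Constructed sample: the showpref output from the post, then a PGP 2.x-style ID.
SAMPLE = """[ unknown] (1). user <mail>
     Cipher: [1], CAST5, AES256, AES192, AES, 3DES, TWOFISH
     Digest: SHA1
     Compression: ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2). MyUserId [myemail@mycompany]
There are no preferences on a PGP 2.x-style user ID.
"""
```

Calling audit(SAMPLE) returns the index of each user ID that still lists IDEA together with the proposed setpref line; an empty list after re-running showpref means IDEA is gone from the preferences.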

Graphical user interfaces for GPG

BTW, some nice gpg software for windows (linux/unix has gpa, anyway).


Russell said...

Do you know the command lines to do this with PGP? When I use pgp -ke (for key edit), I don't get a command prompt so that I can do "SHOWPREFS" or "ADDPREFS," it just asks some questions (do you want this as the default signing key, do you want to ultimately trust it, do you want to add a new user, etc.). Once you answer all the questions, the key edit is over and I can't do preference editing.

Russell said...

When I follow these instructions for GPG, it gives me the message "There are no preferences on a PGP 2.x-style user ID." Does that mean even if I setpref that it won't make a difference? Also, when I do a setpref without specifying, it looks to offer a default set of preferences that I can just answer "Y" to accept. When I hit Y and showprefs again, it still shows (1) and the warning about 2.x-style user IDs instead of showing the changes.

See the output below.

Command> showpref
[ultimate] (1). MyUserId [myemail@mycompany]
There are no preferences on a PGP 2.x-style user ID.

Command> setpref
Set preference list to:
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA1, SHA256, RIPEMD160
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y