[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PGP/GnuPG unsecure, should be replaced?



Hi,

On 7/19/19 1:34 PM, Stephan Seitz wrote:
I found the following article about PGP/GnuPG:
https://latacora.singles/2019/07/16/the-pgp-problem.html

In short you should drop GnuPG because it doesn’t do anything really the right way. It should be replaced with different tools for different situations.

I checked that article. For e.g. the article says, "If you’re lucky, your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher in CFB, ..."

Wrong. The current implementation of GnuPG shipped by Debian Buster - version 2.2.12 - does support modern cryptographic standards for symmetric encryption, not only CAST5. For e.g., it does support twofish and aes. Both of which use 128-bit block sizes, AFAIK. See command output for gpg below about supported algorithms:

"

qmi@qmiacer:~$ gpg --version

gpg (GnuPG) 2.2.12
(...)
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
(...)
"

So it's good enough, apparently.


Debian is using GnuPG for signing files. From the article:

Signing Packages

Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what

You may be right, though. That tool might have better bindings for modern programming languages.

Regards,
--
qmi
Email: lista@miklos.info


Reply to: