Re: PGP/GnuPG unsecure, should be replaced?
Hi,
On 7/19/19 1:34 PM, Stephan Seitz wrote:
I found the following article about PGP/GnuPG:
https://latacora.singles/2019/07/16/the-pgp-problem.html
In short you should drop GnuPG because it doesn’t do anything really
the right way. It should be replaced with different tools for
different situations.
I checked that article. For e.g. the article says, "If you’re lucky,
your local GnuPG defaults to 2048-bit RSA, the 64-bit-block CAST5 cipher
in CFB, ..."
Wrong. The current implementation of GnuPG shipped by Debian Buster -
version 2.2.12 - does support modern cryptographic standards for
symmetric encryption, not only CAST5. For e.g., it does support twofish
and aes. Both of which use 128-bit block sizes, AFAIK. See command
output for gpg below about supported algorithms:
"
qmi@qmiacer:~$ gpg --version
gpg (GnuPG) 2.2.12
(...)
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
(...)
"
So it's good enough, apparently.
Debian is using GnuPG for signing files. From the article:
Signing Packages
Use Signify/Minisign. Ted Unangst will tell you all about it. It’s what
You may be right, though. That tool might have better bindings for
modern programming languages.
Regards,
--
qmi
Email: lista@miklos.info
Reply to: