Removing AES

David Shaw dshaw at jabberwocky.com
Tue Feb 10 12:28:39 CET 2004


On Tue, Feb 10, 2004 at 12:00:01PM -0500, Adam Pavelec wrote:

> Personally, I didn't do or see anything.  My organization has a key
> that was created with GPG version 1.2.3 using the default options.
> The party who is attempting to encrypt data to this key "has
> determined that the version of PGP that is being used (PGP 7.0.1)
> contains a bug that prevents it from generating a ciphertext file as
> output when the AES256, AES192, and AES128 symmetric algorithms are
> defined as the preferred symmetric Algorithms in an imported PGP
> key.  The exact nature of the bug is unknown at this time."
> 
> Their report goes on to state that they "have demonstrated that the
> bug affects keys generated with PGP v8.0.2 and all GnuPG versions
> due to the default options...  Specifically, these products
> apparently default to generating keys that specify the AES symmetric
> algorithms as the first three preferred algorithms."

Interesting.  I've heard what I thought was every possible variation
on the "this product won't handle files from that product because of
suchandsuch preference" problem, and it's always turned out to be a
misunderstanding of the problem.  This might just be the first time
it's real.

That they cannot use GnuPG *or* PGP 8 generated keys is interesting.
PGP 7.0.1 does support AES (it was the first version to do so).  I
wonder if there is something else going on (are they using PGP 7.0.1
straight or via the SDK, etc).

> Again, I am uncertain to the validity of this claim, but I have
> since created a new key that I have set (and updated) the
> preferences to exclude any AES algorithms.  If you are
> interested, I will let you know if this new key is interoperable
> with their current PGP install.

Please do.  I'd be very interested to see what happens.

David



More information about the Gnupg-users mailing list