[gnutls-dev] Another openpgp question...

Nikos Mavroyanopoulos nmav at gnutls.org
Wed Nov 26 15:18:21 CET 2003


On Wed, Nov 26, 2003 at 11:19:56AM +0200, Nikos Mavroyanopoulos wrote:

> > I am basically content for now that I have some encryption working, but
> > it would be nice to have some clarification on issues above.   
> Not all combinations of ciphers are available, even if the API implies
> that. The openpgp ciphersuites do not include MD5 as an HMAC option. They
> only allow SHA and RIPEMD-160. They also do not include the export
> ciphers since they were obsoleted by the TLS Working group.
Sorry, I'm totaly wrong here. There is no openpgp ciphersuites concept
(they are common for both openpgp and x.509 certificates).

The fact that you cannot use MD5 is that you are probably using the 
DHE_RSA or the DHE_DSS ciphersuites, which have only be defined with SHA as
the HMAC algorithm. MD5 is only used in the plain _RSA_ ciphersuites,
so you have to enable GNUTLS_KX_RSA, which requires a key marked as encrypt 
only (I think that gnupg asks for the type at the key generation proccess).

MD5 was faster than SHA-1 (I don't know about RIPEMD), and is not
weaker in any way (at least for the HMAC construction).

-- 
Nikos Mavroyanopoulos




More information about the Gnutls-devel mailing list