8

By default gpg use CAST5 with SHA1 (not so good) as it had AES256 and hash512!

Now I want to use the perfect code to encrypt my files for both symmetric & asymmetric

For symmetric encryption I use this code:

gpg -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 File

Is that the most I can get from gpg for symmetric encryption or there are more?

For asymmetric encryption I use this code:

gpg -er Key --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --cert-digest-algo SHA512 File

Can I add any other codes to make the encryption more secure?

There are z(n), --s2k-mode n and --s2k-count n.

What do these switches do? Which one should I use and with which parameters?

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
user195971
  • 81
  • 1
  • 2
  • This other question is probably relevant to consider as well: https://crypto.stackexchange.com/questions/5118/is-aes-256-weaker-than-192-and-128-bit-versions – kasperd Aug 05 '14 at 13:17

2 Answers2

12

The "most" you can get is "it won't be broken" and there is no level beyond that. CAST5 (aka "CAST-128") arguably already achieves this to a large extent, since no attack is known on the full algorithm despite some active research for a long time (best known attack appears to be due to Wang, Wang and Hu in 2009 and "breaks", in an academic way, a CAST5 reduced to 6 rounds only, whereas the full version has 12 or 16 rounds). Similarly, SHA-1 has known weaknesses with regards to collisions (and these are "academic", too, i.e. still theoretical), but collisions are not relevant to algorithms for converting passwords to keys.

Thus, switching to AES-256, SHA-512 or any algorithm with a big, mean-looking number, will not give you "more security". It will give you a feeling of safety, in the same way that red cars are often believed to be faster. If that's your thing, then, by all means, use AES -- after all, one point of security is to reduce anxiety. But, scientifically, algorithm switching is not necessary. GnuPG defaults to CAST5 and SHA-1 because this maximizes interoperability with older implementations of OpenPGP.

A minor point can be made, though, about the algorithm block size. CAST5 uses 64-bit blocks, which means that there are some more-or-less theoretical weaknesses if you encrypt a single file with a length beyond a few gigabytes. That's an edge case. If you are on the habit of encrypting huge files, you may want to switch to AES (AES-128 would be fine).

As for the "s2k" parameters: the "iteration count" (with --s2k-count) is meant to slow down dictionary attacks by making processing of the password inherently slow. The higher the count, the slower it gets. So, for security, you want the count to be as high as possible, but, for usability, you do not want it to be too high: a higher count makes password processing slower for everybody, you and the attacker alike. So you should raise the count to as high a value as is tolerable for you on your machines.

Of course, this slowdown factor is a way to tolerate relatively weak passwords. All other things being equal, it is better to have a high-entropy password which would resist dictionary attacks anyway.

Thomas Pornin
  • 326,555
  • 60
  • 792
  • 962
  • Wonderful answer, but If I want the red car (AES256withSHA512) what should be the password length 32,64 or 128 characters and how to force gpg to use them for every thing in asymmetric encryption, look at the code in the quetion and give me your opinion. – user195971 Feb 08 '13 at 07:12
  • @Thomas Pornin - If the OP is using s2k-cipher-algo AES256, does it make sense to use 512 bit hash s2k-digest-algo SHA512 ? The cipher AES256 only needs 256 bits, so SHA256 would have been sufficient. Seems to me, SHA512 does not add any advantage over SHA256. Is it correct, or am I missing something ? – Martin Vegter Dec 08 '14 at 02:18
  • Some people may argue that SHA-512 is a better choice because it internally relies on 64-bit operations that are easy for your CPU, but harder to optimize than the 32-bit operations used in SHA-256 when implementing a dictionary attack with off-the-shelf GPU. This advantage is slight and will hold only as long as GPU remain poor at 64-bit integer operations. – Thomas Pornin Dec 08 '14 at 12:22
3

From the manpage:

-s2k-mode n

Selects how passphrases are mangled. If n is 0 a plain passphrase (which is not recommended) will be used, a 1 adds a salt to the passphrase and a 3 (the default) iterates the whole process a number of times (see –s2k-count). Unless --rfc1991 is used, this mode is also used for conventional encryption. 

--s2k-count n

Specify how many times the passphrase mangling is repeated. This value may range between 1024 and 65011712 inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024-65011712 range are legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only meaningful if --s2k-mode is 3.

This explains it quite well in my opinion. By default s2k-mode is set to the 'most secure' method available. With s2k-count you can increase the amount of times your password gets mangled. Honnestly I would just leave it by default for the sake of compatibility. Considering the algorithms you are using (AES-256) you should be quite secure as long as you use a strong password.

Lucas Kauffman
  • 54,437
  • 17
  • 116
  • 196
  • and should i use sha256 or sha512, and how long the password should for every one of them? – user195971 Feb 07 '13 at 09:53
  • I always use a password beyond 14 characters containing upper,lower case characters, numbers and signs. There are different supported hashing algorithms, but SHA-512 is probably the best way to go. – Lucas Kauffman Feb 07 '13 at 10:03
  • thanks for your answer, I'll leave the question a little more for any one want to comment or put better answer. – user195971 Feb 07 '13 at 10:05
  • Yea, I'm not the crypto expert on here, I think people like @ThomasPornin might give you better answers. – Lucas Kauffman Feb 07 '13 at 10:11