[lug] gpg question

Michael J. Pedersen marvin at keepthetouch.org
Fri Jan 19 08:56:06 MST 2001


On Fri, Jan 19, 2001 at 08:00:51AM -0700, Walter Pienciak wrote:
> > gpg: Warning: using insecure memory!
> > gpg: this cipher algorithm is depreciated; please use a more standard one!

In addition to what Walter said, I'd like to throw in my two cents' worth on
this. Some facets of GPG weren't covered very well, due to time constraints.

Wayde, I'm thinking of re-doing this presentation as a two-parter, or an
extended presentation, in a year or so. What would be your thoughts on this?

Now, on to answer your questions:
gpg presents the warning about insecure memory for one very specific reason.
While entering your passphrase, and while doing encryption and decryption, the
document, passphrase, and most likely the unencrypted secret key are all
stored in memory. This is how computers are supposed to work. But this fails
to add in one very important detail: swap memory. All of this data is
susceptible to being swapped to disk at any time during the run of the
program. gpg has some safeguards in it to prevent that from happening, but the
program must be installed setuid by root in order for them to work. If the
safeguards fail, you receive the first warning above about insecure memory,
which means that, in future, somebody could sift through your swap space, and
find all of that information, without having to crack anything. As you can
see, this is very bad for your privacy.

The second message, regarding the algorithm, is due to the complexities of
public key encryption. Public key encryption is extremely computationally
slow, and takes forever to do, especially on long messages. As a result, only
a very short message is done with public key encryption, which means that your
DSA/ElGamal keys are used for only a very short while. That short message is
what's known as a session key. This key is then used with something like IDEA,
3DES, or another, more conventional algorithm. That cipher algorithm which you
are using is the one which has been marked deprecated, not the DSA/ElGamal
cipher. As Walter said, using another one would get rid of that message. Using

gpg --version

you can see which ones are available to you, and select a different one from
there.

In addition, one thing I failed to mention entirely in that discussion was the
options file, which I feel very bad for not mentioning. It's located in
$HOME/.gnupg/options and is the default options for use with gpg. Editing this
file will allow you to specify a great many options, all of which are very
heavily commented in that file. I would recommend having a look at it, and
I'll still be available to try and answer any questions you may have.

Hope that helps out!

-- 
Michael J. Pedersen
My GnuPG KeyID: 4E724A60        My Public Key Available At: wwwkeys.pgp.net
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
GnuPG available at http://www.gnupg.org