Ranked Order of Security for Encryption Algorithm Preferences: For GPG


GPG & PGP negotiate the encryption & hashing algorithm to use based on the recipient key's prioritized list of supported algorithms. The problem is DES/MD5 are forced to be included as the last choice if not already included due to the OpenPGP Standard.

Yes of course they all are quite secure and perhaps practically more secure than needed (other than quantum concerns or a major math discovery).

However, to maximize security what ordered ranking on gpg supported symmetric encryption would you choose and why?

GPG Supported Symmetric and Hashing Algorithms:

Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11),
CAMELLIA192 (S12), CAMELLIA256 (S13)

Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
SHA512 (H10), SHA224 (H11)

Hashing algorithms are easy to order since the SHAxxx family is agreed to be the best in GPG currently, followed by RIPEMD160, SHA1 and MD5. It would be nice to outlaw anything but SHA-2 versions.

Riseup's Guide recommends:

personal-cipher-preferences AES256 AES192 AES CAST5

That seems wrong, since you want to avoid the DES fallback as much as possible, right? Why not this or a reasoned variation?


[then DES gets added by software supporting OpenPGP]

Nice answer discussing the GPG but not much on symmetric algorithms.
Top Hashing and Encryption Algorithms

Best Answer

OpenPGP enforces support for a set of basic algorithms for reasons of compatibility, and you already realized you cannot disable them entirely.

The idea is to provide as many algorithms better than DES and MD5 as possible, to increase the chances of a match between sender and receiver. Omitting anything better than DES and MD5 is always a loss; there is no reason to do so, given these are the worst algorithms supported. Don't just limit yourself to the "newest and best algorithms", or you could end up with the worst having known weaknesses when somebody else is using older implementations.

Also don't forget there are two places to configure those options: your own preferences (in gpg.conf), and the ones stored in your key to tell others using that key what your preferences are (gpg --edit-key, setpref ...). For the latter, make sure to list preferences for all three categories, or you will limit yourself to the minimal set of algorithms enforced by the standard.

Symmetric Encryption Algorithms

Any algorithms supported by OpenPGP (apart from DES) are considered strong and no weaknesses are known. Blowfish has some problems with weak keys and might be a worse choice than others, as implementations might fail at choosing good keys.

Providing a total order for all the algorithms is difficult, as long as you put blowfish to the end. Putting AES in front seems reasonable, as it's probably the most used and analyzed algorithm among all of those.

Hashing Algorithms

Choice is easier here. MD5 is bad; SHA-1 better than MD5, but still has known problems. The other ones are considered strong.

Compression Algorithms

Compression is important; there are some esoteric attacks on the OpenPGP CFB mode that are prevented by compression.

The choice among those is pretty much up to you.
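
How the negotiation discussed in the question and the answer plays out, as an added example: a simplified model, not GnuPG's code and not part of either post. Cipher names come from the list in the question; the summed-rank tie-break, the `BROAD` ordering and the `LEGACY` sender are assumptions, and the implicit fallback modelled is 3DES, which RFC 4880 treats as tacitly last in every preference list.

```python
# Simplified model of OpenPGP cipher negotiation (added example, not GnuPG's code).
MANDATORY = "3DES"  # RFC 4880 sec. 13.2: tacitly last in every preference list

def effective_prefs(key_prefs):
    """A key's cipher preferences with the mandatory algorithm appended if absent."""
    prefs = list(dict.fromkeys(key_prefs))  # drop duplicates, keep order
    return prefs if MANDATORY in prefs else prefs + [MANDATORY]

def negotiate(recipient_prefs, sender_supported, sender_personal=()):
    """Pick one cipher every recipient key lists and the sender implements.

    recipient_prefs:  one preference list per recipient key (as set by setpref)
    sender_supported: ciphers the sender's implementation offers
    sender_personal:  sender's personal-cipher-preferences order, if any
    """
    lists = [effective_prefs(p) for p in recipient_prefs]
    usable = set(sender_supported) | {MANDATORY}
    common = set(lists[0]).intersection(*lists[1:]) & usable
    for algo in sender_personal:        # sender's own order wins if it matches
        if algo in common:
            return algo
    # Assumption: otherwise take the lowest summed rank across recipients,
    # breaking ties by name so the result is deterministic.
    return min(common, key=lambda a: (sum(l.index(a) for l in lists), a))

# Constructed inputs (hypothetical keys and sender, not taken from the page).
RISEUP = ["AES256", "AES192", "AES", "CAST5"]
NARROW = ["AES256"]
BROAD = ["AES256", "AES192", "AES", "CAMELLIA256", "CAMELLIA192",
         "CAMELLIA128", "TWOFISH", "CAST5", "BLOWFISH"]
LEGACY = {"TWOFISH", "CAST5", "BLOWFISH"}   # older sender without AES/Camellia
MODERN = set(BROAD)

if __name__ == "__main__":
    for name, prefs in [("narrow", NARROW), ("riseup", RISEUP), ("broad", BROAD)]:
        print(f"{name:7} key, legacy sender -> {negotiate([prefs], LEGACY)}")
    # Two recipients whose lists do not overlap fall back as well.
    print("disjoint recipients ->",
          negotiate([["AES256", "AES"], ["TWOFISH", "CAST5"]], MODERN))
    print("personal prefs ->", negotiate([BROAD], MODERN, ["CAMELLIA256", "AES256"]))
```

The narrow key and the disjoint recipient pair both end on the mandatory fallback, while the broad key still lands on a stronger shared cipher with the same legacy sender.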