Tutorial: Choosing the right SHA settings
December 9th, 2006 by Adam
By far the most common search queries for people visiting my main site are about SHA settings with GnuPG. These are a little complex, and depend on the type of key that you use (see my tutorial on generating keys for more details on doing this), but once you understand what SHA algorithms do, it’s not quite so daunting.
- What is SHA?
SHA stands for Secure Hash Algorithm. This is the mathematical method used in generating a signature on your files or emails: the hash of the content is signed with your private key, so that you and only you can sign an email or file. This way, if the email is changed in any way before the recipient receives it, or if the file you placed on the internet is replaced without your knowledge, the signature verification will fail and this will show that it is not the original email or file that you sent.
- What algorithms are available?
There are several SHA algorithms available – these are RIPEMD160, SHA-1, SHA224, SHA256, SHA384 and SHA512. There are others such as Whirlpool and IDEA, but these are not included in OpenPGP or Enigmail.
- What SHA settings should I use?
There is no “right answer” to this question – to some extent, this is an entirely personal choice. If you have a DSA signature key, you will need to use a 160 bit hash function (for example, RIPEMD160 or SHA-1) unless you have the most recent version of GnuPG. If you enable DSA2, this will allow you to use either SHA224 or SHA256 with your DSA key – see this page for full instructions on enabling DSA2.
Arguably, 160 bit hash functions are becoming less and less secure. There have been several published problems with SHA-1 security, including the potential ability to break the function without a full brute-force attack that tries every possible code combination. There is a very good Wikipedia article on SHA if you’re interested in reading more about the weaknesses.
Because of the weaknesses in SHA-1 and RIPEMD160, I would recommend that you use DSA2 with any DSA signing keys. If you enable DSA2, you will be able to use SHA224 and SHA256 with any existing DSA key. However, if you do not yet have a key, or don’t mind replacing your original, I would highly recommend that you use an RSA key.
RSA keys support virtually all hash functions. This opens up opportunities to use the most secure hash functions including SHA256, SHA384 and SHA512. There are a few drawbacks to the use of SHA512 – namely that it increases the size of the signature (which isn’t really a problem at all), and that it’s not fully supported on some clients. If everyone you communicate with has Thunderbird and Enigmail (or Mobility Email) then you can freely use SHA512 without any problems. Some systems (especially older products) only support up to SHA256, although this is changing rapidly.
- So how do I change my SHA settings?
In Enigmail, this is really easy. Simply go to OpenPGP > PREFERENCES and select the PGP/MIME tab. There’s a drop-down box with a list of SHA options – just select one and hit OK.

If you use OpenPGP with other applications (such as GPGee for file signing and verification) then you may have to edit your GPG.conf file. To do so, simply go to your GPG Home Directory (on Windows XP / 2000, the default is C:\Documents and Settings\[user]\Application Data\GnuPG\) and open GPG.conf with Notepad or another text editor. All you have to do is add the following on a new line, then save the file:
digest-algo SHA256
Just replace SHA256 with your preferred algorithm.
If you use a DSA key and you want to set a default SHA setting in GPG.conf, enter the following:
digest-algo SHA256
enable-dsa2
Remember with the above that you can use either SHA224 or SHA256, and you must add the enable-dsa2 line.
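The rules above can be checked mechanically. The following Python script is an added example, not part of the original tutorial or of GnuPG: it reads GPG.conf text and reports whether the digest-algo line fits the key type according to the rules on this page. The function names, verdict labels and sample configurations are constructed for illustration, and it does not check whether your GnuPG version supports DSA2.

```python
# Added example (not from the original post): applies this tutorial's rules to GPG.conf text.
HASH_BITS = {"RIPEMD160": 160, "SHA1": 160, "SHA224": 224,
             "SHA256": 256, "SHA384": 384, "SHA512": 512}

def parse_conf(text):
    """Return (digest_algo or None, dsa2_enabled) from GPG.conf text."""
    digest, dsa2 = None, False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment line
        if parts[0] == "digest-algo" and len(parts) > 1:
            # Normalise spelling so "SHA-1" and "sha1" compare equal.
            digest = parts[1].upper().replace("-", "")
        elif parts[0] == "enable-dsa2":
            dsa2 = True
    return digest, dsa2

def check_conf(text, key_type):
    """Return (verdict, reason); verdict is 'ok', 'weak' or 'invalid'."""
    digest, dsa2 = parse_conf(text)
    if digest is None:
        return "ok", "no digest-algo line, GnuPG chooses the hash itself"
    bits = HASH_BITS.get(digest)
    if bits is None:
        return "invalid", f"{digest} is not one of the hashes listed in the tutorial"
    if bits == 160:
        return "weak", f"{digest} is a 160 bit hash"
    if key_type == "DSA":
        if not dsa2:
            return "invalid", f"{digest} with a DSA key needs enable-dsa2"
        if bits > 256:
            return "invalid", "with DSA2 the tutorial allows only SHA224 or SHA256"
    return "ok", f"{digest} is usable with a {key_type} key"

# Constructed sample configurations, one per case discussed in the tutorial.
SAMPLES = {
    "dsa_plain": ("digest-algo SHA256\n", "DSA"),
    "dsa_dsa2": ("# DSA key\ndigest-algo SHA256\nenable-dsa2\n", "DSA"),
    "dsa_sha512": ("digest-algo SHA512\nenable-dsa2\n", "DSA"),
    "rsa_sha512": ("digest-algo SHA512\n", "RSA"),
    "rsa_sha1": ("digest-algo SHA-1\n", "RSA"),
}

if __name__ == "__main__":
    for name, (conf, key) in SAMPLES.items():
        print(name, *check_conf(conf, key))
```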
So that’s it. Relatively simple once you know how, and you should only have to do this once. When it’s set up, the settings will be remembered for as long as Enigmail or GnuPG is installed on your computer. But if you still have questions, please feel free to use the comments form below.