Reputation: 1110
GnuPG with IDEA support
I'm attempting to "integrate" support for the IDEA cipher into my current system that uses the GnuPG command-line interface for encrypting/decrypting data files sent between my company and our partners. I've read all of the instructions I can find online for various ways to get this set up, and I'm still unable to get the IDEA cipher to load properly.
First, my configuration: I'm using Windows 7 (64-bit) Professional and GnuPG 2.0.17. The --version lists as follows:
gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0)
libgcrypt 1.4.6
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
The command-line executable is actually located on a network share (\\<SERVERNAME>\<ShareName>\GnuPG\gpg.exe), which generally works perfectly for everything I have to encrypt/decrypt EXCEPT when I run into files encrypted using the IDEA cipher. I get the following message when it tries:
gpg: cipher algorithm 1 (IDEA) is unknown or disabled
gpg: encrypted with 2048-bit ELG key, ID C4186BB7, created 2003-05-14
"<[email protected]>"
gpg: public key decryption failed: Invalid cipher algorithm
gpg: decryption failed: No secret key
So, I started Googling everything I could find. I've downloaded the idea.dll library (after digging through all sorts of junk trying to find it) and placed it in the \\<SERVERNAME>\<ShareName>\GnuPG\lib directory, as instructed.
Most of the resources I can find talk about adding the line load-extension lib\idea to the gpg.conf file located in C:/Users/<username>/AppData/Roaming/gnupg. This doesn't work, as I still get the same results to the --version command (no IDEA cipher listed in the supported algorithms). I've also tried explicitly using the full path to the library instead of just the "shortcut" like this: load-extension "\\<SERVERNAME>\<ShareName>\GnuPG\lib\idea.dll", but no luck.
Another suggestion is to add the load-extension switch to the actual command-line like this:
\\<SERVERNAME>\<ShareName>\GnuPG\gpg.exe --load-extension idea
I've tried multiple variations of this option as well, including using the full file name, the full path and file name, etc., but I still can't get the IDEA cipher to load. I've tried putting the idea.dll in the GnuPG Home directory (C:/Users/<username>/AppData/Roaming/gnupg) and trying to get GnuPG to load it from that location with all of the same suggestions as listed above.
The idea.dll file I have doesn't have any version information listed in the Properties dialog, but it's modification date is listed as 20 September 2002. Any suggestions on something I may have overlooked here?
EDIT 1: I'd eventually like to move away from doing my encryption/decryption via command-line and migrate my application to use the BouncyCastle API, as I believe the IDEA cipher is "built-in" over there. Unfortunately, though, I'm having issues getting that working as well (see my SO question on the problems I'm facing with BouncyCastle).
EDIT 2: One other thing to note is that all of the testing I've done above has been from a basic (elevated) command prompt - completely outside of my actual application - so that I can eliminate that as a potential cause of the problem.
Upvotes: 1
Views: 2014
Answers (1)
Reputation: 1110
So, I kept digging around and even cross-posted my question on the Spiceworks community site. One of the things I found - but had basically ignored, as I didn't see the relevance at the time - was a thread in the GnuPG mailing list. However, one of the other users over on Spiceworks pointed it out to me again, so I gave it another read. I'm basically reposting what I posted over on that site as a reference for anyone else who might run into this issue.
Here's what Werner Koch said in his message on that mailing list:
Nope. GnuPG-2 does not support loading of extensions. the option is a dummy option. The reason for this is that crypto operations are done by Libgcrypt and not by gpg.exe.
The next version of Libgcrypt will support IDEA and thus GnuPG 2.1 will be able to decrypt old (i.e. PGP 2) files, directly. However, using IDEA is not a good idea, we have far better algorithms for ages.
...and the response from the person asking the question was:
When I have to make use of "idea.dll" so that I can decrypt messages that were encrypted with it, I then use Gpg 1.4.x, and I have it in an altogether separate folder from the real installation of Gpg 2.0.x. I could not agree with you more in regard to its comparatively inferior algorithms, but that does not preclude my needing it from time to time.
Is there any reason I should not place it in the same folder as the gpg.exe version 1.4.x and then make reference to it there? Thanks.
Based on these comments, I figured that, since I'm using GnuPG v2.0.17, maybe I need to try to find an older version of GnuPG (from the 1.4.x family) I can use. I found and downloaded the source code for 1.4.20, downloaded MnGW/MSYS and tried to compile it. Unfortunately, I had problems getting it to compile, and errors kept popping up in the process.
Then, I just happened to be looking at a Windows Explorer window to check a path for some of the files I was working with, and I noticed another directory that contained the gpg.exe file. I fired up a command prompt and just tried to run a --version check on it, and I got this:
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
**gpg: LoadLibrary failed: The system cannot find the file specified.
gpg: invalid module `c:\\lib\\gnupg\lib/idea': The specified module could not be
found.**
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
HOLY CRAP! It's version 1.4.9, and this time it actually appears that it's at least TRYING to load the IDEA library!
So, I tried again, but this time I used the --load-extension switch:
C:\gnu\gnupg\gpg --load-extension C:\GnuPG\lib\idea.dll --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: **IDEA**, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
HOLY CRAP AGAIN! There's the IDEA cipher this time!
So, now comes the real test - I tried my command line to decrypt the file using this older executable:
C:\GNU\GnuPG\gpg.exe --load-extension C:\GnuPG\lib\idea.dll --batch --passphrase <password> --output "C:\Testing\decrypted.txt" --decrypt "C:\Testing\encrypted.pgp"
Executing this now gives me the following output:
gpg: WARNING: cipher algorithm IDEA not found in recipient preferences
gpg: encrypted with 2048-bit ELG-E key, ID C4186BB7, created 2003-05-14
"<[email protected]>"
I looked, and sure enough, the decrypted file IS THERE! Even though I got the warning about the IDEA cipher algorithm, it still decrypted the file normally, and put it out exactly as expected!
I guess the answer here is that you can't use GnuPG v2.0.x to decrypt files encrypted using the IDEA cipher at all. It would seem that you have to drop back to a previous version of GnuPG in order to even load the library. Thanks for your help. I think I can finally put together a working command-line solution now. Maybe one day I'll actually finish working on the BouncyCastle API implementation, but for now I'm just happy to get the thing working. (doing my happy dance)
EDIT: So, for my "final" (but definitely not perfect) solution, I've got my application attempting to decrypt the file via the 2.0 version, then, if that fails (the decrypted file doesn't exist), try to decrypt using the 1.4 version with the IDEA cipher loaded. Through all of my testing so far, it seems that this works exactly as expected, and my IDEA-encrypted files are being decrypted normally. I should probably build something that actually reads the standard output from the command line to make the determination whether or not to try again with 1.4, but this looks like it's going to work for my purposes until I can figure out BouncyCastle.
Upvotes: 2
Related Questions
- gpg protection algorithm is not supported
- python gnupg decryption failing due to bad password on generated keys
- Can't suppress passphrase prompt automating GPG decryption
- gpg : encryption/decryption failed
- why pgp ask passphrase at the first time after I use --passphrase-fd
- Can I effectively choose gnupg recipients by email address?
- gpg with powershell
- Trouble decrypting using PostgreSQL's gnupg extension