Friday, February 10, 2012

GPGTools, MacGPG2 and the IDEA cipher

I am one of those (un)fortunate guys who started using PGP encryption in 1998. It has been 14 years now and contrary to common belief, things have become increasingly more cumbersome to use. Cryptography on a day-to-day basis is hard to handle. This comes from a person actively participating in the information security arena. When I think of how average users would fare with cryptography, I shudder.

Ok, enough of rants, on to technical stuff. Upgrading to Mac OS X Lion saw a fair share of a few weekends getting sucked up in worthless non-productive technical housekeeping. MacPorts broke as usual. Downloading Xcode took almost an entire day. But the greatest pain was offered by GPGMail and GPGTools.

For years, GPGMail had been floundering. Thanks to the valiant effort of a team of volunteers, the small community that insists on using Apple's Mail.app but needs PGP/GPG support still stays afloat. My problem this time was not directly related to GPGMail integration with Mail.app (as was the case with my Leopard to Snow Leopard migration. Those were dark days for GPGMail).

My problem with GPG/PGP has always been the dropped support for the IDEA cipher. When I first created my PGP keypair in 1998, it used the IDEA cipher. Today, because of some patent encumbrance issues, the IDEA cipher got dropped. Therefore, every time I upgrade MacGPG, I have to recompile the package with IDEA support. I did that successfully, and my gpg2 output now shows:

$ gpg2 --version
gpg (GnuPG/MacGPG2) 2.0.18
libgcrypt 1.5.0
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

So far so good. The problems started occurring when using the passphrase. For some insane reason, gpg2 never accepted my secret key's passphrase. I tried searching for hours on end on issues with pinentry, gpg2, IDEA, gpg-agent and what not, but to no avail. I would be greeted with an "Invalid passphrase" message every time.

My solution? Get rid of the damn passphrase. I have had enough. I agree that I am a crypto wuss. The only way of getting rid of the passphrase was to migrate my key pair to a Linux machine and use GPG 1.4 on it. Oh yes, I had to recompile IDEA support for GPG 1.4 on my Linux machine as well.

Steps to enable IDEA support on GPG 1.4 for Linux:

wget http://www.spywarewarrior.com/uiuc/gpg-idea/idea.c.gz
gunzip idea.c.gz
gcc -Wall -O2 -shared -fPIC -o idea idea.c
cp idea /usr/lib/gnupg

Edit ~/.gnupg/gpg.conf. Add the following line:

load-extension idea

Now your Linux GPG 1.4 will support the IDEA cipher. Almost there.
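
To confirm that the extension actually loaded after the steps above, check that IDEA shows up in the Cipher list of `gpg --version`, which can wrap onto a second line as in the gpg2 output earlier. This is an added example, not part of the original post; the function names are hypothetical and the sample text is that earlier output, abridged.

```shell
#!/bin/sh
# Added example: check whether a cipher is listed in `gpg --version` output.

# Print the cipher names found in version text on stdin, one per line.
# The "Cipher:" list may continue on following lines that carry no "Label:"
# prefix, so keep collecting until the next labelled line (e.g. "Hash:").
list_ciphers() {
    awk '
        /^Cipher:/               { in_list = 1; sub(/^Cipher:[ \t]*/, "") }
        in_list && /^[A-Za-z]+:/ { in_list = 0 }
        in_list {
            gsub(/\([^)]*\)/, "")   # verbose output appends ids such as (S1)
            gsub(/[ \t]/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
    '
}

# Succeed if cipher $1 is listed in the version text on stdin.
# The match is exact, so "AES" is not satisfied by "AES192".
has_cipher() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    list_ciphers | grep -qxF -- "$want"
}

# Sample input: the gpg2 output shown earlier in this post, abridged.
sample_version_output() {
    cat <<'EOF'
gpg (GnuPG/MacGPG2) 2.0.18
libgcrypt 1.5.0
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
EOF
}

if sample_version_output | has_cipher IDEA; then
    echo "IDEA is available"
else
    echo "IDEA is missing: check load-extension in gpg.conf"
fi
```

On a real system, run `gpg --version | has_cipher IDEA` in place of the sample function.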

Removing the passphrase from my secret key:

gpg --status-fd 1 --command-fd 0 --edit-key root@example.com < input

and here's the input file:

passwd
old_password

Y
save
Y

Last step, migrate pubring.gpg and secring.gpg back to my Mac. GPGMail works great. Yes, I feel a little insecure because I don't have a passphrase on my secret key anymore, but it is something I will trade off for a working mailer that uses PGP encryption. Crypto aficionados are now permitted to let loose their tirades and criticisms against me.