
How to check the Public Key Algorithm used for a given gpg key (ie: RSA vs DSA)

Today I discovered how to validate the Public Key Algorithm that's used for a given gpg key. Unfortunately, it's extremely unintuitive & took quite a bit of digging to figure out how. So I'm leaving this here in hopes it helps someone in their future searches.

Extracting packet metadata from your public key

Assuming you have a public key file exported to a file named 'pubkey.asc', type this command from the same working directory as the 'pubkey.asc' file:

gpg --list-packets pubkey.asc

Or, if the key is already in your keyring, type this, replacing my key's fingerprint with yours:

gpg --export 'B162 9E1F 1737 EC4F 74C9  E923 1EF1 68D2 68C4 0535' | gpg --list-packets

The output is metadata about the public key, including the lines:

:public key packet:
        version 4, algo 17, created 1232569004, expires 0
...
        keyid: 1EF168D268C40535

and

:public sub key packet:
        version 4, algo 16, created 1232569004, expires 0
...
        keyid: EADF81259040F433

The first block is the master key. This key is typically used for signatures only.

The second block is a subkey. This key is typically the encryption key.

OpenPGP Message Format (RFC 4880)

In each block, you'll see the lines "version X, algo Y".

The version refers to the OpenPGP Public-Key packet version, as defined in RFC 4880, section 5.5.2. Version 3 is deprecated; you should be using Version 4.

The "algo Y" is what we want. Y is a number that maps to a specific Public-Key Algorithm, as defined in RFC 4880, section 9.1.

For example, if you see "algo 1", "algo 2", or "algo 3", then the key is using RSA.

If you see "algo 17", then you are using DSA (Digital Signature Algorithm). If you see that this key is using < 2048 bits, then you should deprecate & replace your key. DSA < 2048b was declared "Disallowed" by NIST in November 2011.
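To show how the "version X, algo Y" lines are turned into an audit result, here is an added example (my own code, not from the original post) that parses the text `gpg --list-packets` prints, maps the algo number to its RFC 4880 section 9.1 name, and flags a DSA key below 2048 bits. It assumes GnuPG 2.x output, which also prints each MPI size as `pkey[0]: [N bits]` (pkey[0] is the RSA modulus or the DSA/Elgamal prime, so its length is the key size); the sample output below is constructed, reusing only the key IDs and creation time from the post, and the ECC algorithm IDs 18, 19 and 22 are later assignments that the post does not mention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Public-Key Algorithm IDs from RFC 4880, section 9.1 (1-3, 16, 17).
# 18/19 were added by RFC 6637 and 22 (EdDSA) is what GnuPG emits for
# ed25519 keys; those three are assumptions beyond the original post.
PK_ALGOS = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only", 3: "RSA Sign-Only",
            16: "Elgamal (Encrypt-Only)", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

HEADER_RE = re.compile(r"^:(public key|public sub key) packet:")
VERSION_RE = re.compile(r"version (\d+), algo (\d+), created (\d+), expires (\d+)")
KEYID_RE = re.compile(r"keyid: ([0-9A-Fa-f]{16})")
# GnuPG 2.x prints MPI sizes as "pkey[0]: [N bits]"; pkey[0] is the RSA
# modulus n or the DSA/Elgamal prime p, so its length is the key size.
PKEY0_RE = re.compile(r"pkey\[0\]: \[(\d+) bits\]")


@dataclass
class KeyPacket:
    kind: str                   # "public key" (master) or "public sub key"
    version: int = 0
    algo: int = 0
    created: int = 0
    expires: int = 0
    keyid: str = ""
    bits: Optional[int] = None  # None if gpg printed no pkey[] sizes

    @property
    def algo_name(self) -> str:
        return PK_ALGOS.get(self.algo, f"unknown algorithm id {self.algo}")

    def weaknesses(self) -> List[str]:
        """Findings a key-hygiene check would raise for this packet."""
        out = []
        if self.version != 4:
            out.append(f"packet version {self.version} is deprecated; v4 expected")
        if self.algo == 17 and self.bits is not None and self.bits < 2048:
            out.append(f"DSA {self.bits}-bit: below 2048 bits, NIST-disallowed since Nov 2011")
        return out


def parse_list_packets(text: str) -> List[KeyPacket]:
    """Parse `gpg --list-packets` output; keeps only public key/subkey packets."""
    packets: List[KeyPacket] = []
    current: Optional[KeyPacket] = None
    for line in text.splitlines():
        if line.startswith(":"):
            # Every ":<type> packet:" header starts a new packet. Non-key
            # packets (signatures, user IDs) reset `current` so their own
            # "version ..." lines are not attributed to a key.
            m = HEADER_RE.match(line)
            current = KeyPacket(kind=m.group(1)) if m else None
            if current is not None:
                packets.append(current)
        elif current is not None:
            if m := VERSION_RE.search(line):
                current.version, current.algo, current.created, current.expires = map(int, m.groups())
            elif m := KEYID_RE.search(line):
                current.keyid = m.group(1).upper()
            elif m := PKEY0_RE.search(line):
                current.bits = int(m.group(1))
    return packets


def describe(packets: List[KeyPacket]) -> List[str]:
    """One audit line per key packet."""
    lines = []
    for p in packets:
        role = "master key" if p.kind == "public key" else "subkey"
        size = f"{p.bits}-bit " if p.bits is not None else ""
        lines.append(f"{p.keyid} {role}: {size}{p.algo_name} (algo {p.algo}) -> "
                     + ("; ".join(p.weaknesses()) or "ok"))
    return lines


# Constructed sample in the shape GnuPG 2.x prints, reusing the key IDs and
# creation time from the post; the "# off=" line and MPI sizes are made up.
SAMPLE_OUTPUT = """\
# off=0 ctb=99 tag=6 hlen=3 plen=418
:public key packet:
\tversion 4, algo 17, created 1232569004, expires 0
\tpkey[0]: [1024 bits]
\tpkey[1]: [160 bits]
\tkeyid: 1EF168D268C40535
:user ID packet: "Example User <user@example.invalid>"
:signature packet: algo 17, keyid 1EF168D268C40535
\tversion 4, created 1232569004, md5len 0, sigclass 0x13
:public sub key packet:
\tversion 4, algo 16, created 1232569004, expires 0
\tpkey[0]: [2048 bits]
\tkeyid: EADF81259040F433
"""

if __name__ == "__main__":
    print("\n".join(describe(parse_list_packets(SAMPLE_OUTPUT))))
```

To run it against a real key, feed it the stdout of `gpg --list-packets pubkey.asc` (or of the `gpg --export ... | gpg --list-packets` pipeline above) instead of `SAMPLE_OUTPUT`. On the constructed sample the master key is reported as 1024-bit DSA with the NIST finding and the Elgamal subkey as ok; older GnuPG 1.x builds omit the `pkey[]` lines, in which case `bits` stays `None` and only the algorithm and packet version are checked.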
