Preferred cypher for PGP encryption in Java

Preferred Cyphers of a Key

PGP keys carry a list of preferred symmetric ciphers, and the software that performs the encryption must take that list into account when choosing an algorithm.

OpenPGP Library for Java can also be configured with its own list of preferred symmetric cipher algorithms; when a public key is supplied for encryption, the library tries to match its list against the key's preferences.

Preferred cypher matching

Cypher Algorithm matching (as of version 3.2.3.4)

1) Example
Key preferences: TWOFISH, AES-128, AES-192, AES-256
Library: AES256, AES192, AES128, TwoFish

Encrypt and SignAndEncrypt methods will select Twofish, as it is the first in the key preferences and is present in the Library preferences.

When setOverrideKeyAlgorithmPreferences(true) is set:
Encrypt and SignAndEncrypt methods will select AES-256, as it is the first in the Library preferences and is present in the key preferences.

2) Example
Key preferences: AES-128, AES-256, CAST-5
Library: AES192, TRIPLE_DES

Encrypt and SignAndEncrypt methods will select AES-128, as there is no match and this is the key's first preference, unless the key is Elliptic Curve Diffie-Hellman, in which case AES-256 will be used!

When setOverrideKeyAlgorithmPreferences(true) is set:
Encrypt and SignAndEncrypt methods will select AES-192, as it is the first in the Library preferences and there was no match with the key.
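
The matching rules from the two examples above, modelled as a stand-alone Java class. This is an added example, not DidiSoft's code, and it does not call the library. The Cypher enum, select and report are hypothetical names, and the last case is constructed to show that with no match and no override the key's first preference is used even when the library list is AES-only.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public class CypherSelectionModel {
    // Local stand-in for some CypherAlgorithm.Enum names; not the library's type.
    enum Cypher { TRIPLE_DES, CAST5, BLOWFISH, AES_128, AES_192, AES_256, TWOFISH, DES, SAFER, IDEA }

    // Ciphers this page's note lists as outdated.
    static final Set<Cypher> OUTDATED =
            EnumSet.of(Cypher.BLOWFISH, Cypher.IDEA, Cypher.CAST5, Cypher.SAFER, Cypher.DES);

    // Model of the documented rules; assumes both lists are non-empty.
    static Cypher select(List<Cypher> keyPrefs, List<Cypher> libPrefs,
                         boolean overrideKeyPrefs, boolean ecdhKey) {
        if (overrideKeyPrefs) {
            return libPrefs.get(0);            // library list is mandatory
        }
        for (Cypher c : keyPrefs) {            // key order decides among matches
            if (libPrefs.contains(c)) {
                return c;
            }
        }
        // No overlap: the key's first preference, or AES-256 for an ECDH key.
        return ecdhKey ? Cypher.AES_256 : keyPrefs.get(0);
    }

    static void report(String label, Cypher chosen) {
        String flag = OUTDATED.contains(chosen) ? "  <-- outdated, review key and library lists" : "";
        System.out.println(label + ": " + chosen + flag);
    }

    public static void main(String[] args) {
        // Example 1 from the page.
        List<Cypher> key1 = List.of(Cypher.TWOFISH, Cypher.AES_128, Cypher.AES_192, Cypher.AES_256);
        List<Cypher> lib1 = List.of(Cypher.AES_256, Cypher.AES_192, Cypher.AES_128, Cypher.TWOFISH);
        report("example 1, default ", select(key1, lib1, false, false));
        report("example 1, override", select(key1, lib1, true, false));
        // Example 2 from the page.
        List<Cypher> key2 = List.of(Cypher.AES_128, Cypher.AES_256, Cypher.CAST5);
        List<Cypher> lib2 = List.of(Cypher.AES_192, Cypher.TRIPLE_DES);
        report("example 2, default ", select(key2, lib2, false, false));
        report("example 2, ECDH key", select(key2, lib2, false, true));
        report("example 2, override", select(key2, lib2, true, false));
        // Constructed case: an AES-only library list still yields CAST5 on no match.
        List<Cypher> key3 = List.of(Cypher.CAST5, Cypher.TRIPLE_DES);
        report("constructed no-match", select(key3, List.of(Cypher.AES_256), false, false));
    }
}
```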

Getting/Setting the preferred ciphers

A list of the supported ciphers is available in com.didisoft.pgp.CypherAlgorithm.Enum:

CypherAlgorithm.Enum.TRIPLE_DES;
CypherAlgorithm.Enum.CAST5;
CypherAlgorithm.Enum.BLOWFISH;
CypherAlgorithm.Enum.AES_128;
CypherAlgorithm.Enum.AES_192;
CypherAlgorithm.Enum.AES_256;
CypherAlgorithm.Enum.TWOFISH;
CypherAlgorithm.Enum.DES;
CypherAlgorithm.Enum.SAFER;
CypherAlgorithm.Enum.IDEA;
CypherAlgorithm.Enum.CAMELLIA_128;
CypherAlgorithm.Enum.CAMELLIA_192;
CypherAlgorithm.Enum.CAMELLIA_256;

Note: Blowfish, IDEA, CAST-5, Safer, and DES should be treated as outdated nowadays!

List of preferred ciphers

We can get the current list of ciphers preferred by the library with the method PGPLib.getCyphers():

PGPLib pgp = new PGPLib();
CypherAlgorithm.Enum[] currentCyphers = pgp.getCyphers();

or we can get the preferred cypher(s) as a String:

PGPLib pgp = new PGPLib();
System.out.println(pgp.getCypher());

Changing preferred ciphers

This can be changed through the setter method PGPLib.setCyphers(CypherAlgorithm.Enum[] cyphers).
As of version 3.x the default preferred symmetric cypher is AES_256.

The example below sets AES_256, AES_192, and AES_128 as preferred algorithms. If an encryption key has only AES_192 and TRIPLE_DES as its preferred algorithms, the library will match AES_192 and use it for the data encryption.

PGPLib pgp = new PGPLib();
pgp.setCyphers(new CypherAlgorithm.Enum[] {CypherAlgorithm.Enum.AES_256, CypherAlgorithm.Enum.AES_192, CypherAlgorithm.Enum.AES_128});

or we can set the cypher(s) as a String:

PGPLib pgp = new PGPLib();
pgp.setCypher("AES_256, AES_192, AES_128");

Overriding key preferences

We can make the library preferences mandatory and in that case, it won’t take the key preferences into account at all!

If we initialize the library by invoking PGPLib.setOverrideKeyAlgorithmPreferences with true, this will make the library preferences mandatory:

PGPLib pgp = new PGPLib();
pgp.setOverrideKeyAlgorithmPreferences(true);

Now the first item of the preferred cypher, compression, and hash algorithm lists from the library settings will be used for each cryptographic operation, and the key preferences will be skipped.