GPG --symmetric option and passphrases

vedaal at hush.com
Tue Oct 7 00:17:12 CEST 2008


David Shaw dshaw at jabberwocky.com wrote on
Mon Oct 6 19:44:40 CEST 2008 :

>There is no limit in OpenPGP for a passphrase length, 
>beyond that of the inherent limit 
>imposed by the hash used for string-to-key conversion


interesting,

am way out of my depth here, 
in that i don't understand the mechanics of block cipher primitives 
;-)

truecrypt has a maximum allowable passphrase of 64 characters
(sort-of relatively small for an application that allows a 1 
petabyte container size for encryption ;-) )
[i couldn't find it in their documentation on why they decided on 
the limit of 64]

i 'thought'
that the reason that this was so,
was either that

[1] a 64 character passphrase should be more than enough for even 
the most paranoid user, if it could even be remembered reliably 
accurately ;-)

or 

[2] a passphrase for a block cipher that has a 64 character session 
key 
*somehow* wouldn't provide any 'more' protection if it exceeded 64 
characters
(although am a little *fuzzy* at this point, because a session key 
has 64 hexadecimal characters, and a passphrase of 64 'keyboard' 
characters is way beyond 2^256 possibilities)


is this inaccurate?

is there a 'ceiling' limit, beyond which a passphrase length does 
not cryptographically protect the key?

(not a limit beyond which it is 'easier' to attack the key than the 
passphrase,
that's easy to figure out, depending on if random characters are 
used, or diceware words, or other options with a known total number 
of possibilities,

{i.e. 
for random 95 keyboard characters
 [ 95^39 ~= 1.35 x 10^77 ] > [2^256 ~= 1.15 x 10^77 ] } ),


but a limit where the password length after it becomes a key,
doesn't provide any more protection ?

>So, for SHA-1, the passphrase can be up to 2^64-1 bits,


so, does it depend only on the hash?

if SHA-512 were to be used,
would it mean that the passphrase could theoretically be 2^512-1 ?


tia,

vedaal

More information about the Gnupg-users mailing list
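
Added example, not part of the original message and not GnuPG's code: an implementation of the RFC 4880 iterated and salted string-to-key function, showing that a passphrase of any length is reduced to a key of the cipher's size, together with the exact-integer check behind the 95^39 > 2^256 figure in the message. The salt, the coded count 0x60 and the passphrases are constructed sample values.

```python
import hashlib

def decode_count(c: int) -> int:
    """Expand the one-octet coded count of RFC 4880, section 3.7.1.3."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """RFC 4880 iterated and salted S2K: any-length passphrase -> key_len octets."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # salt+passphrase is always hashed at least once in full
    count = max(decode_count(coded_count), len(data))
    full, rest = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        # Key longer than one digest: extra contexts preloaded with zero octets
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]

def min_symbols(alphabet_size: int, key_bits: int) -> int:
    """Smallest n with alphabet_size**n > 2**key_bits, in exact integers."""
    n = 1
    while alphabet_size ** n <= 2 ** key_bits:
        n += 1
    return n

SALT = bytes(range(8))          # constructed sample salt
CODED_COUNT = 0x60              # constructed sample: decodes to 65536 octets

if __name__ == "__main__":
    for pw in (b"short", b"x" * 64, b"x" * 10_000):
        key = s2k_iterated_salted(pw, SALT, CODED_COUNT, 32)
        print(len(pw), "chars ->", len(key) * 8, "bit key", key.hex()[:16], "...")
    print("random 95-char symbols to exceed 2^256:", min_symbols(95, 256))
    print("diceware words (7776) to exceed 2^256:", min_symbols(7776, 256))
```

Whatever the passphrase length, the function returns exactly `key_len` octets, so the derived key can never carry more than the cipher's key size in bits.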