Session Key Questions

David Shaw dshaw at
Tue Oct 21 17:49:02 CEST 2008

On Tue, Oct 21, 2008 at 09:48:47AM -0500, Kevin Hilton wrote:
> >> When the session key is randomly generated (asymmetric encryption),
> >> how large is the session key?  Is the length set or does it depend on
> >> other parameter such as the length of the DSA/RSA key or hash?
> >
> > It is the key size of your symmetric cipher.  So AES256 == 256 bits, AES128
> > == 128 bits, etc.
> >
> Thanks for rapid response -- I guess I'm missing out on some of the
> more basic details.  Just a quick followup.  If I'm planning on using
> gpg to symmetrically encrypt a file for example, and choose a
> password.  This password is salted and hashed.  Say for theoretical
> reasons SHA512 was used to perform the hashing producing a 512 bit
> hash result.  Would then hash then be rounded, or the right most bits
> excluded if it were to used with AES encryption (which requires a 128
> bit key)?

You're close.  It's the leftmost bits.

RFC-4880, section

   If the hash size is greater than the session key size, the
   high-order (leftmost) octets of the hash are used as the key.

> In the opposite situation, say SHA1 produced a 160 bit hash
> result and I wanted to use AES256 (which requires a 256 bit key) --
> would "extra bits" be added onto the hash result to pad the results up
> to 256 bits?

RFC-4880, section

   If the hash size is less than the key size, multiple instances of
   the hash context are created -- enough to produce the required key
   data.  These instances are preloaded with 0, 1, 2, ... octets of
   zeros (that is to say, the first instance has no preloading, the
   second gets preloaded with 1 octet of zero, the third is preloaded
   with two octets of zeros, and so forth).

In other words, there are multiple hash contexts run, each responsible
for a different part of of the key (0-159 & 159-255 in your SHA1 and
AES256 example).

> Using the defaults as provided in the standard gpg.conf file -- what
> hash is used in the normal salting/hashing process during symmetric
> encryption?  I dont believe this is the s2k-digest-algo since this is
> for key protection.

SHA1, and yes, it is the s2k-digest-algo.  S2K isn't only for key
protection.  It's for any time you need to convert a string to a key.


More information about the Gnupg-users mailing list