weak key used for an Initial Vector

Werner Koch wk at gnupg.org
Fri Aug 7 09:08:44 CEST 2015


On Thu,  6 Aug 2015 22:33, dar.linux at free.fr said:

> I've found googling that it was possible to disable the weak key warning
> thanks to the PRIV_CTL_DISABLE_WEAK_KEY value given to gcry_cipher_ctl()

No, that is not possible.  This symbol is private to libgcrypt; it is not
defined as part of the public API and thus also not in gcrypt.h.

> 1 - Is using weak blowfish key to generate an Initial Vector for another
> key/algorithm is really a security issue?

An IV is not a key.

> 2 - Will the PRIV_CTL_DISABLE_WEAK_KEY directive/feature stay available
> for future evolution of libgcrypt? Or it this a pure debug temporary
> feature?

It is part of the regression tests and has been introduced to run FIPS
CAVS tests.

> A software I maintain is relying on libgcrypt to provide strong
> encryption. The user provided password is hashed
> (accordingly to pkcs #5). In the event this hash is reported as weak by
> libgcrypt no problem, it's still possible to propagate the message to
> the user, asking for a better password...

Right, when using random keys or a hashed passphrase the case of weak
keys is rare enough that there is no strong need to handle them other
than for example out of memory errors.  For historic reasons gpg still
handles trhem by retrying or issuing a warning if a received session key
is weak.

> From that hash of the user provided password a SHA1 digest (8 bytes)
> is created to set a second key (using blowfish cipher).

You are using a 64 bit key?  Such a key is way to small for any
application.  Do not truncate the hash.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




More information about the Gcrypt-devel mailing list