Passphrase protection of secret keys
Enzo Michelangeli <em@em.no-ip.com>
Fri Mar 8 14:04:02 2002
RFC2440 says that the correctness of a passphrase can be checked just by
verifying a checksum in the Secret Key Packets:

    5.5.3. Secret Key Packet Formats
    [...]
    The 16-bit checksum that follows the algorithm-specific portion is
    the algebraic sum, mod 65536, of the plaintext of all the algorithm-
    specific octets (including MPI prefix and data). With V3 keys, the
    checksum is stored in the clear. With V4 keys, the checksum is
    encrypted like the algorithm-specific data. This value is used to
    check that the passphrase was correct.

Is this true also inside the gpg keyring files, or just in the exported
keys? And in any case, wouldn't it be more prudent to obsolete that checksum
requirement and/or deliberately ignore it in the keyring implementations, in
order to slow down dictionary attacks? The correctness of the passphrase
could always be checked, fast enough if done once for legitimate purposes,
against the corresponding public key.
Enzo
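
The check quoted above from RFC 2440 section 5.5.3, as an added example that is not part of the original post and is not GnuPG's code: it parses already-decrypted algorithm-specific octets as MPIs and compares their sum mod 65536 with the trailing checksum. The function names and the sample MPI values are constructed for illustration, and rejecting MPIs whose bit count does not match their data is a choice made in this example.

```python
import struct

def encode_mpi(value):
    """Serialize an integer as an OpenPGP MPI: 16-bit bit count, then magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def parse_mpis(buf, count):
    """Parse `count` MPIs from buf; return (values, offset just past the last MPI)."""
    values, pos = [], 0
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ValueError("truncated MPI prefix")
        (bits,) = struct.unpack_from(">H", buf, pos)
        nbytes = (bits + 7) // 8
        data = buf[pos + 2 : pos + 2 + nbytes]
        if len(data) != nbytes:
            raise ValueError("truncated MPI data")
        value = int.from_bytes(data, "big")
        if value.bit_length() != bits:  # strictness chosen for this example
            raise ValueError("MPI bit count does not match its data")
        values.append(value)
        pos += 2 + nbytes
    return values, pos

def checksum16(octets):
    """Algebraic sum, mod 65536, of the octets (MPI prefixes included)."""
    return sum(octets) % 65536

def seal(values):
    """Build plaintext secret material: MPIs followed by the 2-octet checksum."""
    body = b"".join(encode_mpi(v) for v in values)
    return body + struct.pack(">H", checksum16(body))

def passphrase_check(plaintext, mpi_count):
    """True if the decrypted octets parse as MPIs and the checksum matches."""
    try:
        _, end = parse_mpis(plaintext, mpi_count)
    except ValueError:
        return False
    if len(plaintext) != end + 2:
        return False
    (stored,) = struct.unpack_from(">H", plaintext, end)
    return checksum16(plaintext[:end]) == stored

if __name__ == "__main__":
    good = seal([0x1F3, 0x0102030405])       # constructed values, not a real key
    damaged = good[:3] + bytes([good[3] ^ 1]) + good[4:]
    print(passphrase_check(good, 2), passphrase_check(damaged, 2))
```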