Passphrase protection of secret keys

Werner Koch wk@gnupg.org
Fri Mar 8 17:00:02 2002


On Fri, 8 Mar 2002 21:00:05 +0800, Enzo Michelangeli said:

> Is this true also inside the gpg keyring files, or just in the exported
> keys? And in any case, wouldn't it be more prudent to obsolete that checksum

Yes it is still true.  However GnuPG checks a signature right after
creation, so the Klima/Rosa attack won't work.

> requirement and/or deliberately ignore it in the keyring implementations, in
> order to slow down dictionary attacks? The correctness of the passphrase

Plaintext (i.e. the unprotected secret key) detection can be done w/o
calculating the checksum and thus faster, so it won't help.

Forthcoming GnuPG versions are going to use there own format to
protect secret keys. See:

 http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/newpg/agent/keyformat.txt?rev=1.4&content-type=text/vnd.viewcvs-markup&cvsroot=Project+Aegypten


Ciao,

  Werner