iterated+salted s2k insecure ?

jmos@gmx.net jmos@gmx.net
Wed Mar 20 00:00:01 2002


Hello!

I am wondering if "s2k-mode 3" (which is the default for GnuPG 1.0.6)
is secure.
I read RFC 2440 section 3.6.1.3. "Iterated and Salted S2K" and it
seems to me that certain passphrase lengths are subject to an attack
on the corresponding session key.
E.g. passphrases that consist of 7, 27, 47, 67 or 87 characters
result in a session key with only 256 possibilities which are shared
among all passphrases with the given lengths.
I would consider this a strong security risk because 256 possibilities
for a session key is nothing.

I do not know if I understood the RFC right but maybe one of you gurus
can (hopefully) prove me wrong!

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net
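The algorithm the post asks about, as an added example that is not part of the original message and is not GnuPG's own code: it follows the text of RFC 2440 section 3.6.1.3 (coded count, iterate over salt+passphrase until `count` octets are hashed, hash the whole input once if it is longer than `count`) together with the multi-context rule of section 3.6.1.4 (extra contexts preloaded with 0, 1, 2, ... zero octets, which do not count toward `count`). The 8-octet salt, the coded count 96 (which decodes to 65536 octets), SHA-1 with a 128-bit key and all passphrases are constructed inputs. The helper at the end derives keys for many random passphrases of one length under a single salt, so the number of distinct session keys a given passphrase length can produce can be checked directly.

```python
"""RFC 2440 3.6.1.3 "Iterated and Salted S2K", written out in full.

Constructed example; not GnuPG's implementation. Parameters below are
assumptions chosen for illustration, not values read from any RFC table.
"""
import hashlib
import random
import string


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 2440 3.6.1.3: count = (16 + (c & 15)) << ((c >> 4) + 6)
    """
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded_count: int = 96,
                        hash_name: str = "sha1", key_len: int = 16) -> bytes:
    """Derive key_len octets of session key from passphrase and salt."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = decode_count(coded_count)
    # The one exception in the RFC: if salt+passphrase is longer than count,
    # the full salt+passphrase is still hashed (once).
    if count < len(data):
        count = len(data)

    key = b""
    context = 0          # 0 for the first hash context, 1 for the second, ...
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        # Later contexts are preloaded with `context` zero octets (3.6.1.4);
        # the preload is not counted toward `count`.
        h.update(b"\x00" * context)
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]   # the last iteration may be partial
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]


def distinct_key_count(length: int, samples: int, salt: bytes,
                       coded_count: int = 96, seed: int = 1) -> int:
    """Derive keys for `samples` random ASCII passphrases of `length`
    characters under one salt and return how many distinct keys result.
    The passphrases are generated from a seeded RNG (constructed input)."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters
    keys = set()
    for _ in range(samples):
        pw = "".join(rng.choice(alphabet) for _ in range(length)).encode()
        keys.add(iterated_salted_s2k(pw, salt, coded_count))
    return len(keys)


if __name__ == "__main__":
    SALT = bytes.fromhex("0102030405060708")   # constructed salt
    for n in (7, 27, 47):
        print(n, "chars:", distinct_key_count(n, 200, SALT), "distinct keys of 200")
```

`decode_count` is the only place the single "count" octet appears; everything else works in octets actually fed to the hash, which is the quantity the RFC's iteration rule is defined over.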