Passphrase protection of secret keys

Enzo Michelangeli em at who.net
Fri Mar 8 14:04:02 CET 2002


RFC2440 says that the correctness of a passphrase can be checked just by
verifying a checksum in the Secret Key Packets:

 5.5.3. Secret Key Packet Formats
   [...]
   The 16-bit checksum that follows the algorithm-specific portion is
   the algebraic sum, mod 65536, of the plaintext of all the algorithm-
   specific octets (including MPI prefix and data).  With V3 keys, the
   checksum is stored in the clear.  With V4 keys, the checksum is
   encrypted like the algorithm-specific data. This value is used to
   check that the passphrase was correct.

Is this true also inside the gpg keyring files, or just in the exported
keys? And in any case, wouldn't it be more prudent to obsolete that checksum
requirement and/or deliberately ignore it in the keyring implementations, in
order to slow down dictionary attacks? The correctness of the passphrase
could always be checked, fast enough if done once for legitimate purposes,
against the corresponding public key.

Enzo
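
The checksum from RFC 2440 section 5.5.3 quoted in the message above, as an added example that is not part of the original post and is not GnuPG's code: it builds the plaintext algorithm-specific portion (MPIs followed by the 16-bit sum) and verifies it the way a passphrase check would after decryption. The function names and the MPI values are constructed for illustration and are not a real key.

```python
import struct

# Constructed toy values standing in for the secret MPIs (not a real key).
SAMPLE_MPIS = [0x1234567, 0xF123, 0xC0DE1, 0x4D2]

def encode_mpi(n: int) -> bytes:
    """RFC 2440 MPI: 2-octet big-endian bit count, then the big-endian value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def checksum16(octets: bytes) -> int:
    """Algebraic sum of all octets, mod 65536 (section 5.5.3)."""
    return sum(octets) % 65536

def build_secret_part(mpis) -> bytes:
    """Plaintext algorithm-specific octets followed by their checksum."""
    body = b"".join(encode_mpi(n) for n in mpis)
    return body + struct.pack(">H", checksum16(body))

def verify_secret_part(plaintext: bytes, mpi_count: int) -> bool:
    """Walk mpi_count MPIs (prefix and data), then compare the trailing sum.

    Returns False on truncated input, on trailing garbage, or on a
    checksum mismatch, which is what a wrong passphrase normally yields.
    """
    pos = 0
    for _ in range(mpi_count):
        if pos + 2 > len(plaintext):
            return False
        (bits,) = struct.unpack_from(">H", plaintext, pos)
        pos += 2 + (bits + 7) // 8
    if pos + 2 != len(plaintext):
        return False
    (stored,) = struct.unpack_from(">H", plaintext, pos)
    return stored == checksum16(plaintext[:pos])

if __name__ == "__main__":
    good = build_secret_part(SAMPLE_MPIS)
    print("intact plaintext verifies:", verify_secret_part(good, 4))
    damaged = bytearray(good)
    damaged[2] ^= 0x01  # flip one bit in the first MPI's data
    print("damaged plaintext verifies:", verify_secret_part(bytes(damaged), 4))
```

The check needs only the decrypted octets and a byte sum, with no public-key operation, which is the cost difference the message is asking about.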