Passphrase protection of secret keys

Werner Koch wk at
Fri Mar 8 17:00:02 CET 2002

On Fri, 8 Mar 2002 21:00:05 +0800, Enzo Michelangeli said:

> Is this true also inside the gpg keyring files, or just in the exported
> keys? And in any case, wouldn't it be more prudent to obsolete that checksum

Yes it is still true.  However GnuPG checks a signature right after
creation, so the Klima/Rosa attack won't work.

> requirement and/or deliberately ignore it in the keyring implementations, in
> order to slow down dictionary attacks? The correctness of the passphrase

Plaintext (i.e. the unprotected secret key) detection can be done w/o
calculating the checksum and thus faster, so it won't help.

Forthcoming GnuPG versions are going to use there own format to
protect secret keys. See:



More information about the Gnupg-devel mailing list