iterated+salted s2k insecure ?

jmos at jmos at
Thu Mar 21 01:50:01 CET 2002

>I am wondering if "s2k-mode 3" (which is the default for GnuPG 1.0.6)
>is secure.
>I read RFC 2440 section "Iterated and Salted S2K" and it
>seems to me that certain passphrase lengths are subject to an attack
>to the corresponding session key.
>E.g. passphrases that consist of 7, 27, 47, 67 or 87 characters
>result in a session key with only 256 possibilities which are shared
>among all passphrases with the given lengths.
>I would consider this a strong security risk because 256 possibilities
>for a session key is nothing.
>I do not know if I understood the RFC right but maybe one of you gurus
>can (hopefully) prove me wrong!

OK, no one answered, I guess I have to be a little more precise.

According to RFC 2440 "Iterated+Salted S2K" works as follows:

First, eight random bytes (the 'salt') are calculated.
These random bytes followed by the passphrase data are repeatedly
hashed until the number of bytes specified by the octet count has
been hashed. Normally GnuPG uses 96 as the octet count.
So, if someone uses a passphrase of 87 octets in length, the 8 octets
of salt are prepended to yield a total of 95 octets. The result is normally
a 20-octet hash value. But to satisfy the octet count of 96, one more
octet has to be hashed. This is taken from the 20-octet hash value
that was calculated before. But because only one more octet is hashed,
there are only 256 possibilities for the resulting hash value and therefore
for the corresponding session key (at least for keys that are smaller than
160 bits).
The same holds for passphrases of 67, 47, 27 and 7 octets in length, except that
the hashing is done more often.

Any comments ?
Did I understand the RFC right ?

GMX - The communications platform on the Internet.

More information about the Gnupg-devel mailing list
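Added example, not part of this message and not GnuPG's own code: the Iterated and Salted S2K of RFC 2440 section 3.6.1.3, written out so the numbers in the post can be checked against the specification. Per the RFC, the one-octet coded count c expands to (16 + (c & 15)) << ((c >> 4) + 6) octets, so a coded value of 96 (0x60) stands for 65536 octets; the data fed to a single hash context is the salt followed by the passphrase, repeated (and cut off at the end) until that many octets have gone in; if the count is smaller than salt plus passphrase, the whole string is hashed once. For keys longer than one digest the RFC runs further hash contexts, each preloaded with one, two, ... zero octets. The salt, the passphrases and the function names below are constructed for this example.

```python
import hashlib


def decode_s2k_count(coded):
    """Expand the one-octet coded count of RFC 2440 3.6.1.3 into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def iterated_salted_s2k(passphrase, salt, coded_count=0x60, hash_name="sha1", key_len=None):
    """Iterated+Salted S2K as written in RFC 2440 3.6.1.3.

    coded_count is the raw count octet from the S2K specifier (0x60 = 65536 octets).
    key_len defaults to one digest; longer keys use extra hash contexts preloaded
    with ctx_index zero octets, as the RFC describes.
    """
    if len(salt) != 8:
        raise ValueError("RFC 2440 S2K salt is exactly 8 octets")
    if isinstance(passphrase, str):
        passphrase = passphrase.encode("utf-8")
    digest_size = hashlib.new(hash_name).digest_size
    if key_len is None:
        key_len = digest_size

    block = salt + passphrase
    # Fewer octets than salt+passphrase still means the whole string is hashed once.
    count = max(decode_s2k_count(coded_count), len(block))

    out = b""
    for ctx_index in range((key_len + digest_size - 1) // digest_size):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx_index)          # zero preload for the 2nd, 3rd, ... context
        remaining = count
        while remaining >= len(block):        # whole salt+passphrase repetitions
            h.update(block)
            remaining -= len(block)
        h.update(block[:remaining])           # final partial repetition, possibly empty
        out += h.digest()
    return out[:key_len]


def single_hash(passphrase, salt, hash_name="sha1"):
    """Plain hash(salt || passphrase): what S2K reduces to when count <= len(salt+passphrase)."""
    return hashlib.new(hash_name, salt + passphrase).digest()


def distinct_keys(length, salt, n=300, coded_count=0x60):
    """Derive keys for n different passphrases of exactly `length` octets under one
    salt and return how many distinct keys result (constructed passphrases)."""
    keys = set()
    for i in range(n):
        passphrase = b"x" * (length - 2) + i.to_bytes(2, "big")
        keys.add(iterated_salted_s2k(passphrase, salt, coded_count))
    return len(keys)


if __name__ == "__main__":
    salt = bytes(range(8))  # constructed; a real implementation draws 8 random octets
    print("coded count 0x60 ->", decode_s2k_count(0x60), "octets")
    print("7-octet passphrases, distinct keys out of 300:", distinct_keys(7, salt))
    print("87-octet passphrases, distinct keys out of 300:", distinct_keys(87, salt))
    print("sha1 S2K of 'passphrase':", iterated_salted_s2k(b"passphrase", salt).hex())
```

Running the block lists the decoded count and, for passphrase lengths 7 and 87 under a fixed salt, how many distinct keys come out of 300 different passphrases. Change `hash_name` to "md5" or "ripemd160" (if your OpenSSL build has it) to try the other RFC 2440 hash algorithms.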