iterated+salted s2k insecure ?

Bob Mathews bobmathews at
Thu Mar 21 03:20:01 CET 2002


On Wednesday 20 March 2002 04:47 pm, jmos at wrote:
> These random bytes followed by the passphrase data are repeatedly
> hashed until the number of bytes specified by the octet count has
> been hashed.

"Repeatedly hashed" doesn't mean that the hash value is computed and then fed 
back into the hash function again and again. It means that the same salt and 
password are fed into one hash calculation repeatedly, and one hash value is 
computed at the end.

> Normally GnuPG uses 96 as the octet count.

I just checked, and the octet count was 65536. Don't forget that part of the 
count field is actually a left-shift amount.

> So, if someone uses a passphrase of 87 octets length the 8 octets
> of salt are prepended to yield a total of 95 octets. The result is
> normally a 20 octets hash value.

The 20 octet hash value is not computed until after the required number of 
octets have been passed through the hash function.

> But to satisfy the octet count of 96 one more octet has to be hashed.
> This is taken from the 20 octets hash value which was calculated before.

No, if 96 octets are to be hashed, the extra octet would come from the 
beginning of the salt.

 -bob mathews


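Worked example (added to this archive page; it is not code from the thread, from GnuPG, or from either poster): a plain Python implementation of the iterated+salted S2K as specified in RFC 4880 section 3.7.1.3 (the same S2K construction as in RFC 2440, which was current when this was posted), written so the points above can be checked. The coded count octet 96 decodes to 16 << 12 = 65536, which is why both numbers appear in the exchange. With an 87-octet passphrase, the 95-octet salt||passphrase block is consumed 689 full times and the final 81 octets are the salt followed by the first 73 octets of the passphrase; a single SHA-1 digest is then taken at the end. The salt, passphrase and count values are constructed for the demonstration.

```python
import hashlib

# Added example, not code from the original thread or from GnuPG: a straight
# implementation of the iterated+salted S2K of RFC 4880 3.7.1.3 (RFC 2440
# at the time of the thread), so the claims in the thread can be checked.


def decode_s2k_count(c: int) -> int:
    """Decode the one-octet coded count. The low nibble is a 4-bit mantissa
    and the high nibble a left-shift amount, which is why the octet 96
    (0x60) in the packet means 65536 octets are hashed."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def encode_s2k_count(count: int) -> int:
    """Smallest coded octet whose decoded count is >= count."""
    for c in range(256):  # decoded values increase monotonically with c
        if decode_s2k_count(c) >= count:
            return c
    raise ValueError("count exceeds the maximum encodable value")


def s2k_hashed_stream(passphrase: bytes, salt: bytes, coded_count: int) -> bytes:
    """The exact octet string the (first) hash context consumes:
    salt||passphrase repeated, cut off at the decoded count. A partial last
    copy therefore begins with the salt, never with a digest. If the count
    is smaller than one copy of salt||passphrase, the whole copy is hashed
    anyway (RFC 4880 3.7.1.3)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    reps, tail = divmod(count, len(block))
    return block * reps + block[:tail]


def iterated_salted_s2k(hash_name: str, passphrase: bytes, salt: bytes,
                        coded_count: int, key_len: int) -> bytes:
    """Derive key_len octets. One digest is computed per hash context, at
    the end, after all count octets have gone in; nothing is fed back.
    When the digest is shorter than key_len, further contexts are preloaded
    with 1, 2, ... zero octets (RFC 4880 3.7.1.1) and the digests joined."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    key = b""
    ctx = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)           # preload for the 2nd, 3rd, ... context
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]     # a partial last copy starts with the salt
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        ctx += 1
    return key[:key_len]


def one_shot_digest(hash_name: str, data: bytes) -> bytes:
    """Reference: a single digest over a complete octet string."""
    return hashlib.new(hash_name, data).digest()


# Constructed sample input matching the numbers in the thread: 8-octet salt,
# 87-octet passphrase, coded count 96 (65536 octets hashed), SHA-1.
SAMPLE_SALT = bytes(range(8))
SAMPLE_PASSPHRASE = b"p" * 87
SAMPLE_CODED_COUNT = 96

if __name__ == "__main__":
    stream = s2k_hashed_stream(SAMPLE_PASSPHRASE, SAMPLE_SALT, SAMPLE_CODED_COUNT)
    key = iterated_salted_s2k("sha1", SAMPLE_PASSPHRASE, SAMPLE_SALT,
                              SAMPLE_CODED_COUNT, 20)
    reps, tail = divmod(len(stream), len(SAMPLE_SALT + SAMPLE_PASSPHRASE))
    print("decoded count:", decode_s2k_count(SAMPLE_CODED_COUNT))
    print("full copies / trailing octets:", reps, tail)
    print("trailing octets start with salt:",
          stream[len(stream) - tail:][:8] == SAMPLE_SALT)
    print("derived key:", key.hex())
```

Running the file prints the decoded count, the 689/81 split, confirms the trailing octets are the salt, and shows the key. The functions are kept free of any packet parsing so the derived key can be compared directly against whatever an OpenPGP implementation produces for the same salt, count octet and passphrase.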

More information about the Gnupg-devel mailing list