iterated+salted s2k insecure ?
bobmathews at mindspring.com
Thu Mar 21 03:20:01 CET 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Wednesday 20 March 2002 04:47 pm, jmos at gmx.net wrote:
> These random bytes followed by the passphrase data are repeatedly
> hashed until the number of bytes specified by the octet count has
> been hashed.
"Repeatedly hashed" doesn't mean that the hash value is computed and then fed
back into the hash function again and again. It means that the same salt and
password are fed into one hash calculation repeatedly, and one hash value is
computed at the end.
> Normally GnuPG uses 96 as the octet count.
I just checked, and the octet count was 65536. Don't forget that part of the
count field is actually a left-shift amount.
> So, if someone uses a passphrase of 87 octets length the 8 octets
> of salt are prepended to yield a total of 95 octets. The result is
> normally a 20 octets hash value.
The 20 octet hash value is not computed until after the required number of
octets have been passed through the hash function.
> But to satisfy the octet count of 96 one more octet has to be hashed.
> This is taken from the 20 octets hash value which was calculated before.
No, if 96 octets are to be hashed, the extra octet would come from the
beginning of the salt.
-----BEGIN PGP SIGNATURE-----
Comment: What's this? http://bobmathews.home.mindspring.com/bob/
-----END PGP SIGNATURE-----
More information about the Gnupg-devel