iterated+salted s2k insecure ?

jmos at jmos at
Fri Mar 22 01:21:01 CET 2002

On Wednesday 20 March 2002 04:47 pm, jmos at wrote:
>> These random bytes followed by the passphrase data are repeatedly
>> hashed until the number of bytes specified by the octet count has
>> been hashed.

>"Repeatedly hashed" doesn't mean that the hash value is computed and then fed
>back into the hash function again and again. It means that the same salt and
>password are fed into one hash calculation repeatedly, and one hash value is
>computed at the end.

>> Normally GnuPG uses 96 as the octet count.

>I just checked, and the octet count was 65536. Don't forget that part of the
>count field is actually a left-shift amount.

>> So, if someone uses a passphrase of 87 octets length the 8 octets
>> of salt are prepended to yield a total of 95 octets. The result is
>> normally a 20 octets hash value.

>The 20 octet hash value is not computed until after the required number of 
>octets have been passed through the hash function.

>> But to satisfy the octet count of 96 one more octet has to be hashed.
>> This is taken from the 20 octets hash value which was calculated before.

>No, if 96 octets are to be hashed, the extra octet would come from the 
>beginning of the salt.

> -bob mathews

Thanks, Bob, for your explanation of what is actually meant by the RFC!

Am I the only person who misunderstood that section?

I think it could have been written a little bit more precisely.



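The reading of the iterated+salted S2K that Bob gives above, as a worked example added here; it is not code from the thread or from GnuPG. It follows RFC 4880 section 3.7.1.3 (the same algorithm as the RFC 2440 text being discussed): the one-octet count field is expanded with its 4-bit mantissa and 4-bit shift, the stream salt || passphrase is repeated from its beginning until that many octets have been consumed by a single hash context, and no digest is ever fed back in. The salt and the 87-octet passphrase are constructed inputs chosen to match the numbers in the thread; the function names are this example's own.

```python
"""Iterated and salted S2K (OpenPGP, RFC 4880 section 3.7.1.3) in plain Python.

Added example for the thread above; not GnuPG code. Only hashlib is used.
"""
import hashlib


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    The low four bits are a mantissa, the high four bits a left-shift
    amount (plus 6). Coded 0x60 (decimal 96) therefore means 16 << 12 = 65536.
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("S2K count is a single octet")
    return (16 + (coded & 0x0F)) << ((coded >> 4) + 6)


def s2k_input_stream(salt: bytes, passphrase: bytes, count: int) -> bytes:
    """The exact octet sequence fed into ONE hash computation.

    salt || passphrase is repeated from the beginning until `count` octets
    have been produced, so the tail of the stream is the start of the salt,
    never a previous digest. If count is smaller than one copy of
    salt || passphrase, the full copy is hashed anyway.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(count, len(block))
    full, tail = divmod(count, len(block))
    return block * full + block[:tail]


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha1", key_len: int = 20) -> bytes:
    """Derive key_len octets of key material.

    Each hash context consumes the same decoded count of octets of the
    repeated salt || passphrase stream, fed in chunks so no large buffer is
    built. When key_len exceeds the digest size, further contexts are
    preloaded with 1, 2, ... zero octets before the stream (RFC 4880 3.7.1.1).
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = count
        while remaining > 0:
            chunk = block[:remaining]  # the final copy may be partial
            h.update(chunk)
            remaining -= len(chunk)
        key += h.digest()
        context += 1
    return key[:key_len]


# Constructed inputs mirroring the thread: 8 salt octets + 87 passphrase octets = 95.
SALT = bytes(range(0xA0, 0xA8))   # constructed, not taken from any real key
PASSPHRASE = b"x" * 87            # constructed 87-octet passphrase


def extra_octet_for_literal_count(count: int = 96) -> bytes:
    """The octet filling position 96 when a literal count of 96 octets is
    required: the first octet of the salt, not of any digest."""
    stream = s2k_input_stream(SALT, PASSPHRASE, count)
    return stream[len(SALT) + len(PASSPHRASE):count]


if __name__ == "__main__":
    print("coded count 96 expands to", decode_s2k_count(96), "octets")
    print("octet 96 of the stream is", extra_octet_for_literal_count().hex(),
          "and salt[0] is", SALT[:1].hex())
    # coded count 96 here, i.e. 65536 octets hashed, as Bob observed
    print("derived key:", s2k_iterated_salted(PASSPHRASE, SALT, 96).hex())
```

Note the two different "96" values: the coded count octet GnuPG writes is 96, which decodes to 65536 octets of input; the literal count of 96 in the thread's arithmetic is only used by extra_octet_for_literal_count to show where the single extra octet comes from.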