faster way of determining if the passphrase is correct or not

Igor Belyi gpgme at katehok.ac93.org
Mon Apr 11 00:09:13 CEST 2005


Michael Halcrow wrote:

>On Sun, Apr 10, 2005 at 04:39:41PM +0200, folkert at vanheusden.com wrote:
>
>>For a program of mine I'd like to quickly verify if the entered
>>passphrase is correct. Currently I'm calling "gpgme_op_sign" and
>>check its return value to see if the passphrase is correct or not
>>(if it cannot sign, the passphrase is incorrect). This seems to be a
>>slow method: my 2.8GHz P4 can only do it 220 times a second. So I
>>was wondering: is there a faster method? Any api-call I don't know
>>of? Or?
>
>That cannot really be made any faster without sacrificing security. In
>the string-to-key conversion process, the passphrase is concatenated
>with the salt, and then that chunk of data is iteratively hashed
>(i.e., 65,536 times).  This makes it a little more difficult to do a
>dictionary attack on the passphrase.

I don't know whether it would be faster, but you can try a password
change via the gpgme_op_edit command. In its first phase it just
verifies the correctness of the password, which should be faster than
additionally signing something.

Igor



