GPG's S2K iteration count

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Nov 2 10:58:52 CET 2006


I've been sent a test keyring from a user with the following password-
processing characteristics:

  Iterated and salted string-to-key(s2k 3):
    Hash alg - SHA1(hash 2)
    Salt - fa f8 53 61 9f 7c 90 b1
    Count - 8388608(coded count 208)

Is there any reason why GPG uses 8 million iterations of hashing for key
setup?  This is a recent change to the source:

  if( s2k->mode == 3 )
-   s2k->count = 96; /* 65536 iterations */
+   s2k->count = 208; /* 8388608 byte count */
 
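Review bot: the new value 208 on the + line is a bare magic number, applied unconditionally whenever s2k->mode == 3, with nothing that explains a 128-fold increase over the old 96 (8388608 against 65536). Suggest a named constant or a user-settable option, plus a comment stating how the coded value decodes and why this one was chosen. The comment also switches its unit from "iterations" to "byte count" without saying that the old wording was being corrected, which is worth making explicit.
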
and seems like a completely excessive value, it's going to cause problems on
less-powerful clients.  I think this came from loop-aes (where you only need
to enter the password once when mounting the FS), but why is it now in GPG
(particularly since Werner seemed to be against it when it was originally
proposed)?

Peter.
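The relationship between the coded counts 96 and 208 quoted in the message and the work they cause, as an added example that is not part of the original post or of GnuPG's source. It follows the iterated and salted S2K definition in RFC 4880 (sections 3.7.1.1 and 3.7.1.3); the function names and the passphrase are constructed for illustration, and the salt is the one shown in the message.

```python
import hashlib
import time

EXPBIAS = 6  # fixed exponent bias from RFC 4880, section 3.7.1.3
SALT = bytes.fromhex("faf853619f7c90b1")  # salt quoted in the message

def decode_count(coded: int) -> int:
    """Coded count octet -> number of octets fed to the hash (not hash iterations)."""
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)

def encode_count(octets: int) -> int:
    """Smallest coded count that decodes to at least `octets` (255 if none does)."""
    for coded in range(256):  # decode_count is monotonic in the coded value
        if decode_count(coded) >= octets:
            return coded
    return 255

def sha1_blocks(coded: int) -> int:
    """64-byte SHA-1 compression calls for one hash context at this count."""
    return (decode_count(coded) + 9 + 63) // 64  # +9: padding bit and length field

def s2k_iterated(passphrase: bytes, salt: bytes, coded: int, keylen: int) -> bytes:
    """Iterated and salted S2K (type 3) with SHA-1."""
    unit = salt + passphrase
    # The whole salt+passphrase is always hashed at least once.
    count = max(decode_count(coded), len(unit))
    data = (unit * (count // len(unit) + 1))[:count]
    key, context = b"", 0
    while len(key) < keylen:
        h = hashlib.sha1()
        h.update(b"\x00" * context)  # extra contexts are preloaded with zero octets
        h.update(data)
        key += h.digest()
        context += 1
    return key[:keylen]

if __name__ == "__main__":
    for coded in (96, 208):
        start = time.perf_counter()
        s2k_iterated(b"constructed passphrase", SALT, coded, 16)
        elapsed = time.perf_counter() - start
        print(f"coded {coded}: {decode_count(coded)} octets, "
              f"{sha1_blocks(coded)} SHA-1 blocks, {elapsed * 1000:.1f} ms")
```

Run directly, it prints the octet count, SHA-1 block count and wall-clock time for both coded values on the local machine.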



More information about the Gnupg-devel mailing list