GPG's S2K iteration count
David Shaw
dshaw at jabberwocky.com
Thu Nov 2 14:54:50 CET 2006
On Thu, Nov 02, 2006 at 10:58:52PM +1300, Peter Gutmann wrote:
> I've been sent a test keyring from a user with the following password-
> processing characteristics:
>
> Iterated and salted string-to-key(s2k 3):
> Hash alg - SHA1(hash 2)
> Salt - fa f8 53 61 9f 7c 90 b1
> Count - 8388608(coded count 208)
>
> Is there any reason why GPG uses 8 million iterations of hashing for key
> setup? This is a recent change to the source:
>
> if( s2k->mode == 3 )
> - s2k->count = 96; /* 65536 iterations */
> + s2k->count = 208; /* 8388608 byte count */
>
> and seems like a completely excessive value, it's going to cause problems on
> less-powerful clients. I think this came from loop-aes (where you only need
> to enter the password once when mounting the FS), but why is it now in GPG
> (particularly since Werner seemed to be against it when it was originally
> proposed)?
That change is in loop-AES, but so far as I can tell is not present in
in GnuPG, in either the 1.4 or 1.9 branches of the code. The only
change to the S2K count in years was a few weeks ago when I added the
--s2k-count option to allow people to set different values. The
default, however, is still 65536.
David
More information about the Gnupg-devel
mailing list