Change s2k count?

Werner Koch wk at
Thu Dec 3 10:54:32 CET 2009

On Mon, 30 Nov 2009 10:29:08 -0500, David Shaw wrote:

> There are a number of factors: obviously we must take care with the
> setting here - too high and it can make decrypting with a passphrase
> (either a secret key decryption or a passphrase protected message)

I don't consider the latter a real problem.  If you use symmetric only
encryption it is very likely that you are working in a custom
environment which is for example needed to take care about key
management.  In that case you can setup a non-default s2k count.

In the rare case that you receive symmetric only message, you got the
key by, say, phone and conveying the key takes some time anyway.  Thus
an extra delay on a small device should not be too troublesome.

For passphrase protected secret keys, passphrase caching helps to
avoid delays.

> It could be argued that cell phone usage actually needs the iterated
> hash even more as typing a long high-entropy passphrase is extremely
> difficult on a cell phone.

I doubt that keeping highly confidential keys on a smartphone is a
good idea at all.  On most devices (notable exception is the Neo
Freerunner) you don't entirely control the device due to malware and
the phone system operator's ability to gain access to it.

> dropping.  If 65536 was the right value for 11 years ago, we
> probably could do with a brief discussion on whether we should raise
> it for today (and if so, how much).

I agree.  I heard that PGP measures the performance during key
generation and selects the S2K count depending on that value.  Most
people are using their keys on just one machine and thus it would fit
their needs.  If they are switching to another hardware they can
easily change the passphrase and thus use a new S2K count.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list