Change s2k count?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 3 22:05:50 CET 2009


On 12/03/2009 03:48 PM, Robert J. Hansen wrote:
> The point is not to get asymptotically as high a count as possible.  The
> point is to get enough of a count to slow down brute forcers.

actually, i think getting as high a count as possible is a good goal,
based on a few assumptions:

 0) we're talking about secret key material, which is to be
symmetrically-encrypted with the user's passphrase.

 1) such secret key material is very rarely legitimately transferred
between machines.

 2) a delay of 0.1 seconds between passphrase entry and access to the
secret key is an acceptable delay in the case of legitimate use of the key.

 3) if the encrypted key is somehow transferred off the machine, we want
it to be as expensive as possible to brute force the symmetric encryption.

So i think the machine profiling step (using times, *not* gettimeofday)
to get an acceptable upper-bound is a quite reasonable thing to have in
place by default for key passphrase S2K usage.

I'm not so sure it makes sense for symmetrically-encrypted messages
other than secret key material, though, since the above assumptions
don't necessarily hold.

	--dkg
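
The machine-profiling step described in the message above, as an added example (not part of the original post and not GnuPG's code): it measures hash throughput in CPU time from times(), through Python's os.times(), and picks the largest RFC 4880 coded count that fits the 0.1-second budget. The function names, the choice of SHA-256 and the restriction to a single hash context are assumptions of this example.

```python
import hashlib
import os

def decode_count(c):
    """RFC 4880 section 3.7.1.3: coded octet -> number of octets to hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_iterated_salted(passphrase, salt, c, hash_name="sha256"):
    """Iterated and salted S2K, one hash context (key no longer than one digest)."""
    data = salt + passphrase
    count = max(decode_count(c), len(data))  # salt+passphrase is hashed at least once
    h = hashlib.new(hash_name)
    full, rest = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()

def cpu_seconds():
    """Process CPU time (user + system) as reported by times(), not wall-clock time."""
    t = os.times()
    return t[0] + t[1]

def measure_hash_rate(hash_name="sha256", min_cpu=0.2):
    """Octets hashed per CPU second; work doubles until the tick-granular clock is usable."""
    block = b"\0" * 65536
    blocks = 16
    while True:
        h = hashlib.new(hash_name)
        start = cpu_seconds()
        for _ in range(blocks):
            h.update(block)
        spent = cpu_seconds() - start
        if spent >= min_cpu:
            return blocks * len(block) / spent
        blocks *= 2

def pick_coded_count(rate, target=0.1):
    """Largest coded count whose hashing cost fits in `target` CPU seconds."""
    budget = rate * target
    fitting = [c for c in range(256) if decode_count(c) <= budget]
    return max(fitting) if fitting else 0

def calibrate(hash_name="sha256", target=0.1):
    """Profile this machine and return the coded count octet to store with the key."""
    return pick_coded_count(measure_hash_rate(hash_name), target)

if __name__ == "__main__":
    c = calibrate()
    print("coded count %d -> %d octets hashed" % (c, decode_count(c)))
```

The coded count is a single octet, so the result is capped at 255 (65011712 octets) however fast the machine is.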



More information about the Gnupg-devel mailing list