Change s2k count?

[David Shaw]

Hi everyone,

The discussion around s2k-count on gnupg-users made me think a bit about our current default there.  The default s2k count has been 65536 iterations for (as best I can tell) pretty near the entire lifespan of GnuPG.  Certainly it is at least 11 years as I see it in a code checkin from 1998.

There are a number of factors: obviously we must take care with the setting here - too high and it can make decrypting with a passphrase (either a secret key decryption or a passphrase protected message) unacceptably slow.  In addition, there are other factors to consider, like uses today that didn't exist as much 11 years ago - slow CPUs in cell phones and the like, which would have a hard time with a large iteration count.  Even so, most smartphone processors today are on par with or even faster than the average processor from 1998 (my own phone is roughly 2x faster than my 1998-era computer).  It could be argued that cell phone usage actually needs the iterated hash even more as typing a long high-entropy passphrase is extremely difficult on a cell phone.

The bottom line is that the speed of the average processor today is vastly faster than what it was then, and so the cushion against passphrase guessers that the iterated hash was giving us is steadily dropping.  If 65536 was the right value for 11 years ago, we probably could do with a brief discussion on whether we should raise it for today (and if so, how much).  

David