s2k-count limits

Werner Koch wk at gnupg.org
Thu May 6 10:03:04 CEST 2010

On Thu,  6 May 2010 00:09, matteo.sasso at gmail.com said:

> thread a quick benchmark by Werner Koch showed that about 5 million
> iterations is a good challenge for today's hardware, as it kept his PC

FWIW, "iterations" as used here is an approximation and not the real
number of loops to run.  The OpenPGP scheme depends on the lengths of
the passphrase and the selected hash algorithm.

> - Iteration count is really important to protect a passphrase (and
> data) in a symmetric encryption scenario. Think encrypted, remote

I don't agree.  The main goal of the salted+iterated protection
mechanism is to thwart dictionary+brute-force attacks on week
passphrases.  It is a failstop mechanism and proper security design
should never ever rely on this mechanism.

For symmetric only encryption you need to use a strong key which may be
derived from a proper passphrases.  The accepted standard is a 128 bit
key which you should derive in a way that it reflects 128 bit of entropy
(most security policies view 80 to 90 bits as sufficient).  It is not
possible to remember such a long key without noting it down. For such
valuable data you can't rely on one or two human brains to remember such
a key.  The conclusion is that you need to use a key management system -
external to gpg - if you want to use symmetric encryption.

For public key encryption the passphrase is only used to protect the
secret part of the key.  It has never been claimed that this will give
you protection in the same range as the actual public key encryption -
it merely gives you some time to prepare for the key compromise.  For
highly secure stuff you would use a physical secure machine to hold the
secret key; which in the simplest case maybe a smartcard.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list