[PATCH] scd: Improve KDF-DO support
Arnaud.Fontaine at ssi.gouv.fr
Mon Feb 12 23:17:42 CET 2018
I think there is a misunderstanding: the current GnuPG implementation is ignoring the content of the KDF-DO, including the algorithm tag even if it is set to NONE.
The current (gît master branche) GnuPG implementation with your card (or mine) is just unusable because it systematically applies a derivation of the PIN entered by the user, even when KDF-DO algorithm is set to NONE, thus producing a "Bas PIN value" error making any operation, including PIN change of course, impossible.
I hope it is more clear this way.
Le 12 févr. 2018 6:18 PM, Achim Pietig <achim at pietig.com> a écrit :
as I understand Niibes implementation correctly, the actual definition in the card should work.
If the flag for KDF is set in Extended capabilites, the KDF-DO shall be evaluated (is part of application data 6E; if not can be read separately with Tag F9).
If all child DOs (F9) are filled with valid data, the KDF-support is installed and the passwords are still set to this format.
If the DO is empty (810100 means empty) or not valid, the passwords are in standard format and can be set by any software that can handle that.
During changing the passwords to KDF-format, the KDF-DO must be set to a proper value.
Am 12.02.2018 um 10:36 schrieb Arnaud Fontaine:
> so you (will) have the same problem with the current implementation
> where KDF_ITERSALTED_S2K is systematically applied when the card
> supports KDF (bit set in the extended capabilities) and a KDF-DO is
> present (whatever its content).
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnupg-devel