any way to use gpg(openpgp) with Argon2

Christoph Anton Mitterer calestyo at scientia.net
Sun Jun 24 14:35:16 CEST 2018


Hey.

>I doubt that it will make it into rfc4880bis.  I also see no
>reason for it.

Well, to replace the worse algos in place?


>Passphrases must die.

I don't see any reason for that, or better said... no better
replacement.
Apart from that, they simply won't go away anytime soon in reality, so
this is probably no good reason not to improve the RFC, especially when
the older hashing algorithms are left in place in the standard.


>In fact OpenPGP is mostly about public key encryption and thus we
>don't use passphrases for its main tasks.  Passphrases can be used
>to protect a private key but that is questionable because if your
>box is already compromised the passphrase does not help much.

Truly, if the box is fully compromised, an attacker may eventually be
able to get access to a well-protected private key as well.

But there you ignore so many scenarios in which the encryption of it
actually does provide a pretty solid layer, like:

- Any scenario in which an attacker gets only a one-time snapshot of
the data of the box (theft, or e.g. getting access to backups of it,
which are in so many places made automatically, e.g. at universities to
tape and so on). Sure, you can always argue that other measures
would then have needed to be taken (encryption of the box, the backups,
etc.), but often they simply are not.
- Any scenario where the private key is (encrypted) in place, but the
user doesn't actually unlock it on the compromised box.
- Any scenario where a plain text key on an otherwise secure and not
compromised system may be gotten hold of by others (e.g. some
governmental organisation simply getting into your rooms and taking it).


It's kinda strange to read in a place like this that password
protection of the keys wouldn't be necessary and that this should be
solved some other way.

Any biometric protection is quite obviously complete rubbish, as it
can be quite easily "stolen" from the owner, most of the time even
without his knowledge.
For a passphrase, one would at least need to impose some force on the
owner (which is often illegal), and at least he would then know that
his stuff is compromised.

And the tokens you mention... just another black box by some
manufacturer that one needs to blindly trust, where one doesn't know
whether it has backdoors or not... and how many cases have we already
seen of just that (or of stupid design).

Every token is either then again secured by some passphrase or PIN, or
its whole security is simply based on possession, which is pretty
weak.


Sure, passphrases have their disadvantages... but when used correctly,
there is no real better alternative to them.



>The other use of passphrases is symmetric-only encryption (command -c)

That would be basically my case...


>In this case I consider it better to use --s2k-mode=0 along with a
>full entropy passphrase instead of relying on passphrase mangling
>algorithms - they are designed for manual interaction and not
>for large scale use with thousands of messages.

But that still doesn't take the provided "passphrase" directly as a
key, right?
It still hashes it, just without any salt and iterations.
So even if I'd use e.g. some standalone argon2 binary on my passphrase
and use the strongly hashed output of this with Simple S2K (mode 0), I
wouldn't gain any security, as the weakest link would still be the
passphrase hashing in OpenPGP (now even simpler, as it has no salt or
any iteration).

Or do I get anything wrong here?



Thanks,

Chris.
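The two string-to-key derivations discussed above, Simple S2K (mode 0, what --s2k-mode=0 selects) and Iterated+Salted S2K (mode 3), as RFC 4880 section 3.7.1 defines them, written out as an added example that is not part of the original thread and not GnuPG's own code. SHA-256 as the hash and the fixed sample salt are assumptions; mode 0 is a single unsalted hash of the passphrase, so the key carries exactly the entropy of its input, while the coded count in mode 3 is the only stretching OpenPGP itself applies.

```python
import hashlib

# RFC 4880 section 3.7.1 string-to-key (S2K) specifiers. Simple S2K (mode 0)
# hashes the passphrase alone, with no salt and no iteration; Iterated+Salted
# S2K (mode 3) hashes salt||passphrase repeatedly until `count` octets have
# gone through the hash.

def _multi_context_hash(hash_name, key_len, feed):
    # Context i is preloaded with i zero octets, every context absorbs the
    # same data, and the digests are concatenated and cut to key_len.
    out = b""
    i = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        feed(h)
        out += h.digest()
        i += 1
    return out[:key_len]

def s2k_simple(passphrase, hash_name="sha256", key_len=32):
    """S2K mode 0 (gpg --s2k-mode=0): the key is just hash(passphrase)."""
    return _multi_context_hash(hash_name, key_len, lambda h: h.update(passphrase))

def s2k_decode_count(count_octet):
    """Decode the one-octet coded count into the number of octets hashed."""
    return (16 + (count_octet & 15)) << ((count_octet >> 4) + 6)

def s2k_iterated_salted(passphrase, salt, count_octet, hash_name="sha256", key_len=32):
    """S2K mode 3: salt||passphrase is fed repeatedly until `count` octets
    have been hashed, but never less than one full copy of the data."""
    if len(salt) != 8:
        raise ValueError("RFC 4880 S2K salt is exactly 8 octets")
    data = salt + passphrase
    count = max(s2k_decode_count(count_octet), len(data))

    def feed(h):
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]  # the final repetition may be a prefix
            h.update(chunk)
            remaining -= len(chunk)

    return _multi_context_hash(hash_name, key_len, feed)

if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # constructed
    print("mode 0 key:", s2k_simple(pw).hex())
    print("mode 3 (count octet 0x60 =", s2k_decode_count(0x60), "octets):",
          s2k_iterated_salted(pw, salt, 0x60).hex())
```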


