Question about mangling of passphrases

David Shaw dshaw@jabberwocky.com
Sat Mar 16 02:01:02 2002


On Sat, Mar 16, 2002 at 01:00:23AM +0100, jmos@gmx.net wrote:
> Hello GnuPG Users!
> 
> I wonder if it is safe to use GnuPG for symmetric encryption with 256 Bit
> cyphers.
> The problem I see is as follows: 
> 
>     When someone uses symmetric only encryption GnuPG prompts for a
> passphrase.  This passphrase is then hashed with an algorithm like
> RIPE-MD160 (which is the default) into a 160 Bit hash value.  This
> 160 Bit hash value (or part of it) is then used as a key for a
> symmetric cypher like BLOWFISH (which has a key length of 128 Bit, so
> I assume the least significant 128 Bits of the hash value are being
> used).  But what happens if someone uses a cypher with a key length
> of more than 160 Bit (e.g. 256 Bit) ?  The hash value is too small
> to be used as the key for those cyphers.  So how does GnuPG mangle
> the passphrase to yield a key with e.g. 256 Bit ?

What happens is there are multiple hashes done so there will always be
enough bits of hash to fill in the key bits.  Each additional hash
beyond the first is preloaded with an increasing number of zeroes to
force the resulting hash to be different.

This is documented in RFC-2440, if you want to read more about it.
Look for the "String-to-key (S2K) specifiers" section.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson