Question about mangling of passphrases

jmos@gmx.net jmos@gmx.net
Sun Mar 17 02:03:01 2002


On Sat, Mar 16, 2002 at 01:00:23AM +0100, jmos@gmx.net wrote:
>>Hello GnuPG Users!
>> 
>> I wonder if it is safe to use GnuPG for symmetric encryption with 256 Bit
>> cyphers.
>> The problem I see is as follows: 
>> 
>> When someone uses symmetric only encryption GnuPG prompts for a
>> passphrase.  This passphrase is then hashed with an algorithm like
>> RIPE-MD160 (which is the default) into a 160 Bit hash value.  This
>> 160 Bit hash value (or part of it) is then used as a key for a
>> symmetric cypher like BLOWFISH (which has a key length of 128 Bit, so
>> I assume the least significant 128 Bits of the hash value are being
>> used).  But what happens if someone uses a cypher with a key length
>> of more than 160 Bit (e.g. 256 Bit) ?  The hash value is too small
>> to be used as the key for those cyphers.  So how does GnuPG mangle
>> the passphrase to yield a key with e.g. 256 Bit ?

>What happens is there are multiple hashes done so there will always be
>enough bits of hash to fill in the key bits.  Each additional hash
>beyond the first is preloaded with an increasing number of zeroes to
>force the resulting hash to be different.

>This is documented in RFC-2440, if you want to read more about it.
>Look for the "String-to-key (S2K) specifiers" section.

>David

O.K. Thanks David!

Could this process be used to "emulate" a stronger Hash algorithm
(one with a hash value with more than 160 bit) ?

Let me explain this:

In the GnuPG FAQ section 4.1 one can read the following:

"1024 bit for DSA signatures; even for plain ElGamal signatures this is
sufficient as the size of the hash is probably the weakest link if the key size
is larger than 1024 bits."

So if this process could be used to "emulate" a hash with a greater size,
it would no longer be the weakest link and it would make sense to use DSA
keys with more than 1024 bit.

I guess this is nonsense, but could you please tell me why the above
process of taking multiple hashes to fill in a symmetric key is safe, and
why it is not safe to use the same process to generate a hash with a
greater size so that it would make sense to use greater key sizes for DSA?

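The key expansion described in the quoted reply (the S2K specifiers of RFC 2440), as an added example that is not part of the original message and is not GnuPG's code. It goes beyond the simple case discussed in the thread by also covering the salted and iterated modes from the same RFC section. Assumptions: SHA-1 stands in for RIPE-MD160 (same 160-bit output) because Python's hashlib always provides it, and the function names, passphrase and salt are made up for illustration.

```python
import hashlib

def decode_count(c: int) -> int:
    """Expand the one-octet coded count of iterated S2K into an octet count."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def s2k_derive(passphrase: bytes, key_len: int, salt: bytes = b"",
               count: int = 0, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets from a passphrase, RFC 2440 S2K style.

    salt=b"" and count=0 give simple S2K; a salt alone gives salted S2K;
    salt plus count gives iterated and salted S2K.
    """
    data = salt + passphrase
    if data:
        # Iterated mode hashes `count` octets of the repeated input, but
        # never less than one full copy of salt + passphrase.
        total = max(count, len(data))
        reps, rest = divmod(total, len(data))
        stream = data * reps + data[:rest]
    else:
        stream = b""
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)  # context n is preloaded with n zero octets
        h.update(stream)
        key += h.digest()            # first hash leftmost
        context += 1
    return key[:key_len]             # excess octets on the right are discarded

if __name__ == "__main__":
    pw = b"correct horse"            # constructed sample passphrase
    salt = bytes(range(8))           # constructed 8-octet salt
    print("128-bit simple  :", s2k_derive(pw, 16).hex())
    print("256-bit simple  :", s2k_derive(pw, 32).hex())
    print("256-bit iterated:", s2k_derive(pw, 32, salt, decode_count(96)).hex())
```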