Question regarding s2k algorithms

Robert J. Hansen rjh at
Mon Nov 17 05:07:47 CET 2008

Kevin Hilton wrote:
> Is the s2k-cipher-algo used in any other methods other than for
> protection of the keyring?  Seems odd to me that CAST5 is the default
> -- however I'm sure this is specified according to one of the RFCs.

Dunno; this is one of the parts of GnuPG I've never mucked with, so I
can't talk intelligently about it.  However, regarding your observation
that CAST5 is a weird choice, many non-PGP people would agree with you.
Like most of OpenPGP's weirdnesses, this is done to make backwards
compatibility with PGP 5 and 6 easier.

> There is no current security implication for using the SHA1 hash for 
> password hashing when using symmetric encryption?

None.  Well... potentially.  A largely theoretical attack has been
demonstrated against SHA1 when used for message authentication purposes;
it is possible this research will spur on attacks against SHA1 when used
for password hashing purposes.  However, I don't find it to be very
likely.  If it were to happen, then /wow/, would it be news.

> I'm only asking this in regards to selecting hash algorithms, because
> there seems to be a little hedging on the tried and true statement
> "Use the defaults" when it comes to the selection of hash algorithms.

I can't talk about the community's hedging in general; I can only talk
about my own.

Algorithms get used in a lot of very different ways.  Hash algorithms
get used to provide password hashing and message authentication.  It is
possible for an algorithm to be broken for one purpose and still useful
for another.

For instance, although I consider MD5 to be horribly broken for most
cryptographic purposes, I still use it to create one-time passwords.
The attacks against MD5 focus on MD5 as it is used in one problem
domain; MD5 in other domains is still quite useful.

The same thing is happening to SHA1.  SHA1 for purposes of signatures is
not looking very good.  SHA1 for other purposes is still perfectly fine.

However -- good luck explaining this to people.  It's one of those
infamous "subtle distinctions" I talk about incessantly.  Most people
don't want to spend the time and energy it takes to be a competent
cryptographic engineer.  They just want an answer.  For these people,
"SHA1 is still secure but is not looking good in the long-term; migrate
to something else; SHA256 looks pretty good" is the advice I give people.

And even then, with the subtleties reduced that far, it never fails that
people misconstrue what I say to be "SHA1 is broken!  We must use SHA256
for everything!".

It's kind of frustrating.

More information about the Gnupg-users mailing list
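As an added example (not code from the message above or from GnuPG), here is the RFC 4880 section 3.7.1 string-to-key computation that gpg's --s2k-digest-algo, --s2k-cipher-algo and --s2k-count options parameterise, followed by a small offline dictionary attack on the derived key to show where the hash's job in S2K differs from its job in a signature. The salt, passphrase and candidate list are constructed for the example; the coded count 0x60 is used only because it decodes to a round 65536 octets; and the hash-algorithm table is just the RFC 4880 subset that Python's hashlib provides.

```python
"""OpenPGP string-to-key (S2K) passphrase derivation, RFC 4880 section 3.7.1.

Added example for illustration; it is not code from the original message or
from GnuPG. Passphrases, salts and candidate lists below are constructed.
"""
import hashlib
from typing import Iterable, Optional

# RFC 4880 section 9.4 hash algorithm IDs mapped to hashlib names (subset).
HASH_ALGOS = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets hashed.

    RFC 4880 3.7.1.3: count = (16 + (c & 15)) << ((c >> 4) + 6),
    so the range is 1024 (c=0x00) .. 65011712 (c=0xFF).
    """
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k(passphrase: bytes, key_len: int, hash_algo: int = 2,
        salt: Optional[bytes] = None,
        coded_count: Optional[int] = None) -> bytes:
    """Derive key_len octets of symmetric key from a passphrase.

    salt=None, coded_count=None   -> Simple S2K (type 0)
    salt given, coded_count=None  -> Salted S2K (type 1)
    salt and coded_count given    -> Iterated and Salted S2K (type 3)

    If key_len exceeds the digest size, further hash contexts are run,
    each preloaded with one more zero octet than the previous one, and
    the digests are concatenated (RFC 4880 3.7.1.1).
    """
    name = HASH_ALGOS[hash_algo]
    if not passphrase:
        raise ValueError("empty passphrase")
    if salt is not None and len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    if coded_count is not None and salt is None:
        raise ValueError("iterated S2K requires a salt")
    data = (salt or b"") + passphrase
    if coded_count is None:
        total = len(data)
    else:
        # At least one full copy of salt||passphrase is always hashed.
        total = max(decode_s2k_count(coded_count), len(data))

    # A few KiB of repeated data per update() call; its length is a
    # multiple of len(data), so repeating the block repeats the data.
    block = data * max(1, 8192 // len(data))
    digest_len = hashlib.new(name).digest_size
    out = b""
    for ctx_index in range((key_len + digest_len - 1) // digest_len):
        h = hashlib.new(name)
        h.update(b"\x00" * ctx_index)       # zero-octet prefix per context
        remaining = total
        while remaining > 0:                # truncate the final copy
            chunk = block[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
    return out[:key_len]


def guess_passphrase(target_key: bytes, candidates: Iterable[bytes],
                     key_len: int, hash_algo: int, salt: bytes,
                     coded_count: int) -> Optional[bytes]:
    """Offline dictionary attack against an S2K-derived key.

    Every guess costs one full S2K run (decode_s2k_count(coded_count)
    octets of hashing), so the count and the passphrase's guessability,
    not the hash's collision resistance, set the attacker's cost here.
    """
    for candidate in candidates:
        if s2k(candidate, key_len, hash_algo, salt, coded_count) == target_key:
            return candidate
    return None


if __name__ == "__main__":
    salt = b"\x01\x23\x45\x67\x89\xab\xcd\xef"    # constructed, not random
    pw = b"correct horse battery staple"          # constructed passphrase
    # 16-octet key (CAST5 size) via SHA-1, coded count 0x60 = 65536 octets.
    k_sha1 = s2k(pw, 16, hash_algo=2, salt=salt, coded_count=0x60)
    # 32-octet key (AES-256 size) via SHA-256, strongest coded count.
    k_sha256 = s2k(pw, 32, hash_algo=8, salt=salt, coded_count=0xFF)
    print("coded 0x60 ->", decode_s2k_count(0x60), "octets hashed per guess")
    print("coded 0xFF ->", decode_s2k_count(0xFF), "octets hashed per guess")
    print("CAST5/SHA-1 key:   ", k_sha1.hex())
    print("AES-256/SHA-256 key:", k_sha256.hex())
    found = guess_passphrase(k_sha1, [b"password", b"letmein", pw],
                             16, 2, salt, 0x60)
    print("dictionary attack recovered:", found)
```

Note what the attack needs: the passphrase that produces one particular key, which is a guessing problem, not a collision search. Finding two unrelated inputs with the same SHA1 digest does not hand the attacker a passphrase, which is the distinction the message draws between SHA1 in signatures and SHA1 in S2K. What does help the attacker is a low count, which is why the coded count is the setting to raise when keeping SHA1 as the S2K digest.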