Question regarding s2k algorithms

David Shaw dshaw at
Mon Nov 17 05:24:13 CET 2008

On Nov 16, 2008, at 9:47 PM, Kevin Hilton wrote:

> Ok so let me ask things in a different way
> Is the s2k-cipher-algo used in any other methods other than for
> protection of the keyring?  Seems odd to me that CAST5 is the default
> -- however I'm sure this is specified according to one of the RFCs.

The RFC says nothing about it.  CAST5 was chosen to maximize  
compatibility with older versions of PGP, but not be as slow as 3DES.   
If you specify --openpgp, it becomes 3DES.

It is used whenever a key needs to be encrypted/decrypted with a  
passphrase.  The huge majority of the time that is protecting secret  
keys.  The other spot where this is needed is a little obscure:  
creating a message with both passphrase *and* public key encryption.   
That is, some recipients use their secret keys to decrypt, and some  
recipients use a passphrase.  In this case, the s2k-cipher-algo is  
used to encrypt the session key to the passphrase recipients (and like  
all symmetric encryption, it's up to you to make sure those recipients  
can decrypt it).

> There is no current security implication for using the SHA1 hash for
> password hashing when using symmetric encryption?  I'm only asking
> this in regards to selecting hash algorithms, because there seems to
> be a little hedging on the tried and true statement "Use the defaults"
> when it comes to the selection of hash algorithms.  The intention of
> the last statement is not to rehash the old discussion of which hash
> algorithm to use -- really it is not!!

Don't like SHA1?  That's fine, and we give you the ability to change  
it to something else, but then you become responsible for not shooting  
yourself in the foot. :)

Use the defaults.  Really.  If we felt that overall there was a better  
algorithm to use than the current default, we'd make that algorithm  
into the new default.
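
How a passphrase becomes the key that the s2k cipher then uses, as an added example that is not part of the original message and is not GnuPG's code: the iterated and salted S2K of RFC 4880 section 3.7.1.3 with SHA1. The function names, salt, passphrase and coded count are constructed for illustration.

```python
import hashlib

EXPBIAS = 6  # constant from RFC 4880, section 3.7.1.3


def decode_count(c: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= c <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, digest: str = "sha1") -> bytes:
    """Derive key_len octets of key material from a passphrase."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    # salt+passphrase is always hashed at least once in full, even when the
    # decoded count is smaller than its length.
    count = max(decode_count(coded_count), len(data))
    full, rem = divmod(count, len(data))
    key = b""
    ctx = 0
    # When the cipher key is longer than one digest (3DES needs 24 octets,
    # SHA1 gives 20), extra hash contexts are preloaded with 1, 2, ... zero
    # octets and their outputs are concatenated.
    while len(key) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * ctx)
        for _ in range(full):
            h.update(data)
        h.update(data[:rem])
        key += h.digest()
        ctx += 1
    return key[:key_len]


if __name__ == "__main__":
    salt = bytes(range(8))      # constructed sample salt
    pw = b"password"            # constructed sample passphrase
    # 16 octets = CAST5 key, 24 octets = 3DES key, 32 octets = AES256 key
    for name, n in (("CAST5", 16), ("3DES", 24), ("AES256", 32)):
        print(name, s2k_iterated_salted(pw, salt, 96, n).hex())
```

The digest only stretches the passphrase into key material here; the cipher chosen for s2k determines how many octets are taken from it.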


More information about the Gnupg-users mailing list