GnuPG private key resilience against off-line brute-force attacks (was: Re: Backup of private key)

David Shaw dshaw at jabberwocky.com
Sat Nov 28 22:28:34 CET 2009


On Nov 28, 2009, at 3:07 PM, M.B.Jr. wrote:

> Hi,
>
>
> On Sat, Nov 28, 2009 at 1:47 PM, David Shaw <dshaw at jabberwocky.com> wrote:
>>>   The question is: what does GnuPG or OpenSSH do to slow down
>>> password brute-force? I mean does the password derivation function use
>>> some iterations? If so how many? Can I configure them? I guess so but
>>> I couldn't find any data on the net on a quick search. (Any references
>>> are appreciated.)
>>
>> GnuPG (really OpenPGP) does iterated password hashing.  See section 3.7.13
>> "Iterated and Salted S2K" of RFC-4880 for the fine details, but the gist is
>> as you surmised - the passphrase is run through many hash iterations.  This
>> slows down passphrase guessers as they must also repeat the hashing part the
>> same number of times.  By default, GnuPG uses 65536 iterations of the
>> passphrase hash, but can be configured via the --s2k-count option to be as
>> high as 65011712 iterations.
>
>
> Considering a password/passphrase, which has -- by default, its
> 65536th hash iteration result, locally stored for comparison.
>
> If I adjust (via --s2k-count) my GnuPG's iterations number, will it
> generate and store a new sum value for my actual passphrase? Or for
> this passphrase specifically, it will continue working with the number
> of iterations used by the time the passphrase was created?

The s2k-count is only used when creating the passphrase for the first  
time (and that applies to both creating a new secret key as well as  
encrypting something with a passphrase via --symmetric).  If you want  
to change the s2k-count of an existing secret key, you need to set the  
new s2k-count and then change the passphrase.  You can "change" it to  
the same passphrase if you like - it's the creation of a new  
passphrase-to-key that picks up the new s2k-count.

David
